Security update KB4019263 deployment issue

[toky76]

Greetings to all Windows Updates lovers,

we are facing issues with deployment of one important Microsoft security patch kb4019263 (windows6.1-kb4019263-x64_d64d8b6f91434754fdd2a552d8732c95a6e64f30.msu) from https://support.microsoft.com/en-us/help/4019263/windows-7-update-kb4019263
We solved the sfc /scannow issues however the deployment of the patch stops after reboot and a roll-back is initiated due to a failure.
Here are the logs of the current state of the server: https://www.dropbox.com/sh/diq0i5tzjdgtupi/AAAQfDEFLbDrjrs2iJSg1BR1a?dl=0
There are 2 folders with logs of current state and the other from the state where we tried almost all possible recommendations starting from Clean Boot of the System, resetting Windows Updates components, through Servicing stack update (KB3177467) and Readyness Tool up to SafeMode replacing the above mentioned file however the installer of the patch replaces it back to older version with original permissions.
The main part is about the file C:\Windows\System32\Crypt32.dll and a strange error HR=0x800700ea.

Thank you in advance for any feedback!!!

 

[torchwood]

Hi Toky76,

from the SURT report

Checking Package Manifests and Catalogs (w) CBS Catalog Expired 0x800B0101 servicing\Packages\Package_5_for_KB2722913~31bf3856ad364e35~amd64~~6.1.1.0.cat

Basically your getting a permissions problem.

try the fix from this artical.

Can I uninstall hotfixes signed with an expired certificate - Microsoft Community


Roy

 

[toky76]

Hi Roy,
thanks for quick reply but may I ask you what do you mean exactly from provided article?
To remove it from registry, uninstall the expired package and try to install kb4019263?
Thanks!

 

[torchwood]

Hi Toky76,
pretty sure the fix was

Try installing KB2749655 (Expired Certificate fix), then applying MS12-054/KB2705219-V2 and MS12-055/KB2731847-V2.



The KB referenced by SURT was one of MS dodgy patches.




Roy

 

[toky76]

Hi,

so I have tried to deploy the patches as recommended but no luck.
KB2731847 failed to deploy cause actually it has been replaced by 2761266 (MS12-075)
What strange it is that CheckSURlog does not show any errors.
So I decided to do the last move that I can do tonight and that was In-Place Upgrade Install (Repair Install) where I have to re-activate the license but no change related to the patch.


If you can help me to solve the issue that has been gaining my attention for a long time I would be very thankful.
Regards,
Peter

 

[torchwood]

Hi toky76,

There are errors in the CBS log.

The main is that it cant find the URL for the certificates chain.

another to try, (doubt if the fixit links will work)
https://support.microsoft.com/en-us/help/2328240/event-id-4107-or-event-id-11-is-logged-in-the-application-log-in-windo

As for the SURT warning thats standard for a virtual machine.


Roy

 

[toky76]

Hi torchwood,

I agree that SURT error is normal for virtual machines but I am curious about the same error that is in CBS:

2017-10-29 10:36:30, Info CSI 0000005d Begin executing advanced installer phase 38 (0x00000026) index 56 (0x0000000000000038) (sequence 95)
Old component: [ml:308{154},l:306{153}]"Microsoft-Windows-System-Events, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=x86, versionScope=NonSxS"
New component: [ml:308{154},l:306{153}]"Microsoft-Windows-System-Events, Culture=neutral, Version=6.1.7601.23796, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=x86, versionScope=NonSxS"
Install mode: install
Installer ID: {3bb9fd2b-351e-4b9c-b1fc-ed0758805998}
Installer name: [6]"Events"
2017-10-29 10:36:30, Error CSI 00000001 (F) Logged @2017/10/29:09:36:30.315 : [ml:272{136},l:270{135}]"events installer: online=1, install=1, component=x86_Microsoft-Windows-System-Events_31bf3856ad364e35_6.1.7601.23796_neutral_release__."
[gle=0x80004005]
2017-10-29 10:36:30, Error CSI 00000002 (F) Logged @2017/10/29:09:36:30.736 : [ml:166{83},l:164{82}]"WmiCmiPlugin reghelp.cpp(27): InstrumentationManifestAssert failed. HR=0x800700ea."
[gle=0x80004005]
2017-10-29 10:36:30, Error CSI 00000003 (F) Logged @2017/10/29:09:36:30.736 : [ml:166{83},l:164{82}]"WmiCmiPlugin eventloghandler.cpp(192): ProcessEventsInstall failed. HR=0x800700ea."
[gle=0x80004005]
2017-10-29 10:36:30, Error CSI 00000004 (F) Logged @2017/10/29:09:36:30.736 : [ml:170{85},l:168{84}]"WmiCmiPlugin eventloghandler.cpp(212): EventLogHandlerInstall failed. HR=0x800700ea."
[gle=0x80004005]
2017-10-29 10:36:30, Error CSI 00000005@2017/10/29:09:36:30.736 (F) CMIADAPTER: Inner Error Message from AI HRESULT = HRESULT_FROM_WIN32(234)
[
[25]"More data is available.

I also tried to delete the content of CryptnetUrlCache folders but no luck.

Thank you so far for your support!
Regards,
Peter

 

[torchwood]

Think we got lucky

Updates for Windows 8 (updated from Windows 7) fail during configuration - Super User

Back up registry first


Roy

 

[toky76]

Hey,
so I backed up the registry, removed the one with Microsoft-Windows-Kernel-WDI (2ff3e6b7-cb90-4700-9621-443f389734ed) from WINEVT\Publishers, rebooted the server and tried to deploy that damned patch but not luck.
Looking into the CBS log the error seems to be the same and again the same file
It looks to me that the TrustedInstaller does not have proper rights to process what it needs...

 

[toky76]

Hi,

so the result is that I have reverted back the virtual machine using snapshot and installed KB2749655, KB2705219 and KB2731847 again. The sfc /scannow and CheckSUR logs dont show any error however CBS log still poinst to c:\windows\System32\Crypt32.dll.
I have tried to replace it manually in Safe mode as well as remove it from the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ but no luck either.
Maybe a good loud question from my mind is which version should I try to replace it? With the original from DVD, newer version (tried but no success) or if any at all cause the critical patch always replace it with Version=6.1.7601.18277 and is trying to install Version=6.1.7601.23769
In-Place Upgrade did solve this issue partially however other issues came up including OS activation etc.

 

[torchwood]

Hi Toky76,

Do you have another machine (VM prefferrably) that is successfully updating.

Please confirm that KB2722913 is STILL installed
(the newer MS diskcleaner removes superceeded updates)

Can you also run this tool, copy/paste the output
http://www.sysnative.com/niemiro/apps/SFCFix.exe


Now we could either
remove it (wusa /uninstall /KB:2722913) or
try and update it, extract package-5 from the MSU


Roy

 

[toky76]

Hey Roy,

KB2722913 is not visible in the OS neither it is not applicable to the computer.
It seems that it has been replaced by some newer one.

SFXFix tool output attached.

I am about to replace that crypt32.dll with some original from installation DVD if I get approval.

Thank you so far...

 

[torchwood]

Hi Toky76,

sorry bout delay been going over the logs, (trust you to put poqexec last)


1d2e9b5f0ff09fc: 74c, c0190003, 1e2e, 0, SetKeyValue ;\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_d94ccf54ab7bcc8a02577e5904829641_31bf3856ad364e35_none_e8457ac0781a11f8\6.1, 6.1.7601.23807, , AQ==

Believe this is the little devil causing the problem
The c0190003 means fatal error, basically ignored
i have a very limited knowledge of this part of the process, im only a home user.
suggest you search d94cc........ see which process it passes the key too.
(AV or Sage by any chance)
as for the key? AQ== what are its rights.


The inplace repair you performed earlier should have allready replaced the crypt32.dll


Roy