SFC and Trusted Installer? Is this normal?

[Netlace]

I have NOT been able to run a SFC for a long time. I uninstalled some programs last night and tried today with success. I am not familiar with Windows 7 but I don't think Vista ran SFC via Trusted Installer. I ran a MSE on this computer a month or so ago and it ran over 4 hours and when finished had installed and deleted so many files. I removed Adobe, and Live Essentials. I need to remove Java as there are HUNDREDS of Java in the registry, but it is not showing up in the uninstall list. I am wondering if someone can look at my CBS Log and offer any advice as to what is going on. This is the oddest CBS I have ever seen. I was making progress getting this laptop clean and worried something may have reverted or worse.

 

[ShamrockRig]

post the log and im sure someone will get back to you buddy!

 

[Netlace]

CBS Log

Here it is thanks...

 

[Britton30]

This may help, run the steps outlined in this tutorial, Option Two, and reboot the system:
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html#post14392
You may get this result:

Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log
The system file repair changes will take effect after the next reboot.

Or a message that no integrity violations were found.
Or that Windows Resource Protection found errors it cannot repair.

did you follow these steps for the sfc /scannow?

 

[NoelDP]

The SFC log showed the following repair...

2013-12-13 14:55:30, Info                  CSI    00000193 [SR] Repairing 1 components
2013-12-13 14:55:30, Info                  CSI    00000194 [SR] Beginning Verify and Repair transaction
2013-12-13 14:55:31, Info                  CSI    00000195 [SR] Repairing corrupted file [ml:520{260},l:108{54}]"\??\C:\Program Files\Common Files\Microsoft Shared\Ink"\[l:20{10}]"rtscom.dll" from store
2013-12-13 14:55:31, Info                  CSI    00000196 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"InkEd.dll" from store
2013-12-13 14:55:31, Info                  CSI    00000197 [SR] Repairing corrupted file [ml:520{260},l:108{54}]"\??\C:\Program Files\Common Files\Microsoft Shared\Ink"\[l:20{10}]"InkDiv.dll" from store

It looks like that operation completed properly - but the log is missing the usual summary.

Please run a new SFC scan, and post the full CBS folder in your reply.
...in fact, it may be a good idea to follow the Windows Update Posting Instructions and post the requested data

 

[Netlace]

New SFC/CBS Log

I ran them both as a elevated Admin cmd. Here are the new results.

Is it normal for Trusted Installer to be in charge of this and running at high CPU during the scan?

I got no results from using the command [findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"]

It worked using this command.. [notepad c:\windows\logs\cbs\cbs.log]

 

[Britton30]

I may be wrong, but I believe TrustedInstaller = Admin privileges. It starts in my sfc scans too.
From the first few lines of one...

2013-11-20 16:55:17, Info                  CBS    Starting[COLOR=red] TrustedInstaller[/COLOR] initialization.
2013-11-20 16:55:17, Info                  CBS    Loaded Servicing Stack v6.1.7601.17592 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17592_none_672ce6c3de2cb17f\cbscore.dll
2013-11-20 16:55:18, Info                  CSI    00000001@2013/11/20:21:55:18.208 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee459f0ad @0x7fee48c9849 @0x7fee48934e3 @0xff7ae97c @0xff7ad799 @0xff7adb2f)
2013-11-20 16:55:18, Info                  CSI    00000002@2013/11/20:21:55:18.208 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee459f0ad @0x7fee4916816 @0x7fee48e2aac @0x7fee48935b9 @0xff7ae97c @0xff7ad799)
2013-11-20 16:55:18, Info                  CSI    00000003@2013/11/20:21:55:18.223 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee459f0ad @0x7fee4478738 @0x7fee4478866 @0xff7ae474 @0xff7ad7de @0xff7adb2f)
2013-11-20 16:55:18, Info                  CBS    Ending [COLOR=red]TrustedInstaller [/COLOR]initialization.
2013-11-20 16:55:18, Info                  CBS    Starting the [COLOR=red]TrustedInstaller[/COLOR] main loop.
2013-11-20 16:55:18, Info                  CBS   [COLOR=red] TrustedInstaller[/COLOR] service starts successfully.

 

[NoelDP]

Netlace - I need the whole CBS folder, please
Britton - the TrustedInstaller is a Service that has special privileges exceeding those of the Administrators group, and is called mostly when doing installs/uninstalls.

 

[NoelDP]

The SFC scan appears to have completed properly this time?

It found nothing to do (apart from a few minor cleanup items which aren't logged in the SR parts of the log)

Here's the final summary area...

 Line 7139: 2013-12-14 16:42:50, Info                  CSI    0000018c [SR] Verifying 31 (0x0000001f) components
 Line 7140: 2013-12-14 16:42:50, Info                  CSI    0000018d [SR] Beginning Verify and Repair transaction
 Line 7145: 2013-12-14 16:42:55, Info                  CSI    0000018f [SR] Verify complete
 Line 7146: 2013-12-14 16:42:55, Info                  CSI    00000190 [SR] Repairing 0 components
 Line 7147: 2013-12-14 16:42:55, Info                  CSI    00000191 [SR] Beginning Verify and Repair transaction
 Line 7152: 2013-12-14 16:42:55, Info                  CSI    00000193 [SR] Repair complete

There don't appear to be any errors in the background CBS data either - and there is nothing really odd about it that I can see.

 

[Netlace]

Noel I have searched for cbs using search and it came up with tons of things like cbshandler,cbspersist_,cbscore.dll, cbsprovider.dll, cbsprovider.dll.mui, cbsmsg.dll, cbsmsg.dll.mui, cbsapi.dll, and the last two logs I ran. I can't find anything more to send you. I guess this is the whole folder...
I am more use to XP and Vista and I don't recall TrustedInstaller being charge of it. If it is normal then thats fine, and I will trust the results. I CAN"T run chkdsk at all.
I have to say I don't trust "TrustedInstaller" at all. It is constantly installing regardless of my settings. It appears as I have no say on this notebook. Regardless of the settings it appears as everything is Virtual, Shared, and Peer to Peer. The notebook takes forever to shut down and the other night I held the power button down to force shutdown. I briefly saw a logon screen with "Other User". I am all the time getting a message at shutdown "other users are loggoned on .....".
I want to thank everyone for responding to this post. Should I assume it is normal for Trusted Installer to be in control of the SFC?

 

[NoelDP]

TrustedInstaller, as I said, is a Service - and as such it has special privileges, and will be in the background most of the time. ANYTHING that requires special file access to the winsxs folder, or any file associated with that folder, has to go through the TrustedInstaller service to do it, and the whole folder and content are owned by the service, and even the System account doesn't have modification rights there.


TrustedInstaller isn't 'in control' of SFC as such - but without TrustedInstaller, SFC can do none of the maintenance tasks it's designed to accomplish.

Your 'Other User' flags are worrying, though.
How many users exist on this machine?
What level user are they?

What account do you routinely work in? - is UAC switched on or not?

 

[Netlace]

UAC is on, but often just bypasses it it seems. How do I check for users?

 

[NoelDP]

Control Panel > User Accounts - what's listed?

and....

Open an Elevated Command Prompt, and run the following commands.

REG QUERY HKU
REG QUERY HKLM
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

post the results

Here are some instructions to make life easier
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

 

[Netlace]

I had to expand manage to see the accounts, and it shows Admin and guests.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>REG QUERY HKU

HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-2452422238-2317045706-931954555-1000
HKEY_USERS\S-1-5-21-2452422238-2317045706-931954555-1000_Classes
HKEY_USERS\S-1-5-18

C:\Windows\system32>REG QUERY HKLM

HKEY_LOCAL_MACHINE\BCD00000000
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_LOCAL_MACHINE\SAM
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM

C:\Windows\system32>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
Default REG_EXPAND_SZ %SystemDrive%\Users\Default
Public REG_EXPAND_SZ %SystemDrive%\Users\Public
ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-501

I noticed today that my Recycle Bin has a $, and inside are 2 users accounts and the real Recycle Bin. Is this normal?

 

[NoelDP]

It looks like you have/had a temporary user account in operation - which is possibly not good news.

The Recycle Bin situation is 'normal' for some circumstances.

Let's take a bit of a sideways look at the system - please follow the http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html and post the log - I'll get someone to have a look at it while I try and get some sleep.

 

[Netlace]

Ok, thanks and will talk tomorrow. I will try to give you more info too.

 

[Netlace]

I have done the above but will wait till tomorrow to post. The MSINFO32 is a nfo file. That seems odd to me. When I open it opens the system Information on the laptop. Seems it should open a txt log.

 

[Netlace]

SF Log

I figured out how to change to txt.
Several Event logs have been cleared so I am trying to figure a way to bring them back...

 

[Britton30]

I have done the above but will wait till tomorrow to post. The MSINFO32 is a nfo file. That seems odd to me. When I open it opens the system Information on the laptop. Seems it should open a txt log.

It is supposed to do that, changing it to a text doc may not show all info and be very difficult to read.

 

[Netlace]

under C:\Users, showing hidden there are many folders. here is the list.. C:\Users\All Users, C:\Users\Aubrey,
C:\Users\Default (Hidden), C:\Users\Default (can't access), C:\Users\Guest, C:\Users\Public (not hidden but all folders hidden), and the desktop.ini =
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21813

I thought Windows 7 did away with desktop.ini? It is everywhere! I started to copy the default folder but it is so much. Things are connected to the IE, when they shouldn't be, including- Electronics, Cars, Fashion, Collectibles, Coupons and More |eBay, Electronics, Cars, Fashion, Collectibles, Coupons and More |eBay.
Is there away to copy everything in these default folders?