Patch installation with script fails at first but succeeds the second time

 

Hi, my name is Prachi and today I will be talking about a patch installation problem which occurs when multiple patches are installed together.

 

Consider the following scenario

 

You have a scheduled task\script that scans for updates and while it detects multiple updates, it fails when installing them. If you check the update history, you see that it failed to install any update after it tried to install a security update. The security update, then shows reboot required.  

 

When you open the CBS logs located in C:\windows\logs\CBS, you see the following:

2015-08-30 04:25:29, Info CSI 00000235 Component change list:
2015-08-30 04:25:29, Info CSI 00000236 Couldn't find the hash of component: Microsoft-Windows-BootEnvironment-OS-Loader.Resources, Version = 6.1.7601.23136, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the catalog [l:192{96}]"\SystemRoot\WinSxS\Catalogs\33aaa08f767a1d074889ca79e8ed861442eef084bcbaaa5379376ad63e2c87d5.cat".
2015-08-30 04:25:29, Error CSI 00000237@2015/8/30:04:25:29.184 (F) : Error 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] originated in function CCSDirectTransaction::AddImplicationsToCatalogsAndVerifyComponentHashes expression: (null)
[gle=0x80004005]
2015-08-30 04:26:07, Error CSI 00000238 (F) 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] #14706236# from CCSDirectTransaction::PrepareForCommit(...)[gle=0x90092004]
2015-08-30 04:26:07, Error CSI 00000239 (F) 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] #14706235# from CCSDirectTransaction::ExamineTransaction(...)[gle=0x90092004]
2015-08-30 04:26:07, Error CSI 0000023a (F) 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] #14706234# from CCSDirectTransaction_IRtlTransaction::ExamineTransaction(...)[gle=0x90092004]
2015-08-30 04:26:07, Error CSI 0000023b (F) CRYPT_E_NOT_FOUND #14705449# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Analyze(...)[gle=0x80092004]
2015-08-30 04:26:07, Error CSI 0000023c (F) CRYPT_E_NOT_FOUND #14534227# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_Commit(Flags = 47 (0x0000002f), pSink = NULL, disp = 0, coldpatching = FALSE)[gle=0x80092004]
2015-08-30 04:26:07, Error CSI 0000023d (F) CRYPT_E_NOT_FOUND #14534226# 42410326 us from Windows::ServicingAPI::CCSITransaction_ICSITransaction::Commit(flags = 0x0000002f, pSink = NULL, disp = 0)
[gle=0x80092004]
2015-08-30 04:26:07, Error CBS Exec: Failed to commit CSI transaction to resolve execution chain. [HRESULT = 0x80092004 - CRYPT_E_NOT_FOUND]
2015-08-30 04:26:07, Info CSI 0000023e@2015/8/30:04:26:07.856 CSI Transaction @0x2feaf1b0 destroyed
2015-08-30 04:26:07, Info CBS Perf: Resolve chain complete.
2015-08-30 04:26:07, Info CBS Failed to resolve execution chain. [HRESULT = 0x80092004 - CRYPT_E_NOT_FOUND]
2015-08-30 04:26:07, Error CBS Failed to process single phase execution. [HRESULT = 0x80092004 - CRYPT_E_NOT_FOUND]
2015-08-30 04:26:07, Info CBS WER: Generating failure report for package: Package_for_KB3071756~31bf3856ad364e35~amd64~~6.1.1.2, status: 0x80092004, failure source: Resolve, start state: Absent, target state: Installed, client id: WindowsUpdateAgent

 

 

 

This happens because security updates usually require a reboot to commit and will fail any update that is installed after that. Please note that once you encounter a security update, it always does ask for a reboot. In addition to committing the transactions, a reboot is also responsible for committing a task called scavenging. Please note that scavenging is invoked on system startup (when TrustedInstaller starts on boot), system shutdown and idle processing.

 

There is another type of reboot called a non-mandatory reboot which only requires scavenging.

 

You can manually invoke scavenging by stopping and starting the Windows Modules Installer (TrustedInstaller) service. Please note that scavenging, as the name suggests, removes the unused components and it might help with the problem but only when the reboot required is non-mandatory.

 

If a third party software is being used for this, the following steps can be added to the schedule:

1. Check the patch to see if it is a security patch.
2. If it is a security patch, then install it and restart the Windows Modules Installer (TrustedInstaller) service.
3. If not, then simply install it.

NOTE: Types of RebootRequired in the Windows Update system

There are two levels of “reboot required” within the Windows Update system. There’s “mandatory reboot required”, which basically means “nothing more will happen in Windows Update until you reboot”; and there’s “non-mandatory reboot required”, which basically means “You can’t do new scans, but you can continue to install updates that you already located through previous scans”.

 

A non-mandatory reboot creates the key:

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

A mandatory reboot creates the key

 SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory

 

 

Prachi Gupta

Support Engineer |Microsoft Windows Core

Disclaimer : This information is provided ‘as-is’ with no warranties

Comments

• Anonymous
  May 12, 2016
  good