Various TrustedInstaller related error logs

    Question

  • So i checked the event logs today, only to find the following errors, constantly repeated:


    Application
    Faulting application name: TrustedInstaller.exe, version: 6.1.7100.0, time stamp: 0x49ee8cdf
    Faulting module name: wcp.dll, version: 6.1.7100.13, time stamp: 0x49fa4ed0
    Exception code: 0xc0000235
    Fault offset: 0x000b5087
    Faulting process id: 0x564
    Faulting application start time: 0x01ca4d0b8447ee30
    Faulting application path: C:\Windows\servicing\TrustedInstaller.exe
    Faulting module path: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7100.13_none_e215faf667a47299\wcp.dll
    Report Id: c23a9260-b8fe-11de-a934-001a4d58a5c6

    Fault bucket , type 0
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: TrustedInstaller.exe
    P2: 6.1.7100.0
    P3: 49ee8cdf
    P4: wcp.dll
    P5: 6.1.7100.13
    P6: 49fa4ed0
    P7: c0000235
    P8: 000b5087
    P9:
    P10:

    Attached files:

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TrustedInstaller_9d7a674f37ed3f875a82827c11f96be93e715253_148fe4ea

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: c23a9260-b8fe-11de-a934-001a4d58a5c6
    Report Status: 4

    Fault bucket , type 0
    Event Name: WindowsWcpOtherFailure3
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 6.1.7100
    P2: base\wcp\sil\merged\ntu\ntsystem.cpp
    P3: Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysClose
    P4: 4598
    P5: c0000235
    P6: 0x8aef12c6
    P7: 
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_6.1.7100_d66fa77f426ce2de52191fb2256a5f8479a3b3d4_111fe3a2
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: c201cf20-b8fe-11de-a934-001a4d58a5c6
    Report Status: 4


    Setup
    Windows update  could not be installed because of error 2149842967 "" (Command line: ""C:\Windows\System32\wusa.exe" C:\Users\DOMOCH~1\AppData\Local\Temp\092509202002\Windows6.0-KB929547-v2-x86.msu /quiet /norestart")


    System
    The Windows Modules Installer service terminated unexpectedly.  It has done this 36 time(s).



    CBS.log says the following:

    ...
    2009-10-14 22:20:09, Info CBS Starting TrustedInstaller initialization.
    2009-10-14 22:20:09, Info CBS Loaded Servicing Stack v6.1.7100.13 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7100.13_none_e215faf667a47299\cbscore.dll
    2009-10-14 22:20:09, Info CSI 00000001@2009/10/14:20:20:09.598 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5abee3e1 @0x5b3a50d1 @0x5b3815be @0x6e1c99 @0x6e1236 @0x75d875a8)
    2009-10-14 22:20:09, Info CSI 00000002@2009/10/14:20:20:09.605 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5abee3e1 @0x5b3e5a32 @0x5b3e28c2 @0x6e1c99 @0x6e1236 @0x75d875a8)
    2009-10-14 22:20:09, Info CSI 00000003@2009/10/14:20:20:09.606 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5abee3e1 @0x5b264b90 @0x5b265489 @0x6e1327 @0x6e1245 @0x75d875a8)
    2009-10-14 22:20:09, Info CBS Ending TrustedInstaller initialization.
    2009-10-14 22:20:09, Info CBS Starting the TrustedInstaller main loop.
    2009-10-14 22:20:09, Info CBS TrustedInstaller service starts successfully.
    2009-10-14 22:20:09, Info CBS SQM: Initializing online with Windows opt-in: False
    2009-10-14 22:20:09, Info CBS SQM: Cleaning up report files older than 10 days.
    2009-10-14 22:20:09, Info CBS SQM: Requesting upload of all unsent reports.
    2009-10-14 22:20:09, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
    2009-10-14 22:20:09, Info CBS SQM: Failed to start standard sample upload. [HRESULT = 0x80004005 - E_FAIL]
    2009-10-14 22:20:09, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
    2009-10-14 22:20:09, Info CBS SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
    2009-10-14 22:20:09, Info CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
    2009-10-14 22:20:09, Info CBS NonStart: Checking to ensure startup processing was not required.
    2009-10-14 22:20:09, Error CSI 00000004 (F) c0000235 [Error,Facility=(system),Code=565 (0x0235)] #89# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysClose(h = @0x1c4 "")[gle=0xd0000235]
    2009-10-14 22:20:09, Error CSI 00000005@2009/10/14:20:20:09.617 (F) d:\winmain_win7rc_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(4598): Error c0000235 [Error,Facility=(system),Code=565 (0x0235)] originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysClose expression: ::NtClose(Handle) [gle=0x80004005]



    Also attempting to invoke sfc /scannow results in "Windows Resource Protection could not start the repair service. "


    The services Windows Modules Installer and Windows Installer are set to manual. I also noticed that Windows Update takes a long time to do its thing, including slowing down shutdown (30 sec longer than it should be).

    So... what's going on?

    (System: Windows 7 RC)
    Wednesday, October 14, 2009 8:34 PM

All replies

  • Hi Domochevsky,

    Exception code 0xc0000235 is "STATUS_HANDLE_NOT_CLOSABLE" - "NtClose was called on a handle that was protected from close via NtSetInformationObject.".

    So it sounds like you may have encountered a bug in Win7 RC (may or may not be fixed in RTM).  Or, some third party software (perhaps malware? or security software?) is somehow affecting the components / objects that TrustedInstaller is attempting to manipulate.

    Do you have access to the RTM build?
    Thursday, October 15, 2009 1:48 AM
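
Added example, not part of the original thread: a small decoder for the numeric fields in the logs quoted in the question (exception code, `gle=` values, the wusa.exe error, start time, module time stamps). It assumes the standard NTSTATUS, HRESULT, FILETIME and PE time-stamp encodings; the function names are made up for this example and the symbolic names come from Microsoft's public headers.

```python
from datetime import datetime, timedelta, timezone

# Names from the thread and Microsoft's public headers (ntstatus.h, winerror.h, wuerror.h).
KNOWN = {
    0xC0000235: "STATUS_HANDLE_NOT_CLOSABLE",
    0x80004005: "E_FAIL",
    0x80240017: "WU_E_NOT_APPLICABLE",
}
SEVERITY = ("Success", "Informational", "Warning", "Error")
FACILITY_NT_BIT = 0x10000000  # set by HRESULT_FROM_NT() around an NTSTATUS


def decode_ntstatus(value):
    """NTSTATUS layout: severity (2 bits), customer, reserved, facility (12), code (16)."""
    value &= 0xFFFFFFFF
    return {"hex": f"0x{value:08x}", "severity": SEVERITY[value >> 30],
            "facility": (value >> 16) & 0xFFF, "code": value & 0xFFFF,
            "name": KNOWN.get(value, "unknown")}


def decode_hresult(value):
    """HRESULT layout: failure bit, N bit (wrapped NTSTATUS), facility (11), code (16)."""
    value &= 0xFFFFFFFF  # also accepts the unsigned decimal form wusa.exe logs
    head = {"hex": f"0x{value:08x}", "failed": bool(value >> 31)}
    if value & FACILITY_NT_BIT:
        return {**head, "ntstatus": decode_ntstatus(value & ~FACILITY_NT_BIT)}
    return {**head, "facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF,
            "name": KNOWN.get(value, "unknown")}


def filetime_to_utc(ticks):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC (the 'start time' field)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def pe_timestamp_to_utc(stamp):
    """PE header 'time stamp': seconds since 1970-01-01 UTC (link time of the binary)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


if __name__ == "__main__":
    # Values copied from the event log and CBS.log excerpts in the question.
    print(decode_ntstatus(0xC0000235))                      # Exception code / P7
    print(decode_hresult(0xD0000235))                       # gle= on the SysClose line
    print(decode_hresult(2149842967))                       # wusa.exe Setup error
    print(filetime_to_utc(0x01CA4D0B8447EE30).isoformat())  # application start time
    print(pe_timestamp_to_utc(0x49EE8CDF).isoformat())      # TrustedInstaller.exe time stamp
```

The `gle=0xd0000235` value is the same 0xc0000235 status wrapped as an HRESULT, while the Setup entry's 2149842967 is 0x80240017, a Windows Update facility code unrelated to the NtClose failure.
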
  • Uh, dunno? I don't know what "the RTM build" is.
    Thursday, October 15, 2009 2:36 PM
  • You indicated you're running the RC (build 7100).  Do you have access to the release-to-manufacturing build, build 7600?
    Friday, October 16, 2009 2:33 AM
  • I suggest you disable all startup items and third party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:
     
    1. Click the Start Button, type "msconfig" (without quotation marks) in the Start Search box, and then press Enter.
     
    Note: If prompted, please click Continue on the User Account Control (UAC) window.
     
    2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
    3. Click the "Startup" tab, click "Disable All" and click "OK".
     
    Then, restart the computer. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and click OK.
     
    Please test this issue in the Clean Boot environment. If the issue disappears in the Clean Boot environment, we can use a 50/50 approach to quickly narrow down which entry is causing the issue.

    Arthur Xie - MSFT
    Friday, October 16, 2009 4:19 AM
    Moderator
  • No.Compromise,
    I don't think so, no. Unless it is available online somewhere.

    Arthur Xie,
    This did nothing.
    • Edited by Domochevsky Saturday, October 17, 2009 6:18 PM Doublepost
    Saturday, October 17, 2009 5:19 PM
  • If you have a MSDN or TechNet subscription, you may have access to the RTM build.

    It may also be related to a software conflict, as Arthur suggested.  How far back do the messages in the event logs go?  Can you tie the start of the messages with some other event, in Reliability History or elsewhere?

    Have you tried running SFC in safe mode?  Any difference?
    Saturday, October 17, 2009 8:06 PM
  • Y'know, i had this weird hope that all the numbers in the event logs i posted would mean something to someone.
    Instead here we are, poking randomly at stuff. :/

    Ok, so...

    No MSDN/TechNet subscription.

    I think i've narrowed this down. There's some function of ZoneAlarm Security Suite that acts overzealous (most likely the OSfirewall), stopping some internal functions. I'll have to further investigate.


    Edit: I think i figured it out.

    "Enable Timing Attack Prevention" under Program Control (Custom) appears to be the culprit. Turning it off seems to have resolved the issues. I'll keep an eye on it, though.
    • Edited by Domochevsky Saturday, October 17, 2009 8:51 PM Added the solution
    • Marked as answer by Domochevsky Sunday, October 18, 2009 3:59 PM
    Saturday, October 17, 2009 8:42 PM
  • It's good to hear you seem to have identified some item that may be involved in the reported behavior!

    What numbers are you referring to?  Crash addresses, offsets, and exception codes?  Barely enough to loosely discern what is happening, especially in this case (I'd never come across "STATUS_HANDLE_NOT_CLOSABLE" before.)  When you've got security software that injects itself into all kinds of processes on the machine, you're at the mercy of the software you've installed.  So it can be difficult to say explicitly that "oh! something is corrupting memory and causing a crash that some code in wcp.dll ultimately triggers" or some such, based off of the details.  Sorry, that's just how it is sometimes.

    I wouldn't call the suggestions "random" - they are at least targeted towards something specific to your system, given the information provided and the fact that few others (in these parts, at least) have encountered / reported similar behavior.  So it has to be something specific to your system, and a good place to check is the software installed, and what the effect of removing it from the picture may be. 
    Sunday, October 18, 2009 3:56 PM
  • I guess so. In any case, it triggered me to dig even deeper than i usually would have, so that's that. :)

    So far no further log entries of that kind have turned up, so i'd say that one's solved.
    Sunday, October 18, 2009 3:59 PM