none
SideBySide Error EventID 33 on conhost.exe

    Question

  • Hi,

    On windows server 2008.  After an automatic windows update I recieved a warning of..

    ------------------------------------------------------------------------------------------------------------

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     3 user registry handles leaked from \Registry\User\S-1-5-21-2513515177-2666375023-899155717-1001:
    Process 1400 (\Device\HarddiskVolume1\Windows\System32\conhost.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Control Panel\International
    Process 1512 (\Device\HarddiskVolume1\Program Files (x86)\copSSH\Bin\sshd.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Control Panel\International
    Process 1512 (\Device\HarddiskVolume1\Program Files (x86)\copSSH\Bin\sshd.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Software\Microsoft\Windows NT\CurrentVersion

    ------------------------------------------------------------------------------------------------------------

    followed by and Error on w2wp.exe

     

    ------------------------------------------------------------------------------------------------------------

    Faulting application name: w3wp.exe, version: 7.5.7600.16385, time stamp: 0x4a5bcd2b
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x6bcc6a34
    Faulting process id: 0xfe0
    Faulting application start time: 0x01cc406b72d1ff66
    Faulting application path: C:\Windows\SysWOW64\inetsrv\w3wp.exe
    Faulting module path: unknown
    Report Id: c2325e23-ad15-11e0-bb3e-003048b94307

    ------------------------------------------------------------------------------------------------------------

     

    The Erro I have noticed from time to time and everything work fine and and the error doesn;t occur again.  So I don;t worry to much about this.

    However after this update on the 13/7/2011 I have started to get a side by side error on conhost.exe.

    ------------------------------------------------------------------------------------------------------------

    Activation context generation failed for "C:\Windows\system32\conhost.exe". Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16816" could not be found. Please use sxstrace.exe for detailed diagnosis.

    ------------------------------------------------------------------------------------------------------------

     

    The happens repeatedly, but the server is still running OK.  I've read a quite a few forum posts now and I see the issue it down to the sxs keys not being i place on the winsxs directory.  But how do I replace this entry and get rid of the error?

     

    Thanks,

    Dave.

     

    Thursday, July 14, 2011 7:38 AM

Answers

All replies

  • Hi Dave

    I have the exact same problem - Windows Updates have been installed on the 13/07/2011 and now they are all whining about this message.  I have rebooted the entire environment and they still all report the same message.

    SXSTRACE makes a log file that is incomprehensible so would love to know how to fix it otherwise I am off to Microsoft Business Support!

    Cheers

    Rowan

    Thursday, July 14, 2011 9:10 AM
  • Hi Dave,

    the issue could be related to update KB2507938.

    If you have a look at the updated files log at http://support.microsoft.com/kb/2507938, the conhost.exe file could be traced, with the same file version (6.0.7600.16816) and modify date (14th of May). If you have a look in C:\Windows\System32\conhost.exe, it has the same properties (modify date 14-05-2011).

    The update KB2507938 can be uninstalled through Add/Remove Programs.

    Cheers

    Gerrit

    • Proposed as answer by Ivo Meier Thursday, July 14, 2011 1:08 PM
    Thursday, July 14, 2011 12:40 PM
  • the information from Gerrit will help

    Ivo

    Thursday, July 14, 2011 1:09 PM
  • Kind Sirs: I'm just another dumb end user trying to make it through another day of a woefully unremarkable life without bothering anyone or being bothered. If only you people would simply let me wallow in the obscurity I so deeply crave! I, too, recently applied Windows Updates and have apparently installed KB2507938. Thus, I read with amazement the reply suggesting that I actually go through the extremely lengthy knowledge-base article for that KB and check file dates! Or perhaps UNINSTALL this particular update ?!? That's almost as bad as the suggestion on the original system event error message that I "run sxstrace.exe for a more detailed diagnosis" !!! You Microsofties have got to be KIDDING, right? Here's what y'all need to do, the way I sees it: 1) FIX THIS NONSENSE of sending out patches that break things instead of fixing 'em. Sit down with them updates people, and tell 'em this kind of knuckleheadedness has simply got to STOP. 2) ELIMINATE the need to EVER have to run HIDEOUS MONSTROSITIES like sxstrace.exe that write output files that only DEEPLY HEXADECIMAL-CENTRIC INDIVIDUALS like that SysInternals fellow and budding spy book author can possibly understand. Y'all seriously need to learn to write friendly error messages for the rest of us. And, finally: 3) Issue another patch the re-patches the previous patch and makes this all go away ASAP. No one should EVER need to uninstall an update. There's only one direction to keep pressing on in, and that's FORWARD, EVER FORWARD! Thank you for your prompt attention to this matter.
    Thursday, July 14, 2011 1:58 PM
  • I have the same prob. I am uninstalling  KB2507938 and will let youy know ...
    Thursday, July 14, 2011 1:58 PM
  • Uninstalling  KB2507938 eliminated the problem (event log below) - I will report to Microsoft.

    Log Name: Application

     

    Source: SideBySide

     

    Date: 7/14/2011 9:12:06 AM

     

    Event ID: 33

     

    Task Category: None

     

    Level: Error

     

    Keywords: Classic

     

    User: N/A

     

    Computer: DWASS.dwa.local

     

    Description:

     

    Activation context generation failed for "C:\Windows\system32\conhost.exe". Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16816" could not be found. Please use sxstrace.exe for detailed diagnosis.

    Thursday, July 14, 2011 2:14 PM
  • I have the same problem, but can't get rid of it.

     

    Thursday, July 14, 2011 6:46 PM
  • Also have the same problem, performed sxstrace...
    (not sure what it means)

    =================
    Begin Activation Context Generation.
    Input Parameter:
     Flags = 0
     ProcessorArchitecture = AMD64
     CultureFallBacks = en-US;en
     ManifestPath = C:\Windows\system32\conhost.exe
     AssemblyDirectory = C:\Windows\system32\
     Application Config File =
    -----------------
    INFO: Parsing Manifest File C:\Windows\system32\conhost.exe.
     INFO: Manifest Definition Identity is Microsoft.Windows.ConsoleHost.SystemDefault,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="5.1.0.0".
     INFO: Reference: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"
    INFO: Resolving reference Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823".
     INFO: Resolving reference for ProcessorArchitecture amd64.
      INFO: Resolving reference for culture Neutral.
       INFO: Applying Binding Policy.
        INFO: No binding policy redirect found.
       INFO: Begin assembly probing.
        INFO: Did not find the assembly in WinSxS.
        INFO: Attempt to probe manifest at C:\Windows\assembly\GAC_64\Microsoft.Windows.SystemCompatible\6.0.7600.16823__6595b64144ccf1df\Microsoft.Windows.SystemCompatible.DLL.
        INFO: Attempt to probe manifest at C:\Windows\system32\Microsoft.Windows.SystemCompatible.DLL.
        INFO: Attempt to probe manifest at C:\Windows\system32\Microsoft.Windows.SystemCompatible.MANIFEST.
        INFO: Attempt to probe manifest at C:\Windows\system32\Microsoft.Windows.SystemCompatible\Microsoft.Windows.SystemCompatible.DLL.
        INFO: Attempt to probe manifest at C:\Windows\system32\Microsoft.Windows.SystemCompatible\Microsoft.Windows.SystemCompatible.MANIFEST.
        INFO: Did not find manifest for culture Neutral.
       INFO: End assembly probing.
     ERROR: Cannot resolve reference Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823".
    ERROR: Activation Context generation failed.
    End Activation Context Generation.

    Thursday, July 14, 2011 8:12 PM
  • I uninstalled the update and the message still appears. So that apparently didn't solve anything.

     

    Thursday, July 14, 2011 8:27 PM
  •   Well, I unstalled all of my July updates. I uninstalled vcredist_x64 which I put in place as a hopeful fix, as well as the C++ Library updates that someone had suggested. Those did not help fix anything.

    So after removing all of the updates and fixes I powered down my server. Powered up, and no more errors!

    As I test I put back KB2507938, and the errors started up again. I removed the KB one last time and rebooted.

    All is well now, I don't know why the first time I removed KB2507938 it did not fix anything, but the second time was the charm.

    FYI, I do no have SP1 on my Windows 2008 R2 Enterprise server. I wonder if that was the issue, if I had applied SP1 maybe KB2507938 would work.

     

    Thursday, July 14, 2011 8:43 PM
  • My environment is Windows 2008 R2 Enterprise, but I do not have Sp1 applied.

    The server is running C++ 2005.

    My fix was to remove all updates I applied yesterday for my July updates. Shut the server down, boot up and apply KB 2507938. The errors occured immediately, then I removed the KB and rebooted.

    Apply all other security updates, reboot.

    No more errors.

    So I am wondering if I had applied SP1 if this would have occured??

    Thursday, July 14, 2011 9:09 PM
  • So basically, I just have to uninstall ALL of my July updates, restart my laptop, shut it down, then boot it back up, and that would theoretically get rid of the errors? 
    Thursday, July 14, 2011 9:33 PM
  • The same problem. Error appears when I launch CMD.
    Friday, July 15, 2011 10:01 AM
  • Removing KB2507938 worked for me. 
    Friday, July 15, 2011 11:27 AM
  • I had the same thing happen to me.  I had to uninstall all of the 7/13/11 updates - and I rebooted when prompted after each install.  The problem didn't go away until all of them were gone.  Today, the problem re-appeared when I installed KB2507938, and went away when i uninstalled it.

    I'm running Windows 2008 R@ - but without SP1

    Friday, July 15, 2011 1:45 PM
  • Did anybody open an issue with Microsoft about this issue?

    Friday, July 15, 2011 3:06 PM
  • I just submitted an incident because the option to uninstall the update manually not always works and is not workable since I deployed it to over 100 servers in our test environment so I need a centralized solution.

    This update replaces C:\Windows\System32\conhost.exe with version 6.1.7600.16385 (14/07/2009) by 6.1.7600.16823 (2/06/2011) which causes the problems on Server 2008 R2.

    Friday, July 15, 2011 3:47 PM
  • This is also happening on my Windows 7 machine, not just limited to Windows Server 2008.  It's filling up my event log, making it a pain in the backside to debug other application behaviour.
    Friday, July 15, 2011 4:14 PM
  • Thanks Johan! Will you let us know when Microsoft comes back with as a solution.  We also would prefer a centralized solution, because like you, we have deployed the security patches to mostly all of our test servers and some production servers as well. 

    Friday, July 15, 2011 7:23 PM
  • I had the same issue with 2008 R2. I installed SP1 and the errors stopped.
    Friday, July 15, 2011 7:50 PM
  • If you are not on SP1 you could try updating Conhost.exe with hotfix 977648.

    977648 An application that calls the ReadConsoleOutputCharacter function closes unexpectedly or data becomes corrupted when the application runs in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;977648

    You will need to reapply 2507938 after installing 977648, because 977648 has an earlier version of conhost.exe.

    Friday, July 15, 2011 8:31 PM
  • I had the same issue on a SBS 2011 server and the hotfix above has fixed it.

    Thanks


    Friday, July 15, 2011 9:48 PM
  • If you are not on SP1 you could try updating Conhost.exe with hotfix 977648.

    977648 An application that calls the ReadConsoleOutputCharacter function closes unexpectedly or data becomes corrupted when the application runs in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;977648

     

    KB977648 solves the issue, thanks Craig!

    Still haven't received an answer on my Premier incident but not necessary anymore now.

    Upgrading to SP1 would probably solve it too but that's a completely different impact risk.
    Afaik this is only on Server 2008 R2 (no SP) when Visual C++ 2008 Redist is installed.

    Saturday, July 16, 2011 6:36 PM
  • Solved with KB977648. Thanks!
    Saturday, July 16, 2011 10:29 PM
  • In my case KB2533623 http://support.microsoft.com/kb/2533623/en-us was the source of problem and errors with conhost.exe and event ID 33.
    This fix changed file conhost.exe to problematical version of file.

    Wojciech Szostak
    Monday, July 18, 2011 9:25 AM
  • I contacted Premier Support and received this fix and it worked on my test system.  When I questioned whether or not they would be providing a hotfix, they didn't seem to be too willing to do it.  I'm still working on that one as I believe that since they broke it then they should fix it.

     

    Here are the steps for installing the QFE build of the hotfix  2507938:

    1.         1.        Download the MS11-056 (KB2507938) and save the file (.msu package)

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26759

     

    Now we need to install the LDR version of this hotfix.

     2.       Open an administrative cmd prompt

     

    3.       Create 3 folders separately for:

    a)      a folder for the downloaded MSU

    b)      a folder for expanded MSU

    c)       a folder for the expanded CAB file

    4.       Type the following commands:

    5.       C:\> Expand -f:* <full path of .msu file> <expanded MSU folder>

    This would create 4-5 new files in the folder specified.

    6.       C:\>Expand -f:* <full path of extracted kb article # .cab file> <expanded CAB folder>

    7.       C:\>pkgmgr /ip /m:<expanded CAB folder>\update-bf.mum

    After successful installation, you will get a message asking to restart the machine. 
    • Proposed as answer by jls-ess Monday, July 18, 2011 11:59 AM
    Monday, July 18, 2011 11:57 AM
  • Installing KB977648 worked for me. Thanks.
    Patrick Hoban
    http://patrickhoban.wordpress.com
    Tuesday, July 19, 2011 4:23 AM
  • jls-ess solution works for me 

     

    thx

    Tuesday, July 19, 2011 5:53 AM
  • This is a known issue and is documented in http://support.microsoft.com/kb/2507938.  You can safely ignore this, however, if needed you can work around this by applying one of the two below, although there are caveats –

    1.      Apply KB977648, but please note that this would put the system on the QFE branch for this component, which means the system would be on the Hotfix branch and not the General Release branch.

    2.      Apply Service Pack 1, clearly deploying an SP has bigger implications.

    Tuesday, July 19, 2011 4:24 PM
  • just great.  between crappy Exchange patches and windows patches, Microsoft has been killing me the last few months...

    Tuesday, July 19, 2011 9:02 PM
  • Solved with KB977648. 

       Thanks.

    Saturday, July 23, 2011 8:51 PM
  • Security update packages contain both a LDR (QFE) and GDR version of the update.
    You need to install the LDR (QFE) version of a security update package on Windows Vista.

    In order to install an update on Windows Vista or Windows Server 2008 (Longhorn) in the QFE-Branch (similar to the /B: switch in Windows XP/Windows 2003) you need to perform the following steps:

    Method 1
    -------------
    Prior to installing the desired QFE fix install any previous QFE only version of the same component (a hotfix containing the same binaries)

    Explanation: If you have an earlier
    LDR (QFE) Version of the same component installed, upon installing the security bulletin, the installer automatically installs the LDR (QFE) version which is also included in every security update.

    Method2
    --------------
    On a Windows Vista or Windows Server 2008 based system:
    1. Click Start , type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator

    If you are prompted for an administrator password or for confirmation, type your password, or click Continue.
    2. At the command prompt, create a msu_expand_folder and a cab_expand_folder and then type the following commands

    a) C:\> Expand -f:* "<path of the .msu file> <msu_expand_folder>
    b) C:\> Expand -f:* <path of the KB#.cab file> <cab_expand_folder>
    c) C:\> pkgmgr /ip /m:cab_expand_folder\
    update-bf
    .mum

    Note: only the Expand.exe command from Vista (or Longhorn) can extract MSU files

    Friday, July 29, 2011 7:38 PM
  • Hi,

    On windows server 2008.  After an automatic windows update I recieved a warning of..

    ------------------------------------------------------------------------------------------------------------

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     3 user registry handles leaked from \Registry\User\S-1-5-21-2513515177-2666375023-899155717-1001:
    Process 1400 (\Device\HarddiskVolume1\Windows\System32\conhost.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Control Panel\International
    Process 1512 (\Device\HarddiskVolume1\Program Files (x86)\copSSH\Bin\sshd.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Control Panel\International
    Process 1512 (\Device\HarddiskVolume1\Program Files (x86)\copSSH\Bin\sshd.exe) has opened key \REGISTRY\USER\S-1-5-21-2513515177-2666375023-899155717-1001\Software\Microsoft\Windows NT\CurrentVersion

    ------------------------------------------------------------------------------------------------------------

    followed by and Error on w2wp.exe

     

    ------------------------------------------------------------------------------------------------------------

    Faulting application name: w3wp.exe, version: 7.5.7600.16385, time stamp: 0x4a5bcd2b
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x6bcc6a34
    Faulting process id: 0xfe0
    Faulting application start time: 0x01cc406b72d1ff66
    Faulting application path: C:\Windows\SysWOW64\inetsrv\w3wp.exe
    Faulting module path: unknown
    Report Id: c2325e23-ad15-11e0-bb3e-003048b94307

    ------------------------------------------------------------------------------------------------------------

     

    The Erro I have noticed from time to time and everything work fine and and the error doesn;t occur again.  So I don;t worry to much about this.

    However after this update on the 13/7/2011 I have started to get a side by side error on conhost.exe.

    ------------------------------------------------------------------------------------------------------------

    Activation context generation failed for "C:\Windows\system32\conhost.exe". Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16816" could not be found. Please use sxstrace.exe for detailed diagnosis.

    ------------------------------------------------------------------------------------------------------------

     

    The happens repeatedly, but the server is still running OK.  I've read a quite a few forum posts now and I see the issue it down to the sxs keys not being i place on the winsxs directory.  But how do I replace this entry and get rid of the error?

     

    Thanks,

    Dave.

     


    Friday, July 29, 2011 11:42 PM
  • Well, I removed the offending update but the errors did not go away. I uninstalled all of my updates, rebooted, then applied all updates but the offending patch. That seemed to do it.

    The fix though is apply SP1 for Windows 2008 R2 and be done with it.

    Monday, August 1, 2011 9:27 PM
  • Yes, I removed it as well, but for some reason did not clear the errrors, it's like it left something and did not delete everything all the way, so after uninstalling all July updates, and then applying without 7938 worked. Apply SP1 and you don't have to mess with any of this.
    Monday, August 1, 2011 9:29 PM
  • I did.

    Here is the response.

    This is a known issue and is documented in http://support.microsoft.com/kb/2507938.  You can safely ignore this, however, if needed you can work around this by applying one of the two below, although there are caveats –

    1.     Apply KB977648, but please note that this would put the system on the QFE branch for this component, which means the system would be on the Hotfix branch and not the General Release branch.

    2.     Apply Service Pack 1, clearly deploying an SP has bigger implications.

    Otherwise, we are working on a fix for the General Release branch, but there is currently no ETA.

    Monday, August 1, 2011 9:33 PM
  • Are you being sarcastic?  If your experience is like mine, the only problem here is event log spam.  Will poor dumb end users ever look at the event log?  What's the harm in an error message that only shows up when poor dumb end users look for them?  If, however, you are a server admin, knowledge of hex is expected.  Tracing and debugging is part of the job.  Sure, perfection would be great, but I'm not willing to pay $1,000,000 per license or willing to wait 10 years per release so every hardware and software combination can be tested completely to avoid this attrocious event log spamming.

     

     

    Saturday, August 6, 2011 10:43 PM
  • Note that MS11-063 (2567680) released today replaces MS11-056 (2507938)

    Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
    http://www.microsoft.com/technet/security/Bulletin/MS11-063.mspx

    MS11-063: Vulnerability in Windows Client/Server Run-time subsystem could allow elevation of privilege: August 9, 2011
    http://support.microsoft.com/kb/2567680

     

     

    Tuesday, August 9, 2011 7:10 PM
  • In this moment I am installing the latest updates for a 2008 R2 machine with this conhost sidebyside 33 error in the log. I assume that 2567680 is in the list. Reboot is running right now. And I have not applied any of the other suggested solutions yet. To be continued ...
    Thursday, August 11, 2011 11:30 AM
  • Yes, this seems to be a working solution. Last incidence of sidebyside 33 is at 1:29. At 1:33 the system says: 13 sec uptime. Up to now - 1:40 - no more sidebyside 33. And 2567680 was in the list.
    Thursday, August 11, 2011 11:43 AM
  • as expected -  all fine
    Thursday, August 11, 2011 1:11 PM