Overview
We had this issue on some virtual servers migrated from a «cloud» provider back to our internal data center. The root cause was permissions to the %SystemRoot%\System32\catroot2 folder. There were a number of differences between the permissions on that folder on a healthy server vs those on the migrated server. I believe the key one was that TrustedInstaller didn’t have full access.
Additional Symptoms
Looking at the Application log in the event viewer, we saw a number of errors:
Source: CAPI2
EventId: 257
Text: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.
Source: ESENT
EventId: 490
Text: Catalog Database (416) Catalog Database: An attempt to open the file "C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 5 (0x00000005): "Access is denied. ". The open file operation will fail with error -1032 (0xfffffbf8).
The clue is in the ESENT error’s text, i.e. a permissions issue accessing a file under the catroot2 folder.
Resolution
Give the Trusted Installer account full control to the catroot2 folder and its children.
In case that’s not enough, for comparison, running icacls %systemroot%\system32\catroot2 on a healthy server gives this:
C:\Windows\system32\catroot2 NT SERVICE\CryptSvc:(F)
NT SERVICE\CryptSvc:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
NB: To add Trusted Installer, you’ll need to search on the local computer accounts for nt service\trustedinstaller.
After replacing permissions on catroot2, ensure you click the replace permissions on child objects & containers checkbox to ensure that child items have their permissions resolved also.
No reboot is required for the fix itself (though obviously, once updates start working again, you’ll likely need to reboot for those).
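A command-line version of the check and fix described above, as an added example that is not part of the original post. It assumes an elevated PowerShell session; the backup file location is a hypothetical choice, and granting with `/T` is an assumed stand-in for the GUI's child-object checkbox.

```powershell
# Added example: audit and repair TrustedInstaller access on catroot2.
$path      = Join-Path $env:SystemRoot 'System32\catroot2'
$principal = 'NT SERVICE\TrustedInstaller'
$backup    = Join-Path $env:TEMP 'catroot2-acl-backup.txt'   # hypothetical backup location

# 1. Confirm the symptom: events 257 / 490 in the Application log that
#    mention the catalog database or the catroot2 folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 257, 490 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Catalog Database|catroot2' } |
    Select-Object -First 10 TimeCreated, ProviderName, Id |
    Format-Table -AutoSize

# 2. Check whether TrustedInstaller holds an Allow / FullControl entry on the folder.
$acl     = Get-Acl -Path $path
$hasFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.AccessControlType       -eq 'Allow'    -and
    $_.FileSystemRights        -eq 'FullControl'
}

if ($hasFull) {
    Write-Output "$principal already has FullControl on $path"
} else {
    # 3. Save the current ACLs first so the change can be rolled back with icacls /restore.
    icacls $path /save $backup /T /C | Out-Null

    # 4. Grant full control, inheritable by subfolders (CI) and files (OI),
    #    and apply it to the existing children as well (/T). /C continues past errors.
    icacls $path /grant "${principal}:(OI)(CI)F" /T /C

    # 5. Print the resulting ACL for comparison with the healthy-server listing.
    icacls $path
}
```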
Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard
Symptoms
Consider the following scenario:
- You have a Windows Server Update Services (WSUS) server that is running Windows Server 2012.
- There is a required authenticated proxy running in the environment.
- You enable the Use user credentials to connect to the proxy server setting together with the username, domain, and password provided in the WSUS console.
In this scenario, the WSUS synchronization performs successfully. However, the WSUS server cannot connect to Windows Update to download the required updates.
Note This issue also affects the deployment of Microsoft System Center Configuration Manager and Forefront Client Services.
Cause
This issue occurs because the system clears the stored network credentials when you enable the Use user credentials to connect to the proxy server setting. Therefore, you cannot connect to Windows Update.
Resolution
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a «Hotfix Download Available» section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Prerequisites
To apply this hotfix, you must be running Windows Server 2012.
Registry information
To apply this hotfix, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2012 file information notes
Important Windows 8 hotfixes and Windows Server 2012 hotfixes are included in the same packages. However, only «Windows 8» is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under «Windows 8» on the page. Always refer to the «Applies To» section in articles to determine the actual operating system that each hotfix applies to.
- The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version | Product | Milestone | Service branch |
---|---|---|---|
6.2.9200.16xxx | Windows Server 2012 | RTM | GDR |
6.2.9200.20xxx | Windows Server 2012 | RTM | LDR |
- GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
- The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the «Additional file information for Windows Server 2012» section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2012
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Eventcategories.dll | 6.2.9200.16384 | 8,704 | 26-Jul-2012 | 03:07 | x64 |
Iiscustomaction.exe | 6.2.9200.16579 | 102,912 | 12-Apr-2013 | 00:44 | x64 |
Microsoft.updateservices.catalogsyncagent.dll | 6.2.9200.16582 | 56,832 | 12-Apr-2013 | 00:44 | x64 |
Microsoft.updateservices.contentsyncagent.dll | 6.2.9200.16582 | 46,080 | 12-Apr-2013 | 00:44 | x64 |
Microsoft.updateservices.reporting.rollup.dll | 6.2.9200.16582 | 93,696 | 12-Apr-2013 | 00:44 | x64 |
Microsoft.windows.bits.dll | 6.6.4000.16582 | 131,072 | 12-Apr-2013 | 00:44 | x64 |
Wsuscertserver.exe | 6.2.9200.16384 | 64,512 | 26-Jul-2012 | 03:08 | x64 |
Wsusservice.exe | 6.2.9200.16582 | 17,920 | 12-Apr-2013 | 00:44 | x64 |
Eventcategories.dll | 6.2.9200.16384 | 8,704 | 26-Jul-2012 | 03:07 | x64 |
Iiscustomaction.exe | 6.2.9200.20682 | 102,912 | 12-Apr-2013 | 00:41 | x64 |
Microsoft.updateservices.catalogsyncagent.dll | 6.2.9200.20686 | 56,832 | 12-Apr-2013 | 00:41 | x64 |
Microsoft.updateservices.contentsyncagent.dll | 6.2.9200.20686 | 46,080 | 12-Apr-2013 | 00:41 | x64 |
Microsoft.updateservices.reporting.rollup.dll | 6.2.9200.20686 | 93,696 | 12-Apr-2013 | 00:41 | x64 |
Microsoft.windows.bits.dll | 6.6.4000.20686 | 131,072 | 12-Apr-2013 | 00:41 | x64 |
Wsuscertserver.exe | 6.2.9200.16384 | 64,512 | 26-Jul-2012 | 03:08 | x64 |
Wsusservice.exe | 6.2.9200.20686 | 17,920 | 12-Apr-2013 | 00:41 | x64 |
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the «Applies to» section.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
More Information
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional file information for Windows Server 2012
Additional files for all supported x64-based versions of Windows Server 2012
File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
---|---|---|---|---|---|
Amd64_7ab8b927a14dcc5eda478e71367856cd_31bf3856ad364e35_6.2.9200.16582_none_3e2886e1b40e95fb.manifest | Not applicable | 697 | 12-Apr-2013 | 16:49 | Not applicable |
Amd64_b93defe8cfebc11f8551c211aff6fa25_31bf3856ad364e35_6.2.9200.20686_none_7c231fff6ef907ce.manifest | Not applicable | 697 | 12-Apr-2013 | 16:49 | Not applicable |
Amd64_updateservices-services_31bf3856ad364e35_6.2.9200.16582_none_d78cc926490d935c.manifest | Not applicable | 56,377 | 12-Apr-2013 | 16:49 | Not applicable |
Amd64_updateservices-services_31bf3856ad364e35_6.2.9200.20686_none_d81a671962279882.manifest | Not applicable | 56,377 | 12-Apr-2013 | 16:49 | Not applicable |
Table of Contents
- Issue
- Reason
- Resolution
- Troubleshooting
Issue
Windows updates failed to install with error code: 800F0831 in Windows Server 2012 R2
Reason
This error occurs when a previous update is missing on the server. To find the missing patch, check the CBS logs on the affected server; you will find entries similar to the ones below.
2017-05-10 10:09:45, Error CBS Failed to resolve package 'Package_514_for_KB3205401~31bf3856ad364e35~amd64~~6.3.1.4' [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
2017-05-10 10:09:45, Info CBS Mark store corruption flag because of package: Package_514_for_KB3205401~31bf3856ad364e35~amd64~~6.3.1.4. [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
In this case, KB3205401 was missing on the server. Identify the missing package on your server in the same way and install it to resolve the issue.
Resolution
- Install the missing patch and reboot the server.
- After the reboot, run patching again; this resolves the issue completely.
Troubleshooting
If the missing patch does not install and is reported as not applicable, remove the update via DISM first. Note the KB named in the CBS log after «Store corruption, manifest missing for package:»; in this case KB3205401. This KB is not installed, nor is it visible in Control Panel or PowerShell (get-hotfix | select hotfixid); however, the manifest file is present in the folder C:\Windows\servicing\Packages.
Download the KB3205401 MSU file from the Microsoft Update catalog and extract the CAB file to a temp directory.
expand C:\temp\updates\windows8.1-kb3205401.msu /f:* C:\temp\updates\kb3205401
Then remove the package using DISM; this will in effect remove the manifest file from C:\Windows\servicing\Packages
dism /online /remove-package:C:\Temp\Updates\kb3205401\Windows8.1-KB3205401-x64.cab
Finally, after removing the corrupted manifest files/updates, the intended update will install successfully via DISM/SCCM and the CBS log will not have any corruption errors.
Dism /online /add-package /packagepath:C:\Temp\Updates\kb123456\Windows8.1-KB123456-x64.cab
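The log triage described under Reason and Troubleshooting can be scripted; the following is an added example, not part of the original article. It assumes the default CBS log location (%SystemRoot%\Logs\CBS\CBS.log), the function name `Get-CbsCorruptKb` is hypothetical, and it falls back to the two log lines quoted above when no log is readable.

```powershell
# Added example: list the KBs that CBS.log ties to 0x800f0831 and check their state.
$cbsLog   = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'        # assumed default location
$packages = Join-Path $env:SystemRoot 'servicing\Packages'

function Get-CbsCorruptKb {
    param([string[]]$Line)
    # Matches e.g. "...Package_514_for_KB3205401~31bf... [HRESULT = 0x800f0831 ..."
    $rx = '(?i)_for_(KB\d+)~.*HRESULT = 0x800f0831'
    $Line |
        ForEach-Object { if ($_ -match $rx) { $Matches[1].ToUpper() } } |
        Sort-Object -Unique
}

# The two log lines quoted in this article, used only when CBS.log is not present.
$sample = @(
    "2017-05-10 10:09:45, Error CBS Failed to resolve package 'Package_514_for_KB3205401~31bf3856ad364e35~amd64~~6.3.1.4' [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]",
    "2017-05-10 10:09:45, Info CBS Mark store corruption flag because of package: Package_514_for_KB3205401~31bf3856ad364e35~amd64~~6.3.1.4. [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]"
)
$lines = if (Test-Path $cbsLog) { Get-Content $cbsLog } else { $sample }

# KBs that Windows reports as installed.
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })

foreach ($kb in Get-CbsCorruptKb -Line $lines) {
    [pscustomobject]@{
        KB               = $kb
        # False here plus a non-zero manifest count is the case the
        # Troubleshooting section describes: not installed, manifest still on disk.
        ReportedByHotFix = $installed -contains $kb
        ManifestsOnDisk  = @(Get-ChildItem -Path $packages -Filter "*$kb*" `
                                 -ErrorAction SilentlyContinue).Count
    }
}
```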
This tutorial contains several methods to fix Windows Update problems in Windows 7/8/8.1 & Server 2008/2012. In many cases, even on fresh Windows installations, Windows Update does not work as expected: it gets stuck when checking for updates, or it displays several errors whenever you try to search for the available updates.
In such cases your system may become slow or unresponsive, because the Windows Update service (svchost.exe) causes high CPU usage. The Windows Update service is an essential feature in all Windows versions, because it is needed to provide all the available important and optional updates needed for the proper Windows operation and security.
The Windows Update problems often occur on Windows 7 or Vista based computers and in most cases, the errors are caused without any obvious reason and without a permanent solution to fix them from Microsoft. For all these reasons, I decided to write this troubleshooting guide, with the most efficient methods to resolve Windows Update problems on Windows 8.1, 8, 7 & Server 2008 or Server 2012.
Problems-Symptoms that are solved with this guide:
Windows Update is checking for updates forever.
Windows Update stuck/freezes.
Windows Update cannot find new updates.
Windows Update cannot currently check for updates because the service is not running.
Windows Update encountered an unknown error: Code 8007000E
How to Solve Windows Update Issues on Windows 7/8/8.1 & Server 2008/2012
Important:
1. Before applying the methods below to troubleshoot Windows Update problems, make sure that the Date and Time settings are correct on your system.
2. Try the following trick: Change the Windows Update settings from «Install updates automatically» to «Never check for updates (not recommended)» and restart your system. After the restart, set the update settings back to «Install updates automatically» and then check for updates. If this trick fails, set the Windows Update settings to «Check for updates but let me choose whether to download and install them» and then check for updates again.
3. If you have performed a fresh Windows 7 or Server 2008 installation, install Service Pack 1 for Windows 7 or Windows Server 2008 R2, before you continue.
4. Make sure that your computer is clean from viruses and malware. To accomplish this task you can use this Malware Scan and Removal Guide to check and remove viruses or/and malicious programs that may be running on your computer.
Method 1. Force Windows to re-create the Windows Update Store folder.
Method 2. Install the KB3102810 security Update.
Method 3. Install the latest Update Rollup.
Method 4. Run the Windows Update Troubleshooter.
Method 5. FIX Corrupted System Files and Services (SFC).
Method 6: FIX Windows corruption errors with the System Update Readiness tool (DISM).
Method 7: Update Windows by using the WSUS Offline Update tool.
Method 1. Force Windows to re-create the Windows Update Store folder
The Windows Update Store folder (commonly known as «SoftwareDistribution» folder), is the location where Windows stores the downloaded updates.
If the SoftwareDistribution folder becomes corrupted, it causes problems with Windows Update. So, one of the most efficient ways to resolve problems with Windows Update is to recreate the SoftwareDistribution folder. To do that:
1. Simultaneously press the Windows + R keys to open run command box.
2. In run command box, type: services.msc and press Enter.
3. Right click on Windows Update service and select Stop.
4. Open Windows Explorer and navigate to C:\Windows folder.
5. Select and Delete the “SoftwareDistribution” folder.*
(Click Continue at «Folder Access Denied» window).
* Note: The next time that the Windows Update will run, a new empty SoftwareDistribution folder will be automatically created by Windows to store updates.
6. Restart your computer and then try to check for updates.
Method 2. Install the KB3102810 (KB3102812) security Update.
I have seen many times, that Windows Update is checking for updates forever (stuck) without finding updates, even in fresh Windows 8, 7 or Vista installations. Thankfully, Microsoft has released a security update to resolve the «Installing and searching for updates is slow and CPU utilization is high» issue. To apply the fix:
Step 1. Install Internet Explorer 11. *
* Note: This step is applied only to a fresh Windows 7 or Windows 2008 installation. If Internet Explorer 11 is already installed on your system, then skip this step and continue to step 2 below.
1. Download and install Internet Explorer 11 according to your OS version.
2. Restart your computer.
Step 2. Install the KB3102810 Update.
1. Download – but do not install it yet – the following security update according to your OS version, to your computer:
- Windows 7 & Server 2008: KB3102810
- Windows 8.1 & Server 2012: KB3102812
2. After the download, restart your computer.
3. After the restart, immediately install the security update, otherwise the installation hangs.
4. After the installation, restart your computer.
Step 3. Delete the SoftwareDistribution folder.
1. Follow the steps in Method-1 and delete the «SoftwareDistribution» folder.
2. Restart your computer.
3. Navigate to Windows Update and check for updates. Then let it run for at least half an hour to one hour. If you’re lucky, Windows will find all available updates.
Method 3. Install the latest Update Rollup to fix Windows Update issues.
The Windows Update Rollups can, in most cases, fix issues with Windows Update. But before installing the latest Windows update rollup, first change the way that Windows installs updates to «Never check for updates (not recommended)». To do that:
1. Simultaneously press the Windows + R keys to open run command box.
2. In run command box, type: wuapp.exe and press Enter.
3. Select Change settings on the left.
4. Set Never check for updates (not recommended).
6. Proceed and download the latest Windows Update rollup for your system, but don’t install it (yet).
July 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2
September 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
September 2016 update rollup for Windows 8.1 and Windows Server 2012 R2
7. After the download, restart your computer.
8. After restart, then proceed and install the downloaded rollup.
9. Check for updates.
Method 4. Run the Windows Update Troubleshooter.
Microsoft offered the Windows Update Troubleshooter tool, in order to fix problems with Windows Update.
1. Navigate to Control Panel > All Control Panel Items > Troubleshooting > Fix Problems with Windows Update.
2. Click Next and let Windows try to fix the update problems.
3. When the repair is completed, restart your PC and check for updates again.
Method 5. FIX Corrupted System Files and Services (SFC).
The next method to solve Windows Update problems is to run the System File Checker (SFC) tool in order to fix Windows’ corrupted files and services. To do that:
1. Open an elevated command prompt:
- Right click at Windows start button and select Command Prompt (Admin)
2. In the command window, type the following command and press Enter.
- SFC /SCANNOW
3. Wait and do not use your computer until SFC tool checks and fixes the corrupted system files or services.
4. When SFC tool finishes, reboot your computer and check for Updates.
Method 6: FIX Windows corruption errors with the System Update Readiness tool (DISM).
The System Update Readiness tool is a Microsoft tool that can fix Windows corruption errors.
Windows 7, Vista & Server 2008:
1. Download and save to your desktop the System Update Readiness tool according to your Windows version.
2. Double click to install the downloaded file (e.g. Windows6.1-KB947821-v34-x86.msu).
3. When the installation is completed, restart your computer and try to install Windows Updates.
Windows 8, 8.1 & Server 2012:
1. Right click at Windows start button and select Command Prompt (Admin).
2. At the command prompt window, type the following command & press Enter:
- Dism.exe /Online /Cleanup-Image /Restorehealth
3. Be patient until DISM repairs component store.
4. When the operation is completed, you should be informed that the component store corruption was repaired.
5. Close command prompt window and restart your computer.
6. Check for updates.
Method 7: Update Windows by using the WSUS Offline Update tool. (Windows 10, 8.1, 8 or 7)
1. Download the latest version of WSUS Offline Update utility.
2. After the download, extract the «wsusoffline.zip» file.
3. From the «wsusoffline» folder, double click at UpdateGenerator.exe application.
4. At Windows tab, select the Windows Edition, that you are using.
5. Press the Start button.
6. Be patient until the WSUS Offline Update utility downloads all the available updates.
7. When the download is completed, open the client folder (wsusoffline\client) and double click at «UpdateInstaller.exe» application.
8. Place a check at «Automatic reboot and recall» checkbox.
9. Finally press the Start button and be patient until the WSUS Offline Update installer, installs the downloaded updates to your system.