Component-Based Servicing (cbs.log) causes all drive space to be consumed

Because I’ve seen this question asked in many places and not answered, I thought I’d post my issue and resolution here.  I regard this as a Bug, but I’m not invested enough to deal with the support incident process.

I’ve had repeated instances where a Windows 7 x64 client runs out of hard drive space, and found that C:\Windows\TEMP is being consumed with hundreds of files with names following the pattern “cab_XXXX_X”, generally 100 MB each, and these files are constantly generated until the system runs out of space.  Upon removing the files & rebooting, the files start being generated again.

I’ve found that this is caused by large Component-Based Servicing logs.  These are stored at C:\Windows\Logs\CBS.  The current log file is named “cbs.log”.  When “cbs.log” reaches a certain size, a cleanup process renames the log to “CbsPersist_YYYYMMDDHHMMSS.log” and then attempts to compress it into a .cab file.

However, when cbs.log reaches 2 GB before the cleanup process compresses it, the file is too large for the makecab.exe utility to handle.  The log is still renamed to CbsPersist_date_time.log, but when makecab attempts to compress it the process fails (after first consuming some 100 MB under \Windows\Temp).  After this, the cleanup process runs repeatedly (approximately every 20 minutes in my experience).  It fails every time, and each run consumes another ~100 MB in \Windows\Temp before dying.  This repeats until the system runs out of drive space.

This can be reproduced by trying to create the cab file manually:

Directory of C:\CBS-BAK
12/11/2019  12:28 PM    <DIR>          .
12/11/2019  12:28 PM    <DIR>          ..
12/11/2019  12:12 PM     2,491,665,966 CbsPersist_20150823021618.log

C:\CBS-BAK>makecab CbsPersist_20150823021618.log
Cabinet Maker - Lossless Data Compression Tool
86.19% - CbsPersist_20150823021618.log (1 of 1)
ERROR: (FCIAddFile)Data-size or file-count exceeded CAB format limits

C:\CBS-BAK>dir %TEMP%\cab*
Volume in drive C is OSDisk
Volume Serial Number is 44DE-0CDD
Directory of C:\Users\USERNAME\AppData\Local\Temp
08/26/2015  02:31 PM       102,786,654 cab_4556_2
12/11/2019  12:28 PM        12,978,919 cab_5860_2
12/11/2019  12:27 PM                 0 cab_5860_3

To resolve this:

Stop the Windows Modules Installer (TrustedInstaller) service

Delete or move the large Cbspersist_XX.log file out of \Windows\Logs\CBS.

Start the Windows Modules Installer (TrustedInstaller) service
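The check and the three-step fix above, as an added PowerShell example (not code from the original post): it lists CbsPersist logs at or above the 2 GB makecab limit, summarises the orphaned cab_* files in \Windows\Temp, and applies the fix with -WhatIf support. The C:\CBS-BAK destination folder is an assumption borrowed from the post's own listing; run it from an elevated prompt.

```powershell
# Added example (not the post's own code): find CbsPersist logs at or above the size
# makecab cannot handle, report the orphaned cab_* temp files, and apply the post's fix
# (stop TrustedInstaller, move the log aside, start it again). Run from an elevated prompt.

$cbsDir     = 'C:\Windows\Logs\CBS'
$quarantine = 'C:\CBS-BAK'   # assumed destination folder (the post used this name)
$limitBytes = 2GB            # the threshold the post describes; makecab failed on its 2.4 GB log

function Get-OversizedCbsLog {
    param([string]$Path = $cbsDir, [long]$Limit = $limitBytes)
    Get-ChildItem -Path $Path -Filter 'CbsPersist_*.log' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $Limit }
}

function Get-OrphanedCabTemp {
    # Each failed makecab run leaves a cab_XXXX_X file behind in \Windows\Temp.
    $items = @(Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter 'cab_*' -File -ErrorAction SilentlyContinue)
    $bytes = 0; foreach ($i in $items) { $bytes += $i.Length }
    [pscustomobject]@{ Count = $items.Count; SizeMB = [math]::Round($bytes / 1MB, 1) }
}

function Repair-OversizedCbsLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $bad = @(Get-OversizedCbsLog)
    if ($bad.Count -eq 0) { Write-Host 'No oversized CbsPersist logs found.'; return }
    if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }

    # Stop the Windows Modules Installer so its cleanup task is not running while the file moves.
    if ($PSCmdlet.ShouldProcess('TrustedInstaller', 'Stop service')) {
        Stop-Service -Name TrustedInstaller -Force -ErrorAction Stop
    }
    try {
        foreach ($log in $bad) {
            # Move rather than delete, so the log can still be inspected if needed.
            if ($PSCmdlet.ShouldProcess($log.FullName, "Move to $quarantine")) {
                Move-Item -Path $log.FullName -Destination $quarantine
            }
        }
        # Remove the partial cabinets the failed runs left behind.
        if ($PSCmdlet.ShouldProcess("$env:SystemRoot\Temp\cab_*", 'Remove orphaned temp files')) {
            Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter 'cab_*' -File |
                Remove-Item -Force -ErrorAction SilentlyContinue
        }
    }
    finally {
        if ($PSCmdlet.ShouldProcess('TrustedInstaller', 'Start service')) {
            Start-Service -Name TrustedInstaller
        }
    }
}

Get-OversizedCbsLog | Select-Object Name, @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } }
Get-OrphanedCabTemp
Repair-OversizedCbsLog -WhatIf   # review the plan; drop -WhatIf to apply it
```

The service is stopped and restarted inside try/finally so that a failed move cannot leave TrustedInstaller stopped, which would block later servicing operations.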

How to Disable/Enable Internet Options Tabs in Internet Explorer

As an IT guy, I always encounter problems when untrained users tweak their Internet connection settings.  They always make a mistake somewhere and sometimes the solution is to just keep them away from the Internet Options dialog box altogether.

I have worked at many companies that hide the Internet Options tab in Internet Explorer to discourage users from changing the options, which makes sense since network admins are the only ones who are supposed to access these options.

In a controlled environment, companies usually allow only one type of browser like Internet Explorer and those companies usually don’t allow their employees to change the Internet Options like default the homepage and proxy server.

Below is a typical Internet Options window:

There are several ways to disable the Internet Options tabs in IE and I’ll explain the different methods in this post. The first method uses Group Policy, but will only work if you have the Pro or Ultimate versions of Windows. If you are running Home or Home Premium, then skip down to the registry section.

Disable Internet Options in IE via Group Policy

To disable any tab in the Internet Options window, follow these steps below:

Step 1: Click Start and type GPEDIT.MSC in the search bar and hit enter to launch the Group Policy editor window.

Step 2: In the Local Group Policy editor window expand User Configuration > Administrative Templates > Windows Components > Internet Explorer then click on Internet Control Panel.

Step 3: On the right pane of the window, double click on the item you want to disable. For example, to disable the Advanced tab, double click on Disable the Advanced page option.

Step 4: In the properties window, click on the Enabled option and click OK. The Advanced tab in the Internet Options window will now be disabled and removed.

Step 5: Follow the previous steps to disable other items in the Internet Options window. To enable items, just select the Not Configured option in the properties window and click OK.

There you have it!  For less savvy computer users who don’t know about GPEDIT, it should discourage them from changing the advanced settings in IE.

Disable IE Options via Registry Editor

The second way to disable tabs in IE options is to use the registry editor. This is a bit more complicated, but is the only option if you can’t access group policy editor.

You can open the registry editor by clicking on Start and typing in regedit. Once there, navigate to the following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft

Note that if you want to disable this option for all users on the PC, navigate to the same key, but under HKEY_LOCAL_MACHINE.

If there isn’t already a key called Internet Explorer under Microsoft, you’ll have to create it manually. Just right-click on Microsoft and choose New > Key. At this point, there are two options. If you want to disable the entire Internet Options dialog, you can create another key under Internet Explorer called Restrictions.

Lastly, you’ll create a new DWORD value in the right-pane inside Restrictions called NoBrowserOptions. Give that a value of 1 and restart Internet Explorer. If you try to go to Internet Options, it will give you an error message.

If you don’t want to disable the whole dialog, but instead just a few of the tabs, then you should create a new key called Control Panel under Microsoft instead of Restrictions. Inside of that, you’ll create DWORD entries that correspond to the tabs:

  • AdvancedTab
  • ConnectionsTab
  • ContentTab
  • GeneralTab
  • PrivacyTab
  • ProgramsTab
  • SecurityTab

As you can see above, I created the Control Panel key under Internet Explorer and then created a DWORD entry in the right-pane called AdvancedTab with a decimal value of 1. This removed just the advanced tab from the IE options window.
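The registry method above, as an added PowerShell example (not code from the original post) for applying and auditing the same policy values: the Control Panel\*Tab values and the Restrictions\NoBrowserOptions value under Software\Policies\Microsoft\Internet Explorer, in either the HKCU or HKLM hive. The function names are my own; the value names come from the post.

```powershell
# Added example (not from the original post): apply or audit the Internet Options
# restrictions described above through the registry. -Scope Machine writes under HKLM
# (all users) instead of HKCU (current user) and needs an elevated prompt.

$TabValues = 'AdvancedTab', 'ConnectionsTab', 'ContentTab', 'GeneralTab',
             'PrivacyTab', 'ProgramsTab', 'SecurityTab'   # value names from the post

function Get-IEPolicyRoot {
    param([ValidateSet('User', 'Machine')][string]$Scope = 'User')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    "$hive\Software\Policies\Microsoft\Internet Explorer"
}

function Set-IEOptionsTab {
    # Hide the named tabs (Disabled = $true) or show them again (Disabled = $false).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$Tab,
        [bool]$Disabled = $true,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $key = Join-Path (Get-IEPolicyRoot $Scope) 'Control Panel'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($t in $Tab) {
        if ($t -notin $TabValues) { throw "Unknown tab value name: $t" }
        if ($PSCmdlet.ShouldProcess("$key\$t", "Set to $([int]$Disabled)")) {
            # 1 removes the tab from the dialog; 0 (or deleting the value) restores it.
            New-ItemProperty -Path $key -Name $t -PropertyType DWord -Value ([int]$Disabled) -Force | Out-Null
        }
    }
}

function Set-IEOptionsDialog {
    # NoBrowserOptions = 1 blocks the whole Internet Options dialog.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([bool]$Disabled = $true, [ValidateSet('User', 'Machine')][string]$Scope = 'User')
    $key = Join-Path (Get-IEPolicyRoot $Scope) 'Restrictions'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$key\NoBrowserOptions", "Set to $([int]$Disabled)")) {
        New-ItemProperty -Path $key -Name NoBrowserOptions -PropertyType DWord -Value ([int]$Disabled) -Force | Out-Null
    }
}

function Get-IEOptionsPolicy {
    # Report what is currently enforced in both hives, to verify before and after a change.
    foreach ($scope in 'User', 'Machine') {
        $root  = Get-IEPolicyRoot $scope
        $restr = Get-ItemProperty -Path "$root\Restrictions"  -ErrorAction SilentlyContinue
        $cp    = Get-ItemProperty -Path "$root\Control Panel" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope            = $scope
            NoBrowserOptions = [int]($restr.NoBrowserOptions -eq 1)
            HiddenTabs       = ($TabValues | Where-Object { $cp.$_ -eq 1 }) -join ','
        }
    }
}

Set-IEOptionsTab -Tab AdvancedTab, ConnectionsTab -WhatIf   # drop -WhatIf to apply
Get-IEOptionsPolicy
```

Because both hives are reported, the audit function also shows when a machine-wide policy is overriding what a user sees, which is the usual reason a tab stays hidden after the HKCU value has been removed.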

Hopefully, these methods will allow you to gain more control over Internet Explorer advanced settings in your environment. If you’re having issues, feel free to comment and I’ll try to help. Enjoy!

Troubleshooting Failed Login Attempts in Windows Active Directory Server

On Event Viewer, we should look for the following information (filter Security log):

Security log, events 4625 and 4771 (format for filtering is: 4625,4771).

We need to filter for these two events since we don’t know if the user failed to authenticate using NTLM (4625) or Kerberos (4771).

References:

4625(F): An account failed to log on

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

4771(F): Kerberos pre-authentication failed

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

With a view containing only events 4625 and 4771 we can then search (Find…) the user we are troubleshooting.

We should look for the following information in each of the events.

4625:

You can refer to the article above for a full description on the Status and Sub-Status codes.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 5/21/2019 10:40:19 AM

Event ID: 4625

Task Category: Logon

Level: Information

Keywords: Audit Failure

User: N/A

Computer: DC2.contoso.local

Description:

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: –

Account Domain: –

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: test2016 → This should show the account you are troubleshooting.

Account Domain: WIN2K16MEMBER

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xC000006D → Check this field and the Sub Status below it.

Sub Status : 0xC0000064 → This will be either 0xC0000064 or 0xC000006A.

Process Information:

Caller Process ID: 0x0

Caller Process Name: –

Network Information:

Workstation Name: WIN2K16MEMBER → This might not appear in the event, but if it does, it is the machine the bad password is coming from.

Source Network Address: 192.168.0.31 → This might not appear in the event, but if it does, it is the IP address the bad password is coming from.

Source Port: 49735

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: –

Package Name (NTLM only): –

Key Length: 0

If the above event does not show the Network Information details, you will have to enable the Netlogon debug log to have more tracing and NTLM authentication information.

You can refer to the following article for the full instructions on how to enable and disable Netlogon debugging:

Enabling debug logging for the Netlogon service

https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service

Enabling and disabling Netlogon debugging is easy, but it should only be turned on for troubleshooting and turned off again afterwards:

Enable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:2080ffff

Disable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:0x0

The netlogon debug log can then be found under C:\Windows\debug\netlogon.log

In the netlogon debug log, search (Find…) for the user you are troubleshooting; you should find lines similar to the one below:

08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A

This entry tells you where the bad password came from.

4771:

You can refer to the article above for a full description on the Failure Codes.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 7/26/2019 11:47:11 AM

Event ID: 4771

Task Category: Kerberos Authentication Service

Level: Information

Keywords: Audit Failure

User: N/A

Computer: DC2.contoso.local

Description:

Kerberos pre-authentication failed.

Account Information:

Security ID: CONTOSO\Administrator

Account Name: Administrator → This should show the account you are troubleshooting.

Service Information:

Service Name: krbtgt/CONTOSO

Network Information:

Client Address: ::ffff:192.168.0.4 → This might not appear in the event, but if it does, it is the IP address the bad password is coming from.

Client Port: 49908

Additional Information:

Ticket Options: 0x40810010

Failure Code : 0x18 → This is the Failure Code we are looking for: the wrong password was provided.

Pre-Authentication Type: 2

Certificate Information:

Certificate Issuer Name:

Certificate Serial Number:

Certificate Thumbprint:

This was the easy part!

The hard part is often troubleshooting from the client side, since there is no specific procedure for finding out what is sending the bad passwords.

An application? A scheduled task? A script?

It can be any or all of them, and for that reason we often need to go back to the client workstation to keep searching for the culprit(s).

Sometimes it is a device in the middle that connects the user to Exchange, SQL or another resource; the same steps then need to be repeated on each device in the chain, which leads back to the originating source.
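The Event Viewer search and the netlogon.log search described above, as one added PowerShell example (not code from the original post): it pulls a single account's 4625 and 4771 failures from a DC's Security log, decodes the Status/Sub Status and Failure Code fields the post points at, and parses SamLogon lines from netlogon.log so the source workstation and "via" hop are returned as fields. The code meanings are taken from the Microsoft event documentation linked above; the function names and the sample log line are my own.

```powershell
# Added example (not from the original post): query one account's 4625/4771 failures on
# a DC, decode the Status/Sub Status/Failure Code fields the post highlights, and parse
# the netlogon.log SamLogon lines for the same account.

$SubStatusText = @{   # 4625 Sub Status (the same NTSTATUS values appear in netlogon "Returns")
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
}
$KerbFailureText = @{ # 4771 Failure Code
    '0x18' = 'Pre-authentication failed (wrong password)'
    '0x12' = 'Credentials revoked (disabled, locked out or expired account)'
    '0x17' = 'Password expired'
    '0x25' = 'Clock skew too great'
}

function Get-FailedLogonEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    # Both IDs in one query, as the post does in Event Viewer (4625,4771).
    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The XML form exposes every EventData field by name.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -ne $UserName) { return }
            if ($_.Id -eq 4625) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated; EventId = 4625
                    Package = $d.AuthenticationPackageName; LogonType = $d.LogonType
                    Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Code    = "$($d.Status)/$($d.SubStatus)"; Reason = $SubStatusText[$d.SubStatus]
                    Source  = $d.WorkstationName; SourceIP = $d.IpAddress
                }
            } else {
                [pscustomobject]@{
                    Time    = $_.TimeCreated; EventId = 4771
                    Package = 'Kerberos'; LogonType = $null
                    Account = $d.TargetUserName
                    Code    = $d.Status; Reason = $KerbFailureText[$d.Status]
                    Source  = $null; SourceIP = ($d.IpAddress -replace '^::ffff:', '')
                }
            }
        }
}

function ConvertFrom-NetlogonLine {
    # Parses SamLogon lines of the shape shown in the post.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $re = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*SamLogon: (?<kind>.+?) logon of (?<dom>[^\\]+)\\(?<user>\S+) ' +
              'from \(\s*(?<ws>[^)]*?)\s*\)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
        if ($Line -match $re) {
            [pscustomobject]@{
                Time   = $Matches.ts; Account = "$($Matches.dom)\$($Matches.user)"; Kind = $Matches.kind
                Source = $Matches.ws; Via = $Matches.via; Result = $Matches.code
                Reason = $SubStatusText[$Matches.code]
            }
        }
    }
}

function Find-NetlogonFailures {
    param([Parameter(Mandatory)][string]$UserName, [string]$Path = "$env:SystemRoot\debug\netlogon.log")
    Get-Content -Path $Path | ConvertFrom-NetlogonLine |
        Where-Object { $_.Account -like "*\$UserName" -and $_.Result -ne '0x0' }
}

# Constructed sample line (same shape as the post's, not real data) so the parser can be tried offline:
$sample = '08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A'
$sample | ConvertFrom-NetlogonLine | Format-List

# On the DC, for the account under investigation:
# Get-FailedLogonEvents -UserName test2016 | Sort-Object Time | Format-Table -AutoSize
# Find-NetlogonFailures -UserName test2016 | Group-Object Source, Result | Sort-Object Count -Descending
```

Grouping the netlogon results by Source and Result is the quickest way to see which machine (or which "via" hop) is producing most of the 0xC000006A entries, which is the client you go to next.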

More information:
You can also check the articles below for more information and tips on troubleshooting account lockouts:

Active Directory: Bad Passwords and Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

Active Directory: Troubleshooting Frequent Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

Troubleshooting account lockout the PSS way

https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

How to Disable Inactive User Accounts Using PowerShell

Inactive Active Directory (AD) user accounts can pose a security risk to organizations, in situations such as when former employees still have active accounts months after leaving the company because HR failed to inform IT, or accounts might be created for a particular purpose but never deleted after the event. Whatever the reason for the existence of such accounts, Active Directory can quickly get out of control, in turn making your systems harder to audit and less secure.

Active Directory Module for PowerShell

The PowerShell module for Active Directory allows system administrators to query Active Directory and generate reports using the resulting data. The AD module for PowerShell is installed by default on Windows Server 2012 domain controllers, or alternatively you can download the Remote Server Administration Tools (RSAT) for Windows 8.1 and install the module using the command below.

Log in as a local administrator, open a PowerShell prompt, type the code below and press ENTER to install the AD module for PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

Search Active Directory for Inactive Accounts

The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:

Search-ADAccount -UsersOnly -AccountInactive

Figure 1

The above command returns all inactive accounts. To narrow the results to a specific time range, add the -TimeSpan parameter to Search-ADAccount. In the example below, a variable holds the value for the -TimeSpan parameter, using the New-TimeSpan cmdlet to simplify the input:

$timespan = New-TimeSpan -Days 90

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan

Alternatively, you can specify the –DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since May 5th 2014 are returned:

Search-ADAccount -UsersOnly -AccountInactive -DateTime '5/20/2014'

To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Select Name,Department,Title,DistinguishedName

Figure 2

The results can also be sorted by a specified field, in this example by the LastLogonDate attribute, which is derived from LastLogonTimestamp and converted into a readable format:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Sort LastLogonDate | Select Name,Department,Title,DistinguishedName

It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.

Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure cmdlet:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Measure

As with any other PowerShell cmdlets, the results can be piped to Out-GridView, or to a comma-delimited file so that the results can be imported into Excel.

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Out-GridView

Disable Inactive Accounts

Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
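Piping straight into Disable-ADAccount, as above, disables every account the search returns, including accounts that were created recently and never used. The following added PowerShell example (not code from the original article) builds the same pipeline into a reviewable run: it pads the threshold for the LastLogonTimestamp replication lag noted above, skips built-in accounts and never-used accounts younger than the threshold, writes a CSV audit trail, records the reason in each account's description, and changes nothing until -WhatIf is dropped. The exclusion list and report path are assumptions.

```powershell
# Added example (not from the original article): a reviewable pass over inactive users built
# on the cmdlets shown above (Search-ADAccount, Get-ADUser, Disable-ADAccount).
Import-Module ActiveDirectory

function Get-StaleUserAccounts {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase,                                          # optional OU distinguished name
        [string[]]$Exclude = @('Administrator', 'krbtgt', 'Guest')    # assumed exclusion list
    )
    # LastLogonTimestamp replicates with a 9-14 day lag (see above), so pad the threshold by
    # 14 days to avoid disabling someone who authenticated recently against another DC.
    $params = @{ UsersOnly = $true; AccountInactive = $true; TimeSpan = (New-TimeSpan -Days ($InactiveDays + 14)) }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # An account that has never logged on has no LastLogonDate; treat it as stale only once it is
    # older than the threshold, so a freshly created account is left alone.
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Search-ADAccount @params |
        Where-Object { $_.Enabled -and $_.SamAccountName -notin $Exclude } |
        Get-ADUser -Properties LastLogonDate, WhenCreated, Department, Title, Description |
        Where-Object { $_.LastLogonDate -or $_.WhenCreated -lt $cutoff } |
        Select-Object Name, SamAccountName, Department, Title, LastLogonDate, WhenCreated, Description, DistinguishedName
}

function Disable-StaleUserAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 90,
        [string]$ReportPath = "$env:TEMP\inactive-users-$(Get-Date -Format yyyyMMdd).csv"   # assumed location
    )
    $stale = @(Get-StaleUserAccounts -InactiveDays $InactiveDays)
    # Audit trail of the candidate set; written even under -WhatIf so it can be reviewed first.
    $stale | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable (inactive > $InactiveDays days)")) {
            # Keep the old description and note why/when it was disabled, for later review or re-enable.
            $note = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
            $desc = if ($u.Description) { "$($u.Description) | $note" } else { $note }
            Set-ADUser -Identity $u.SamAccountName -Description $desc
            Disable-ADAccount -Identity $u.SamAccountName
        }
    }
    [pscustomobject]@{ Candidates = $stale.Count; Report = $ReportPath }
}

Disable-StaleUserAccounts -InactiveDays 90 -WhatIf   # review the report first; drop -WhatIf to disable
```

Disabling rather than deleting keeps the SID and group memberships intact, so an account disabled by mistake can be re-enabled without any loss; the description note makes those cases easy to find later.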

How to Disable IPv6 Using Command Prompt

Start a command prompt with administrative permissions and enter the following command:

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF

How to Disable IPv6 Using Registry Editor

Press the Windows key and the R key at the same time to bring up the Run dialog box.

Type regedit in the Run dialog box and click OK.

Use Registry Editor to expand the registry tree and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters

Right-click on Parameters, expand New, and select DWORD (32-bit) Value.

Enter DisabledComponents into the Name field.

Double-click on the new DisabledComponents value, enter ffffffff into the Value data box, and click the OK button.

Confirm the new registry value contains the required data.



After restarting the computer, run ipconfig again at the command prompt to confirm that IPv6 is disabled.
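The same change made from PowerShell, as an added example (not code from the original post), with a read-back so the value can be confirmed before the reboot and the interfaces checked afterwards. The default mirrors the post's 0xFFFFFFFF; Microsoft's guidance in KB929852 recommends 0xFF instead, because 0xFFFFFFFF adds a few seconds of delay at startup, so the value is a parameter.

```powershell
# Added example (not from the original post): set DisabledComponents from PowerShell and
# verify it. Runs elevated; the change takes effect only after a reboot.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'

function Set-IPv6DisabledComponents {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([uint32]$Value = [uint32]::MaxValue)   # 0xFFFFFFFF, the post's value; KB929852 suggests 0xFF
    if ($PSCmdlet.ShouldProcess("$Tcpip6Params\DisabledComponents", ('Set to 0x{0:X8}' -f $Value))) {
        # REG_DWORD is handed to the provider as a signed Int32; reinterpret the bits rather than
        # cast, because [int32]0xFFFFFFFF throws an overflow in PowerShell.
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
        New-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -PropertyType DWord -Value $signed -Force | Out-Null
    }
}

function Get-IPv6DisabledComponents {
    $p = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$p.DisabledComponents), 0)
}

function Test-IPv6Disabled {
    # Before the reboot this shows only the registry value; after it, RemainingAddresses should be 0.
    # Loopback (::1) and link-local (fe80::) addresses are ignored, as they may persist on some builds.
    $v = Get-IPv6DisabledComponents
    $addrs = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress -ne '::1' -and $_.IPAddress -notlike 'fe80:*' })
    [pscustomobject]@{
        DisabledComponents = if ($null -ne $v) { '0x{0:X8}' -f $v } else { '(not set)' }
        RemainingAddresses = $addrs.Count
        Addresses          = ($addrs.IPAddress -join ', ')
    }
}

Set-IPv6DisabledComponents -WhatIf   # drop -WhatIf to write the value, then reboot
Test-IPv6Disabled
```

Run Test-IPv6Disabled once before and once after the reboot; the first run confirms the registry value was written as intended, the second confirms the stack actually stopped assigning addresses.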

September 2015 Release of MFCMAPI and MrMAPI

The September 2015 Release (build 15.0.0.1043) is live: http://mfcmapi.codeplex.com.

It’s amazing – how much I don’t get to work on MFCMAPI when I’m no longer in Developer Support. That’s no excuse for leaving it alone for a year! I did patch quite a bit in the past year.



Here’s a change list – see the Issue Tracker and ChangeSets on Codeplex for more details:

  • SmartView: Completely rewrote the engine to be much more modular and easier to maintain
  • MrMAPI: Fixed several crashes, leaks, and hangs
  • Migrated a metric ton of old CString and manual string handling to wstring
  • Performance: Did a whole bunch of performance tweaks – everything should be much snappier

Using PowerShell to Manage Windows Updates: PSWindowsUpdate

The secret to deploying Windows Updates from within Audit Mode is an excellent PowerShell module created by Michal Gajda. This module, aptly called PSWindowsUpdate, allows managing Windows Update on any computer running PowerShell 2.0 or higher. This module even enables Windows admins to check for and install updates on remote PCs and servers. PSWindowsUpdate is particularly handy for installing updates on Server Core machines that have no GUI, or in instances such as Sysprep’s Audit Mode where the Windows Update GUI doesn’t work.

• Get started by downloading the latest version of PSWindowsUpdate.zip.

• Once downloaded, extract the contents of the zip file to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\.

Extracting files from PSWindowsUpdate.zip.

• Click Continue if a UAC prompt appears.

• When the files have been extracted into the PowerShell Modules folder, open an elevated PowerShell prompt. Change PowerShell’s execution policy to RemoteSigned. The RemoteSigned execution policy allows PowerShell scripts downloaded from the Internet to run on a PC as long as they are signed by a trusted publisher.

• Type Set-ExecutionPolicy RemoteSigned and press Enter. When prompted, confirm the change by pressing Y and then Enter.

Changing PowerShell’s execution policy

This completes the one-time configuration of the module! Now it’s time to put PSWindowsUpdate to use!

• If running PowerShell v2.0, type Import-Module PSWindowsUpdate and hit Enter. This isn’t necessary in PowerShell v3 and higher, but it doesn’t hurt anything either. This step simply guarantees that the module’s cmdlets will be available to the PowerShell v2.0 session.

• Display a list of all the module’s available cmdlets by typing Get-Command -Module PSWindowsUpdate and hitting Enter.

Using Get-Command -module PSWindowsUpdate.

• Possibly the most important function for getting and installing updates is Get-WUInstall. Help for each cmdlet is available, so to see the full help for Get-WUInstall type Help Get-WUInstall -Full and press Enter.

Looking at help for Get-WUInstall.

When applying updates, I prefer connecting to the Microsoft Update servers. Using these instead of the standard Windows Update servers allows installing updates to Office and other Microsoft products in addition to the normal Windows updates. Unfortunately, trying to connect to the Microsoft Update servers using the PSWindowsUpdate module from a fresh Windows installation will produce an error, as shown below.

• The reason for this error is that Windows is registered to use only the standard Windows Update servers by default. To use the Microsoft Update servers, the Microsoft Update service must be registered on the computer. In the GUI, this is done by selecting the checkbox for Give me updates for other Microsoft products when I update Windows from the Control Panel – Windows Update – Change Settings applet.

• In the PSWindowsUpdate module, the same process is completed by using the Add-WUServiceManager cmdlet with the ServiceID for the Microsoft Update service specified. Type Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d and press Enter. When prompted, confirm registering the service by typing Y and pressing Enter one more time.

Registering the Microsoft Update servers.

• List available updates from the Microsoft Update servers by typing Get-WUInstall -MicrosoftUpdate -ListOnly and pressing Enter. After a few moments, the system will return a list of the available updates for the current machine. No error this time!

• The same results are produced by typing Get-WUList -MicrosoftUpdate and pressing Enter.

• Type Get-WUInstall -MicrosoftUpdate and press Enter to go through the available updates, confirming installation of each one manually.

PSWindowsUpdate and Parameter Support

Another awesome feature of the PSWindowsUpdate module is its support of parameters. For example, using the -AcceptAll and -AutoReboot parameters with the Get-WUInstall cmdlet changes the manual process into an automated one. Type Get-WUInstall -MicrosoftUpdate -AcceptAll -AutoReboot and press Enter. The system will download and install all available updates and then automatically reboot if any of the updates require a reboot.

Retrieving updates and installing automatically.

Don’t want a particular update to be installed? No problem! Use Hide-WUUpdate. Selection parameters such as -Title or -KBArticleID narrow in on and hide specific updates. Feel free to use wildcards with these parameters. As an example, type Hide-WUUpdate -Title "Bing*" -KBArticleID "KB2673774" -MicrosoftUpdate -Confirm:$false and press Enter to hide the Bing Bar 7.3 update.

Hiding an unwanted update.

Notice that I used the –Confirm parameter, along with the $false switch, to automatically confirm hiding the selected update. In the future the update won’t appear when listing available updates.

Did you make a mistake and hide the wrong update? No problem! Hide-WUUpdate can unhide an update by using the -HideStatus parameter with the $false switch. To unhide the update hidden earlier, type Hide-WUUpdate -Title "Bing*" -KBArticleID "KB2673774" -MicrosoftUpdate -HideStatus:$false -Confirm:$false then press Enter. As before, I used the -Confirm:$false parameter to keep everything streamlined.
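The register, list, hide and install steps above, combined into one unattended pass as an added PowerShell example (not code from the original article or from the PSWindowsUpdate project): it registers Microsoft Update only if it is not already registered, writes the pending list to CSV before anything changes, hides a block list, installs the rest without rebooting, and returns a summary object. Get-WUServiceManager, Get-WURebootStatus and the -IgnoreReboot switch are not shown in the article and are assumed to exist in the module version you run; the block-list KB/Title values and the log folder are placeholders.

```powershell
# Added example (not from the original article): an unattended update pass built on the
# PSWindowsUpdate cmdlets shown above. Run from an elevated PowerShell prompt.
Import-Module PSWindowsUpdate -ErrorAction Stop

$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # ServiceID from the article

function Register-MicrosoftUpdate {
    # Idempotent: only add the service when it is not already registered
    # (Get-WUServiceManager is assumed to be available in your module version).
    $known = Get-WUServiceManager | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    if (-not $known) {
        Add-WUServiceManager -ServiceID $MicrosoftUpdateServiceId -Confirm:$false | Out-Null
    }
}

function Invoke-UpdatePass {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$BlockKB    = @('KB0000000'),               # placeholder: KB ids that must never install
        [string[]]$BlockTitle = @('Bing*'),                   # placeholder: title patterns (wildcards allowed)
        [string]$LogDir       = 'C:\ProgramData\UpdatePass'   # assumed log location
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Register-MicrosoftUpdate

    # Snapshot of what is pending, written before anything is hidden or installed (also under -WhatIf).
    $pending = @(Get-WUList -MicrosoftUpdate)
    $pending | Export-Csv -Path "$LogDir\pending-$stamp.csv" -NoTypeInformation -WhatIf:$false

    # Hide the block list so those updates drop out of every later listing: the article's
    # Hide-WUUpdate call, once per pattern, without the interactive confirmation.
    foreach ($kb in $BlockKB)    { Hide-WUUpdate -KBArticleID $kb -MicrosoftUpdate -Confirm:$false | Out-Null }
    foreach ($t  in $BlockTitle) { Hide-WUUpdate -Title $t        -MicrosoftUpdate -Confirm:$false | Out-Null }

    # -AcceptAll removes the per-update prompt; -IgnoreReboot (instead of -AutoReboot) leaves the
    # restart to your maintenance window.
    $installed = @()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Install all non-hidden updates from Microsoft Update')) {
        $installed = @(Get-WUInstall -MicrosoftUpdate -AcceptAll -IgnoreReboot)
        $installed | Export-Csv -Path "$LogDir\installed-$stamp.csv" -NoTypeInformation -WhatIf:$false
    }
    [pscustomobject]@{
        Pending      = $pending.Count
        BlockRules   = $BlockKB.Count + $BlockTitle.Count
        Processed    = $installed.Count                        # objects returned by Get-WUInstall
        RebootNeeded = [bool](Get-WURebootStatus -Silent)
        LogDir       = $LogDir
    }
}

Invoke-UpdatePass -WhatIf   # review the pending CSV first; drop -WhatIf to install
```

Keeping the pending and installed lists as dated CSV files gives you a record of exactly which updates each machine received on each run, which is what you will want when a later problem has to be traced back to a specific update.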

Unhiding a previously hidden update.

I started out seeking simply to solve a challenge installing updates within Sysprep’s Audit mode. The PSWindowsUpdate module goes far beyond simply solving this problem. It offers to automate and simplify dealing with Windows Updates. In addition to all the functionality discussed in this article, it can be scripted and even used to process updates on remote computers. Want my advice? Download PSWindowsUpdate and put it to use on your systems today!