Fixing component store corruption in Windows 8 and Windows Server 2012

One of the most used tools when fixing corruption for Windows Vista, 7, 2008 and 2008 R2 was the System Update and Readiness Tool (KB947821), commonly called CheckSUR.  The CheckSUR tool was an excellent way for most people to see what corruption had happened on their store, and potentially fix that corruption if the tool contained the payload to do so.  I’ve written in the past how to use this mechanism to also fix corruption when the CheckSUR utility doesn’t include the payload for your files to “fool” CheckSUR into resolving the problem without needing to do all sorts of whacky permission changes (https://blogs.technet.com/b/joscon/archive/2010/05/26/using-checksur-and-update-packages-to-fix-corruption.aspx). 

The way this works in Windows 8 and Windows Server 2012 is different, in a fantastic way.  It’s called Inbox Corruption Repair and it brings the functionality of CheckSUR into Windows rather than requiring a separate download to get the utility like you do now.  This is exposed in two ways, the first is really unseen by the end user and happens when we detect a corrupted state when attempting to install fixes via Windows Update.  When this happens, we'll fix the corruption silently and then re-install the prior packages.  The manual way to use this tool is via DISM.  The way this is exposed is via the DISM /Cleanup-Image functionality.  Here’s what the available switches do:

/CheckHealth: This checks to see if a component corruption marker is already present in the registry.  We’ll inform the user if there is corruption but nothing is fixed or logged anywhere.  This is merely a quick way to see if corruption currently exists.  Think of it as a read-only CHKDSK. This operation should be almost instantaneous.

/ScanHealth: This checks for component store corruption and records that corruption to the C:\Windows\Logs\CBS\CBS.log but no corruption is fixed using this switch.  This is useful for logging what, if any, corruption exists.  This operation takes ~5-10mins.

/RestoreHealth: This checks for component store corruption, records the corruption to C:\Windows\Logs\CBS\CBS.log and FIXES the corruption using Windows Update.  This operation takes ~10-15mins or more depending on the level of corruption.

As an example, if you wanted to run this utility against your local component store to check for corruption and you wanted it to repair everything as it found it you would run the following command: DISM /Online /Cleanup-Image /RestoreHealth

So a couple of things of note here:

  1. CheckSUR.log is not created using Inbox Corruption Repair, this logging has now been rolled into CBS.log
  2. I would typically recommend you run /RestoreHealth if you suspect corruption as it will record and fix issues and takes about the same time as /ScanHealth. 
  3. This functionality is also present in Windows PowerShell and can be scripted across an environment
  4. Windows Update or a network available WIM are valid recovery sources but WSUS installations are not.  This is important because if you have WSUS enabled in your environment, there is a chance that your repair operations may be captured by the WSUS Servers and not be properly serviced.  You can control this behavior using Group Policy or the /LimitAccess switch
  5. If you decide to block Windows Update and use a local source WIM, the WIM will only be able to recover payloads present in that WIM.  This means that you’ll need to update your WIM files accordingly to match the patch level of your environment or you wont successfully recover.
  6. CheckSUR will continue to be available for down-level operating systems prior to Windows 8 and Windows Server 2012 and will continue to get updated

These changes are really fantastic in my opinion because you no longer need to attempt to move files from other servers, manipulate permissions or “hack” other utilities to get corruption resolved.  Windows Update is updated frequently so that it contains all of the payloads necessary to repair corruption.  And above all else, Inbox Corruption Repair can repair both payload files and manifests (CheckSUR only did manifests) which is a HUGE win for you and I as customers. 

As always, ask questions here.

--Joseph