
Monday, March 23, 2015

Windows 8.1 Error 80200056 after installing update KB2267602

Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602).

The Update settings were configured to prompt prior to download & installation. This was the first task launched after awaking the computer from a Sleep state. The computer is not a virtual machine.

With Windows 8 and 8.1 the first places to look for Update failures are the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log. For those still unfamiliar with navigating the newer Windowses, you can open a Run prompt by hitting the Windows key and the "R" key at the same time, then paste either path into it to open the file.

The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense - the update failed to download; as opposed to failing to install.

{C7C93C12-61E3-4998-9EBD-B448C62540A4} 2015-03-23 19:39:34:484-0400 1 161 [AGENT_DOWNLOAD_FAILED] 101 {FD8A47F9-2E75-4763-AE52-777D471C87C8} 201 80200056 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.
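As an added example (not code from the original post), here is a small Python parser for ReportingEvents.log entries like the one above, together with an HRESULT decoder. The tab-delimited field order is an assumption matched against that entry; the facility values come from the Windows SDK HRESULT layout, and they show why the code reads as a plain download failure: 0x8020xxxx is the BITS facility, while the 0x80070490 that appears in the WindowsUpdate.log transaction further down is the Win32 code ERROR_NOT_FOUND.

```python
import re

# Constructed copy of the ReportingEvents.log entry quoted in the post. The real
# file is tab-delimited; the field order below is an assumption drawn from that entry.
SAMPLE_REPORTING_EVENTS = (
    "{C7C93C12-61E3-4998-9EBD-B448C62540A4}\t2015-03-23 19:39:34:484-0400\t1\t161\t"
    "[AGENT_DOWNLOAD_FAILED]\t101\t{FD8A47F9-2E75-4763-AE52-777D471C87C8}\t201\t"
    "80200056\tAutomaticUpdatesWuApp\tFailure\tContent Download\tError: Download failed.\n"
)

# HRESULT facilities that show up in Windows Update logs (values from the Windows SDK).
FACILITY_NAMES = {
    0x007: "FACILITY_WIN32",
    0x020: "FACILITY_BACKGROUNDCOPY (BITS)",
}

# Win32 codes worth naming here; 0x80070490 in WindowsUpdate.log is ERROR_NOT_FOUND.
WIN32_CODE_NAMES = {1168: "ERROR_NOT_FOUND"}


def decode_hresult(value):
    """Split an HRESULT into severity, facility and code per the Windows SDK layout."""
    code = int(value, 16) if isinstance(value, str) else value
    facility = (code >> 16) & 0x7FF
    low = code & 0xFFFF
    info = {
        "hresult": f"0x{code:08X}",
        "failure": bool(code & 0x80000000),
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "code": low,
    }
    if facility == 0x007:
        info["win32_name"] = WIN32_CODE_NAMES.get(low, "unknown")
    return info


def parse_reporting_events(text):
    """Parse tab-delimited ReportingEvents.log lines into dicts; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) < 13 or not fields[4].startswith("["):
            continue
        records.append({
            "event_guid": fields[0].strip("{}"),
            "timestamp": fields[1],
            "event": fields[4].strip("[]"),
            "update_id": fields[6].strip("{}"),
            "revision": int(fields[7]),
            "hresult": decode_hresult(fields[8]),
            "client": fields[9],
            "result": fields[10],
            "category": fields[11],
            "message": "\t".join(fields[12:]),
        })
    return records


def download_failures(records):
    """Keep only download-stage failures: the agent never got as far as installing anything."""
    return [r for r in records if r["event"] == "AGENT_DOWNLOAD_FAILED"]


if __name__ == "__main__":
    for rec in download_failures(parse_reporting_events(SAMPLE_REPORTING_EVENTS)):
        hr = rec["hresult"]
        print(f"{rec['timestamp']} {rec['event']} update {rec['update_id']}.{rec['revision']} "
              f"{hr['hresult']} facility={hr['facility_name']} code={hr['code']}")
```

Run against a real ReportingEvents.log, the filter gives the list of updates that failed at the download stage and the facility tells you which subsystem raised the error, which is the distinction the post is drawing between a download problem and a permissions or installation problem.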

Right away my first instinct is a networking problem related to the sleep state. Going back to the Run prompt, I type `eventvwr` to bring up the Event Viewer. I expand the Windows Logs node in the left navigation pane and select the System log. A few seconds after the failed content download I see this:


The browser has forced an election on network \Device\NetBT_Tcpip_{D03DC1BF-134A-4B75-B8F2-CD9086B301E1} because a master browser was stopped.

This would seem to confirm that there was in fact a networking issue, one relating to the always-disruptive Computer Browser service. The computer this issue occurred on does in fact reside on a network with a number of other Windows computers, and it was also part of a homegroup. It was unlikely that any of the Windows computers had modified the default LMHOSTS / NetBIOS over TCP/IP settings beyond what configuring the Homegroup does.

This is a very long-winded blog post for what ended up being a very brainless solution. I launched the update service through the Control Panel in the Desktop user interface as opposed to the Metro user interface and the update completed successfully. Because my logs show that a Browser election was forced and successfully completed seconds after the download failure, it is likely a retry within Metro would have worked as well.

Still, there is a reason why I described the issue in this much detail, and that is because there seems to be a great deal of misunderstanding about this error and what is needed to resolve it.

First and foremost, Error 80200056 only indicates a download failure for Windows updates - not a permissions failure, and it is not what I would describe as a warning sign of malware infection. It's possible, I suppose, that a compromised host could display this error, but it is highly unlikely to be the only problem with a host that has been compromised through the updates system - there are a number of other symptoms, like BITS and certificate trust issues, that are likely to show up as well. Quite a few of the articles I have seen on this issue on the internet are hysterical in their screams of "It's a virus!" when this issue comes up - even in paid technical support pages.

I have also seen incorrect explanations of KB2267602, where "technicians" describe this update as a one-time package. In at least one webpage I saw, a technician told a user that since KB2267602 was a package that "should have" been installed 9 months ago, the last 9 months of updates were likely corrupted, instead of a single virus definition. This claim is outrageous. Systems using Windows Defender should see regular downloads of KB2267602 in their Update History. Individual definition files can be told apart by their definition signature. The distinction is obvious:

(Screenshot: Windows Defender Definition Update logs, showing repeated KB2267602 entries with distinct definition versions)
If this issue is caught quickly, C:\Windows\WindowsUpdate.log should display a very detailed transaction history for Windows Update. If reviewing an older Update failure, older copies of this transaction log can be found saved in subdirectories of C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ - the exact subdirectory can be found by consulting Event Viewer. The relevant log will be reported as Event ID 1001 from source Windows Error Reporting and will look like this:

Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.17489
P2: 80200056
P3: FD8A47F9-2E75-4763-AE52-777D471C87C8
P4: Download
P5: 101
P6: Unmanaged {9482F4B4-E343-43B6-B170-9A65BC822C77}
P7: 0
P8:
P9:
P10:

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.9.9600.17489_60820ed604236fc9285c92356031cd8da6466_00000000_cab_164a6aea

Analysis symbol:
Rechecking for solution: 0
Report Id: deccbe22-d1b5-11e4-8269-c7e81028dc3b
Report Status: 4
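The Event ID 1001 body above is plain text, so it can be parsed out of an exported event log rather than read by hand. The following Python is an added example, not part of the post: it pulls the problem signature apart (the P1..P4 meanings are assumptions matched against this sample: agent version, HRESULT, update id, phase), lists the attached files, and checks that the "These files may be available here" path really sits under the ReportQueue root before anything tries to open it.

```python
import re
from pathlib import PureWindowsPath

# The Event ID 1001 (Windows Error Reporting) message body quoted in the post.
SAMPLE_WER_EVENT = r"""Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.17489
P2: 80200056
P3: FD8A47F9-2E75-4763-AE52-777D471C87C8
P4: Download
P5: 101
P6: Unmanaged {9482F4B4-E343-43B6-B170-9A65BC822C77}
P7: 0
P8:
P9:
P10:

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.9.9600.17489_60820ed604236fc9285c92356031cd8da6466_00000000_cab_164a6aea

Analysis symbol:
Rechecking for solution: 0
Report Id: deccbe22-d1b5-11e4-8269-c7e81028dc3b
Report Status: 4
"""

REPORT_QUEUE_ROOT = PureWindowsPath(r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue")

# Meaning of the WindowsUpdateFailure2 signature fields; these names are an
# assumption matched against the sample above, not documented field names.
SIGNATURE_FIELDS = {"P1": "agent_version", "P2": "hresult", "P3": "update_id", "P4": "phase"}


def parse_wer_update_failure(text):
    """Turn a WER Event 1001 body into a dict: headers, P-signature, attached files, queue dir."""
    report = {"attached_files": [], "report_queue_dir": None, "signature": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Attached files:":
            section = "attached"
            continue
        if line == "These files may be available here:":
            section = "queue"
            continue
        m = re.match(r"^(P\d+):\s*(.*)$", line)
        if m:
            section = None
            if m.group(2):                      # P8..P10 are empty in this sample
                report["signature"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m and section is None:               # "Event Name: ...", "Report Id: ..." etc.
            report[m.group(1).strip().lower().replace(" ", "_")] = m.group(2)
            continue
        if section == "attached":               # file paths contain a colon, handled here
            report["attached_files"].append(line)
        elif section == "queue":
            report["report_queue_dir"] = line
            section = None
    for key, name in SIGNATURE_FIELDS.items():
        if key in report["signature"]:
            report[name] = report["signature"][key]
    return report


def is_valid_report_queue_dir(path_str, agent_version):
    """Accept only a direct child of the ReportQueue root whose name carries the same agent build."""
    p = PureWindowsPath(path_str)
    return p.parent == REPORT_QUEUE_ROOT and p.name.startswith(f"NonCritical_{agent_version}_")


if __name__ == "__main__":
    r = parse_wer_update_failure(SAMPLE_WER_EVENT)
    print(r["event_name"], r["phase"], r["hresult"], r["update_id"])
    print("queue dir ok:", is_valid_report_queue_dir(r["report_queue_dir"], r["agent_version"]))
```

The P6 value, {9482F4B4-E343-43B6-B170-9A65BC822C77}, is the same ServiceId that WindowsUpdate.log prints for the download call, which is a convenient cross-check when matching a WER report to a particular log transaction.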


The "These files may be available here:" directory will include a copy of the relevant WindowsUpdate.log. For this error, the transaction report should provide quite a bit of detail about what was going on with the Update Service through the time of the failure:

19:39:34:015  892 191c AU #############
2015-03-23 19:39:34:015  892 191c AU ## START ##  AU: Download updates
2015-03-23 19:39:34:015  892 191c AU #########
2015-03-23 19:39:34:015  892 191c AU   # Approved updates = 1
2015-03-23 19:39:34:015  892 191c AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
2015-03-23 19:39:34:015  892 191c IdleTmr Incremented idle timer priority operation counter to 2
2015-03-23 19:39:34:031  892 191c AU AU initiated download, updateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201, callId = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr ***********  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]  ***********
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Call ID = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Priority = 3, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 1, Explicit proxy = 0, Proxy session id = 1, ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}
2015-03-23 19:39:34:031  892 18b0 DnldMgr   * Updates to download = 1
2015-03-23 19:39:34:031  892 18b0 Agent   *   Title = Definition Update for Windows Defender - KB2267602 (Definition 1.193.3478.0)
2015-03-23 19:39:34:031  892 18b0 Agent   *   UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201
2015-03-23 19:39:34:031  892 18b0 Agent   *     Bundles 3 updates:
2015-03-23 19:39:34:031  892 18b0 Agent   *       {78E75BF6-5B6F-4FCB-AD33-9A5618E50403}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200
2015-03-23 19:39:34:031  892 18b0 Agent   *       {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update FD8A47F9-2E75-4763-AE52-777D471C87C8; locking the user-specified revision.
2015-03-23 19:39:34:031  892 18b0 DnldMgr No locked revisions found for update 9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1; locking the user-specified revision.
2015-03-23 19:39:34:046  892 191c AU   # Pending download calls = 1
2015-03-23 19:39:34:046  892 191c AU <<## SUBMITTED ## AU: Download updates
2015-03-23 19:39:34:062  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 760; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:062  892 18b0 IdleTmr Incremented idle timer priority operation counter to 3
2015-03-23 19:39:34:093  892 18b0 DnldMgr ***********  DnldMgr: New download job [UpdateId = {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201]  ***********
2015-03-23 19:39:34:109  892 18b0 DnldMgr   * BITS job initialized, JobId = {8F94CFCA-5055-4CD6-B71E-13F540B0BC5F}
2015-03-23 19:39:34:171  892 18b0 DnldMgr   * Downloading from http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/am_delta_48e485cc83da49bce931292934e1d75788e0629a.exe to C:\Windows\SoftwareDistribution\Download\a72da7d4ae868d3ed29b457ac7415777\48e485cc83da49bce931292934e1d75788e0629a (full file).
2015-03-23 19:39:34:203  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 762; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:203  892 18b0 IdleTmr Incremented idle timer priority operation counter to 4
2015-03-23 19:39:34:234  892 18b0 DnldMgr *********
2015-03-23 19:39:34:234  892 18b0 DnldMgr **  END  **  DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]
2015-03-23 19:39:34:234  892 18b0 DnldMgr *************
2015-03-23 19:39:34:312  892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312  892 db4 DnldMgr   Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312  892 db4 DnldMgr   Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
2015-03-23 19:39:34:312  892 db4 DnldMgr CUpdateDownloadJob::GetNetworkCostSwitch() Neither unrestricted or restricted network cost used, so using current cost
2015-03-23 19:39:34:375  892 db4 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 760) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:375  892 db4 IdleTmr Decremented idle timer priority operation counter to 3
2015-03-23 19:39:34:375  892 db4 DnldMgr Error 0x80200056 occurred while downloading update; notifying dependent calls.
2015-03-23 19:39:34:375  892 12ec AU >>##  RESUMED  ## AU: Download update [UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}]
2015-03-23 19:39:34:375  892 12ec AU   # WARNING: Download failed, error = 0x80200056
2015-03-23 19:39:34:437  892 18b0 DnldMgr *********
2015-03-23 19:39:34:437  892 18b0 DnldMgr **  END  **  DnldMgr: Download Call Complete [Call 5 for caller AutomaticUpdatesWuApp has completed; signaling completion.]
2015-03-23 19:39:34:437  892 18b0 DnldMgr *************
2015-03-23 19:39:34:468  892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 762) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:468  892 18b0 IdleTmr Decremented idle timer priority operation counter to 2
2015-03-23 19:39:34:468  892 12ec AU Download call completed, hr = 0x80200056
2015-03-23 19:39:34:468  892 12ec AU #########
2015-03-23 19:39:34:468  892 12ec AU ##  END  ##  AU: Download updates
2015-03-23 19:39:34:468  892 12ec AU #############

That's pretty much it. Since this has brought the always-irritating Computer Browser service to my immediate attention, I think I will write a more detailed post about it, and about some of its common issues, here soon - as online documentation on it is few and far between.
