1 Reply Latest reply on May 18, 2017 5:15 AM by Bartosz.Wilga

    After patch scan TrustedInstaller.exe stuck at 100% even after multiple reboots

    frankgnl86 Rookie

      Yesterday we scanned around 750 servers (windows 2003 till windows 2016) to check for the latest missing MS patches.

      We have created a scan template and checked all MS products.

       

      The scan itself went successful and got a nice report.

       

      But now we noticed that on Windows 2008 R2 servers TrustedInstaller.exe is occupying 1 complete core. Even after the scanning is done and after multiple reboots.

      From our monitoring system we can see that the high CPU utilisation started when we started the patch scan.

       

      WSUS is completely disabled via GPO, so that can't be the issue

       

      We got the following from the CBS.log on the affected Windows 2008 R2 servers, it is logging multiple times per second:

      2017-05-17 22:35:44, Info CBS Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Warning: Unrecognized packageExtended attribute.

      2017-05-17 22:35:44, Info CBS Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Warning: Unrecognized packageExtended attribute.

      2017-05-17 22:35:44, Info CBS Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Warning: Unrecognized packageExtended attribute.

      2017-05-17 22:35:44, Info CBS Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

      2017-05-17 22:35:44, Info CBS Warning: Unrecognized packageExtended attribute.

       

       

      We tried to kill the TrustedInstaller.exe process, but i will start up again and occupying 1 of the cores. Even a reboot is not working

       

      Last week we updated Shavlik 9.x to Ivanti 9.3 according to the upgrade guide

        • 1. Re: After patch scan TrustedInstaller.exe stuck at 100% even after multiple reboots
          Bartosz.Wilga SupportEmployee

          Hello Frank,

           

          Thank you for posting your question.

           

          As discussed through support case today, this looks like a known issue in relation to TrustedInstaller.exe but this is more Microsoft issue.

           

          Windows Server 2008 will run TrustedInstaller.exe shortly after rebooting after installing the monthly Windows Updates.

          The program will take up ~75-100% of a CPU core for up to 30 minutes or more, as it is running the malicious software removal scanning code.

          While this is running on a single-core machine, certain programs or services will not work properly, such as SQL Server -- most single-core SQL Server installations will not take connections while the above is running.

          So, plan accordingly. After your first reboot, expect a CPU hog.

          If you're running on Amazon EC2, it may be wise to make sure to boot up as a dual-core server after installing updates, and then back down to a single-core once TrustedInstaller is done hogging a core. => source:

          https://serverfault.com/questions/122624/trustedinstaller-exe-takes-a-lot-of-cpu

           

          in addition to entries from the CBS.log:

           

          2017-05-17 22:35:44, Info CBS Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

          2017-05-17 22:35:44, Info CBS Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]

           

          you can find several possible solutions provided by Microsoft, for example:

           

          1. a. Press “Windows Key" to open Start menu
          2. b. Type “cmd” without quotes in the search box.
          3. c. On the left pane, right click on the “cmd” option and select “Run as Administrator”.
          4. d. Type ‘sfc /scannow’ without quotes and hit enter.

           

          Thanks,

          Bartosz