SURT Log Introductory Tutorial

Welcome to the first tutorial in a series which aims to teach the basics of analysing and fixing errors reported by the System Update Readiness Tool. You need have no former knowledge of the subject, only a desire to learn.

The most important thing about System Update Readiness Tool logfiles is not to panic. There is a great tenancy on online communities at the moment not to recognise a logfile, particularly these logfiles, and simply ignore them. Most logfiles can be deciphered with some concerted effort and web searching. However, I intend to outline here some basic techniques used in the analysis of these logfiles. Further understanding should be gained through the other tutorials and indexes on this website, and through practice.

CheckSUR.log and CheckSUR.persist.log

If the System Update Readiness Tool (SURT) is run multiple times, multiple log files will have been created. The CheckSUR.log file stores only the logfile from the latest run of the SURT. The CheckSUR.persist.log file contains the logfiles from every execution of the SURT, in chronological order.

This log file can be found in the %windir%\Logs\CBS (C:\Windows\Logs\CBS) directory.

The System Update Readiness Tool

This tool can be found at KB947821. It should be downloaded, and then installed. It looks like it installs like any other Windows Update, except for the fact that it doesn’t actually install itself, but actually runs itself whilst “installing”. Since it has not properly installed itself, it cannot be, and does not need to be, manually run after installation. It can be “installed” (run) multiple times.

The header

A CheckSUR.log contains a header, for example:

Checking System Update Readiness.
Binary Version 6.1.7600.20667
Package Version 8.0
2010-08-13 13:26

Notice the binary version. 6.0.x.x indicates either Windows Vista or Windows Server 2008. 6.1.x.x indicates either Windows 7 or Windows Server 2008 R2. 6.2.x.x indicates Windows 8 or Windows Server “8″.

The package version number indicates the version of the SURT. Always check this, and know the latest version number, as it is important to ensure that the latest version of the tool is being used.

The structure of a line

All CheckSUR.log lines take the same general form.

(f) CBS MUM Corrupt 0x800F0900 servicing\Packages\Package_2_for_KB2079403~31bf3856ad364e35~amd64~~ Line 1:

The first part of this line is (f). This denotes a fatal error. The two others available are (w) for warning, and (fix), which denotes an error which has already been fixed. Fix lines are not a replacement for a (f) line. They come as a separate line immediately below the (f) line. Always check for a (fix) immediately below a (f). For example:

(f)    CSI Missing Identity    0x00000000    identity    amd64_microsoft-windows-i..iccontent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06458c544252951f  �
(fix)    CSI Missing Identity    CSI Registry Item Repaired    amd64_microsoft-windows-i..iccontent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06458c544252951f

The second part of the line is the error message, in this case CBS MUM Corrupt. The third part of the line is the error code for this message, in this case 0x800F0900. Each of these types of error code is fixed in an entirely different way. The rest of this tutorial will be devoted to the most common. Use the database available on this website to look up fixing instructions for the rarer return codes:

The fourth part of the line is the item the error applies to. This may be a file, a folder, a registry key, or a registry value. In this case, it is servicing\Packages\Package_2_for_KB2079403~31bf3856ad364e35~amd64~~

Finally, the fifth part of the line is optional, and is not included in all error codes. Its value is entirely dependent on the error code. For details on how to use this for each error code, consult the database linked above. This this example, “Line 1:” gives us the first line of the corrupt manifest. This particular manifest has nothing in its first line, but sometimes a huge amount of junk data could be returned here.

Using just the structure of the line, and some research, or the database linked above, most errors can be fixed. The rest of this tutorial is given to a more detailed general approach, which applies to the vast majority of return codes. When in doubt, consult the database for details about that particular error.

Fixing common CheckSUR.log errors, including for 0x800B0100

Anyone who works with these logs for any length of time will soon come to learn that the 0x800B0100 error code is the most common error code which results in a situation where this sort of fix is required. However, these techniques can be applied to many different error codes, and not just the 0x800B0100 error.

First, some background. These errors occur because some files have become corrupt, for whatever reason. Replacing these files fixes the error. That is the theory. This is actually the theory surrounding most of the SURT. This tool reports corruptions in certain locations. The most usual technique required to fix such a corruption is simply to replace the file, no matter where it is. The remainder of this tutorial will show you how to source and replace a file, which will allow you to fix most CheckSUR.log errors. The other type of error this tool reports, however, are registry errors. Many of these will require the reconstruction of a certain key or value in the registry, and are considerably harder and less common than their file system counterparts. These are beyond the scope of this tutorial, and you should consult the database for each error type for this information.

Take a look at this log. Attempt to understand what each part of it (for example, the severity, the error message, the file in question, etc. etc.) is saying, if not how to fix those errors.

Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 12.0
2011-07-24 20:02

Checking Windows Servicing Packages

Package Manifests and Catalogs
(f) CBS MUM Corrupt 0x800F0900 servicing\Packages\Package_for_KB2479628_SP1~31bf3856ad364e35~amd64~~ Line 1:
(f) CBS Catalog Corrupt 0x800B0100 servicing\Packages\
(f) CBS MUM Corrupt 0x800F0900 servicing\Packages\Package_for_KB2479628~31bf3856ad364e35~amd64~~ Line 1:
(f) CBS Catalog Corrupt 0x800B0100 servicing\Packages\

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store
(f) CSI Manifest All Zeros 0x00000000 winsxs\Manifests\amd64_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.17535_none_1704df9bb135a53a.manifest amd64_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.17535_none_1704df9bb135a53a
(f) CSI Manifest All Zeros 0x00000000 winsxs\Manifests\wow64_microsoft-windows-win32k_31bf3856ad364e35_6.1.7600.16732_none_1f702c09e872af44.manifest wow64_microsoft-windows-win32k_31bf3856ad364e35_6.1.7600.16732_none_1f702c09e872af44

Seconds executed: 595
Found 6 errors
CSI Manifest All Zeros Total count: 2
CBS MUM Corrupt Total count: 2
CBS Catalog Corrupt Total count: 2

Unavailable repair files:

Customer Experience report successfully uploaded. Thank you for participating. For more information, see the Microsoft Customer Experience Improvement Program on the Microsoft web site.

If you look towards the bottom of the log, you will notice that all the files which you need to source for replacement are neatly grouped at the bottom of the log for you. However, if you look very closely, you will notice that all the .cat files are duplicated. This is just something you will have to get used to. If a .cat or a .mum file appears in the log, it appears twice at the bottom. I can only assume that this is a bug in the code at Microsoft’s end, as I can see no reason for it. Presumably cost-benefit analysis at Microsoft has concluded that this extremely minor bug is not worth fixing, and re-testing the entire program for.

However, I do have a theory about how this bug came about. Some more theory is required!

Whilst fixing errors in these logs, you will come across three main file types which require fixing: .manifest, .mum, and .cat.

.manifest and .mum files are both internally XML files, and can therefore be opened using Notepad, or a similar text editor. .cat files are security catalogs. .cat and .mum files come in pairs (in actual fact, a very few updates, primarily service packs, may contain an extra XML based .ses file which attaches to the primary package pair (more on this later), forming a trio), and are extremely closely related, whereas .manifest files are separate entities. I shall talk more about this later, but .cat and .mum files must always be replaced as a pair, even if only one file of the pair is corrupt. I therefore believe that this duplication was semi-deliberate, with the programming intending to convert one of the duplicated entries to the other file type (.cat to .mum, and .mum to .cat), to remind those reading the log file to replace them as a pair. However, I believe that this final conversion was forgotten, and so the current situation, with the duplication in the log file, arose. Although this is only my own, personal, theory, I do put faith in it. No matter what the cause, the duplication exists, and must just be ignored.

Manifest files reside in %windir%\Winsxs\Manifests, and catalog and mum files reside as a pair in %windir%\servicing\packages.

There are two parts to replacing these corrupt files, sourcing a good replacement, and performing the replacement.

Sourcing a clean copy of the file:

The most important thing to remember when sourcing a file is that very similar is not good enough! If you can’t quite find the right file, do not ever use a similar file instead. You MUST find the correct file!

Whilst some people will, or sometimes even recommend, finding the missing file on a different computer, I do not recommend this. That copy of the file is more likely to be corrupt than a cleanly downloaded copy, it takes much longer, and because most files only appear on certain computer configurations, you will need to maintain very many different computers to source files from. And occasionally, you won’t have the file you need at all. Much better to learn the proper way originally.

The first thing to do is to identify the KB update which the file originated from. This is usually very easy for .cat and .mum files, but can be significantly more difficult for .manifest files.

Most .cat or .mum files have a name the following example .cat file:

This take the form:

Package_{Package number}_for_{KB number}~{Public Key Token}~{architecture type}~~{version}.cat

Public key tokens, and what they are, are outside of the scope of this tutorial, and there is no need to know anything about them for fixing these errors, but if you are interested, there is a good explanation here: Dot net blog: Public keys and public key tokens.

There are also a couple of other formats of .cat and .mum files:

1: Primary package:

The primary package does not have a package number, and so that section is ommitted, for example:

2: Localised packages:

Localised packages have localisation strings inserted between the double tilde symbol in the name, just before the version number, for example:

It is perfectly possible for localised packages to appear on single language computers. They are required, and should be fixed, just like any other file.

3: Additional versioning:

An additional string is appended after the KB number and an underscore to indicate further versioning. The most common values will be RTM and SP1, although other values are possible, particularly on non-native components, for example vpc.

4: Fully named packages:

Some packages use a name instead of a KB number and package number. They usually belong to other, non-Windows Microsoft products, or core Windows components (native packages). These can cause problems, and will be discussed later, but for the record, some examples:

Short Practice Exercise:

Have a little fiddle in the %windir%\servicing\packages folder, and look at the naming conventions used for each of the different pairs of .mum and .cat files. See if your computer features any .ses files. Explore the .mum and .ses files in notepad, and simply double click on .cat files to explore them.

Once you have had a good look, come back for the rest of this tutorial.

Sourcing a clean copy of the file (part II):

I am sure that you have all worked it out by now, but to identify which KB article (Windows Update) a .cat or a .mum file originates from, you simply read it from the file name! The very observant among you might have noticed that not all .cat or .mum files have this information in their names. How to deal with this situation is dealt with later.

Now that you know the KB article, you can use it to extract a replacement. However, first, .manifest files.

Once again, there are a variety of naming conventions, for example:


You will notice that none of these contain a KB article number. Usually this doesn’t matter, because usually the corrupt update is missing both .cat or .mum files, and .manifest files. Although we may not be able to trace the .manifest files, by extracting the Windows Update files for the missing .cat and .mum files, and by looking there for replacement .manifests, the vast majority of files can be sourced. In the extremely rare cases where a .manifest file cannot be sourced in this way, a more complicated approach, outlined later, can be utilised.

Now that you know the KB numbers of the Windows Updates, either web search for them, or enter them in the URL{number}. Once you have reached that page, use the download link for IT Professionals, to reach the actual download page.

Short Practice Exercise:

Have a little fiddle in the %windir%\winsxs\manifests folder, and look at the naming conventions used for each of the different .manifest files. See if your computer has any .cat or .mum files there (most computers will have a very few .cat or .mum files there, with the vast majority in the normal location of %windir%\servicing\packages. Explore the .manifest files in notepad

Once you have had a good look, come back for the rest of this tutorial.

Short Practice Exercise:

Find the download links for the following KB articles (I recommend that you attempt all of these, as they each attempt to teach a subtly different point):

KB2586448 (Windows 7 x64, SP0, IE9)

Extracting an update:

Once you have downloaded the Windows Update file you believe to contain a clean copy of a file you are attempting to source, most usually with the file extension .msu, it must be extracted. It is imperative they you do not use 3rd party extraction programs (for example 7-Zip or Win-Rar) to extract either this .msu file, or any internal .cab files, as these programs incompletely extract such archives (in reality, some of these tools may work on service packs, but they certainly won’t work on normal updates, so I recommend always using this one safe method).

First create a small directory structure in a convenient location, with a new folder inside another new folder. I shall use C:\Update\Extracted (both new, empty, folders) as an example. Place the downloaded .msu file into the outer of the two folders (C:\Update\Windows6.1-KB2345886-x64.msu in this example).

Open up an instance of the Command Prompt, and type:

expand -f:* {update location and name}.msu {destination folder}
(for example, expand -f:* C:\Update\Windows6.1-KB2345886-x64.msu C:\Update)

Then type:

expand -f:* {update location and name}.cab {destination folder}
(for example, expand -f:* C:\Update\ C:\Update\Extracted)

Clean replacements of files can then be sourced from the C:\Update\Extracted folder.

(You may be pleased to learn that there is actually a tool for quickly extracting Windows Update files, although it is imperative to remember NEVER to use 3rd party extraction programs (for example 7-Zip or Win-Rar), and it is important to learn how to perform this technique manually before using a tool to automate the procedure).

Short Practice Exercise:

Download and extract, using this method, a clean copy of:

for a Windows 7 SP1 x64 computer. Please keep these extracted files handy, as you will be using them again very soon.

The default package:

I briefly mentioned the default package earlier in this tutorial, where I said that they take a general form without a package number, for example: (default package) (package number 1)

That was all that you needed to know back then, but there is a little bit more to the story. If you were to extract KB2345886 (the same KB which you just extracted into C:\Update\Extracted as a practice exercise), you will notice that it does not seem to contain the default package file ( This is actually not quite true – it does contain it, but under a different name –

If you ever need to extract a replacement of the default package, you must use the, or update.mum, and you MUST rename it. --> package_for_kb{kb number}~{public key token}~{architecture type}~~{version}.cat
update.mum --> package_for_kb{kb number}~{public key token}~{architecture type}~~{version}.mum

For example, -->
update.mum --> package_for_kb2345886~31bf3856ad364e35~amd64~~

You must not forget this. It is extremely important, comes up time and time again, and has confused many a good analyst.

Finally, the default package can also have versioned versions of it (remember from earlier in this tutorial, SP1, RTM, and occasionally others, such as VPC). These require no renaming, and should be treated just like any other .cat or .mum file. For example,

The bf files:

Look back once again at your extracted KB2345886. You will notice that every pair of .cat and .mum files has a linked pair of bf files, where _bf is inserted into the name directly after the kb number. For example,

You need to learn very little about bf files, except for the fact that they are different to their non-bf companions, can therefore not be used interchangable, but are extracted and repaired (and renamed, in the case of and update-bf.mum) in exactly the same way as their non bf companions.

Using clean copies of files to repair a computer:

Now that you have sourced all the required files (extracting multiple Windows Updates if required), it is time to replace the corrupt files on the affected computer. There are a couple of ways of doing this. I do not ever recommend altering permissions or ownership on system files. This is actually far more dangerous that it first appears, because permissions are a primary line of defense against malware, and there are easy alternatives which avoid the need for this. In addition, files are often in use, and need to be replaced over a reboot or with special tools, and so manual permissions altering and replacing is dangerous and often ineffective. Do not use it! There is no real need to! Provided below are safer alternatives.

Fortunately, there is a very neat solution provided for us by Microsoft through the SURT for .cat, .mum, and .manifest files (only these file extensions, unfortunately, due to security reasons, I think).

.cat and .mum files, in pairs (they MUST be paired up, even if only one is corrupt), can be placed in the %Windir%\Temp\CheckSur\Servicing\Packages directory, and .manifest files can be placed in the %Windir%\Temp\CheckSur\Winsxs\Manifests directory, and the System Update Readiness Tool re-run. The SURT will then perform the replacement of corrupt files, sourcing good files from the directories given above.

This is the best way of replacing corrupt files of these extensions. When the corruptions lie in other locations (primarily %WinDir%\Winsxs), or affect other file extensions, and this method cannot be used, an offline fix is the best solution. Both of these topics are outside of the scope of this introductory tutorial, and will be covered in full in separate tutorials.

Remember to rename all and update.mum files (and bf equivalents) before placing them in this directory.

The CheckSUR.log can then be re-analysed to confirm that all detected errors have been fixed. For example,

(f) CBS MUM Corrupt 0x800F0900 servicing\Packages\Package_2_for_KB2286198~31bf3856ad364e35~amd64~~ Line 1:
(fix) CBS MUM Corrupt CBS File Replaced Package_2_for_KB2286198~31bf3856ad364e35~amd64~~ from Cabinet: C:\Windows\CheckSur\v1.0\
(fix) CBS Paired File CBS File also Replaced from Cabinet: C:\Windows\CheckSur\v1.0\
(f) CSI Manifest All Zeros 0x00000000 winsxs\Manifests\amd64_mscorlib_b77a5c561934e089_6.1.7600.20717_none_3dbbc63282d93e16.manifest amd64_mscorlib_b77a5c561934e089_6.1.7600.20717_none_3dbbc63282d93e16
(fix) CSI Manifest All Zeros CSI File Replaced File: amd64_mscorlib_b77a5c561934e089_6.1.7600.20717_none_3dbbc63282d93e16.manifest From: C:\Windows\CheckSur\v1.0\

Practice Log 1:

If you haven’t already, now would be a very good time to put your new skills to practice, and attempt Practice Log 1.

What are Practice Logs?
Practice Log 1


Finally, the end of the first tutorial! I hope you learned something, maybe even enjoyed it! There is plenty more to learn though; this is only the beginning!

In the next tutorial I shall cover how to trace .manifest files which you cannot find in the normal way, through the hope that they originate from an update you have already extracted to create the fix. The third tutorial covers some extremely interesting and modern material, however. Although the techniques outlined above work well, and must be understood in order to understand and learn more complex subject matter, the truth is that these techniques are slow and antiquated. There are far too many people to help these days for each user to have a fix generated in such a manual and labour intensive way. Instead, automation techniques, scripts, and applications make the job of the analyst much simpler these days. The third tutorial covers these tools, and how they can be used to make your life so much easier.

