Long-standing bug in Win7 log file compression can suddenly fill your hard drive

Topic

New Reply

I’ve seen reports of hundreds of GB of junk files maxing out big hard drives. Microsoft knows all about the problem, but hasn’t deigned to fix it. Inf
[See the full post at: Long-standing bug in Win7 log file compression can suddenly fill your hard drive]

Reply | Quote

Replies

Never had this problem on any computer I’ve seen. makecab always seems to get the log compressed long before it has a chance to grow that much.

Reply | Quote

I’m not sure what combination of circumstances lead to the cbs.log file growing above 2 GB, but when it does, there’s helltopay.

Reply | Quote

I think there are good chances for this to happen when there is a large amount of Windows updates like in the case of a clean install.
Trusted Installer is managing the Component Based Servicing (CBS – the logs are located in that folder).
When Windows Update does a scan, there are 2 processes which run in sequence. First is Trusted Installer which does an inventory of what is on the system. This is logged in clear text on the CBS folder. When the amount of logging is huge, there is a possibility that one of the logs expands to more than 2 GB and when the makecab.exe does its compression cleanup, it crashes creating temporary files in the process, never finishing the compression job. And this repeats indefinitely until the temp files reach many GB and become noticeable.
The second process running during Windows Update and immediately after TrustedInstaller.exe is svchost.exe which does its scanning. This second process is in fact the Windows Update service wuauserv which was discussed here many times and affected by a separate bug – the known looping issue when there is a large amount of superseded updates to be processed.

There are other instances in which TrustedInstaller.exe runs outside of Windows Update, but related to installing Windows components. On servers this happens when the so called “Roles” and/or “Features” are installed or uninstalled. Every such activity is logged in detail in C:WindowsLogsCBSCBS.log, potentially creating the situation presented in the InfoWorld article.

Reply | Quote

A quick check of my most critical Win 7 system here, which primarily functions as a file server, shows a total of 85 MB of files in C:WindowsLogsCBS, the current CBS.log occupying only about 1 MB and the latest of 5 .cab files being about 12 MB and dated from May…

My strategy of disabling the Windows Update service except for when I want it to run means that the typical servicing activities that could lead to log bloat just aren’t happening. I find that comforting.

Everything I see reaffirms that my conservative system management strategy that involves taking control of WHAT runs WHEN is the right one. Who, today, *really* needs their older Windows system trying to update itself at a frantic pace? Especially now that Microsoft has proven that everything they are trying to deliver through Windows Update isn’t goodness and light.

http://Noel.ProDigitalSoftware.com/ForumPosts/Win7/HealthyWin7System.png

The question to ask oneself is: If I have a functional and stable older Windows system, used in a fashion that doesn’t put it in security risk situations, do I need Windows Update **at all**?

The answer isn’t “no” necessarily, but neither is it the simple, easy “yes” that it might have once been.

One’s Windows Update strategy is something that should occasionally be reviewed.

-Noel

Reply | Quote

I seen it happen after patch KB31616108 on W7/64 called for a restart to complete the install. The configuration step took several restarts then showed as failed to configure. Before trying again I decided to do a cold boot as I assumed the system needed to be free of all clutter. Before doing that I noticed the cab log had ballooned to around 4 GB from almost nothing so I ran ccleaner to erase the files and then did the shutdown

On reboot I started the MSI up again and the install and configuration was successful. The cab log was small after this.

I expect the failure to configure resulted in excessive log entries. Kernel updates can be unpredictable – never the same on all system configurations. Not saying that this is the cause, but W7 has had quite a few kernel updates recently and the problem seems to be recent.

Or maybe that fainting goat is the real problem (ha, really love that) it keeled over and revived itself. MS has its moments.

Reply | Quote

Go, goat!

Reply | Quote

Hi Woody. This does sound like the problem I’ve been having. I’m on 8.1 and it happened after I installed update kb3179574 on my main machine. It caused some error on boot up and caused I s*** you not 14-16 gigs to be eaten up. And each time I reinstalled Windows because I didn’t know any other way to fix it.

I’m on a 250 GB SSD so when I have 16 gigs being eaten up naturally I got a bit confused. Update kb3179574 caused some sort of boot up error. So should I avoid kb3179574 or install it and try this fix?

Reply | Quote

I think it’s too early to install any of the August patches. When the time comes, keep this fix in mind. I’d be interested in seeing if Win 8.1 falls to the same sort of shennanigans.

Reply | Quote

cbs.log bloat can be limited with registry tweak
http://pastebin.com/wrpqw1SD

CBSLogCompress
cbs.log always NTFS compressed

NumCBSPersistLogs
the number of cabbed logs, setting to 0 eliminate them (not created)

and if you want to get rid of cbs.log completely (not created), change EnableLog to 0 in
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionComponent Based Servicing]
require taking permissions ownership

Reply | Quote

Thanks for confirming. My recommendation and I insist about this is to avoid CCleaner unless you really, really understand everything it does. Maybe we should poll everyone and find out how many of those who have less stable systems use third-party products like CCleaner or excessive security suite products making big claims but in fact breaking systems.

Reply | Quote

This is not a fix as such, it is a good idea to keep an eye on those logs and see if any goes above 2GB. If this happens, then it is time to take action. I don’t expect this to happen many times in the life time of a PC used and updated normally, but it may happen once or twice in which case it can be catastrophic, requiring reinstallation if troubleshooting does not provide relevant results.

Reply | Quote

Wow, thanks abbodi86.

Reply | Quote

Just to clarify, I used ccleaner to clean cache, history, cookies and Windows temp files – clutter (as I stated in my post). I did not clean the registry, if that is what you read into it. The cold boot did the rest.

Reply | Quote

You are right, I made reference to the Registry cleaning feature of CCleaner. Just as a matter of fact, why don’t you use the built-in features for each browser to remove what you mentioned in your post? Any third party tool, even those most evolved and trusted like CCleaner can introduce some sort of risk.

Reply | Quote

For my part, I find that CCleaner makes my system __more stable__ rather than less. I have read and (I think) understood all of the check-boxes. But without CCleaner, Google Search won’t run on my machine (yes I do know what the issue is, and what Google’s solution is, but I’m not going to play their game either).

Reply | Quote

Slow news month?

This issue is more than four years old: CBS.log file HUGE
https://social.technet.microsoft.com/Forums/en-US/3b0b2bbc-d295-4a1b-8818-0b76ebe36b5a/cbslog-file-huge

And the solution has been well-documented for 3.5 years:
Mysterious cab files fill-up temp folder
http://felixyon.blogspot.com/2013/03/mysterious-cab-files-fill-up-temp-folder.html

Has anything happened this year to make it topical again?

Reply | Quote

I’m seeing more reports of the same problem, probably due to people trying to perform clean installs of Windows 7. Felix’s blogspot post is accurate, but doesn’t include the necessary steps to perform the delete – if you follow his steps, you’ll be locked out of the file.

The bug itself has been around as long as Windows 7, best I can tell. That’s why I called it a “long-standing bug.” Microsoft still hasn’t fixed it.

Reply | Quote

Agreed, I could get the browsers to clean on exit by browser settings but I chose not to. I open and close several browsers during the day and appreciate the cache being there. The main reason I used ccleaner in this case was because it was a quick way to get rid of everything at once. I was able to view the temp file details in ccleaner before I erased them – the cab file log file being the major contributor.

Reply | Quote

If it suits you and works, it should be fine. I only flagged potential issues. CCleaner is a good and very powerful tool, only that I am not comfortable with the risks associated and potential for mistakes due mainly to user action. And probably most of all because if something does not go according to the plan, the user is by itself, the support (Microsoft or community) for a particular custom action is minimal.

Reply | Quote

@woody “…people trying to perform clean installs of Windows 7”

I am wondering why this happens after so many years from the release of Windows 7 (with or without SP1). Rolling back from poor experience with Windows 10 maybe and taking an opportunity to start fresh? I did the same few months ago and don’t feel bad about it, although I keep an eye on Windows 10 mostly due to professional interest.

Reply | Quote

What is the issue that you encounter with Google Search? It would be interesting to know and how it reacts to certain restrictions.

Reply | Quote

@abbodi86 I researched your suggestions and found that the values CBSLogCompress and NumCBSPersistLog are already configured on my Windows 7 64 bit, without doing anything special. The behaviour is the known one which is not broken for me. Those values seem not to be configured on servers, but may be default (implicit if missing). I need to do more tests for a definitive conclusion, but if you have more information, I think it would be very useful to understand more about this configuration. On Windows 2012 R2, I found CBS.log being NTFS Compressed, which may take a little bit space in case it expands out of control, but makecab.exe is still looking at the file size and not the space on disk, so NTFS compression may contribute to hiding the problem or delay the troubleshooting.
The value EnableLog set to 0 should do exactly so, I didn’t test it though. It may be very useful in larger image deployments rather than a single home user machine.

Reply | Quote

Nobody claimed to be a new bug discovery. It is just that it is not well known, Microsoft keeps quiet about it instead of documenting it and saying “it is by design” which is the truth and a lot of people complain more and more about issues with Windows Update. This is one of the possible reasons, because if the CBS Servicing Stack is corrupted, the log growing indefinitely and the temp files filling the hard-disk could be one of the symptoms.

Reply | Quote

It’s simply that I am reluctant to formally accept their T&Cs (since I don’t identify myself to them, and they should in any case treat any data about me fairly under Data Protection law). So after a few days, Google Search refuses (understandably) to run. Deleting their cookies makes me look to Google like a newby, who has to be allowed some grace period.

Reply | Quote

I actually forgot that those values works for Win8.1/Win10 only
sorry about that

but the value EnableLog set to 0 works for win7 to disable cbs.log, i’m 100% sure

Reply | Quote