Registry Key for Reports May Cause Windows Updates to Fail and Revert

A recommended registry change for EventLog Analyzer has recently caused our Windows Hyper-V host servers to fail every time they applied Microsoft updates. The server O/S was Windows Server 2012 Data Center. This is a report of the situation and what was done to fix it.

On page http://help.eventloganalyzer.com/configuring-out-of-the-box-reports in the User Guide for EventLog Analyzer, there is a recommendation to add certain keys to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Service > eventlog. One of these keys, Microsoft-Windows-Hyper-V-Worker-Admin, recently prevented our Hyper-V servers from applying a recent update (September 2017) to a Hyper-V component (Virtual Machine Worker Process, vwmp.exe).

THE SYMPTOM: Windows Update would apply monthly security updates, then restart, then run the second part of the update process at Windows start-up. The process would get to about 91% complete, then fail. The display was "Failure configuring Windows updates. Reverting changes." The server would then restart multiple times, apparently once for each update package being reverted.

THE CAUSE: The Microsoft update package included a rare update to a Hyper-V component (vwmp.exe). At the very end of the update, the process attempts to write a record of this change into the Hyper-V-Worker-Admin event log. It tries to get data from the blank registry key Microsoft-Windows-Hyper-V-Worker-Admin, created for EventLog Analyzer. The update process is unable to read the parameters it needs from the empty registry entry, it cannot write its data to the event log, and then goes into a failure condition and rolls all updates back.

THE IMMEDIATE FIX: Deleted the registry key that was manually added to support EventLog Analyzer. In this case it was HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Hyper-V-Worker-Admin. Restarted the server. Then ran Windows Update, which now responded normally and was able to complete all tasks.

Having updated the servers successfully, I suppose I could put the Microsoft-Windows-Hyper-V-Worker-Admin key back in registry. It would depend on which is more valuable -- the event log data going to EventLog Analyzer, or the stability of the Hyper-V host.

I speculate that a similar situation is possible for any of the other event logs that have been made 'administrative' logs for EventLog Analyzer by adding registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\. The Windows update process may fail if it is supposed to write events to those event logs and cannot. How likely that is to happen I have no idea; I think it is pretty rare.

Ideally, it would be good if there were a better way to make the event logs available to EventLog Analyzer that does not imperil the ability of Windows Update to write data to the event logs with unusual registry keys.

- Charlie Savage
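As an added example, not code from the original post or from EventLog Analyzer: a PowerShell audit that lists every subkey of the EventLog service key that holds no values (the blank-key situation described above) and exports each one to a .reg file, so the key can be reviewed before the next patch cycle and restored later if the admin decides the log data is worth more than the risk. The backup folder path is an assumption, and the script cannot tell a manually added blank key from one Windows created, so each hit should be checked against the list of keys that were added by hand.

```powershell
# Added example, not from the original post or from EventLog Analyzer.
# Audits HKLM\SYSTEM\CurrentControlSet\Services\EventLog for subkeys that hold
# no values and backs each one up to a .reg file before any removal is decided.
# Assumes an elevated PowerShell session on the host; $BackupFolder is a placeholder.
$EventLogKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$BackupFolder = 'C:\Temp\EventLogKeyBackups'   # placeholder path, change as needed

function Get-BlankEventLogKeys {
    param([string]$Path = $EventLogKey)
    foreach ($key in Get-ChildItem -Path $Path) {
        # GetValueNames() returns nothing for a key with no values; an unset
        # (Default) value is not counted, which is exactly the blank-key case.
        $names = @($key.GetValueNames())
        if ($names.Count -eq 0) {
            [pscustomobject]@{
                Name = $key.PSChildName
                Path = $key.Name   # e.g. HKEY_LOCAL_MACHINE\SYSTEM\...\EventLog\<Name>
            }
        }
    }
}

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$KeyPath, [string]$Folder = $BackupFolder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $file = Join-Path $Folder (($KeyPath -split '\\')[-1] + '.reg')
    # reg.exe export writes a .reg file that can later be restored with reg.exe import
    & reg.exe export $KeyPath $file /y | Out-Null
    return $file
}

$blank = @(Get-BlankEventLogKeys)
if ($blank.Count -eq 0) {
    Write-Output "No blank subkeys under $EventLogKey."
} else {
    Write-Warning "Blank EventLog subkeys found; review them before the next Windows Update run:"
    foreach ($k in $blank) {
        $backup = Backup-RegistryKey -KeyPath $k.Path
        Write-Output ("{0,-50} backed up to {1}" -f $k.Name, $backup)
    }
}
```

Run it once before applying a cumulative update on a host that carries EventLog Analyzer's recommended keys; the .reg backups let the key named in the post be put back with `reg.exe import` after patching completes.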