Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched the Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602).
With Windows 8 and 8.1 the first places to look for Update failures are in the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log - for those still unfamiliar with navigating the newer Windowses, you can reach a Run prompt to open these files using copy + paste by hitting the Windows key and "R" key at the same time.
If this issue is caught quickly, C:\Windows\WindowsUpdate.log should display a very detailed transaction history for Windows Update. If reviewing an older Update failure, older copies of this transaction log can be saved in subdirectories of C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ - the exact subdirectory can be found by consulting Event Viewer. The relevant log will be reported as Event ID 1001 from source Windows Error Reporting and will look like this:
The "These files may be available here:" directory will include a copy of the relevant WindowsUpdate.log. For this error, the transaction report should provide quite a bit of detail about what was going on with the Update Service through the time of the failure:
The Update settings were configured to prompt prior to download & installation. This was the first task launched after waking the computer from a Sleep state. The computer is not a virtual machine.
The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense - the update failed to download; as opposed to failing to install.
```
{C7C93C12-61E3-4998-9EBD-B448C62540A4} 2015-03-23 19:39:34:484-0400 1 161 [AGENT_DOWNLOAD_FAILED] 101 {FD8A47F9-2E75-4763-AE52-777D471C87C8} 201 80200056 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.
```
Right away my first instinct is a networking problem related to the sleep state. Going back to the Run prompt, I type `eventvwr` to bring up the Event Viewer log entries. I expand the Windows Logs icon in the left navigation pane and select the System folder. A few seconds after the failed content download I see this:
The browser has forced an election on network \Device\NetBT_Tcpip_{D03DC1BF-134A-4B75-B8F2-CD9086B301E1} because a master browser was stopped.
This would seem to confirm that there was in fact a networking issue; one relating to the always-disruptive Computer Browser service. The computer this issue occurred on does in fact reside on a network with a number of other Windows computers. The computer was also part of a homegroup. It was unlikely that any of the Windows computers had modified default LMHOSTS / NetBIOS over TCP/IP settings beyond configuration of the Homegroup.
This is a very long-winded blog post for what ended up being a very brainless solution. I launched the update service through the Control Panel in the Desktop user interface as opposed to the Metro user interface and the update completed successfully. Because my logs show that a Browser election was forced and successfully completed seconds after the download failure, it is likely a retry within Metro would have worked as well.
Still, there is a reason why I described the issue in this much detail, and that is because there seems to be a great deal of misunderstanding about this error and what is needed to resolve it.
First and foremost, Error 80200056 only indicates a download failure for Windows updates - not a permissions failure, and it is not what I would describe as a warning sign of malware infection. It's possible, I suppose, that a compromised host could display this error, but it is highly unlikely to be the only problem with a host that has been compromised through the updates system - there are a number of other places, like BITS and certificate trust issues, that are likely to occur as well. Quite a few of the articles I have seen on this issue on the internet are hysterical in their screams of "It's a virus!" when this issue comes up - even in paid technical support pages.
I have also seen incorrect explanations of KB2267602, where "technicians" describe this update as a one-time package. In at least one webpage I saw, a technician told a user that, since KB2267602 was a package that "should have" been installed 9 months ago, the last 9 months of updates were likely corrupted, instead of a single virus definition. This claim is outrageous. Systems using Windows Defender should see regular downloads of KB2267602 in their Update History. Individual definition files can be told apart by their definition signature. The distinction is obvious:
[Figure: Windows Defender Definition Update Logs]
```
Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.17489
P2: 80200056
P3: FD8A47F9-2E75-4763-AE52-777D471C87C8
P4: Download
P5: 101
P6: Unmanaged {9482F4B4-E343-43B6-B170-9A65BC822C77}
P7: 0
P8:
P9:
P10:

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.9.9600.17489_60820ed604236fc9285c92356031cd8da6466_00000000_cab_164a6aea

Analysis symbol:
Rechecking for solution: 0
Report Id: deccbe22-d1b5-11e4-8269-c7e81028dc3b
Report Status: 4
```
```
19:39:34:015 892 191c AU #############
2015-03-23 19:39:34:015 892 191c AU ## START ## AU: Download updates
2015-03-23 19:39:34:015 892 191c AU #########
2015-03-23 19:39:34:015 892 191c AU # Approved updates = 1
2015-03-23 19:39:34:015 892 191c AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
2015-03-23 19:39:34:015 892 191c IdleTmr Incremented idle timer priority operation counter to 2
2015-03-23 19:39:34:031 892 191c AU AU initiated download, updateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201, callId = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031 892 18b0 DnldMgr *********** DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp] ***********
2015-03-23 19:39:34:031 892 18b0 DnldMgr * Call ID = {D9E27348-F835-47F4-8C48-7F6F84A58614}
2015-03-23 19:39:34:031 892 18b0 DnldMgr * Priority = 3, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 1, Explicit proxy = 0, Proxy session id = 1, ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}
2015-03-23 19:39:34:031 892 18b0 DnldMgr * Updates to download = 1
2015-03-23 19:39:34:031 892 18b0 Agent * Title = Definition Update for Windows Defender - KB2267602 (Definition 1.193.3478.0)
2015-03-23 19:39:34:031 892 18b0 Agent * UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}.201
2015-03-23 19:39:34:031 892 18b0 Agent * Bundles 3 updates:
2015-03-23 19:39:34:031 892 18b0 Agent * {78E75BF6-5B6F-4FCB-AD33-9A5618E50403}.200
2015-03-23 19:39:34:031 892 18b0 Agent * {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200
2015-03-23 19:39:34:031 892 18b0 Agent * {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201
2015-03-23 19:39:34:031 892 18b0 DnldMgr No locked revisions found for update FD8A47F9-2E75-4763-AE52-777D471C87C8; locking the user-specified revision.
2015-03-23 19:39:34:031 892 18b0 DnldMgr No locked revisions found for update 9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1; locking the user-specified revision.
2015-03-23 19:39:34:046 892 191c AU # Pending download calls = 1
2015-03-23 19:39:34:046 892 191c AU <<## SUBMITTED ## AU: Download updates
2015-03-23 19:39:34:062 892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 760; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:062 892 18b0 IdleTmr Incremented idle timer priority operation counter to 3
2015-03-23 19:39:34:093 892 18b0 DnldMgr *********** DnldMgr: New download job [UpdateId = {9B5A0E5A-4ED6-47B6-B0B2-B45C537C02A1}.201] ***********
2015-03-23 19:39:34:109 892 18b0 DnldMgr * BITS job initialized, JobId = {8F94CFCA-5055-4CD6-B71E-13F540B0BC5F}
2015-03-23 19:39:34:171 892 18b0 DnldMgr * Downloading from http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/am_delta_48e485cc83da49bce931292934e1d75788e0629a.exe to C:\Windows\SoftwareDistribution\Download\a72da7d4ae868d3ed29b457ac7415777\48e485cc83da49bce931292934e1d75788e0629a (full file).
2015-03-23 19:39:34:203 892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob) started; operation # 762; does use network; is not at background priority; will NOT stop idle timer
2015-03-23 19:39:34:203 892 18b0 IdleTmr Incremented idle timer priority operation counter to 4
2015-03-23 19:39:34:234 892 18b0 DnldMgr *********
2015-03-23 19:39:34:234 892 18b0 DnldMgr ** END ** DnldMgr: Begin Downloading Updates [CallerId = AutomaticUpdatesWuApp]
2015-03-23 19:39:34:234 892 18b0 DnldMgr *************
2015-03-23 19:39:34:312 892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312 892 db4 DnldMgr Progress failure bytes total = 295552, bytes transferred = 0
2015-03-23 19:39:34:312 892 db4 DnldMgr Failed job file: URL = http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/defu/2015/03/mpsigstub_5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee.exe, local path = C:\Windows\SoftwareDistribution\Download\f160e023de7cfeeda671dc169ba732fb\5dfd7f28a79c6fac6a908b9e5c2cf4e56320f3ee
2015-03-23 19:39:34:312 892 db4 DnldMgr CUpdateDownloadJob::GetNetworkCostSwitch() Neither unrestricted or restricted network cost used, so using current cost
2015-03-23 19:39:34:375 892 db4 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 760) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:375 892 db4 IdleTmr Decremented idle timer priority operation counter to 3
2015-03-23 19:39:34:375 892 db4 DnldMgr Error 0x80200056 occurred while downloading update; notifying dependent calls.
2015-03-23 19:39:34:375 892 12ec AU >>## RESUMED ## AU: Download update [UpdateId = {FD8A47F9-2E75-4763-AE52-777D471C87C8}]
2015-03-23 19:39:34:375 892 12ec AU # WARNING: Download failed, error = 0x80200056
2015-03-23 19:39:34:437 892 18b0 DnldMgr *********
2015-03-23 19:39:34:437 892 18b0 DnldMgr ** END ** DnldMgr: Download Call Complete [Call 5 for caller AutomaticUpdatesWuApp has completed; signaling completion.]
2015-03-23 19:39:34:437 892 18b0 DnldMgr *************
2015-03-23 19:39:34:468 892 18b0 IdleTmr WU operation (DownloadManagerDownloadJob, operation # 762) stopped; does use network; is not at background priority; will NOT start idle timer (task did not previously stop it
2015-03-23 19:39:34:468 892 18b0 IdleTmr Decremented idle timer priority operation counter to 2
2015-03-23 19:39:34:468 892 12ec AU Download call completed, hr = 0x80200056
2015-03-23 19:39:34:468 892 12ec AU #########
2015-03-23 19:39:34:468 892 12ec AU ## END ## AU: Download updates
2015-03-23 19:39:34:468 892 12ec AU #############
```

That's pretty much it. Since this has brought the always-irritating Computer Browser service to my immediate attention, I think I will write a more detailed post about it as well as some common issues here soon - as online documentation is few and far between on it.
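For triage of a saved WindowsUpdate.log, the following added example (not part of the original post) pulls out each failed BITS job and splits its HRESULT into severity, facility and code, which shows which subsystem raised the error. The function names are hypothetical, the sample lines are copied from the excerpt above, and the facility numbers are the standard winerror.h values.

```python
import re

# Constructed sample: three entries copied from the WindowsUpdate.log excerpt on this page.
SAMPLE_LOG = """\
2015-03-23 19:39:34:015 892 191c AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
2015-03-23 19:39:34:312 892 db4 DnldMgr WARNING: BITS job {F79CE1D4-F6F3-4D14-A8AB-704A88E200AC} failed, updateId = {768A90D1-09F4-475A-A4AF-6FCBB85222F1}.200, hr = 0x80200056, BG_ERROR_CONTEXT = 2
2015-03-23 19:39:34:312 892 db4 DnldMgr Progress failure bytes total = 295552, bytes transferred = 0
"""

# HRESULT facility numbers from winerror.h (only the two this log uses).
FACILITIES = {7: "WIN32", 32: "BACKGROUNDCOPY (BITS)"}

# timestamp, process id, thread id, component, message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$")
BITS_FAIL = re.compile(r"BITS job (\{[0-9A-F-]+\}) failed, updateId = (\S+), hr = (0x[0-9a-fA-F]{8})")
PROGRESS = re.compile(r"bytes total = (\d+), bytes transferred = (\d+)")

def decode_hresult(value):
    """Split an HRESULT string into its failure bit, facility and code."""
    hr = int(value, 16)
    facility = (hr >> 16) & 0x1FFF
    return {"failure": bool(hr >> 31),
            "facility": FACILITIES.get(facility, str(facility)),
            "code": hr & 0xFFFF}

def bits_failures(log_text):
    """Return one record per failed BITS job, with byte counts when logged."""
    failures = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # banner or truncated line without a full timestamp
        timestamp, _pid, _tid, component, message = entry.groups()
        if component != "DnldMgr":
            continue
        failed = BITS_FAIL.search(message)
        progress = PROGRESS.search(message)
        if failed:
            job, update_id, hr = failed.groups()
            failures.append({"time": timestamp, "job": job,
                             "update": update_id.rstrip(","), "hr": hr,
                             **decode_hresult(hr)})
        elif progress and failures:
            # The progress line follows the failure it belongs to.
            failures[-1]["total"], failures[-1]["transferred"] = map(int, progress.groups())
    return failures

if __name__ == "__main__":
    for record in bits_failures(SAMPLE_LOG):
        print(record)
```

On the sample lines, 0x80200056 decodes to the BITS facility with zero bytes transferred, while the earlier 0x80070490 warning decodes to a Win32 facility code.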