2

We have been having a push to get all 2k8 R2 servers up to SP1, and I've noticed that some of them have ~4.5 GB of files left in a folder in the root of the system root (C: drive).

This directory has a seemingly random name, eg C:\1830d38bd5fd4ccdcf. It contains the file "spinstall.exe", and another seemingly randomly named folder, which contains various other subfolders for different regions/languages (eg en-us, ja-jp, es-es) and an 879 MB windows6.1-KB976932-X64.cab file.

It appears to be the files required in order to install the service pack. I'm pretty sure it can be deleted with no ill effect, but I'd like to understand what it is doing there in the first place.

Usually, when installing SP1, you would see two events from "Service Pack Installer" in the eventlog. Event ID 1 would be logged when the installation is started, and event ID 9 would be logged upon successful completion of the SP install. On the servers which have this directory left behind, event ID 1 is logged, but no event ID 9. The SP appears to have been successfully installed, according to Winver.exe, and according to event ID 6009 which is logged on the subsequent boot (which says 'Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free').

I have nothing in the PendingFileRenameOperations or SetupExecute registry keys.

Adam Thompson
  • 587
  • 3
  • 12

1 Answers1

2

These are files extracted from the self-extracting archive of the service pack installer. They indeed should have been deleted upon installation completion. For one reason or the other, this has not been the case.

From the event log entries, you likely would not be able to identify the cause. You should be looking into the log file of the Windows Module Installer %windir%\Logs\CBS\cbs.logs for further clues.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • Many thanks for taking the time to respond. Unfortunately, my cbs.log file goes back to just 17 hours short of the material time. There's at least another 800 servers to be upgraded, so I'm sure I'll have the chance to check it out next week. – Adam Thompson Aug 23 '13 at 13:48
  • 1
    @AdamThompson Old logs are archived away. Check out the `CbsPersist.cab` files - they contain the compressed, archived logs up to ``. – the-wabbit Aug 23 '13 at 15:42