as seen on: Microsoft Windows [Version 6.1.7601] also known as Windows 7 Ultimate SP1 with automatic Updates enabled.

What is it?

“CBS stands for “Component-Based Servicing” and it basically (as far as I’ve read) is the way components get installed and uninstalled during updates. It is the reason you see “Stage 1”, “Stage 2”, and “Stage 3” during the Service Pack 1 install. “Stage 2” and “Stage 3” exists for the registry keys and files that are normally locked during regular operation.

If you want to investigate the CBS, check out %windir%\Logs\CBS\ and the log files inside of it. You might have a file in there called “FilterList.log” that lists the various filter drivers that the setup program “saw” during instal”

More Details?

Prior to Windows Vista, if you wanted to install optional components, Windows Updates or driver files on your system, the process was fairly simple.

Great… complexity always fails. (can not be handled after a certain point… because mankind is STUPID and not the CENTER OF THE UNIVERSE)

In Windows Vista, the new componentization architecture, known as Component-Based Servicing (CBS) changes the way that these components are installed.

The CBS architecture is far more robust and secure than the installers in previous operating systems.

Users benefit from a more complete and controlled installation process that allows updates, drivers and optional components to be added while simultaneously mitigating against instability issues caused by improper or partial installation.

CBS allows components and features from IIS to Windows Media Player to be packaged as small modules that encompass the full functionality of the component. In other words, each module contains all of the files, registry settings, and methods required for a full installation or removal of the component it contains. The Core componentization services include the following:

CBS (Component Based Servicing) – Also known as the trusted installer (TRUSTEDINSTALLER.EXE), which works at the package / update level
CSI (Component Servicing Infrastructure) – Works at the deployment/component level
DMI (Driver Management and Install) – Advanced driver installation processes
CMI (Component Management Infrastructure) – Handles the advanced installers
SMI (Systems Management Infrastructure) – Used to manage registry settings
Kernel Transaction Manager (KTM) – Enables clients to use the transactional registry and file system

The Servicing Stack in Windows Vista consists of three levels:

At the top of the stack are the top level clients, such as Windows Update, Programs and Features, and MSI, which deliver packages to a system. The top-level clients are also responsible for control of user input and collection of user preferences during the servicing process.
In the middle of the servicing stack is the Trusted Installer, CBS. The top-level clients pass downloaded packages to CBS, which evaluates each individually to determine if they are applicable to the system. For applicable updates, CBS provides the components to CSI, generates appropriate installation events, and registers packages with Programs and Features if needed. Finally, CBS exposes the interfaces to enumerate and inventory the updates.
At the bottom of the servicing stack is CSI, which uses the Kernel Transaction Manager (KTM) to do its work.

CSI is responsible for the actual installation of components. To install components, CSI utilizes the Component Store (the %windir%\WinSXS folder) which is a collection of all components, manifests (%windir%\WinSXS\Manifests) and files on the system. As new components are added, CSI moves them into the Component Store, and determines what state the component should enter. Staging determines the current state of the package on the file system. There are different staging activities that occur during the installation of a package:

Identify any files that are missing from the package. For a file to be installed, it must first be staged. Some may already present in the system store, others may need to be transferred from installation media or downloaded from network locations
Determine which files are required to install a package and identify files in other packages that may also be required
Resolve dependencies and ensure that all required files are present before installation begins
Complete installation

When a package is uninstalled, the process is reversed:

The installer creates a list of any files in use, and other actions that require system reboot
Remove the files or dependencies – files may either be removed from the system completely or may remain in the system store for future use.
Files not in use may be removed from the system, and the system is rebooted to release and remove any files that were in use

When a newer version of a component is installed on the system, CSI queries the Component Store to determine what components are being updated. When installing a component, CSI sets up a Primitive Operations Queue (POQ) which contains all files and registry keys that will be installed. Advanced installers or generic commands are then executed to complete installation. Advanced installers run in-process using CMI.

If there is a failure during installation of a component, CSI rolls back the entire installation. If a file or process is in use during a component installation and cannot be replaced, generic commands and advanced installer actions are written to %windir%\WinSXS\Pending.xml, and then written to disk on the following reboot. If several packages are installed at the same time, each additional package appends to Pending.xml. Additional logging during this phase occurs in %windir%\Logs\CBS\CBS.log.

And that brings us to the end of our post on Component-Based Servicing. Until next time …”


cbs 3Gbytecbs big files


Microsoft(R) Windows (R)-Ressourcenüberprüfungsprogramm, Version 6.0
Copyright (C) 2006 Microsoft Corporation. Alle Rechte vorbehalten.

Überprüft alle geschützten Systemdateien und ersetzt falsche Versionen mit


/SCANNOW        Überprüft die Integrität aller geschützter Systemdateien und
                repariert ggf. Dateien mit Problemen.
/VERIFYONLY     Überprüft die Integrität aller geschützter Systemdateien.
                Es erfolgt keine Reparatur.
/SCANFILE       Überprüft die Integrität der angegebenen Datei, und
                repariert ggf. die Datei, wenn Probleme gefunden werden.
                Es muss ein vollständiger Pfad angegeben werden. Pfad 
/VERIFYFILE     Überprüft die Integrität der angegebenen Datei.  Es erfolgt
                keine Reparatur.
/OFFBOOTDIR     Gibt den Speichort des Offlinestartverzeichnisses für
                Offlinereparaturen an.
/OFFWINDIR      Gibt den Speichort des Offline-Windows-Verzeichnisses für
                Offlinereparaturen an.


        sfc /SCANNOW
        sfc /VERIFYFILE=c:\windows\system32\kernel32.dll
        sfc /SCANFILE=d:\windows\system32\kernel32.dll
            /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows
        sfc /VERIFYONLY

C:\Users\Administrator>sfc /VERIFYONLY