Windows 7: CBS.log bug can fill your system drive

win7[German]In Windows 7 (and other versions) there is a CBS.log bug that Microsoft should have known about for years. A Windows component writes data to a log file, which can become very large as a result. However, a function to compress the log file fails if this file becomes too large. Then the system drive will be filled with trash data.


Advertising

Woody Leonhard has discussed the problem (after a reader's tip) on ComputerWorld. The bug occurs under Windows 7, Windows 8, Windows Server 2008 R2 and possibly under other versions. I have been alerted to this via Twitter (thx for that).

The Log File Size Problem

The problem: For some users Windows 7 runs out of free space on the system drive at some point because hundreds of files are written in C:\Windows\TEMP. The cause is a bug that Microsoft must have been aware of since 2015. A user describes the issue in Microsoft Answers in this forum thread

Component-Based Servicing (cbs.log) causes all drive space to be consumed

Because I've seen this question asked in many places and not answered, I thought I'd post my issue and resolution here.  I regard this as a Bug, but I'm not invested enough to deal with the support incident process.

I've had repeated instances where a Windows 7 x64 client runs out of hard drive space, and found that C:\Windows\TEMP is being consumed with hundreds of files with names following the pattern "cab_XXXX_X", generally 100 MB each, and these files are constantly generated until the system runs out of space.  Upon removing the files & rebooting, the files start being generated again.

I've found that this is caused by large Component-Based Servicing logs.  These are stored at C:\Windows\Logs\CBS.  The current log file is named "cbs.log".  When "cbs.log" reaches a certain size, a cleanup process renames the log to "CbsPersist_YYYYMMDDHHMMSS.log" and then attempts to compress it into a .cab file.

However, when the cbs.log reaches a size of 2 GB before that cleanup process compresses it, the file is to large to be handled by the makecab.exe utility.  The log file is renamed to CbsPersist_date_time.log, but when the makecab process attempts to compress it the process fails (but only after consuming some 100 MB under \Windows\Temp).  After this, the cleanup process runs repeatedly (approx every 20 minutes in my experience).  The process fails every time, and also consumes a new ~ 100 MB in \Windows\Temp before dying.  This is repeated until the system runs out of drive space.

In short: The Windows drive is filled with entries in the Temp folder because log files become too large.

  • The Component-Based Servicing function logs events under C:\Windows\Logs\CBS in cbs.log.
  • If this file reaches a certain size, the file is renamed CbsPersist_YYYMMDDHHMMSS.log.
  • If the file CBS.log reaches C:\Windows\Logs\CBS 2 GByte, Windows tries to compress this file with makecab.exe as CAB file.

The problem: makecab.exe cannot compress a file larger than 2 GByte. When trying, the tool creates a 100 MByte file under \Windows\Temp and fails after about 20 minutes with the compression. This is then repeated until the system drive is full. 


Advertising

Fix: Delete the CBS.log

If you run into this problem, you can only try to delete the CBS.log manually. The following steps are required to do this:

  1. Stop the Windows Modules Installer (TrustedInstaller) service. 
  2. Delete the large Cbspersist_XX.log file in \Windows\Logs\CBS or move it out of the directory.
  3. Restart the Windows Modules Installer (TrustedInstaller) service.

If the hard disk is already full, you can boot with Windows PE and delete the files in \Windows\Temp. Woody Leonhard describes the steps here in more detail. After a restart the writing of the 100 MByte files in \Windows\Temp by makecab.exe should be omitted.


Advertising

This entry was posted in issue, Windows and tagged , . Bookmark the permalink.

3 Responses to Windows 7: CBS.log bug can fill your system drive

  1. Crysta T Lacey says:

    Gunter,

    In its current iterations it was sound mostly like a WinSxS Bloat problem.

    I included everything people were coming up as a possibility just incase there were others with various concerns.

    In short if people maintain their PC's(I do mine once a week) they shouldn't have these problems

    Disk Cleanup
    DISM for the SxS ans Windows Directory in general
    SFC
    Some thing like CCleaner(file cleanup only, with an older Version)
    Activity Center Maintenance run.
    Defrag

    Best Regards,

    Crysta

    • guenni says:

      Thx for your thoughts. Within my German blog post, I received a bunch of user feedback from administrators. It seems, that this issue happens more often than I've espected (on my systems the files are pretty small).

      One user added an interesting comment. He wrote, that Windows 7 looks during each start at cbs.log and compress a file that's bigger as 32 MByte. But on systems, that are running for long time in 'standby/energy saving' mode, this checks are not done, so the 2 GByte limit is reached.

      • Crysta T Lacey says:

        Yes Gunter,

        I agree with him. What people whom run their PC's continually don't realise that allot of maintenance is done in a restart BUT even more is DONE through a a Shutdown and Cold Start. It is definitely part of my HEALTHY PC program every night, I Shutdown all my NAS and PC's everyday unless I have over night Runs like, Backups, 7 Zip, or Large Copies. That over night activity is rare.

        People like to believe that PC OS are so advanced in there Code. They are not, They are mostly based in '60s and '70s thinking and expertises in OS coding. That is how Legacy is handled as well as the foundations are built in the '80s and '90s. This is not just my assumptions or assertions.

        If you listen to the experts that really know the history and are speaking granularly and honestly with integrity, they will say the same things.

        Yes we know how to build much more advanced technology, development and coding techniques for OS's BUT that is not in Windows, Linux or BSD. Those OSes are stuck in the Past.

        Restarts and Shutdowns are most necessary for Personal Computers. ChromeBooks I suspect the same but I don't know.

        Crysta

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).