Just plain weird gigantic CBS.log

Discussion in 'Windows 7' started by Underclocked, Sep 5, 2015.

  1. Underclocked

    Underclocked MDL Member

    #1 Underclocked, Sep 5, 2015
    Last edited: Sep 5, 2015
    I've finished working on two small Dell computers just this evening. Both are Windows 7 Pro. After getting ALL the available updates from Microsoft, I used a script to uninstall those updates related to pushing Windows 10 and telemetry.
    The first one I did this to was a brand spankin' new Dell Optiplex (don't recall model number, they all look alike :D) SFF. The uninstalls seemed to go without issue, but after rebooting, the CBS.log file was 3.3GB in size. WTH!!?

    The other was an older Optiplex 780 SFF and its CBS.log only grew to about 800MB.

    I attempted to delete both of them with the same immediate result. Both were in use by Trusted Installer and neither would allow deletion. So I killed Trusted Installer and immediately deleted those CBS.log files. I replaced them with two new files made in Notepad and they both functioned normally afterward. One stayed at 1KB in size while the other grew to 10KB.

    I have never before seen anything like this. Any ideas as to what was going on? I've a paranoid theory of my own but can't prove any of it.
     
  2. Palladin

    Palladin MDL Senior Member

    #2 Palladin, Sep 5, 2015
    Last edited by a moderator: Apr 20, 2017
    I'm running Win 7 Ultimate, 64 Bit, so this might not apply to other versions, but probably will.

    Nothing weird is probably going on. Windows writes to that log file way too much information. Somebody at Microsoft figured it would be a good idea to log every little bit of information they could. As the log file grows to some pre-determined amount, it will be archived, and stored in the same CBS directory. The archive files can be quite large and some report tens of gigs of space taken up by them. I got a feeling that all of this info gets sent back to MS at some point, but I can't be 100% sure.

    In some ways that's a good thing, since troubleshooting is much easier with detailed logs. But the way they organized the collection leaves much to be desired. Finding information in what gets written when is problematic at best.

    Once a month I restore a clean working image and then update it with all the necessary Windows and other software updates, leaving out the ones that I don't want and adding the ones I want. When I did it this month, the CBS file started out at 0 bytes and grew to over 950MB in an hour or so. :confused: I took a look at it and there was entry after entry of stuff that meant nothing to me. I deleted the file.

    I noticed this behavior long ago and decided to do something about it. Since the log files are pretty much useless to the average person, I figured I'd copy them to a daily file, store the daily file for a while and then delete the daily files after a while. I'm sure that there is valuable information in the CBS log files, but I have never used it, and honestly have no clue as to what all the entries mean. Somebody at MS probably does, but the entries are a mystery to me.

    I created a directory under the C:\Windows\Logs\CBS\old and then run this batch file once a day:
    Code:
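    rem Rename the live log to MMDDYY_HH.MM.SS_CBS.Log (offsets depend on the regional date/time format)
    ren "%windir%\logs\cbs\cbs.log" "%date:~4,2%%date:~7,2%%date:~12,2%_%time:~0,2%.%time:~3,2%.%time:~6,2%_CBS.Log"
    rem Copy every log, renamed or not, into the "old" archive directory
    copy "%windir%\logs\cbs\*.log" "%windir%\logs\cbs\old"
    rem Pause so a failed rename (file in use) is noticed before the originals are deleted
    pause
    del "%windir%\logs\cbs\*.log" /f /q
    rem Clear the DISM and DPX logs as well
    del "%windir%\logs\dism\*.*" /f /q
    del "%windir%\logs\dpx\*.*" /f /q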
    
    This renames the CBS.log file to today's date and time and looks like this: "090515_ 4.40.14_CBS.Log" Where the 090515 is the current date, the 4.40.14 is the time. You can format the time and date differently if you want.


    To see the different options in parsing out the system %date% and %time% variables, copy the code snippet below, save it as a .bat file and run it to see the different date options available. Note: The way you parse the variables will depend on the Time and Date formats for your region. If you get goofy results that don't match what's in this batch file, then check your Date and Time settings in Control Panel. Note: The offset count begins at 0, not 1.

    I wanted to format the time as HH:MM:SS but ran into errors trying to use a ":" (colon) in the command line, so I ended up using a "." in the final batch file I ended up using.
    Code:
    @echo off
    cls
    echo Date format = %date%
    echo dd = %date:~7,2%
    echo mm = %date:~4,2%
    echo yyyy = %date:~10,4%
    echo.
    echo Time format = %time%
    echo hh = %time:~0,2%
    echo mm = %time:~3,2%
    echo ss = %time:~6,2%
    echo.
    echo Timestamp = %date:~4,2%-%date:~7,2%-%date:~10,4%_%time:~0,2%.%time:~3,2%.%time:~6,2%
    
    An alternate option is this syntax:
    Code:
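    rem Option 1: split %time% on ":" and join the parts with "-"
    for /f "tokens=1-5 delims=:" %%d in ("%time%") do rename "%windir%\logs\cbs\cbs.log" "%%d-%%e-%%f_cbs.log"
    rem Option 2: replace "/" in %date% and ":" in %time% with "-" (use one option or the other, not both)
    ren "%windir%\logs\cbs\cbs.log" "%date:/=-% %time::=-%_CBS.Log"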
    
    I compressed the command line to eliminate spaces in the output, and it's a little hard to parse out. Here's what it looks like with the commands separated:

    Code:
    This is the command with the spaces added. It parses fine without them, but it's a bit awkward to read
    ren "%windir%\logs\cbs\cbs.log" "%date:~4,2% %date:~7,2% %date:~12,2%_%time:~0,2%.%time:~3,2%.%time:~6,2%_CBS.Log"
    --------------------------------------------^-----------^------------^-----------^-----------^-----------^
    
    Be aware that if you run this batch file while Windows is writing information to the CBS log file, you will get an error message. The file will be copied but not renamed to the date and time. That's why I insert a "Pause" in the batch file, so I know to rename the file to the current date and time. After a while your backup directory will look something like this:

    CBS-Log-File.png

    And while you are at it, you may as well clean up the Extended Trace Log files (*.etl) that Windows creates and sends back to the mother ship:

    echo Now clearing the etl files ....
    del %programdata%\Microsoft\*.etl /s /f
    del %systemdrive%\Users\*.etl /s /f
    del %windir%\system32\*.etl /s /f
    del %windir%\servicing\sqm\*.* /s /f /q

    Good luck.
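
    Added example, not part of Palladin's post or any script from this thread: the same rotate-and-archive routine in PowerShell, with a timestamp that does not depend on the regional date format, a copy fallback for when the log is in use, and age-based pruning so older logs stay available for troubleshooting. The archive folder (placed outside %windir%\Logs), the 30-day retention and the 500 MB warning threshold are assumed values.

```powershell
# Added example, not from the thread. $ArchiveDir, $KeepDays and $WarnMB are assumed values.
# Save as a .ps1 and run elevated; uses only cmdlets available in PowerShell 2.0 (Windows 7).
param(
    [string]$LogDir     = (Join-Path $env:windir 'Logs\CBS'),
    [string]$ArchiveDir = 'C:\LogArchive\CBS',  # assumption: outside %windir%\Logs
    [int]$KeepDays      = 30,                   # assumption: retention window
    [int]$WarnMB        = 500                   # assumption: size worth a second look
)

$live = Join-Path $LogDir 'CBS.log'
if (-not (Test-Path $live)) { Write-Output "No CBS.log found in $LogDir"; return }
if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# Record the size first: a multi-gigabyte CBS.log is itself worth noting.
$sizeMB = [math]::Round((Get-Item $live).Length / 1MB, 1)
if ($sizeMB -ge $WarnMB) { Write-Warning "CBS.log is $sizeMB MB" }

# Fixed-width, zero-padded, colon-free timestamp that does not depend on regional settings.
$stamp = (Get-Date).ToString('yyyyMMdd_HHmmss', [Globalization.CultureInfo]::InvariantCulture)
$dest  = Join-Path $ArchiveDir "${stamp}_CBS.log"

try {
    # Fails with an error while TrustedInstaller has the file open.
    Move-Item -Path $live -Destination $dest -ErrorAction Stop
    Write-Output "Rotated CBS.log ($sizeMB MB) to $dest"
}
catch {
    # Locked file: keep a timestamped snapshot and leave the live log in place.
    Copy-Item -Path $live -Destination $dest -ErrorAction Stop
    Write-Output "CBS.log is in use; copied a snapshot to $dest"
}

# Prune archives older than the retention window instead of deleting everything.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $ArchiveDir -Filter '*_CBS.log' |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Force
```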
     
  3. Underclocked

    Underclocked MDL Member

    Thanks Palladin. I had never encountered a single example of a CBS.log file being anywhere near as large as those two were. Encountering both huge files in a two day period makes me wonder if something about those more recent updates (and possibly uninstalling them) makes for such growth in file size.
     
  4. Carlos Detweiller

    Carlos Detweiller MDL Spinning Tortoise

    Somehow I feel this is directly related to WU/MU taking ages checking for updates. Regular CCleaner runs (with CCEnhancer) should keep those at bay.
     
  5. Palladin

    Palladin MDL Senior Member

    I think you are right, but it's hard to get your head around how Windows can write a 950MB file in under an hour. I don't remember if I checked the number of lines in that file, but based on the other files it was probably 500,000-700,000 lines written to that file in about an hour. And I have to question WTF that was all about. To say nothing of the system resources required to do it. And for a gigabyte file, it had to extract even more resources.

    On another note, when you mentioned Ccleaner, I thought to myself, "Hmm...I haven't run that program in a while." I downloaded the latest version, checked all the boxes, and let it run. When I went to do some maintenance on the CBS directory where I had stored the old files, the directory was empty. o_O As were all the files in the DISM and DPX sub-directories.

    Seems like Ccleaner got rid of all files in those directories. NBD, but I find it odd that Ccleaner would delete all the files in a non-standard Windows sub-directory (old) that I created under the CBS directory. I'll have to remember to move them someplace before I run Ccleaner again.

    Oh well, live and learn.
     
  6. abbodi1406

    abbodi1406 MDL KB0000001

    #6 abbodi1406, Sep 5, 2015
    Last edited by a moderator: Apr 20, 2017
  7. Underclocked

    Underclocked MDL Member

    No, had not done that, abbodi1406. I no longer have the two computers in my possession.
     
  8. Palladin

    Palladin MDL Senior Member

    #8 Palladin, Sep 5, 2015
    Last edited by a moderator: Apr 20, 2017
  9. abbodi1406

    abbodi1406 MDL KB0000001

    I don't know

    but the variable description is clear, it's for tracing and logging
    so yes, I would delete it
     
  10. Palladin

    Palladin MDL Senior Member

    I deleted the windows_tracing_logfile as well as the windows_tracing_flags and I'm happy to report that for the last few days, Windows hasn't even created one CBS.log file.

    Zip, zero, nada.:biggrin:

    Although I did run DWS_1.5.345 (Destroy Windows Spying) so that might have something to do with it. Dunno

    I'm hoping that there's nothing in those logs I need to worry about. But since I've never used them I don't think I'll miss them.
     
  11. Underclocked

    Underclocked MDL Member

    #11 Underclocked, Sep 11, 2015
    Last edited: Sep 11, 2015
    (OP)
    Deleted those as well. Will see if any monsters arise. :D I ran sfc /scannow and my CBS.log was recreated at 0kb.