Part 1 highlighted what Windows Servicing is and highlighted a number of documents that you will find beneficial if you are new to Windows Servicing and WaaS.
In this part we’ll discuss the Windows Component Store. The Windows Component Store is located at C:\Windows\WinSxS
What is the Windows Component Store?
The Windows component store contains all system components that are installed or updated as part of a Windows installation or servicing operation. Components that are in use are projected from C:\Windows\WinSxS to the C:\Windows\System32 or C:\Windows\System32\Drivers folder and have relationship known as hard link. This can be useful for understanding which version of a component is in use.
The WinSxS folder can contain updated versions of the same component but only one version of the component can actually be projected and in use. Take the following example:
On a Windows 10 2004 build you can see it has 2 versions of the same component amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.1_none_15ac74e69bb4c374
You can see from the date and time stamps that first component is the amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.1_none_15ac74e69bb4c374
This is the Release to Media (RTM) version that was on the original media when Windows 10 2004 was installed. This highlighted by 10.0.19041.1
The 2nd component is amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.423_none_3dc74b775b190662
Looking at the timestamp this was installed after the original RTM component and is highlighted by the version 10.0.19041.423
Build numbers are described in this format:
- Major = 10 Minor = 0 Build = 19041 Revision = 423
In theory the component with this build 10.0.19041.423 should the active component projected folder also referred to as a Winner.
Looking inside C:\Windows\WinSxS\amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.1_none_15ac74e69bb4c374 we can see 2 files
This is a driver file and can be found in C:\Windows\System32\Drivers.
We can check the hard link against acpi.sys and see what component it is linked to in the WinSxS folder by doing the following:
- Open an elevated command-line
- Type fsutil hardlink list acpi.sys
- See the result on the output
You can see from the output that the driver file acpi.sys is linked to our component amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.423_none_3dc74b775b190662
You can also track down the component in the Windows Registry. This may be useful for troubleshooting scenarios
- Open RegEdit.exe as an Admin
When a servicing operation takes place then the Components registry hive is imported into the registry. As no servicing operation is taking place we will need to add this manually
- Click on HKEY_LOCAL_MACHINE (HKLM)
- File > Load Hive
- Navigate to C:\Windows\System32\config
- Select COMPONENTS > Open
- Give it a name, the name you give it is not important
- Expand Components > DerivedData > Components
- Right-Click Components> Find
- Search for Keys amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.423_none_3dc74b775b190662
You can also locate the driver acpi.sys
- Expand Components > Drivers > amd64
- Right-Click Components> Find
- Search for Keys, acpi.inf
- You can see below that acpi.inf is part of 10.0.19041.423
Why does the Windows Component Store keep 2 copies of the same component?
Windows can keep multiple copies of the same component. This can be useful in scenarios where you may need to rollback an update which relies on an older component. The component store can have a clean up run against it to remove older components and reduce the size of the overall store
In Part 3 we’ll move on to looking at Update Handlers, CBS and CSI