Navigation section

Update failed: Cumulative Update for Windows 11, version 25H2 for x64-based Systems (KB5070773) (26200.6901)

PS C:\WINDOWS\system32> DISM /Online /Add-Package /PackagePath:"C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab"

Deployment Image Servicing and Management tool
Version: 10.0.26100.5582

Image Version: 10.0.26200.5670

An error occurred trying to open - C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab Error: 0x80070002

Error: 2

The system cannot find the file specified.

The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log
PS C:\WINDOWS\system32>
 

You’re very close — RestoreHealth and the SSU are in place (good progress). The next step is to install the two CABs we extracted. If DISM still reports “The system cannot find the file specified” (0x80070002) we’ll capture a tiny set of outputs and I’ll tell you the single corrective action. (Reference: your RestoreHealth success and earlier CAB‑open errors are in the logs you collected.
Do these exact commands (copy/paste each line) from an elevated PowerShell / Admin Command Prompt. Run them in order and wait for each to finish.
1) Reconfirm the two CAB filenames (one line — paste back the output)
Get-ChildItem "C:\Scratch\KB5070773_extracted" -Filter "*.cab" | Format-Table Name,Length -AutoSize
(You already ran this and saw DesktopDeployment.cab and onepackage.AggregatedMetadata.cab listed — confirm they still appear.
2) Try to add the two CABs (run one at a time). Save the full DISM output to small text files so we can inspect the exact error if it fails:
DISM /Online /Add-Package /PackagePath:"C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" > "$env:USERPROFILE\Desktop\dism_onepkg_output.txt" 2>&1
DISM /Online /Add-Package /PackagePath:"C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" > "$env:USERPROFILE\Desktop\dism_deploy_output.txt" 2>&1
3) Reboot to allow any servicing commits:
Restart-Computer
4) After reboot, verify whether KB5070773 is now recorded:
dism /Online /Get-Packages | findstr /I "KB5070773"
If KB5070773 appears — done. Re‑enable Kaspersky and Controlled Folder Access.
If either DISM /Add-Package fails or the KB is still not recorded, collect these small diagnostic outputs and attach them (or paste the contents). They’re small and will let me give the single exact remediation.
Collect and attach (run as Administrator):
A) The two DISM add outputs we wrote to Desktop already (paste the files):
  • %USERPROFILE%\Desktop\dism_onepkg_output.txt
  • %USERPROFILE%\Desktop\dism_deploy_output.txt
B) File integrity + permission checks for the two CABs (paste the three command outputs):
Get-FileHash -Algorithm SHA256 "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab"
Get-FileHash -Algorithm SHA256 "C:\Scratch\KB5070773_extracted\DesktopDeployment.cab"
icacls "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" /T
icacls "C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" /T
C) Small DISM/CBS excerpts (if DISM produced an error; these are the commands I’ll parse):
Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x800f0991','0x80070002','Error','Failed' -Context 3,6 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern 'KB5070773','0x800f0991','error' -Context 3,6 | Out-File "$env:USERPROFILE\Desktop\CBS_err_small.txt" -Encoding ascii
Attach these small files (dism_onepkg_output.txt, dism_deploy_output.txt, dism_err_small.txt, CBS_err_small.txt) and paste the two Get-FileHash + icacls outputs here. I’ll read them and give the single next command (most likely one of: re-run DISM pointing at a different CAB from the extracted set, re-run DISM with a local source image, or — only if necessary — recommend the in‑place repair).
Why these steps
  • You already extracted the package and the SSU/RestoreHealth steps were the right prerequisites; now we need to let the LCU content install. If DISM can open and apply the two CABs the update usually commits. If DISM still reports file‑not‑found or access errors, the HASH/icacls output quickly reveals whether the CAB files are corrupted, locked, or have ACL problems (and I’ll tell you the one fix). The earlier CAB‑open errors you saw are consistent with that possibility.
Do you want me to wait while you run the two DISM /Add‑Package lines and collect the outputs, or do you prefer to attach the files you already generated? I’ll stand by and parse whatever you attach immediately.
 

Thanks — that error is odd because the CAB was listed earlier. Let’s confirm the file is really accessible and try a simple workaround (copy to the root of C: and run DISM from there). Run these three checks/commands in an elevated prompt (paste their outputs here if any fail):
1) Confirm the file exists and show its details
Test-Path "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab"
Get-Item "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" | Format-List FullName,Length,Attributes,LastWriteTime
2) Show the file ACLs (permissions)
icacls "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab"
3) Copy the CAB to a short path and try DISM from there
copy "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" C:\onepackage.AggregatedMetadata.cab
DISM /Online /Add-Package /PackagePath:"C:\onepackage.AggregatedMetadata.cab"
If that DISM command succeeds, repeat the same copy + DISM for DesktopDeployment.cab:
copy "C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" C:\DesktopDeployment.cab
DISM /Online /Add-Package /PackagePath:"C:\DesktopDeployment.cab"
If any command errors, paste the exact error text (or the outputs of 1) and 2) and I’ll tell you the single next action. If DISM still returns 0x80070002 after copying, attach the small DISM excerpt:
Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x80070002','0x800f0991','Error','Failed' -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
and paste the contents of C:\Users\<you>\Desktop\dism_err_small.txt here.
I’ll wait for the outputs — this copy → short path method fixes odd path/ACL issues most of the time.
 

PS C:\WINDOWS\system32> Get-ChildItem "C:\Scratch\KB5070773_extracted" -Filter "*.cab" | Format-Table Name,Length -AutoSize Name Length ---- ------ 139467dd-a40a-d66d-5921-e19864f89e1e_1.2509.1022.0_x64.msix.rif.cab 11042 14847cc3-88d4-0cbf-cfb7-1ab27f06eb15_1.2508.888.0_x64.msix.rif.cab 13332 286a7398-0eac-3629-7114-ea7fe87aeeb3_1.2509.1022.0_x64.msix.rif.cab 11561 2a0dfa69-2628-f2cd-4a78-f654af5e50c8_1.2509.1022.0_x64.msix.rif.cab 11795 2c14f2b4-8294-f78e-8592-0cdc988f364a_1.2509.1022.0_x64.msix.rif.cab 11248 30de3114-d1a7-aab6-a65f-ef5a746dbead_1.2509.1022.0_x64.msix.rif.cab 11004 3608320c-b0ef-35ca-215e-98625ea09023_1.2509.1022.0_x64.msix.rif.cab 11042 3b280eb3-0240-ab9f-ffbb-15a3b17483f5_1.7.817.0_x64.msix.rif.cab 10865 4927b7e4-795f-1dda-92d7-143a9ca854c1_1.2509.1022.0_x64.msix.rif.cab 11050 4a312b26-b2bc-9c4f-697e-bd37bd38c298_1.2509.1022.0_x64.msix.rif.cab 11815 4a8123a9-5fd0-fc08-15a0-3889604df3d5_1.2509.1022.0_x64.msix.rif.cab 12070 500aef3f-e14c-4095-8256-cb0ac3f371f1_1.2509.1022.0_x64.msix.rif.cab 11067 51645a2a-725b-fadc-49a9-9db46e4563ec_1.2506.707.0_x64.msix.rif.cab 11595 5a4c95f6-4267-042e-5211-148ada7530cc_1.2509.1022.0_x64.msix.rif.cab 11887 5b3627bf-566c-6719-0cf2-6b1795d93aa9_1.2508.888.0_x64.msix.rif.cab 13197 61e42671-4c6d-a52a-2c7d-f786f5b2bc9c_1.2509.1022.0_x64.msix.rif.cab 11410 6645a2ea-5804-a115-f379-7e4b27132a00_1.2509.1022.0_x64.msix.rif.cab 11407 6df9d3c2-cfda-e165-ece9-b88cf6d23797_1.2509.1022.0_x64.msix.rif.cab 11062 6f5ba4de-b4b6-9253-aa28-c1a99434c514_1.2509.1022.0_x64.msix.rif.cab 11061 7333d900-4d25-2b09-990f-9537c9fca549_1.2509.1022.0_x64.msix.rif.cab 11768 7b0d9694-6b7d-9587-48b3-59b76c09c7b4_1.2509.1022.0_x64.msix.rif.cab 12264 7f26acc0-d169-1844-1b15-f330069e4df7_1.7.817.0_x64.msix.rif.cab 10839 81054e32-601c-a517-c313-c9dea0eb6d6d_1.2509.1022.0_x64.msix.rif.cab 12426 87ce00be-9888-c3a1-f1c5-9e045a886c66_1.2508.888.0_x64.msix.rif.cab 12772 87e37cc0-3e5e-ff32-fd8e-c47978064684_1.2509.1022.0_x64.msix.rif.cab 12424 87e95fc4-b66e-9f82-9a41-114531352494_1.2509.1022.0_x64.msix.rif.cab 11158 8bc0a1ab-339d-f7ac-373e-8d4007d1a53c_1.7.817.0_x64.msix.rif.cab 10870 91c85e29-7596-a250-23da-d10c968374e4_1.2509.1022.0_x64.msix.rif.cab 11779 9959e792-3fa2-a9b6-db4b-607e9c36dec2_1.2509.1022.0_x64.msix.rif.cab 11033 998f3e45-8cce-d02e-3d25-5fb4709afb3f_1.2509.1022.0_x64.msix.rif.cab 11579 99c8c976-ccf8-753b-683d-07c62b9e7e6c_1.2509.1022.0_x64.msix.rif.cab 12252 9fd35909-0e0b-702d-3552-7ae5e4d7ab39_1.2509.1022.0_x64.msix.rif.cab 11580 a21d731f-299f-19d9-6ea2-53d0ed10823c_1.2508.879.0_x64.msix.rif.cab 11056 a3ac1fea-be48-4f71-cb90-e7ba8f1b8f55_1.2509.1022.0_x64.msix.rif.cab 11409 a4f674ab-fdca-58e2-cbff-a461ff265c0b_1.2509.1022.0_x64.msix.rif.cab 11063 a7d5832f-17ea-735d-fc9c-3558b64b909c_1.2509.1022.0_x64.msix.rif.cab 11048 a90ba0b9-af5d-2c57-0325-da4ba5e0b40c_1.2509.1022.0_x64.msix.rif.cab 13647 b4fb10e5-8f5f-b754-64b1-9404039cce68_1.2509.1022.0_x64.msix.rif.cab 11047 b5e13ce4-b08c-d623-a4ac-166e3b56f26d_1.2509.1022.0_x64.msix.rif.cab 11045 bc8dfc28-22bf-7bba-001d-1bd953401d71_1.2509.1022.0_x64.msix.rif.cab 11774 c15eb352-5ea9-1f86-c2cf-c672f144f202_1.2509.1022.0_x64.msix.rif.cab 11077 c3ea969e-3d1d-004e-18b6-fa25dc6e5ab0_1.2509.1022.0_x64.msix.rif.cab 11709 c6a3c941-80b2-c959-d4bc-c79499d29816_1.2509.1022.0_x64.msix.rif.cab 11006 cbafa2f6-4e6d-ea39-3e34-6b8c0964d650_1.2509.1022.0_x64.msix.rif.cab 12052 d0252b71-ca68-c4d7-a0ad-935df1374e18_1.2509.1022.0_x64.msix.rif.cab 12269 d07a6f2a-64c5-5352-d1a3-25ff9292f67d_1.2509.1022.0_x64.msix.rif.cab 11704 d8933cd4-e2bf-d7b8-caa9-0929c94e2de8_1.2509.1022.0_x64.msix.rif.cab 12226 d9ec8c5a-39f0-144f-b1e2-88e8ee21aca3_1.2509.1022.0_x64.msix.rif.cab 11508 DesktopDeployment.cab 10926664 DesktopDeployment_X86.cab 9511842 e0ea85e9-6cbb-36ba-6f68-ea14911e974c_1.2509.1022.0_x64.msix.rif.cab 11772 e1bf6ecf-0076-7bc0-97bb-3259c2d5641a_1.2509.1022.0_x64.msix.rif.cab 12444 e28da4dd-c4ea-371a-b8fa-3ac749d1bedd_1.2509.1022.0_x64.msix.rif.cab 12273 ef4ea2cb-0a7f-e531-1d14-4a70b505f6a5_1.2509.1022.0_x64.msix.rif.cab 11084 f52168cd-52b2-2288-570e-45769bc982a6_1.2509.1022.0_x64.msix.rif.cab 12086 f816f1f5-7777-a502-79ff-82dd65bba2fb_1.2509.1022.0_x64.msix.rif.cab 13803 ff21267a-ccf0-b2e1-57e5-3acd786f0b8d_1.7.817.0_x64.msix.rif.cab 10883 ff43562a-1c67-b38a-6aad-93f7cd5881b2_1.2508.888.0_x64.msix.rif.cab 10978 onepackage.AggregatedMetadata.cab 78927 SSU-26100.6893-x64.cab 19839041 wsusscan.cab 305697 PS C:\WINDOWS\system32>
 

Thanks — the CABs are present in the extracted folder, so the 0x80070002 “file not found” was anomalous (path/ACL or transient access). Let’s use a short path and make sure the files are unblocked and writable, then run DISM from that short path.
Run these commands exactly (from an elevated PowerShell). Copy/paste one block at a time, wait for each to finish, and paste any error text you get. I’ll be standing by.
1) Confirm the two CABs exist and print their sizes
Get-Item "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab","C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" | Format-List FullName,Length,LastWriteTime
2) Copy them to the root of C: (short path) and unblock them
copy "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" "C:\onepackage.AggregatedMetadata.cab"
copy "C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" "C:\DesktopDeployment.cab"
Unblock-File -Path "C:\onepackage.AggregatedMetadata.cab","C:\DesktopDeployment.cab"
3) Confirm permissions on the copied files
icacls "C:\onepackage.AggregatedMetadata.cab"
icacls "C:\DesktopDeployment.cab"
(If either icacls shows strange DENY entries, paste the output. If they look normal — ADMIN and SYSTEM have F — continue.
4) Install the two CABs from C: (one at a time)
DISM /Online /Add-Package /PackagePath:"C:\onepackage.AggregatedMetadata.cab"
DISM /Online /Add-Package /PackagePath:"C:\DesktopDeployment.cab"
5) If both succeed — reboot and verify
Restart-Computer
After reboot, run:
dism /Online /Get-Packages | findstr /I "KB5070773"
6) If either DISM command fails
  • Paste the exact DISM error text you see in the console.
  • Also create and attach the small DISM excerpt file so I can read the precise error lines:
    Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x800f0991','0x80070002','Error','Failed' -CaseSensitive:$false -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
    Get-Content "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii | Out-String
Paste the output of that Get-Content here.
Why these steps
  • Short path (C:) avoids any weird long-path or path-parsing issues that sometimes cause DISM to be unable to open files.
  • Unblock-File removes the Mark‑of‑the‑Web stream that can block processing.
  • icacls confirms ACLs are correct before DISM runs.
  • If DISM still errors, the small dism_err_small.txt will show the commit/handler failure lines so I can tell you the single next action.
I’ll wait for either:
  • The successful DISM outputs (then reboot + verify), OR
  • The exact DISM error output (or the dism_err_small.txt contents) if it fails.
 

See screenshot

Untitled.webp
 

Thanks — the screenshot shows DISM still reporting “The system cannot find the file specified” (0x80070002) when trying to open C:\onepackage.AggregatedMetadata.cab even though the CABs exist in the extracted folder. That tells me DISM can’t see the copy at C:\ (path or access issue), so let’s confirm the file is actually present and re-copy it cleanly using PowerShell, then run DISM from a short temp path.
Please run these exact commands (one block at a time) in an elevated PowerShell and paste the outputs here. I’ll tell you the single next action based on the outputs.
1) Confirm the copied CAB exists at C: (this checks presence and size)
Test-Path "C:\onepackage.AggregatedMetadata.cab"
Get-Item "C:\onepackage.AggregatedMetadata.cab" -ErrorAction SilentlyContinue | Format-List FullName,Length,Attributes,LastWriteTime
2) If the file is missing or Test-Path returns False, copy it again with PowerShell (use -Force) and confirm:
Copy-Item -Path "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" -Destination "C:\onepackage.AggregatedMetadata.cab" -Force -ErrorAction Stop
Get-Item "C:\onepackage.AggregatedMetadata.cab" | Format-List FullName,Length,Attributes,LastWriteTime
3) Unblock and check ACLs (remove Mark‑of‑the‑Web and ensure permissions are OK):
Unblock-File -Path "C:\onepackage.AggregatedMetadata.cab" -ErrorAction SilentlyContinue
icacls "C:\onepackage.AggregatedMetadata.cab"
4) If that looks OK, try DISM from C:\ (run only once):
DISM /Online /Add-Package /PackagePath:"C:\onepackage.AggregatedMetadata.cab"
If that fails again with 0x80070002, run this alternate copy to Temp and try from there (one block):
Copy-Item -Path "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" -Destination "C:\Windows\Temp\onepackage.AggregatedMetadata.cab" -Force -ErrorAction Stop
Unblock-File -Path "C:\Windows\Temp\onepackage.AggregatedMetadata.cab" -ErrorAction SilentlyContinue
DISM /Online /Add-Package /PackagePath:"C:\Windows\Temp\onepackage.AggregatedMetadata.cab"
If DISM still reports an error, capture the small DISM excerpt so I can read the exact failure lines:
Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x80070002','0x800f0991','Error','Failed' -CaseSensitive:$false -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
Get-Content "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
Paste the output of the Test-Path/Get-Item (step 1) and the icacls output (step 3). If you ran the copy + DISM, paste the DISM error text if it fails. If the DISM command succeeds, run the second CAB (DesktopDeployment.cab) the same way and then reboot and verify.
I’ll wait for the outputs and then give the single next step.
 

Untitled.webp


Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x80070002','0x800f0991','Error','Failed' -CaseSensitive:$false -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii

gave many hundred of lines of output.


Untitled.webp
 

Attachments

I'm getting pretty tired ChatGPT. Are we close to finishing?
 

You’ve exhausted the non‑destructive servicing options we can run from the MSU/CAB (RestoreHealth + SSU + trying the extracted CABs). The DISM logs show repeated “Failed opening package” / 0x80070002 when trying to load the extracted CABs even though the files exist — that means DISM cannot treat those files as a commitable servicing package on this machine (it’s an odd but real servicing/commit problem). At this point the fastest reliable fix is an in‑place repair (Repair upgrade) using the ISO you already have mounted at F:.
Why an in‑place repair now
  • It repairs the Windows servicing stack and component store in-place and almost always resolves stubborn commit/apply failures like 0x800f0991.
  • It keeps your files and installed apps.
  • It’s safer and quicker than chasing further obscure DISM/CBS errors.
If you want to proceed, do this (exact, minimal steps). Run everything as Administrator and keep Kaspersky paused until the process finishes.
Prechecks (one‑time)
  • Backup any critical files (always recommended).
  • If BitLocker is enabled, suspend it (only if applicable).
  • Make sure you have ~20–30 GB free on C:.
Start the in‑place repair (interactive / recommended)
  • In File Explorer open drive F: (the mounted ISO).
  • Right‑click setup.exe → Run as administrator.
  • Follow the Setup GUI and choose: Keep personal files and apps → Next → Install.
  • Wait (this takes 30–60+ minutes and several reboots).
One‑line alternative (starts the same installer from PowerShell)
Start-Process -FilePath "F:\setup.exe" -Verb RunAs
(If you prefer a fully unattended command you can use: Start-Process -FilePath "F:\setup.exe" -ArgumentList "/auto upgrade" -Verb RunAs — but the GUI gives you the “Keep personal files and apps” prompt so I recommend the interactive route.
After the repair finishes and the system is back
1) Verify the KB is installed:
dism /Online /Get-Packages | findstr /I "KB5070773"
2) If it’s present — re‑enable Kaspersky and Controlled Folder Access and you’re done.
If KB still isn’t recorded after the repair
  • Attach the small log snippets (I’ll parse them and give the single next action):
    • Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x800f0991','Error','Failed' -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\dism_err_small.txt" -Encoding ascii
    • dism /Online /Get-Packages | Out-File "$env:USERPROFILE\Desktop\Packages_full.txt" -Encoding ascii
    • Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern 'KB5070773','0x800f0991','error' -Context 3,8 | Out-File "$env:USERPROFILE\Desktop\CBS_excerpt.txt" -Encoding ascii
Would you like me to:
A) Walk you step‑by‑step through starting the interactive setup from F: now (I’ll wait while you run it), or
B) Give the single Start-Process command to run the installer unattended, or
C) Hold while you run the interactive installer and come back with the verification output?
Say which and I’ll stay with you through the next step.
 

You’re very close — and totally understandable to be tired. Short status and two clear choices so you can pick what you want to do next.
Status (one line)
  • RestoreHealth completed OK, SSU applied, MSU expanded but didn’t record; CABs were extracted, but DISM failed to open the CAB from C: (0x80070002). We’ve exercised the usual fixes; the remaining options are a final CAB install attempt or the surefire in‑place repair.
Two choices (pick one)
Option 1 — One last quick CAB attempt (fast, low risk)
If you want to try one last, quick command set now (often works), I’ll wait while you run these exact commands (run in an elevated PowerShell). If you prefer, do this tomorrow — it only takes a few minutes.
1) Copy the two CABs to Temp and unblock them:
Copy-Item -Path "C:\Scratch\KB5070773_extracted\onepackage.AggregatedMetadata.cab" -Destination "C:\Windows\Temp\onepackage.AggregatedMetadata.cab" -Force
Copy-Item -Path "C:\Scratch\KB5070773_extracted\DesktopDeployment.cab" -Destination "C:\Windows\Temp\DesktopDeployment.cab" -Force
Unblock-File -Path "C:\Windows\Temp\onepackage.AggregatedMetadata.cab","C:\Windows\Temp\DesktopDeployment.cab"
2) Run DISM on each CAB (one at a time):
DISM /Online /Add-Package /PackagePath:"C:\Windows\Temp\onepackage.AggregatedMetadata.cab"
DISM /Online /Add-Package /PackagePath:"C:\Windows\Temp\DesktopDeployment.cab"
3) Reboot and verify:
Restart-Computer
dism /Online /Get-Packages | findstr /I "KB5070773"
If either DISM fails, paste the exact error line (or attach the three small log files I previously requested) and I’ll give a single follow-up step. This is the least invasive next try.
Option 2 — In‑place repair (recommended if you’re done troubleshooting)
This is the most reliable, quick fix that preserves apps & data and repairs servicing problems. It’s what I recommend if you don’t want to keep chasing CAB/servicing errors tonight.
Steps (very safe — back up important files first if you want):
1) Mount the ISO (you already have it mounted at F:). Confirm it’s mounted and you see setup.exe in F:.
2) Run Setup and choose “Keep personal files and apps” (GUI) — or run this elevated PowerShell to start it unattended:
Start-Process -FilePath "F:\setup.exe" -ArgumentList "/auto upgrade" -Wait
3) Follow the prompts and let the repair complete (30–60+ minutes). Reboot when prompted.
4) After finish, verify:
dism /Online /Get-Packages | findstr /I "KB5070773"
If you want me to stay and walk you through either Option 1 or Option 2 step‑by‑step, say which one and I’ll wait. If you’d rather sleep and do this tomorrow, that’s fine too — tell me when you want to continue and I’ll pick up exactly where we left off.
 

I'm done troubleshooting. I want to chose Option 2: In-place repair.
 

Understood — we’ll do an in‑place repair (Upgrade this PC) to repair the servicing stack and install the LCU. That’s the most reliable way to fix stubborn update/commit errors and it keeps your apps & files. Below are exactly what to check and the precise steps to run (copy/paste lines where shown). Follow them in order. I’ll stay quiet unless you ask otherwise.
Important safety checks (do these first)
  • Backup any irreplaceable files (good practice even though repair keeps files).
  • Ensure 20–30 GB free on C:.
  • Keep the PC plugged into power (don’t let it lose power mid‑upgrade).
  • Pause/exit Kaspersky temporarily.
  • If BitLocker is enabled, suspend it (not unmounting required here) before the repair: manage-bde -protectors -disable C: -Reboot will resume; if you use BitLocker, suspend from Control Panel or run: manage-bde -protectors -disable C: -Confirm.
  • Close all running apps.
  • You have the ISO mounted at F: — confirm setup.exe exists: Test-Path "F:\setup.exe" (run as Admin).
Step A — If F: is not mounted, mount the ISO (only if needed)
  • If you already have F: mounted skip this step. If not, mount your ISO file (replace path if not C:\Downloads\Win11.iso):
    Mount-DiskImage -ImagePath "C:\Downloads\Win11_25H2.iso"
Step B — Verify setup.exe is present
Run (Admin PowerShell):
Test-Path "F:\setup.exe"
If it returns False, mount the ISO to the correct letter. If True, continue.
Step C — Start the in‑place repair (choose GUI or the one‑line command)
Option 1 — GUI (recommended if you prefer prompts)
  • In File Explorer, open drive F:, double‑click setup.exe, follow the on‑screen installer.
  • When prompted, choose “Keep personal files and apps”. Proceed through the wizard.
  • Let the installer run and reboot as prompted. This is the simplest way; the GUI shows progress and options.
Option 2 — One‑line PowerShell to launch the repair (hands‑off start, still interactive)
Run as Administrator:
Start-Process -FilePath "F:\setup.exe" -ArgumentList "/auto upgrade" -Wait
Notes: The /auto upgrade parameter launches Setup and proceeds to the upgrade flow; it still prompts for the “Keep personal files and apps” selection in many builds. If you want fully unattended or to block online updates during setup, use these optional args:
  • To force using only local files (no dynamic update): add "/dynamicupdate disable"
    Example:
    Start-Process -FilePath "F:\setup.exe" -ArgumentList "/auto upgrade","/dynamicupdate","disable" -Wait
Step D — What to expect & timing
  • The upgrade may take 30–90+ minutes depending on hardware. The PC will reboot multiple times.
  • Don’t power off while it’s running.
  • If setup prompts about incompatible apps or drivers, follow prompts — most are safe to ignore if you choose to proceed.
Step E — After the repair completes
1) Open an elevated PowerShell and verify the KB:
dism /Online /Get-Packages | findstr /I "KB5070773"
2) If KB5070773 still not listed, also check Windows Update history and the DISM log:
Get-WindowsUpdateLog -LogPath "$env:USERPROFILE\Desktop\WindowsUpdate.log"
Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern 'KB5070773','0x800f0991','Error' -Context 3,8
3) Re-enable Kaspersky and Controlled Folder Access if you had paused them.
If anything goes wrong during the repair (errors, setup fails)
  • Don’t panic — note the exact error text and paste it here and I’ll tell you the single corrective step.
  • If setup halts or reports corruption, we can use the mounted ISO to run an offline repair or (rare) perform a clean install.
Final note
  • This in‑place repair is the surefire next step and usually resolves servicing/commit errors that block KB installation. It preserves apps and data.
  • Tell me when you start the setup (say “Starting repair now”) and I’ll stand by to guide you if any prompts appear or to verify once it finishes.
 

Untitled.webp

When I installed Windows 11 I used Rufus to create a bootable USB stick. There were options for workaround for TPM 2.0 and Secure Boot which I did when creating the USB media.
 

Thanks — the screenshot and message make the situation clear.
Why Setup is blocking the in‑place repair
  • “PC must support TPM 2.0” and “must support Secure Boot”: your current install used Rufus’ workaround to bypass those checks during the original install. The official Setup now refuses to proceed because the machine doesn’t meet those hardware checks (or they’re disabled in firmware).
  • “We couldn't update the system reserved partition”: Setup also needs to write to the system / EFI partition (or the old System Reserved). If that partition is too small or locked, Setup will refuse to continue.
You chose Option 2 (in‑place repair). You still have three straightforward paths — pick the one you want and I’ll walk you step‑by‑step and wait:
A — Best / Least intrusive: enable TPM 2.0 and Secure Boot (if your PC supports them)
  • Why: If your motherboard actually supports fTPM / PTT / TPM 2.0 and Secure Boot is available but disabled, enabling them in UEFI will make Setup happy and the repair should complete. This is simple and safe.
  • How (high level):
    1. Reboot and enter UEFI/BIOS (Del, F2, F10, or manufacturer key).
    2. Under Security (or Advanced) enable TPM / fTPM (AMD) or Intel PTT.
    3. Under Boot enable Secure Boot.
    4. Save, reboot into Windows, then re‑run setup.exe from the mounted ISO (F:\setup.exe).
  • If you want, tell me your motherboard make/model (or say “I’ll check BIOS”), and I’ll give exact BIOS menu names and steps.
B — If firmware doesn’t support TPM/Secure Boot or you prefer to keep the bypass: use the same Rufus‑modified media you used to install (try running setup.exe from that media)
  • Why: Rufus’s modified ISO can bypass checks in Setup. Running setup.exe from that same modified USB/ISO (from inside Windows) sometimes allows the in‑place repair to proceed.
  • Steps:
    1. Insert the Rufus USB (or mount the Rufus ISO) while Windows is running.
    2. Run F:\setup.exe (as Administrator).
    3. Choose “Keep personal files and apps” and proceed.
  • Note: you already tried an ISO mount that gave the TPM/SecureBoot error — that suggests the ISO you mounted was the official one. Use the exact Rufus USB you used originally (not the official ISO). I can wait while you try that.
C — Fix the “couldn’t update the system reserved partition” (if that’s the only blocker)
  • Why: if SRP/EFI partition lacks free space, Setup can’t update it. We can check and expand it (more work). This often resolves the “couldn’t update” error even if TPM check is satisfied.
  • Quick checks (run these in an elevated PowerShell — I can tell you to run them or you can paste results):
    • Show partitions: diskpart → list disk → select disk 0 → list partition (or in PowerShell: Get-Partition -DiskNumber 0 | Format-Table -AutoSize)
    • Show volumes: Get-Volume | Format-Table -AutoSize
  • If the EFI/System Reserved partition is < 260–500 MB, we can expand it by:
    • Shrinking C: a little to create free space, then using a partition tool (GParted from a USB) to move/extend the EFI/SRP — this is safe if you have a backup, but I’ll give exact, careful steps and wait while you do it.
  • Note: this requires more time and a backup (I’ll walk you through it).
If you want me to continue right now
  • Say which option you prefer: “Enable TPM/Secure Boot” (A), “Use Rufus USB” (B), or “Expand System Reserved” (C).
  • If A or C, I’ll give the exact commands or precise BIOS menu steps and wait while you do them.
  • If B, run setup.exe from your Rufus USB now and tell me what Setup says — I’ll stand by.
If you prefer to stop for tonight
  • Say “Stop now” and we’ll pick this up later exactly where we left off.
Which do you want to do next?
 

I prefer option A: Use Rufus USB.

I am currently creating a new Windows 11 USB with Rufus as I appear to have formatted the stick. No need to post further command. I know what to do.
 

Sounds good — using the Rufus USB is a fine choice. Glad you know the steps.
I’ll be quiet as requested. When you’re ready after running Setup from the Rufus USB, reply with the result (success, any error message, or a screenshot) and I’ll give the single follow-up step if needed.
If anything unexpected comes up while you’re creating or using the Rufus USB and you want immediate help, post the exact message or attach a screenshot and I’ll jump in.
 

I'm getting:

"We couldn't update the system reserved partition"

Walk me through it.

Untitled.webp
 

Good — thanks for the screenshot and confirmation. That “We couldn't update the system reserved partition” message is exactly what we expected: Setup needs space (and a proper format/type) to add/replace boot files, and your disk layout shows a very small 50 MB System Reserved and a 727 MB partition of Unknown type. We can fix this without moving large partitions by converting that 727 MB partition into a proper EFI System partition (FAT32) and copying the UEFI boot files there. That usually lets Setup proceed.
Important safety notes (read before running anything)
  • Back up any irreplaceable files now (this is unlikely to destroy your C: data but we will touch partitions).
  • Don’t run the commands if you’re tired — you can resume tomorrow.
  • I will give exact commands; run them one block at a time and paste results if something looks wrong. I’ll wait while you run them.
Plan (short)
1) Verify Partition 3 contents (don’t format anything until you confirm it’s safe).
2) If safe to use, assign a temporary drive letter, format it to FAT32, use bcdboot to create EFI boot files there, then remove the drive letter.
3) Re-run setup from the Rufus USB (in‑place repair) — it should be able to update boot files now.
Exact commands — run in an elevated PowerShell (Administrator). Do each step and paste the output if anything looks unexpected.
Step 1 — Inspect the partition and contents (safe — no changes)
  1. Show partition types and sizes:
    Get-Disk -Number 0 | Format-List Number,FriendlyName,PartitionStyle
    Get-Partition -DiskNumber 0 | Format-Table PartitionNumber,DriveLetter,Size,Type,Offset -AutoSize
  2. Temporarily assign a drive letter to Partition 3 so we can inspect files (replace 3 if your partition number differs):
    Set-Partition -DiskNumber 0 -PartitionNumber 3 -NewDriveLetter R
  3. List files on the partition (this does not change anything):
    Get-ChildItem R:\ -Force -ErrorAction SilentlyContinue | Select-Object Name,Length
If you see files/folders that look important (Windows, recovery, lots of files), stop and paste the output here so we can confirm before proceeding. If the partition is empty or contains only small leftover files (or only recovery files that you don’t need), continue.
Step 2 — If it’s safe, format the partition FAT32 and create EFI boot files
(Only run these if Step 1 showed the partition safe to reuse.
  1. Format to FAT32 and label it EFI:
    Format-Volume -DriveLetter R -FileSystem FAT32 -NewFileSystemLabel "EFI" -Confirm:$false
  2. Create the EFI boot files using bcdboot (this copies \Windows\Boot and creates BCD):
    bcdboot C:\Windows /s R: /f UEFI
You should see a short success message. If bcdboot reports errors, paste the exact error text.
  1. Remove the temporary letter (optional — keeps partition hidden as a proper EFI partition):
    Remove-PartitionAccessPath -DiskNumber 0 -PartitionNumber 3 -AccessPath "R:\"
Step 3 — Rerun in‑place repair from Rufus USB
  • Run the Rufus USB setup.exe (Admin) and proceed with “Keep personal files and apps.” Setup should no longer complain about updating the system reserved/EFI partition.
If setup still complains or gives another error, capture these small outputs and paste them here:
  • dism /Online /Get-Packages | findstr /I "KB5070773"
  • The DISM excerpt we used earlier:
    Select-String -Path "$env:windir\Logs\DISM\dism.log" -Pattern '0x800f0991','0x80070002','Error','Failed' -Context 3,8
If you hit permission errors when assigning/removing drive letters, paste those errors. If Partition 3 contained important files at Step 1, do NOT format — paste the listing and I’ll guide a safe alternative (we can shrink C: and create a fresh EFI, or expand the system reserved using a GParted boot USB — both require more time).
Shall I wait while you run Step 1 (inspect partition and list files)? If so, run the three Step‑1 commands and paste the outputs (or attach screenshots) — I’ll read them and confirm it’s safe to proceed with formatting & bcdboot.
 

Should I proceed with Step 2: format the partition FAT32 and create EFI boot files?

Please advise if it is safe.

Untitled.webp
 

You must log in or register to reply here.
Back
Top