CAPI2 errors driving you crazy?

http://msmvps.com/blogs/bradley/archive/2010/07/11/failed-extract-of-third-party-root-list-from-auto-update-cab.aspx


Remember that?  The key to that is that it is the error tied to an issue with an autoroot update.


EVENT # 4364
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE Microsoft-Windows-CAPI2
EVENT ID 4107
COMPUTERNAME   7OF9
DATE / TIME   7/11/2010 5:57:17 AM
MESSAGE Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


That one… the one that refers to “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file” should be fixed if you follow KB2328240, as long as you keep in mind that the deletion of the certs cache needs to be done on each profile.


You might even consider manually removing the certs from C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content and C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData, and likewise removing the contents of the Content and MetaData folders under c:\user\username\appdata\locallow\cryptneturlcache.  Then back up and delete the certificates listed under the “Certificates” key: HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates


When you try to click on that url and look at the cert you get an error message.


THIS IS NORMAL.  THERE IS NOT A PROBLEM WITH MICROSOFT’S CERT.


As I got from the partner group … the explanation when you try to install it or look at it manually is that it’s okay if the CTL gives off the error that it’s not valid. 


“This behavior is expected. The reason for this UI error is that the CTL UI expects the signer to contain the Microsoft Trust List Signing EKU. However, the automatic root update mechanism uses a different EKU (Root List Signer) and as part of certificate chain validation, Windows checks for the presence of the Root List Signer EKU in the CTL signer chain.  In this case, the chain is valid for the Root List Signer EKU and hence no root update functionality is affected.


However, I check with the Dev team of the root update program, manually installing the CTL will not help as the root update mechanism will not pick up CTL installed in a local store.”


For the error message of “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.”, KB2328240 should fix you up.


BUT and here’s the big BUT….then there’s ANOTHER error in the log files you may see out there …


Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          8/30/2010 9:54:49 PM
Event ID:      4107
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BITZIEVISTA
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">4107</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-31T04:54:49.263714400Z" />
    <EventRecordID>146212</EventRecordID>
    <Correlation />
    <Execution ProcessID="1268" ThreadID="8712" />
    <Channel>Application</Channel>
    <Computer>BITZIEVISTA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
    <Data>The data is invalid.
</Data>
  </EventData>
</Event>


The exact error is:  Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.


Notice the difference.  Again from various sources we are told:


“The error “Data is invalid” indicates the object returned from the network was not a valid cab and hence CAPI could not parse it correctly. We have seen instances of such an error when the network retrieval attempt for the cab fails to go through a proxy. If the proxy returns some data/message instead of a standard HTTP error code, CAPI will try to parse the message received from the proxy expecting it to be the cab. This will fail with the “data is invalid” error.”
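
The failure mode in that quote can be checked by looking at what actually came back for the cab URL. The PowerShell below is an added example, not code from the original post or from Microsoft; `Get-CabResponseVerdict` is a hypothetical helper name, the sample byte arrays are constructed, and the file path in the last comment is a placeholder.

```powershell
# Added example (not from the original post). Get-CabResponseVerdict is a hypothetical helper.
function Get-CabResponseVerdict {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)

    if ($Bytes.Length -eq 0) { return 'empty response' }

    # Every cabinet file starts with the 4-byte signature 'MSCF'.
    if ($Bytes.Length -ge 4 -and
        [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ceq 'MSCF') {
        if ($Bytes.Length -lt 12) { return 'truncated cabinet header' }
        # cbCabinet: 32-bit little-endian cabinet size stored at offset 8 of the header.
        $declared = [BitConverter]::ToUInt32($Bytes, 8)
        if ($Bytes.Length -lt $declared) {
            return "truncated cabinet ($($Bytes.Length) of $declared bytes)"
        }
        return 'cabinet'
    }

    # Anything else is what CAPI2 would fail to parse as a cab.
    $head = [Text.Encoding]::ASCII.GetString($Bytes, 0, [Math]::Min(64, $Bytes.Length))
    if ($head -match '^\s*<(!doctype|html|\?xml)') {
        return 'markup, not a cabinet (proxy or block page?)'
    }
    return 'not a cabinet'
}

# Constructed samples: a bare cabinet header declaring 44 bytes, the same header
# cut short, and the kind of page a proxy might return instead of the file.
$cab = New-Object byte[] 44
[Text.Encoding]::ASCII.GetBytes('MSCF').CopyTo($cab, 0)
[BitConverter]::GetBytes([uint32]44).CopyTo($cab, 8)
$proxyPage = [Text.Encoding]::ASCII.GetBytes('<html><body>Access denied by gateway</body></html>')

Get-CabResponseVerdict $cab
Get-CabResponseVerdict $cab[0..19]
Get-CabResponseVerdict $proxyPage

# Against a copy of the file fetched on the affected machine (placeholder path):
# Get-CabResponseVerdict ([IO.File]::ReadAllBytes('C:\Temp\authrootstl.cab'))
```

Fetch the file from the affected machine itself so the request takes the same network path as the one that logged the event.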


Hmmm, says I, I’m not going through a proxy, so that can’t be it.  But I enabled CAPI2 diagnostics as per http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx and in kicking up the logging the detail gave me an Event 11 Build chain error.  In searching for that I found a thread http://www.vistax64.com/general-discussion/280924-capi2-crypto-errors-event-log.html that pointed to a resolution of the “what” but not the “why”.


If I disable the Windows Media Player Network Sharing Service, set the service from automatic (delayed start) to disabled and stop the service the CAPI2 errors stop immediately. 


Now at this time I don’t understand why this service running is causing this as I see it running on another Windows 7 at home where it’s not throwing off the error, but it certainly is the root cause of mine here.


So for all of you following this thread, I need your help.  I need you to report back what EXACT CAPI2 error you are getting.

If you are seeing “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file”, temporarily turn off UAC, reboot, follow the advice in KB2328240, turn UAC back on, reboot and see if that does the trick.


If you are seeing “The data is invalid”, see if you have Windows Media Player Network Sharing Service running and shut it off/disable it.  See if that makes your error go away.



If you have any other error messages, let me know exactly the error message you are getting.


UPDATE:


I removed the cached certs from C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData and C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content AND the cached certs from C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData and C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\content (browse to those folders, remove the funky contents underneath, reboot) and now can leave that service running without CAPI2 errors.


Note that these are hidden folders so you’ll need to go into the folder options and untick the box to Hide protected folders.
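
The cache clean-up described above, done per profile with a backup taken first, as an added PowerShell example that is not part of the original post or of KB2328240. The function names and backup folder are hypothetical; it assumes Windows PowerShell 3.0 or later in an elevated session and that interactive profiles under Users use the same AppData\LocalLow\Microsoft\CryptnetUrlCache layout as the service profiles. It touches only the cache folders, not the AuthRoot registry key.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-CryptnetCacheFolder {
    # Service-profile locations named in the post.
    $roots = @(
        "$env:windir\System32\config\systemprofile",
        "$env:windir\ServiceProfiles\LocalService",
        "$env:windir\ServiceProfiles\NetworkService"
    )
    # Assumption: interactive profiles under Users follow the same layout.
    $roots += @(Get-ChildItem "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    foreach ($root in $roots) {
        foreach ($leaf in 'Content', 'MetaData') {
            $dir = Join-Path $root "AppData\LocalLow\Microsoft\CryptnetUrlCache\$leaf"
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $files = @(Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Path   = $dir
                Files  = $files.Count
                Newest = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
            }
        }
    }
}

function Clear-CryptnetCache {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$BackupRoot)   # use a new, empty folder per run
    $n = 0
    foreach ($cache in (Get-CryptnetCacheFolder)) {
        $n++
        if (-not $PSCmdlet.ShouldProcess($cache.Path, 'back up, then delete cached files')) { continue }
        # Copy the folder aside first; stop before deleting if the copy fails.
        $dest = Join-Path $BackupRoot ('{0:d2}' -f $n)
        New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
        Copy-Item -LiteralPath $cache.Path -Destination $dest -Recurse -Force -ErrorAction Stop
        Set-Content -LiteralPath "$dest.source.txt" -Value $cache.Path
        Get-ChildItem -LiteralPath $cache.Path -File -Force | Remove-Item -Force
    }
}

# Inventory first, then preview the clean-up; drop -WhatIf to actually run it.
Get-CryptnetCacheFolder | Format-Table -AutoSize
Clear-CryptnetCache -BackupRoot "$env:SystemDrive\capi2-cache-backup" -WhatIf
```

Each backed-up folder gets a `.source.txt` file beside it recording where it came from, so a folder can be copied back if the clean-up needs to be undone.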

8 Thoughts on “CAPI2 errors driving you crazy?”

  1. TomislavRed on September 4, 2010 at 7:06 am said:

    The article doesn’t do the trick, and killing that registry key MIGHT cause Windows Update errors.

    I found this in the certificate that causes the error, the situation might get resolved by the end of this month.

    Revocation Status : OK. Effective Date < Sunday, ‎May 2 ‎2010 11:27:19 PM> Next Update < Monday, September ‎‎20 2010 11:47:19 AM>

  2. In my case it would not.

    Deleting those keys did not impact windows update.

  3. On some of the SBS2008 servers I manage, KB2328240 alone did the trick clearing CAPI2 Event 11 errors. Some required both KB2328240 and manually deleting cached certs under C:\Windows\ServiceProfiles…

    I’m FINALLY rid of the CAPI2 Event 11 errors on all the SBS2008 I manage and no issue with Windows Updates either.

    Pete

  4. I have this error 11 CAPI2 but the source is consent.exe. Will any of the fixes here help me? This is only noticeable in Event Viewer after I enable the CAPI2 log, and it slows my boot. I have had this issue for months and also the 4107 error, but it went away last month.

  5. If Windows Media Player is involved it probably has something to do with DRM.

    TomislavRed is probably correct. All you probably have to do is wait until September 20th when that certificate gets updated.

    What you really need to research is what the trigger is as to when these certificates get revoked and then updated and then tell us. The certificates are the real mystery here.

  6. Robert Searle on September 8, 2010 at 4:11 am said:

    This is one of my many capi2 errors event id 81

    + System

    – Provider

    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}

    EventID 81

    Version 0

    Level 2

    Task 80

    Opcode 2

    Keywords 0x8000000000000040

    – TimeCreated

    [ SystemTime] 2010-09-08T09:05:36.247Z

    EventRecordID 7469577

    Correlation

    – Execution

    [ ProcessID] 10400
    [ ThreadID] 8080

    Channel Microsoft-Windows-CAPI2/Operational

    Computer SERVER01.searlesbs.local

    – Security

    [ UserID] S-1-5-21-2625093687-2116546914-2218878636-1142

    – UserData

    – WinVerifyTrust

    ActionID {00AAC56B-CD44-11D0-8CC2-00C04FC295EE}

    – UIChoice WTD_UI_NONE

    [ value] 2

    – RevocationCheck

    [ value] 0

    – StateAction WTD_STATEACTION_IGNORE

    [ value] 0

    – Flags

    [ value] 80000100
    [ WTD_SAFER_FLAG] true
    [ CPD_USE_NT5_CHAIN_FLAG] true

    – FileInfo

    [ filePath] C:\Users\SearleAdmin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [ hasFileHandle] true

    – RegPolicySetting

    [ value] 23E00
    [ WTPF_IGNOREREVOKATION] true
    [ WTPF_OFFLINEOK_IND] true
    [ WTPF_OFFLINEOK_COM] true
    [ WTPF_OFFLINEOKNBU_IND] true
    [ WTPF_OFFLINEOKNBU_COM] true
    [ WTPF_IGNOREREVOCATIONONTS] true

    – StepError

    [ stepID] 3
    [ stepName] TRUSTERROR_STEP_SIP
    – Result The form specified for the subject is not one supported or known by the specified trust provider.

    [ value] 800B0003

    – StepError

    [ stepID] 9
    [ stepName] TRUSTERROR_STEP_MSG_SIGNERCOUNT
    – Result The form specified for the subject is not one supported or known by the specified trust provider.

    [ value] 800B0003

    – StepError

    [ stepID] 32
    [ stepName] TRUSTERROR_STEP_FINAL_OBJPROV
    – Result The form specified for the subject is not one supported or known by the specified trust provider.

    [ value] 800B0003

    – StepError

    [ stepID] 33
    [ stepName] TRUSTERROR_STEP_FINAL_SIGPROV
    – Result No signature was present in the subject.

    [ value] 800B0100

    – StepError

    [ stepID] 34
    [ stepName] TRUSTERROR_STEP_FINAL_CERTPROV
    – Result No signature was present in the subject.

    [ value] 800B0100

    – EventAuxInfo

    [ ProcessName] Explorer.EXE

    – CorrelationAuxInfo

    [ TaskId] {7B4CA2EF-0773-437A-9468-9516B7CBE870}
    [ SeqNumber] 2

    – Result No signature was present in the subject.

    [ value] 800B0100

  7. I did the same process and the only thing I can see is that the error 4107 is no longer in Windows Logs > Application, but the error is still there; the PC freezes at any time and it is really frustrating.

    I find in Event Viewer > Applications and Services > Microsoft > Windows > CAPI2 a bunch of 41 and 11 errors.


    41
    0
    2
    41
    2
    0x4000000000000005
    207
    Microsoft-Windows-CAPI2/Operational
    anata-u

    The certificate is not in the revocation server’s database.


    I don’t want to do a fresh install but this is driving me crazy… please help

  8. I had a pile of those (event id 11) in the eventlog on a production webserver. Unfortunately I followed the advice outlined in MSKB #2328240 and now the server won’t boot. Tried several hard reboots, but it is just dead…

    My advice: be *very* careful and have a datacenter technician on standby if you’re going to try that workaround on a production server…
