I’ve been seeing this error on my SBS 2008 and another Win2k8 r2 box I have uber monitoring on.


Subject: ES: Microsoft-Windows-CAPI2::4107 by Email Critical Events
Date: Sun, 11 Jul 2010 10:57:21 GMT
From: 7OF9 sbradcpa@pacbell.net
To: susan@msmvps.com 

EVENT # 4364
EVENT LOG Application
SOURCE Microsoft-Windows-CAPI2
DATE / TIME   7/11/2010 5:57:17 AM
MESSAGE Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Not interested in getting this event via email? Click here for information on exclude filters or find out more about the event at http://www.myeventlog.com.
 This message was sent with EventSentry v2.91.0.33

And it’s funny when I can’t remember that I researched that before.

Event ID 11 Source Microsoft-Windows-CAPI2:

Given that I’m seeing this on two separate servers, one a 2k8 the other a 2k8 r2, I’m not going to do anything at this time but hang loose and see what’s up.  I honestly don’t think it’s corruption on my part but possibly something funky on MS’s part.

If you are seeing this too, hang loose and don’t follow what I previously posted on eventid.net


20 Responses to Failed extract of third-party root list from auto update cab

  1. Peter Perry says:

    I’m getting this error on ALL my SBS boxes as well.


  2. seeing this error on SBS2k3 boxes as well.

  3. Coral Bay CC says:

    I concur. I’m getting that in my daily detailed reports from all my SBS 2008 servers. Seems like all 12 of them are reporting this error.

    Makes sense to ignore, IMO.

    BTW, love this site. Is a must hit, every morning!


  4. David Moisan says:

    I’ve been getting this on both SBS machines I manage–and I know I’ve done nothing on them in several week. My thought was MS pushed out a bad signature. Unfortunately, the last time I was something like that I had to find the bad CAB file and delete it. I won’t do that until I hear back.

  5. Paul Crosbie says:

    Any update on this issue? Its on all my SBS boxes now.

  6. Marco says:

    I’m so glad I found this site! Got the same error on several Server 2008. There are a lot of How-To’s regarding this issue and I almost – maybe a little bit to ambitious – started to do something…

    So any updates?

  7. Euphrates says:

    Any new information on this. I am seeing this on Server 2003 (Standard and SBS) along with Server 2008 (Standard and SBS).

  8. bradley says:

    Still hold tight. I’m seeing it very sporatically across servers and so I’m not recommending that you do anything at this time.

  9. bradley says:

    Failed extract of third-party root list from auto update cab:

    Hi Susan,

    Thank you for posting!

    I also noticed this event error logged on my servers, and have consulted the Dev team. This error has no impact to functionality and no troubleshooting is needed.

    Here is the information from the Dev team:

    The event log error indicates that the signing certificate for the CTL (certificate trust list) has expired. This was likely caused by the following issue:

    The signing certificate for the automatic root update CTL expired on 7/9. We re-signed the CTL with a renewed certificate and published it on Windows Update on 7/7. A valid CTL was available on WU before the signing certificate expired.

    However, for any machine that had the older CTL cached, CAPI will first try to use the cached CTL which would result in the error you are seeing. Since the cached CTL does not have a time valid signature, CAPI will retrieve the CTL from WU and obtain the valid CTL. As a result, certificate validation will not be affected but you will see the error being logged due to the cached CTL with an expired signing certificate. Once the updated CTL is retrieved from WU, you will not see this error and no further action will be required for resolving this.



    Best regards,

    Tony Ma
    Partner Online Technical Community
    We hope you get value from our new forums platform! Tell us what you think:
    This posting is provided “AS IS” with no warranties, and confers no rights

  10. Aaron says:

    Thanks for the good info! I am seeing this across many SBS 2008 servers as well. I guess my question is; why then, if once the CTL has been updated is the error still present? We have been getting them for about a week now every day. I would think that this should have been updated long ago unless my understanding of when the update occurs is incorrect.


  11. Pete says:

    I’m still getting the error on my servers. I tried Susan’s method posted below but my servers hang at Applying Computer Settings when I restart them.



  12. Pete says:

    I’m still getting the error on my servers. I tried Susan’s method posted below but my servers hang at Applying Computer Settings when I restart them.



  13. bradley says:

    Crypt32 8 events continuously reported on Windows Server 2003, Windows Server 2003 R2, or Windows XP:

    That KB doesn’t make sense. Hang loose.

  14. Pete says:

    Its the ongoing quest to have clean/all green checks in the daily server reports. I should say obession. 🙂


  15. Euphrates says:

    Well, I’ve found that all our 2003/SBS 2003 machines are clean. There was one that generated this alert on the 26th but hasn’t generated it since. However, ALL 2008/SBS 2008 machines that originally reported the event are still reporting it.

  16. GeoffB says:

    I’ve been getting this error on a daily basis for the last two months. Has anyone at Microsoft checked the new certificate chain is correct? that SBS is trying to downlaod? http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    If I download and extract the ctl file and then open it, I see that “The certificate trust list is not valid” and “The certificate that signed the trust list is not valid”

    This suggests to me that the problem is with the new CTL on the Microsoft servers; not something on my SBS2008 installation.

  17. Euphrates says:

    We are still seeing this in the field as well. Still wondering if Microsoft has or hasn’t fixed this yet…???

  18. bradley says:

    Event ID 4107 or 11 is logged in the Application Log in Windows Vista or Windows Server 2008 and later:

    Testing that out.. and don’t “runas”

  19. GeoffB says:


    This solution does not work.

    Please, someone at Microsoft please check the Certificate Trust List: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    The certificate trust list General tab reads:

    “This certificate trust list is not valid. The certficiate that signed the trust list is not valid.”