Microsoft-Windows CAPI2 failed extract of third-party root list from auto update cab

  • Tuesday, June 02, 2009 10:11 AM confuseduser

    Hi, I have been getting this error in the last few weeks and I am not sure whether I should do something about it. I went to TechNet, Event ID 11 Automatic Root Certificates Update Configuration, but I would need something simpler that I can follow. Confuseduser

    P.S. Exact error message is below:
    Log Name:      Application
    Source:        Microsoft-Windows-CAPI2
    Date:          27/05/2009 8:42:16 PM
    Event ID:      11
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Helga-PC
    Description:
    Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
        <EventID Qualifiers="49154">11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-05-27T10:42:16.000Z" />
        <EventRecordID>32381</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>Helga-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
        <Data>A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    </Data>
      </EventData>
    </Event>
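An added example, not part of the original thread: a small parser for exported event XML like the record posted above, which pulls out the CAPI2 Event ID 11 fields worth comparing across machines (computer, UTC time, download URL, error text). The function names and the `validity-period` label are hypothetical, and the second record is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event from the post above, trimmed to the elements the parser reads.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="49154">11</EventID>
    <TimeCreated SystemTime="2009-05-27T10:42:16.000Z" />
    <Computer>Helga-PC</Computer>
  </System>
  <EventData>
    <Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
    <Data>A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
</Data>
  </EventData>
</Event>"""

# Constructed record from a made-up provider, to show unrelated events are skipped.
OTHER_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Provider" />
    <EventID>11</EventID>
    <TimeCreated SystemTime="2009-05-27T10:43:00.000Z" />
    <Computer>Helga-PC</Computer>
  </System>
  <EventData><Data>unrelated</Data></EventData>
</Event>"""


@dataclass
class RootListFailure:
    computer: str
    when_utc: datetime
    url: str
    error: str
    category: str


def categorize(error: str) -> str:
    """Hypothetical triage label keyed on the error text CAPI2 logged."""
    if "not within its validity period" in error:
        # The message names two things to compare the certificate against:
        # the current system clock and the timestamp in the signed file.
        return "validity-period"
    return "other"


def parse_root_list_failure(xml_text: str) -> Optional[RootListFailure]:
    """Return the failure described by one <Event>, or None if it is not CAPI2 ID 11."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    if system is None:
        return None
    provider = system.find("e:Provider", EVT_NS)
    event_id = system.find("e:EventID", EVT_NS)
    if provider is None or event_id is None:
        return None
    if provider.get("Name") != "Microsoft-Windows-CAPI2":
        return None
    if (event_id.text or "").strip() != "11":
        return None

    # SystemTime is UTC (the Date line in the post shows local time).
    # Drop fractional seconds, whose width varies between exports.
    created = system.find("e:TimeCreated", EVT_NS)
    stamp = created.get("SystemTime", "") if created is not None else ""
    try:
        when = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None

    # First <Data> is the cab URL, second is the error text (trailing newline stripped).
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", EVT_NS)]
    if len(data) < 2:
        return None
    computer = system.findtext("e:Computer", default="", namespaces=EVT_NS)
    return RootListFailure(computer, when.replace(tzinfo=timezone.utc),
                           data[0], data[1], categorize(data[1]))


def summarize(records) -> Counter:
    """Count failures per (computer, category) over a list of event XML strings."""
    counts = Counter()
    for xml_text in records:
        failure = parse_root_list_failure(xml_text)
        if failure is not None:
            counts[(failure.computer, failure.category)] += 1
    return counts


if __name__ == "__main__":
    print(parse_root_list_failure(SAMPLE_EVENT))
    print(summarize([SAMPLE_EVENT, OTHER_EVENT, SAMPLE_EVENT]))
```
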

Answers

  • Tuesday, October 20, 2009 11:32 AM JonHart
     Answer
    I don't see any reason the solution above would not work in Vista.  I see the same folder structure and registry entries on Vista. 

    If you are not familiar with the registry, here is a very detailed instruction set on how to delete entries:  http://support.microsoft.com/kb/136393

    Be sure to use the export option before deleting entries in order to back them up.
    • Marked As Answer by confuseduser Wednesday, October 21, 2009 5:51 AM

All Replies

  • Tuesday, June 02, 2009 12:53 PM Baffin
     Proposed Answer

    My system (Vista Home Prem, updated to SP2) is reporting this too.

    Also my system is hanging, today apparently forever, on an empty blue screen during the start-up sequence.  Today I had to use ctl-alt-del to get control and then restart.  Previously it just displayed the empty blue screen for a few seconds during boot.  This all started, I think, after the SP2 update.

    The first occurrence of the above error is May 27 in my Vista's 'error viewer' log.  It appears from the log that SP2 was installed on my system on May 27 (eg., lots of 'servicing' events).

    I'm wondering if the root cert problem above is causing part of the update to fail, so it keeps repeating every time I boot.  Maybe the pause is it trying to reach the internet.

    In any case, I'm looking forward to a reply to the question in the first post of this thread.

  • Tuesday, June 02, 2009 5:04 PM Martin - Support Engineer
     
    Hi,
    Thank you for visiting Microsoft Answers forum.
    To resolve this issue, use the System File Checker tool (SFC.exe) to determine which file is causing the issue, and then replace the file. To do this, follow these steps:
    1. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
    2. Type the following command, and then press ENTER:
      sfc /scannow
      The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

    Also try the clean boot to check for third-party software problems.

    To help troubleshoot error messages and other issues, you can start Windows Vista by using a minimal set of drivers and startup programs. This kind of startup is known as a "clean boot." A clean boot helps eliminate software conflicts. This article describes how to troubleshoot problems in Windows Vista by performing a clean boot. This article also describes how to start the Windows Installer service and how to reset the computer so that it starts as usual.

    Note When you perform a clean boot, you may temporarily lose some functionality. When you start the computer as usual, the functionality returns. However, you may receive the original error message, or you may experience the original behavior.

    a. Log on to the computer by using an account that has administrator rights.

    b. Click Start, type msconfig.exe in the Start Search box, and then press ENTER to start the System Configuration Utility.

    If you are prompted for an administrator password or for confirmation, type your password, or click Continue.

    c. On the General tab, click Selective Startup, and then click to clear the Load startup items check box. (The Use Original Boot.ini check box is unavailable.)

    d. On the Services tab, click to select the Hide all Microsoft services check box, and then click Disable all.

    Note Following this step lets Microsoft services continue to run. These services include Networking, Plug and Play, Event Logging, Error Reporting, and other services. If you disable these services, you may permanently delete all restore points. Do not do this if you want to use the System Restore utility together with existing restore points.

    e. Click OK, and then click Restart.

    Step 2: Enable half of the services

    a. Follow steps 1a and 1b to start the System Configuration utility.

    b. Click the Services tab, and then click to select the Hide all Microsoft services check box.

    c. Click to select half of the check boxes in the Service list.

    d. Click OK, and then click Restart.

    Step 3: Determine whether the problem returns

    If the problem still occurs, repeat step 1 and step 2. In step 2, click to clear half of the check boxes that you originally selected in the Service list.

    If the problem does not occur, repeat step 1 and step 2. In step 2, select only half of the remaining check boxes that are cleared in the Service list. Repeat these steps until you have selected all the check boxes.

    If only one service is selected in the Service list, and you still experience the problem, the selected service causes the problem. Go to step 6. If no service causes this problem, go to step 4.

    Step 4: Enable half of the Startup items

    a. Perform a clean boot by repeating step 1.

    b. Click the Startup tab, and then click to select half of the check boxes in the Startup Item list.

    c. Click OK, and then click Restart.

    Step 5: Determine whether the problem returns

    If the problem still occurs, repeat step 1 and step 4. In step 4, click to clear half of the check boxes that you originally selected in the Startup Item list.

    If the problem does not occur, repeat step 1 and step 4. In step 4, select only half of the remaining check boxes that are cleared in the Startup Item list. Repeat these steps until you have selected all the check boxes.

    If only one startup item is selected in the Startup Item list, and you still experience the problem, the startup item that is selected in the list is the service that is causing the problem. Go to step 6.

    If no startup item causes this problem, a Microsoft service most likely causes the problem. To determine which Microsoft service may be causing the problem, repeat step 1 and step 2 without selecting the Hide all Microsoft services check box in either step.

    Step 6: Resolve the problem

    After you determine the startup item or the service that causes the problem, contact the program manufacturer to determine whether the problem can be resolved. Or, run the System Configuration Utility, and then click to clear the check box for the problem item.

    Step 7: Reset the computer to start as usual

    After you have finished troubleshooting, follow these steps to reset the computer to start as usual:

    Click Start, type msconfig.exe in the Start Search box, and then press ENTER.

    If you are prompted for an administrator password or for confirmation, type your password, or click Continue.

    On the General tab, click the Normal Startup option, and then click OK.

    When you are prompted to restart the computer, click Restart.

     

     

    Hope this helps :)

     


    Martin
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think
  • Wednesday, June 03, 2009 8:41 AM confuseduser

    Hi Martin, I will try the above suggestions, although I have found with another problem that scannow did not work with Vista Home Premium (at least not mine).  My problem also started after SP 2 Update.  In my query at the middle: "Failed extract of third party root list from auto update cab at: http://www.download.windowsupdate.com/msdownload/update...." (see above) is a link and I clicked on it.  It also came up as a failure, when I tried to run it.  Does this change things?  Confuseduser
  • Wednesday, June 03, 2009 9:54 AM confuseduser
     
    Hi Martin, I just ran scannow.  The verification phase was 100 percent complete and stated "Windows Resource Protection did not find any integrity violations".  After that scannow stopped. I have no problems with the Startup (like the other user above), therefore, I am wondering whether I need to follow your suggestions.  However, I now realize that my message turns up after 4 pm (and at 4 pm every day I run the Windows Automatic Update).  The error message led me to Microsoft TechNet, Event ID 11 Automatic Root Certificates Update Configuration. Under Resolve, I was asked to ensure that the user account is logged on with full Control permission.  I checked and it is logged on as System.  However, I cannot follow "Verify" because I do not know how to find a Web browser that requires the Automatic Root Certificates.  All of the above is definitely caused by the last Vista Service Pack 2 and I assume that my computer is trying every day to find whatever is wrong.  Confuseduser
  • Wednesday, June 03, 2009 10:05 AM confuseduser
     
    Hi again Martin, I just found the following on another Forum:


    "Event Log Online Help offers absolutely no help other than to identify the problematic cab download as the "Automatic Root Certificates Update component designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site."

    My system clock is correctly synched to Microsoft time and as owner/administrator I have full permissions to extract the file. But the properties for authroot.stl indicate "The certificate is not valid for the requested usage." It was signed by Microsoft on December 19, 2007.

    Bottom line, this Microsoft-created Certificate Trust List is out of date or faulty, yet Microsoft refuses to issue a current certificate and has yet to reply to dozens of online posts seeking answers, yet another known Vista issue Microsoft ignores. Can Microsoft please explain why? Moreover, will Microsoft please update its Trust List for its own Windows Update site? "

    This covers my error, so what should I do now.  Confuseduser
  • Wednesday, June 03, 2009 3:22 PM Baffin
     

    Martin:

    I ran sfc and it executed with no errors ("Windows Resource Protection did not find any integrity violations").

    Then I used msconfig.exe to disable all non-Microsoft services, as you directed, and did a restart -- no improvement -- the system behaved the same, pausing on an empty blue screen.

    Here's more info that might be helpful:  During boot, the usual things happen up to the display of the Welcome message.   During the display of the Welcome message, the disk rattles as usual but then slows down to just a few flickers.  After a few seconds of this, the screen changes to empty blue.  After a few more seconds, the disk starts rattling at 'normal' intensity and the blue screen clears (though on one occasion, as I described above, it stayed on the blue screen).

    Maybe during the pause in disk activity during the Welcome display the system is trying to access the internet?  And getting the root cert problem?   While waiting maybe the Welcome times out and blue screen comes?  Then the internet reply causes the resumption of the usual boot sequence?  (and if no reply, no resumption?)

    Anyway, it looks like a Microsoft problem, since the problem seems to occur even with just MS services enabled on a 'clean' boot.  Has anyone checked that the certificate it wants is still valid?  That looks like the obvious thing to check.

    Looking forward to your reply, and thanks for your help.

    Addendum:  When I went to restore the normal boot (using msconfig.exe) I found TrueVector was enabled, which is ZoneAlarm's firewall, in case that's useful info.  Also, my hardware is a Dell Inspiron 531 in an off-the-shelf config.
    • Edited by Baffin Wednesday, June 03, 2009 3:32 PM
  • Wednesday, June 03, 2009 4:24 PM Martin - Support Engineer

    Hi
    Try adding windows updates to your trusted sites, then run the commands given below.

    To make this site a trusted website:

    1. In Internet Explorer, click Tools, and then click Internet Options.
    2. On the Security tab, click the Trusted Sites icon.
    3. Click Sites and under Add this website to the zone, copy and paste these website addresses.
      You can only add one address at a time and you must click Add after each one:

    Copy & paste following into command prompt ..hope this helps.

    ipconfig /flushdns
    Cd %windir%
    del /s *.chk;*.rip;*.tmp;~*.*
    msiexec /regserver
    sc config msiserver start= auto
    net stop msiserver
    msiexec /unreg
    msiexec /regserver
    regsvr32 msi.dll /s
    regsvr32 msihnd.dll /s
    net start msiserver
    Regsvr32 wuaueng.dll /s
    net stop wuauserv
    cd /d %windir%
    rmdir /s /q  softwaredistribution
    net start wuauserv
    sc config eventlog start= auto obj= Localsystem
    net start eventlog
    regsvr32 qmgr.dll /s
    regsvr32 qmgrprxy.dll /s
    sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    regsvr32 wuaueng.dll /s
    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    sc config wuauserv start= auto obj= Localsystem
    net stop wuauserv
    sc config bits start= DEMAND obj= Localsystem
    net stop bits
    regsvr32 msxml.dll /s
    regsvr32 msxml2.dll /s
    regsvr32 msxml3.dll /s
    regsvr32 msxml4.dll /s
    regsvr32 qmgr.dll /s
    regsvr32 qmgrprxy.dll /s
    regsvr32 muweb.dll /s
    regsvr32 winhttp.dll /s
    regsvr32 wuapi.dll /s
    regsvr32 wuaueng.dll /s
    regsvr32 wuaueng1.dll /s
    regsvr32 wucltui.dll /s
    regsvr32 wups.dll /s
    regsvr32 wups2.dll /s
    regsvr32 wuweb.dll /s
    net start wuauserv
    net start bits
    sc config cryptsvc start= auto
    net stop cryptsvc
    cd %windir%\system32\catroot2
    del *.* /f/q/s
    regsvr32 cryptdlg.dll /s
    regsvr32 cryptui.dll /s
    regsvr32 dssenh.dll /s
    regsvr32 gpkcsp.dll /s
    regsvr32 initpki.dll /s
    regsvr32 mssip32.dll /s
    regsvr32 sccbase.dll /s
    regsvr32 softpub.dll /s
    regsvr32 slbcsp.dll /s
    regsvr32 rsaenh.dll /s
    regsvr32 winhttp.dll /s
    regsvr32 wintrust.dll /s
    net start cryptsvc
    cd\
    sc config ose start= demand
    net start ose
    regsvr32 qmgr.dll /s
    regsvr32 qmgrprxy.dll /s
    regsvr32 es.dll /s
    cls
    Rem **************End of the process*****************
    pause
    exit


    Martin
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think
  • Wednesday, June 03, 2009 6:11 PM Baffin
     
    That's pretty scary.

    How certain are you that that list of commands will fix the problem?

    I'm worried that if I run that long list of commands, my system might end up in a non-standard state from which Microsoft will not be able to update it, or get it back (without a re-install, etc).

    I think I've got a standard installation (standard Dell hardware, standard Vista), so I would think that if SP2 has a bug, Microsoft would address it by something other than a cut-and-paste -- what about all the people who don't know how to do cut-and-paste, etc?  I'd prefer to wait until Microsoft has definitely found the problem and issued a tested fix -- something more formal than a cut-and-paste.

    Will there be something formal?  Maybe via Update?

    If the problem is thought to be unique to me and the other poster, why is that?  What is the problem?

    If there is information I can provide from my system to help confirm the problem, that'd be great, I'd be happy to provide it.
  • Thursday, June 04, 2009 7:49 AM confuseduser

    Hi Martin, I am wondering whether you noticed my above email that a

    " Microsoft-created Certificate Trust List is out of date or faulty, yet Microsoft refuses to issue a current certificate and has yet to reply to dozens of online posts seeking answers, yet another known Vista issue Microsoft ignores. Can Microsoft please explain why? Moreover, will Microsoft please update its Trust List for its own Windows Update site? "  (I found this on another Forum through Google). Will above fix this problem or not?  I do not have any problem with Microsoft Updates and when I go to Windows Updates in the Control Panel everything seems to be up to date.  I only noticed that the above problem seems to occur, when Windows checks for Updates.

    My problem clearly refers to a Certificate that is invalid. Confuseduser P.S. I have the Microsoft Updates in my trusted sites.   P.S. I also found Microsoft TechNet Event 11 and I followed some of it, however, I do not know how to handle a web browser that requires an Automatic Root Certificate.   Confuseduser
  • Thursday, June 04, 2009 10:08 AM confuseduser

    Hi Martin, I found out the following: Every  day after 4 pm the Certificate Services Client starts, afterwards the Security Centre starts and then I get the error with the CAPI2 as above.  I have now gone back to the Windows Security log.  I found event 5038 audit failure, System Integrity (it happened at the same time as the CAPI2 message).  I get error message: Device/HarddiskVolume1\Windows\System32\drivers\mchInjDrv.sys is the cause.
    I looked around on the Internet and it could be a Rootkit and it could be Malware.  What do I do now.  I really don't even know, what it all means. However, I think that it is all linked.  Confuseduser
  • Thursday, June 04, 2009 2:48 PM Alex_PH
     
    04 June, 2009

    Hello Everyone,

    I too started experiencing CAPI2 11 errors on 27May2009 - the day Windows Vista SP2 appeared on my Windows Update list.  At that time however, I only set Windows Update to 'hide' Vista SP2 for the meantime to allow it time to go through the usual debugging process for newly issued software. 

    But after noticing the CAPI2 11 errors a few days later, I decided to install Vista SP2 immediately to see if the CAPI2 11 errors will go away.  So now with deep foreboding I am using Vista SP2 and the CAPI2 11 errors still haven't gone away.

    What I noticed though is that:

    (a) The CAPI2 11 errors occur only during pc start-up and only when my internet connection is enabled prior to pc start-up - my usual practice ever since;
    (b) I have tried disabling my internet connection prior to start-up - by disabling the on-board LAN prior to shutdown - and discovered that no CAPI2 11 error occurs during the next pc start up.

    Aside from Windows Vista, the only other software I have that has automatic update enabled is Norton 360 v2.  By experimentation, I have determined that the CAPI2 11 errors still occur during pc start up when the on-board LAN is enabled, whether N360 v2 automatic update is enabled or disabled.

    To Martin:  I do not think the problem is Vista SP2.  I think it was Windows Update on 27May2009 - all CAPI2 11 errors started occurring on that date!  The last time something like this happened to me with automatic Windows Update, I lost access to my Security Center.  Back then, I was also directed to run SFC and to check my start-up programs one by one - to no avail.  I have forgotten the prescribed solution for that problem, but I think it involved fixing a corrupted configuration file(?) that could not be detected by SFC.

    Alex_PH
  • Thursday, June 04, 2009 3:38 PM Pibes Chorros
     

    Hey Alex
    take a look at this forum thread:
    http://www.vistax64.com/vista-installation-setup/113153-vista-error-updating-kb942763-code-80070643-a.html

    It is the Daylight Saving Time update. Open Windows Update, right-click on
    it, and Hide it. Same goes for Office SP1. They won't trouble you again.


    You can manually download the update/fix from 'here'
    (http://tinyurl.com/ypfrqf).

    For some Vista updates troubleshooting tips, click 'here'
    (http://www.winvistaclub.com/t4.html).


    Today was a good day, I didn't have to use my AK.
  • Thursday, June 04, 2009 4:26 PM Baffin
     
    Martin, more info:  As mentioned, when doing a 'clean boot' using msconfig.exe, I noticed afterwards that ZoneAlarm (from Zonelabs) had still installed itself at boot but all other non-Microsoft items had not.

    Today I tried setting ZoneAlarm to NOT install at start-up, using its own configuration options.  When I restarted the system (normal mode), the start-up was much faster and there was only about 1 second between the Welcome screen and the rendering of my desktop.  Nice!  However, the CAPI2 error was still in the event log.

    I restarted again and it was again very fast.

    I re-set ZoneAlarm to load at start-up and restarted and it behaved as reported previously -- a long display of the Welcome message, followed by a few seconds of empty blue screen, then the rendering of the desktop.

    I conclude ZoneAlarm is a factor in the delay (once apparently indefinite) and 'blue screen'.  Maybe it's waiting for internet connectivity during its startup.

    I presume Microsoft coordinates problem-solving within its 'ecosystem' since many end-users probably judge PCs by the overall experience.  (I'd dump ZoneAlarm but I like knowing what wants to go out, and, AFAIK, the Vista firewall doesn't provide that.)
  • Friday, June 05, 2009 7:19 AM confuseduser
     
    Hi, there seem to be different problems in this thread.  I have found that the error message occurs, when the Security Certificate Client starts.  When I then look under Security in the Event viewer, I notice an audit failure and I have listed the file above.  I still don't know what to do with it.  I have no problems with the general startup.  Confuseduser (more confused now)
  • Friday, June 05, 2009 12:20 PM Alex_PH
     
    Hi Pibes,

    I took a look at the other forum thread that you have kindly provided.  Although I do not have the Daylight Saving Time update on my list, I will try hiding all the other optional updates that I do have and see if this action will produce results on this CAPI2 11 problem.

    Thanks,

    Alex_PH

  • Friday, June 05, 2009 6:24 PM Alex_PH
     

    Hello All,

    To confuseduser:  If I'm not mistaken, your Windows Update has been set to automatic and scheduled to run at 4pm.  My setting on the other hand is just to "check for updates and let me choose ...".  With my setting, an automatic check for updates is performed every time I start or re-start my pc.
      
    To Pibes: I've hidden all the optional updates on my list and re-started my pc with the on-board LAN enabled.  Result: CAPI2 11 error still occurred.

    To Martin:  I do not know if this is significant, but here are the results of something new that I've tried:
    a.  With a CAPI2 11 error already registered in the event logs for the current pc work session, I perform a
         manual check for Windows updates.  Result: No CAPI2 11 error occurs.
    b.  Encouraged, I next restarted my pc with on-board LAN disabled.  Result: No CAPI2 11 error, as previously
         reported.  Then I enabled my on-board LAN and did a Network Connection diagnose and repair.  After verifying
         my network connection to be normal, I again forced a manual check for Windows updates.  Result: Still no
         CAPI2 11 error!

    Just to recap:
    1.  Everybody on this thread started experiencing CAPI2 11 errors on 27May, 2009;
    2.  Except for me, everybody else on this thread installed Windows Vista SP2 on 27May, 2009.  I merely hid mine
         on 27May, 2009 and installed it only on 02June, 2009.  Yet, my filtered event logs show that my CAPI2 errors
         also started on 27May, 2009 and occur each time I start my pc (because of my chosen Windows Update
         setting - "check for updates and let me choose ...");


    Alex_PH

  • Friday, June 05, 2009 7:19 PM Martin - Support Engineer

    Have you tried reinstalling the Windows installer?

    Visit the article to download the corresponding Installer agent.
    http://support.microsoft.com/kb/934307
    Martin
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think
  • Saturday, June 06, 2009 8:13 AM confuseduser
     
    Hi Martin, before doing anything else, have you looked into it, whether there is a Windows file without the proper security settings.  See above.  Confuseduser
  • Saturday, June 06, 2009 8:16 AM Alex_PH
     
    Thank you for responding, Martin.

    I've looked into the active link that you provided, but I could not find where to get the wusa.exe file.  I'm willing to try to re-install this if you can provide me the link for the file download.

    Meantime, may I know if Microsoft tinkered with the Windows Update engine just prior to 27May, 2009?

     
    Alex_PH
  • Saturday, June 06, 2009 8:40 AM Alex_PH
     
    Martin,

    I just took a look at my Systems32 folder.  My copy of wusa.exe was created and last accessed on 02Jun2, 2009 - the day I installed Vista SP2.  Since the CAPI2 11 errors started on 27May, 2009, I don't think we need to pursue this line of investigation further.

    Alex_PH
  • Saturday, June 06, 2009 8:47 AM confuseduser
     
    Hi Martin and all the others who might be interested - I found out that CAPI2 now had a reference to a Windows Update file.  I clicked on it and it stated (there is more than I am quoting): Digital Signature Information - the certificate is not valid for the requested usage : -
    Signer information: Microsoft Certificate Trust List Publisher
    Sign time, Saturday 2nd May 2009
    Name of Sign... Email address: timestamp
    Microsoft time not available, Sat. 2nd May.

    When I click on details, I get a long list:
    Certificate Version V3
    Ser.No. 61 02 b4 0c 00 01 00 00
    sign. algorithm sha1 RSA
    Issuer Microsoft Certific Trus...
    Valid Sat 11 Apr 2009
    Valid to Sunday 11 July 2010
    Subj  Microsoft Certiicate
    Public key RSA 12048 bits etc.  I have not found a way of copying it all.  However, it asked me whether I want to install it and I did.  Confuseduser
  • Sunday, June 07, 2009 5:11 PM Debbie - Support Engineer
     
    Hi Confuseduser, Alex_PH, and Baffin,

    Thanks for your responses to the community forum.

    Some issues experienced have been a result of bad cache files in Internet Explorer.

    Try clearing all cache and  resetting Internet Explorer -  if this is IE8

    To clear cache - From IE Click Tools / Internet Options / on the General Tab in Browsing History select Delete. 

    To reset IE - From IE Click Tools / Internet Options / Advanced Tab select Reset.

    At this point, follow this knowledge base article.    Microsoft root certificate program members (February 2009)

    Some information in the article is included below. http://support.microsoft.com/kb/931125/en-us


    Update for Root Certificates

    This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program.

    The following file is available for download from the Microsoft Download Center:
    Download the rootsupd.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0)

    Release Date: 2/24/2009

    For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591  (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

    Please let us know if this assists in resolving this issue or if further suggestions are needed involving the issue.

    Regards,


    Debbie
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think.
  • Monday, June 08, 2009 6:53 AM confuseduser
     
    Hi Debbie, I clear the IE8 cache regularly (and did so again), but it did not change the problem.  I also RESET IE 8 and it makes no difference to the error.  When I went to the Update for Root Certificates, it seems to be for XP and I have VISTA.  Did you look at my message above, which gives details of the  certificate which is not valid for the intended usage??????  Confuseduser
  • Monday, June 08, 2009 1:32 PM Yvesl
     
    Hi Debbie

    We have the same problem on more and more of your Windows Server 2008 machines. Is there also an "Update for Root Certificates" for this operating system - 64bit version? (maybe the same for vista)

    thanks in advance
    Yves
  • Monday, June 08, 2009 1:38 PM Debbie - Support Engineer
     
    Hi confuseduser,

    Thanks for the responses.

    You are right that was for XP, my oversight.  The option I want to present involves verifying the product key for Windows Vista is still active.  It may be that there is a need to reactivate your Vista Operating System and this is why it continues to reject the certificate. 

    Here is a little more information about issues when the product key is not associated with the Operating System run on the PC.

    The Windows Genuine Advantage (WGA) program and Office Genuine Advantage (OGA) program are part of Microsoft’s on-going effort to protect its customers and partners from counterfeit software and to increase customer awareness of the value of genuine Microsoft software.

    Here is an excerpt from this Windows document that may provide assistance in verifying the Product key is activated.

    http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en

    What is genuine Microsoft software and why is it important?

    A:

    Genuine Microsoft software is published by Microsoft, properly licensed, and fully supported by Microsoft or a trusted partner. Using genuine Microsoft software offers you greater capabilities and easy integration with the widest variety of hardware, software, and services. It also provides confidence that you will receive the latest product features, updates, and ongoing improvements to keep your PC performing at its best.

    What are the facts about activation and validation?
    A:

    Activation reduces piracy by associating your Product Key—the 25-character security code located on your Certificate of Authenticity (usually affixed to your software package, PC, or laptop)—to a PC hardware key. Microsoft stores this information in a database so that no one else can use your Product Key on another PC.

    A:

    Activation is required for many users of Microsoft Windows and Office in order to enjoy the benefits of the software. If Windows activation is required, you will be asked to activate during Windows setup and required to complete activation within the first 30 days of initial use. If Office activation is required, you will be asked to activate the first time you run an Office application and required to activate within the first 50 launches for Office XP and Office 2003, or within first 25 launches for Office 2007. Registration is recommended, but not required.

    A:

    Validation is a process that helps you to verify that your Microsoft software is genuine. Microsoft will ask you to validate Windows when requesting a genuine Windows download from the Microsoft Download Center or Windows Update and to validate Office when requesting a genuine Office download.

    A:

    Office validation is a similar but separate process from Windows validation. Office validation only validates Office suites and applications, and Windows validation only validates Windows. To learn more about each process, see the Windows Validation and Office Validation sections of this FAQ.

    A:

    Yes. Customers using a copy of Windows or Office with a legitimate Volume License will be validated and given full access to genuine Microsoft downloads. Volume License keys have been a source of counterfeit in some instances, so the WGA and OGA validation services are able to recognize and block a Volume License key that is being used improperly.

    A:

    Yes. You will need to revalidate each time you reinstall Windows, and you will need to revalidate Office each time Office is reinstalled.

    Please follow the information from the document to verify the Validation process.  It may be that this will resolve the issue.


    Debbie
    Microsoft Answers Support Engineer
  • Tuesday, June 09, 2009 4:09 AM confuseduser
     
    Hi Debbie, I have never reinstalled Windows Vista and it has been activated properly.  It is a legitimate copy.  Whenever, I download anything that requires validation, I have absolutely no problems.  I have checked in the past whether Windows was legitimate and it is. I frequently download free Microsoft programs and I never have a problem.  However, when you look at the above details you will see that it is only in one case, where there is a root certificate problem.  So I really do not think that this causes the problem.  Confuseduser
  • Tuesday, June 09, 2009 4:22 AM confuseduser
     
    Hi Debbie, I just checked again.  The activation is ok and when you go to My Computer, Properties, a List comes up, which also states at the bottom that Windows is activated and gives the Product Key (I also have a disk).  Confuseduser P.S. Have you ever looked at the details of the troublesome root certificate above?????
  • Tuesday, June 09, 2009 9:46 AM Joseph - Support Engineer
     

    Hi confuseduser,

    I suggest you download the file again and install the new file.


    Thanks for using the Answers Forum. Please let us know how this works out.



    Joseph
    Microsoft Answers Support Engineer
  • Tuesday, June 09, 2009 10:18 AM Membrane22
     
    Hello To all, I am getting the same error for CAPI2 since May 27, I tried all the above solutions and none of them have solved the problem.
    Thank you in advance for your help
  • Tuesday, June 09, 2009 10:27 AM confuseduser
     
    Hi Joseph, which file and where do I get it from? Confuseduser
  • Wednesday, June 10, 2009 1:26 PM Chris - Support Engineer
     
    Hi confuseduser,

    Thanks for using the Answers Forum.

    "I get error message: Device/HarddiskVolume1\Windows\System32\drivers\mchInjDrv.sys is the cause.
    I looked around on the Internet and it could be a Rootkit and it could be Malware.  What do I do now.  I really don't even know, what it all means."

    I suggest downloading and running the Malicious Software Removal Tool.
    I also suggest updating your anti-virus and running a full scan.
    You may also want to do a free online scan to be thorough.

    The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

    http://www.microsoft.com/security/malwareremove/default.mspx

    Please let us know if this helps.

    Chris
    Microsoft Answers Support Engineer
  • Wednesday, June 10, 2009 5:23 PM Tech-JD
     

    To All,

    I am having this same problem on Windows Server 2008 64 bit. The event ID Error 11 Source=Microsoft-Windows-CAPI2 also showed up on May 26th. It would be nice if Microsoft could help us resolve this since for me this error happens every minute. I have tried various things and nothing has fixed it yet.

    Everyone from Microsoft so far has added something to try to this forum and it's all been a waste of time. What does this have to do with Malware Chris? Microsoft Engineers please help us resolve this Application Error 11 Source=Microsoft-Windows-CAPI2 in our event logs.

    Thanks

  • Wednesday, June 10, 2009 5:45 PM Pibes Chorros
     

    This is a much deeper problem. I don't think any of the so called "Support Engineers" is going to solve your problem.

    Did you know there is free tech support via email, if it's an issue with Win Updates?

    I would also recommend posting your question in the Tech Net forum to have one of their more experienced techs have a look at your logs and find out the root cause. This is the only way you will be able to fix the problem efficiently, without trying unnecessary steps, since you can actually see what the problem is on the log.


    Today was a good day, I didn't have to use my AK.
  • Thursday, June 11, 2009 4:39 AM laim
     
    Just to add myself to the list....  I am having exactly the same problem as everyone here on ONE of my Server 2008 64-bit on the network as well.  Strange thing is that the other DC (also Server 2008 64-bit) didn't have this problem at all.

    The CAPI2 error started appearing from 5/28/2009 1:40:22AM (Hong Kong time) which is 5/27/2009 5:40:22 GMT.......

    Definitely something that MS pushed out around that time which is causing issues...
  • Thursday, June 11, 2009 6:58 AM Chris - Support Engineer
     
    Hi laim and tech-JD,

    As you are not using Vista, some of this information may not fix your issue.

    confuseduser, you can also try updating your root certificates to see if it resolves your issue.

    Update for Root Certificates

    This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program.

    The following file is available for download from the Microsoft Download Center:

    Download the rootsupd.exe package now.
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0)


    Release Date: 2/24/2009

    Please let us know if this helps.


    Chris
    Microsoft Answers Support Engineer
  • Thursday, June 11, 2009 7:25 AM laim
     
    Just downloaded onto the server.  Upon double click, UAC pops up and I allow it to proceed but nothing happens......  Is it supposed to be nothing regarding whether it installed or not?

    And no change in situation after double clicking the rootsupd.exe.  CAPI2 event 11 still happens.
  • Thursday, June 11, 2009 9:03 AM confuseduser
     
    Hi Chris, my antivirus protection is up to date and so is Vista.  I run the Malicious Software Tool every now and then and two days ago, everything was fine. I also have Windows Defender. Confuseduser
  • Thursday, June 11, 2009 9:05 AM confuseduser
     
    Hi Chris, the Root Certificate Update is for XP (I have already pointed this out to Debbie, see above). It might help, if there was a download for Vista. Confuseduser
  • Thursday, June 11, 2009 9:31 AM Chris - Support Engineer
     
    Hi confuseduser,

    Thanks for posting.

    Copied from http://support.microsoft.com/Default.aspx?kbid=931125

    "APPLIES TO
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business
    • Windows Vista Business 64-bit Edition
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Microsoft Windows XP 64-Bit Edition Version 2002
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Web Edition"

    I believe XP is the minimum requirement.

    I have installed it on the Vista machine I'm using right now.

    Please let us know if this helps.
    Chris
    Microsoft Answers Support Engineer
  • Thursday, June 11, 2009 10:05 AM confuseduser
     
    Hi Chris, I have just installed it.  Sorry, but I only saw Windows XP (even this time).  Confuseduser
  • Thursday, June 11, 2009 12:15 PM Membrane22
     
    Hello Chris,

    I just applied the root update and did a reboot and the message is still there.

    Membrane22
  • Friday, June 12, 2009 4:24 AM confuseduser
     
    Hi Chris, installing the root update made no difference to me either. Confuseduser
  • Friday, June 12, 2009 8:51 AM Rainer Meier
     
    Hi Chris, installing the root update made no difference to me either. Confuseduser
    I've got exactly the same problem on my Vista Business x64 installation too. None of the hints in this thread did make any difference. Still get the CAPI2 error after reboot.

    I can also confirm that this does not happen on all Vista machines. On my desktop PC it does not occur. I just have this problem on my laptop. On both machines I've upgraded to SP2 using the same network installer - installed on the same day.

    As I cleaned the events I cannot say exactly when this problem started.
  • Tuesday, June 16, 2009 7:45 PM Tech-JD
     

    Well I have read everything on the internet that I could find about this and still no one is able to resolve. It seems lots of people are having this issue and no resolution yet. Anyone who has resolved this please post on how you did.

  • Wednesday, June 17, 2009 12:12 AM leeh795
     
    I had the same problems you all had, gosh what happened with me was that I recently did some hardware changes to my machine and noticed my DATE has been changed to January 1, 2002... so with the improper date no wonder the security was kicking in. Luckily I spotted this when I was looking into the event viewer. Good luck to everyone if this wasn't also the case.
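The posts above weigh two explanations for Event 11: a fault that reached many machines around the same date, and a local clock problem such as the reset to January 1, 2002. The following Python sketch is an added example, not part of any post and not Microsoft tooling; it reads an Event Viewer XML export and sorts hosts into those two groups by when the error first appeared. The host names other than Helga-PC, all timestamps except the first, the `<EventData>` layout and the 7-day window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median_low

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
CAB_URL = ("http://www.download.windowsupdate.com/msdownload/update/v3/"
           "static/trustedr/en/authrootstl.cab")
ERROR_TEXT = ("A required certificate is not within its validity period when "
              "verifying against the current system clock or the timestamp "
              "in the signed file.")


def make_record(computer, system_time):
    """Build one constructed Event 11 record (EventData layout is an assumption)."""
    return (
        f'<Event xmlns="{EVT_NS}"><System>'
        '<Provider Name="Microsoft-Windows-CAPI2"/>'
        '<EventID Qualifiers="49154">11</EventID>'
        f'<TimeCreated SystemTime="{system_time}"/>'
        f'<Computer>{computer}</Computer></System>'
        f'<EventData><Data>{CAB_URL}</Data><Data>{ERROR_TEXT}</Data></EventData>'
        '</Event>'
    )


# Constructed sample export. Only the first Helga-PC timestamp is from the page.
SAMPLE_EXPORT = "<Events>" + "".join([
    make_record("Helga-PC", "2009-05-27T10:42:16.000Z"),
    make_record("Helga-PC", "2009-05-28T09:15:02.000Z"),
    make_record("SRV-A", "2009-05-27T17:40:22.000Z"),
    make_record("SRV-A", "2009-05-27T17:41:22.000Z"),
    make_record("SRV-A", "2009-05-27T17:42:22.000Z"),
    make_record("LAPTOP-B", "2009-05-26T21:03:40.000Z"),
    make_record("DESKTOP-C", "2002-01-01T00:04:11.000Z"),  # clock was reset
]) + "</Events>"


def parse_system_time(value):
    """Parse TimeCreated/@SystemTime (UTC, 3 or 9 fractional digits)."""
    whole_seconds = value.rstrip("Z").split(".")[0]
    parsed = datetime.strptime(whole_seconds, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def load_event11(xml_text):
    """Return {computer: sorted UTC datetimes} for CAPI2 Event 11 on the CAB."""
    per_host = defaultdict(list)
    # Intended for exports from hosts you administer; for XML of unknown
    # origin, parse with a hardened parser such as defusedxml instead.
    for event in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        system = event.find("e:System", NS)
        if system is None:
            continue
        provider = system.find("e:Provider", NS)
        event_id = system.findtext("e:EventID", default="", namespaces=NS).strip()
        if provider is None or provider.get("Name") != "Microsoft-Windows-CAPI2":
            continue
        if event_id != "11":
            continue
        data = [d.text or "" for d in event.findall("e:EventData/e:Data", NS)]
        if not any("authrootstl.cab" in item for item in data):
            continue  # Event 11 for some other download; out of scope here
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        host = system.findtext("e:Computer", default="unknown", namespaces=NS)
        per_host[host].append(parse_system_time(stamp))
    return {host: sorted(times) for host, times in per_host.items()}


def triage(xml_text, window=timedelta(days=7)):
    """Label each host by how its first Event 11 compares with the fleet median."""
    per_host = load_event11(xml_text)
    if not per_host:
        return {}
    first_seen = {host: times[0] for host, times in per_host.items()}
    anchor = median_low(first_seen.values())  # an actual observed onset time
    report = {}
    for host, times in per_host.items():
        near_anchor = abs(first_seen[host] - anchor) <= window
        report[host] = {
            "first_seen": first_seen[host],
            "count": len(times),
            # Event records carry the host's own clock, so an onset years away
            # from everyone else's points at that machine's date, not the CAB.
            "verdict": "clustered-onset" if near_anchor else "clock-outlier",
        }
    return report


def common_cause_likely(report):
    """True when two or more hosts began failing inside the same window."""
    clustered = [h for h, r in report.items() if r["verdict"] == "clustered-onset"]
    return len(clustered) >= 2


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for host, row in sorted(result.items()):
        print(f"{host:10} {row['first_seen']:%Y-%m-%d %H:%M}Z "
              f"n={row['count']} {row['verdict']}")
    print("common external cause likely:", common_cause_likely(result))
```

A host labelled `clock-outlier` is worth checking for a wrong system date first; hosts labelled `clustered-onset` share an onset and are unlikely to be fixed one machine at a time.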
  • Wednesday, June 17, 2009 2:43 AM Membrane22
     
    Hello To ALL,

    Still have the same problem. The date is not the issue. Root certificate installed as per Debbie did not work. My license is genuine. Is there another place where we can find an answer?

    Thank you.
  • Wednesday, June 17, 2009 12:39 PM Rainer Meier
     
    I had the same problems you all had, gosh what happened with me was that I recently did some hardware changes to my machine


    I am sure I did not do any hardware upgrade. I am having this error on my HP 8510w - did not even plug USB devices other than memory sticks in the past months. Moreover it's unlikely that many people get the same problem when installing SP2 or more or less at the same date (end of May 2009).


    and noticed my DATE has been changed to January 1, 2002... so with the improper date no wonder the security was kicking in. Luckily I spotted this when I was looking into the event viewer. Good luck to everyone if this wasn't also the case.


    I've read that several times on different forums but it did not help in my case. I am using a timeserver to synchronize time and my BIOS time is set correctly. Still have the same problem on every reboot. The description on Microsoft web-pages about permissions within the %TEMP% folder does not help either. There is even no user logged on when the error is logged and for sure it's not related to permissions for the logged-in user (SYSTEM/services have full write access to %SystemRoot%\temp of course).
  • Wednesday, June 17, 2009 12:57 PM Rainer Meier
     
    I've read that several times on different forums but it did not help in my case. I am using a timeserver to synchronize time and my BIOS time is set correctly.
    Actually I found the hint with the system time the most promising to investigate further. I also thought to remember that I read something on the Internet that the cryptography services in Windows do not use the Windows clock/time but instead some weird direct hardware access (RTC?).
    Recently I noticed too, that the BIOS on my HP 8510w anyway behaved a bit oddly. The modem entry (to disable the built-in modem) was not showing up any more and the device was missing in the device manager. The solution was to load setup defaults, switch off the machine (remove battery) and then restart the machine.
    So I thought let's give it a try, probably the current clock is not properly written to the RTC on Windows shutdown.

    So I went to the BIOS and changed the current time (well I assumed if I change any value it will force the BIOS setup to overwrite whatever value is currently stored within the RTC). I just increased the minutes by 1. Then I saved and exited the BIOS setup.

    Now I rebooted Vista twice and up to now I did not get the error again.

    Probably this will help others too... let us know.
  • Wednesday, June 17, 2009 6:29 PM Rainer Meier
     
    So I went to the BIOS and changed the current time (well I assumed if I change any value it will force the BIOS setup to overwrite whatever value is currently stored within the RTC). I just increased the minutes by 1. Then I saved and exited the BIOS setup.

    Now I rebooted Vista twice and up to now I did not get the error again.
    Unfortunately I have to report that Event 11 on CAPI2 source returned on my laptop. I might have been cheated by the WLAN I was using at this location (requires login). As reported already the error is not logged immediately if no internet connection can be established. That's probably why it did not happen this afternoon. Now I returned home, booted the machine and here it is again... :-(

    I leave the original message untouched for reference, even if it seems it did not do any change.
  • Friday, June 19, 2009 12:36 PM Chris - Support Engineer
     
    Hi Rainer Meier,

    Thanks for using the Answers Forum.

    It looks like you might want to check your motherboard manufacturer for a firmware/BIOS update or patch.

    You may also want to investigate the CMOS battery to see if it needs replacing.

    Hope this helps.

    Chris
    Microsoft Answers Support Engineer
  • Saturday, June 20, 2009 8:20 AM Rainer Meier
     
    It looks like you might want to check your motherboard manufacturer for a firmware/BIOS update or patch.

    You may also want to investigate the CMOS battery to see if it needs replacing.
    As I said already, I just tried to adjust the RTC clock because I read some hints that the cryptography service might not use the Windows time. It turned out not to help.
    So the Mainboard and CMOS battery are absolutely OK. In addition I don't think all of us here should look for a mainboard/battery replacement and all batteries died within a 1-week timeframe.
    In addition this error never happened to me before and also it does not happen on Windows 7 RC. Everything else runs perfectly on the machine and if one Vista service is failing, then I expect Microsoft to have a look at it, trace it and then tell me why it fails. I will accept that all our hardware is broken if Microsoft clearly identifies the source of the problem and tells me which part fails (which seems to be used only by CAPI2).

    So it seems very unlikely to me that our hardware is in any way defective. I run Windows XP, Vista-64, Windows 7 and Linux on the machine without any problems.

    I get the impression that neither Microsoft/Microsoft staff nor somebody else has any clue why this error is logged - and I guess developers of the CAPI2 API are not reading here or not interested in solving it.

    Let's wait for Windows 7 then and hope we don't have such errors then.
  • Saturday, June 20, 2009 3:35 PM Tabagaras
     
    Usually when I google some error I only find some dead forum thread with only a couple of messages on it and no solution. So when I saw the length of this page I was sure that there must be a solution here. Now at the end of the page and after a dozen reboots I'm a little disappointed.

    I have had the same error as everyone above since 27.5.2009. I have Vista Home Basic sp1.

    Could one of these Support Engineers answer a few questions for me:

    What is CAPI2?

    What is authrootstl.cab?

    Is this CAPI2 trying to download it as some update?

    Can it be done manually?

    What on earth happened on 27.5.2009?
  • Sunday, June 21, 2009 8:19 AM Lipsheim
     
    Hi Rainer Meier,

    Thanks for using the Answers Forum.

    It looks like you might want to check your motherboard manufacturer for a firmware/BIOS update or patch.

    You may also want to investigate the CMOS battery to see if it needs replacing.

    Hope this helps.

    Chris
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think.
    This is almost getting funny...

    Please add me to the list of paying customers that have been waiting for a solution to this problem. Might I suggest Microsoft push this to the level 2 support guys (and girls)?
  • Sunday, June 21, 2009 8:33 AM Philippe V.
     
    I have the feeling that there is nothing wrong in our computers but that it happened on Microsoft server sites, where a published list of certificate is not valid.

    I went to <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> manually, and took the "authroot.stl" certificate file inside: when you double click on it to view the certificate, it indicates "Cette liste de certificat de confiance n'est pas valide. Le certificat qui a signé la liste n'est pas valide." (which I can translate in EN as "This list of trusted certificates is invalid. The certificate that did sign the list is not valid.")


    And indeed, looking at the certificate that signed the list, it appears that it is a certificate is still not in the validity period but is not declared as valid for performing such an action (signing a list of root certificates).

    I believe the problem will be resolved when Microsoft will realize about the glitch and will fix the certificate located at this URL (and in that sense, OUR POSTS MIGHT HELP).

    Until then, I am afraid that we should live without trying to have 100% error-free VISTA event managers. I noticed no side effect in the way applications behave, except the error message.


    Philippe


  • Sunday, June 21, 2009 8:41 AM confuseduser
     
    Hi Philippe, you might be right, but I really think that Microsoft should have taken some action by now.  As far as I am concerned the issue is not yet resolved. Confuseduser
  • Sunday, June 21, 2009 4:19 PM Tabagaras
     
    I have the feeling that there is nothing wrong in our computers but that it happened on Microsoft server sites, where a published list of certificate is not valid.

    I went to <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> manually, and took the "authroot.stl" certificate file inside: when you double click on it to view the certificate, it indicates "Cette liste de certificat de confiance n'est pas valide. Le certificat qui a signé la liste n'est pas valide." (which I can translate in EN as "This list of trusted certificates is invalid. The certificate that did sign the list is not valid.")


    And indeed, looking at the certificate that signed the list, it appears that it is a certificate is still not in the validity period but is not declared as valid for performing such an action (signing a list of root certificates).

    I believe the problem will be resolved when Microsoft will realize about the glitch and will fix the certificate located at this URL (and in that sense, OUR POSTS MIGHT HELP).

    Until then, I am afraid that we should live without trying to have 100% error-free VISTA event managers. I noticed no side effect in the way applications behave, except the error message.


    Philippe




    No side effect?

    I'm not sure if it's because of this error or if I also have some other issues but something halts my computer while starting into a white screen for time that varies between a few seconds and ten minutes. Is anyone else having this? Someone mentioned blue screen during start-up.
  • Monday, June 22, 2009 3:34 AM Philippe V.
     
    Tabagaras, you face another issue I am afraid.

    The lack of update of root certificates should imho not have immediate impact: this will be gradual and the ones that will be complaining the most to MS will be e-government, merchants, etc. For the end user, it would require at the worst manual installation of root certificate authorities.


    What puzzles me is the fact that the error message happens at each boot time, prior to opening a network connection (WIFI in case of notebooks), which seems to indicate that an automatic update has downloaded and cached <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

    Still the online file itself is indeed not fixed at this stage by Microsoft.


    Philippe 
  • Monday, June 22, 2009 7:56 AM Rainer Meier
     
    I have the feeling that there is nothing wrong in our computers but that it happened on Microsoft server sites, where a published list of certificate is not valid.
    I think you are completely right here. When I open the Certificate Trust List it immediately presents a warning/error:
    Certificate Trust List Information
    This certificate trust list is not valid. The certificate that signed the list is not valid.

    Then click on "View Signature" and you will get another error displayed:
    Digital Signature Information
    The certificate is not valid for the requested usage.

    Clicking on "View Certificate" reveals the following:
    Certificate Information
    This certificate is not valid for the selected purpose.

    In the "Details" tab under "Key Usage" it reads "Digital Signature (80)" and the icon has a yellow exclamation mark.
    Going to the "Certification Path" tab shows the following path:
    Microsoft Root Certificate Authority
        Microsoft Certificate Trust List PCA
            Microsoft Certificate Trust List Publisher

    The last one seems to be the guilty one (see above properties).
    Going one step down to the "Microsoft Certificate Trust List PCA" certificate it shows the following in the "Key Usage" field: "Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)" and it has a green arrow within the icon (compared to the yellow exclamation mark of the Microsoft Certificate Trust List Publisher certificate).


    I've verified this on two Vista machines - one of them does not show the CAPI2 error.

    So it seems that the "Microsoft Certificate Trust List Publisher" certificate is broken and contains wrong key usage flags.
  • Monday, June 22, 2009 9:25 PM Philippe V.
     
    Rainer,
    I am a bit scared about your statement that only one of your VISTA machines demonstrated this. For sure, we are quite a few in this thread to experience the problem at the last days of May 2009. I hope it remains a pure MS server issue (invalid certificate), and that our local "root of the root certificate or so" (if any) has not been broken by 'mistake' during a MS update.

    Fyi, I have opened yesterday a ticket to MS, associating this to the free-support "Windows Update" topic that relates to it. Unfortunately, my suggestion was not considered as the reply was "please follow the following instruction in order to pay for a ticket that we will (only then) process" :(
    Quite disappointing for a 17-years professional experience master in IT engineering that spent time reporting an issue! Moreover, this let me think that if I pay I will have to fight again for the issue to be taken seriously (ie with no reply à la "reinstall from scratch or so")

    Ph.
  • Tuesday, June 23, 2009 4:07 AM pperry803
     
    I'm having the CAPI2 Event 11 issue on two Small Business Server 2008 servers I administer.  No luck finding a solution either.

    Pete
  • Tuesday, June 23, 2009 7:11 AM Rainer Meier
     
    I am a bit scared about your statement that only one of your VISTA machines demonstrated this. For sure, we are quite a few in this thread to experience the problem at the last days of May 2009. I hope it remains a pure MS server issue (invalid certificate), and that our local "root of the root certificate or so" (if any) has not been broken by 'mistake' during a MS update.

    Fyi, I have opened yesterday a ticket to MS, associating this to the free-support "Windows Update" topic that relates to it. Unfortunately, my suggestion was not considered as the reply was "please follow the following instruction in order to pay for a ticket that we will (only then) process" :(
    Quite disappointing for a 17-years professional experience master in IT engineering that spent time reporting an issue! Moreover, this let me think that if I pay I will have to fight again for the issue to be taken seriously (ie with no reply à la "reinstall from scratch or so")
    As I stated the CAPI2 error only appears on one of the machines I have (my Laptop, Vista Business 64). On my desktop at home (Vista Business 64) and on my office machine (Vista Enterprise 32) the CAPI2 message does not appear. But this does not really irritate me. I assume that the certificate trust list is not updated very frequently. It might have happened that our machines showing the problem just started to update the certificate trust list in the wrong moment. Maybe the machines which still work (because they do not try yet to upgrade the trust list) keep an old list but they might enter the same mode any time (maybe if you visit an SSL/HTTPS page which uses a certificate signed by unknown CA?).

    Probably somebody knows how to manually issue a certificate trust list update or how to disable this automatic update. Personally I am not aware what I did to trigger it on my Laptop.

    In addition I can confirm again, that the trust list it tries to download shows an invalid signature on ALL the machines (even the ones which do not log the CAPI2 error yet).

    Unfortunately I get the same feeling that Microsoft does not care too much about issues like this and I don't feel like paying just to report an issue for a product I already paid licenses for. Especially because it seems to be obvious that at least the certificate trust list it tries to download is broken on Microsoft servers. There must be quite some downloads of this file every day but it does not look like it reaches a limit where Microsoft notices that something is wrong. At least my machine is downloading and discarding it 2-5 times a day.

    By the way, there is a thread on technet about the same topic too:
    http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/fdf97ac2-21b7-49af-9fc5-d8b2dc3e8d83

    It seems to affect w2k8 servers (technical base identical to Vista) but it's probably even worse there - one user reported that the error is logged every minute.

    br,
    Rainer
  • Tuesday, June 23, 2009 8:05 AM MacKrk
     
    It seems to affect w2k8 servers (technical base identical to Vista) but it's probably even worse there - one user reported that the error is logged every minute.
    Hello,

    I can confirm that on our Exchange Win2008 standard 64bit servers there is the same problem since last days of May 2009 and these events are reported every minute. On our domain controllers we don't have these problems...
    Mac
  • Wednesday, June 24, 2009 3:58 PM glyfone
     
    Hi all, I am having the same CAPI2 error which started since 27 May 2009.
    I am from Singapore and currently using Vista Ultimate SP1. Of course my Windows is activated.
    This error in Event Log has been ongoing in my PC too.
  • Tuesday, June 30, 2009 5:19 PM JonHart
     
    Cross-post from technet....  just trying to get some answers

    I have been monitoring this thread and the similar thread here:  http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/fdf97ac2-21b7-49af-9fc5-d8b2dc3e8d83?prof=required

    I can confirm this has been happening on a brand new install of Server 2008 Standard since June 16th. The install was from original media, then upgraded to SP1. The server is fully patched except for optional updates. It has the Web Server (IIS) role installed, with the .Net 3.0 Features, Remote Server Administration Tools feature, and the Windows Process Activation Service features.

    Since this thread hasn't had any activity, I was just wondering if anyone had found a solution.  I agree that it definitely looks like the trust list itself is not valid.

    As this is a planned web server that will host SSL sites, I am at a stand-still until this is resolved.  I'm not going to put websites on it since I have no idea if the certs will report as valid to clients.  I'd love to know which root certs would have an issue, if any.

    I did run sfc /scannow at an elevated command line to verify the system protected file.  It reported 100% valid.

    Just for the heck of it, I reinstalled my MAK license key to make sure there is no licensing typo or something.

    The CAPI2 error shows at least 8 times a day, every day.  Sometimes more.
  • Tuesday, July 14, 2009 5:55 PM Michael - Support Engineer, MSFT, Moderator
     

    Hello,

    It sounds like there might be some corrupt or bad information in the cache, we can try the steps below to see if it resolves the errors in the Event Logs:

    · Click Start
    · In the ‘Search’ field type ‘cmd’
    · When cmd.exe is located, right click and select ‘Run as Administrator’
        o Note – you may get prompted for User Account Control Credentials if it’s enabled
    · Type the following command: Certutil -urlcache * delete
        o This command will clear the cache that is stored for certs and such
        o When this command is run you will probably see lots of scrolling text
        o When this is complete we should see a message that states it was completed successfully

    Give this a try and let us know if it resolves the errors you are seeing.

    Thanks

    Michael
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think.
  • Tuesday, July 14, 2009 7:17 PM Tech-JD
     
    OK I just cleared the certutil cache and am still receiving this error in the event log.
  • Tuesday, July 14, 2009 7:35 PM JonHart
     
    I have found the source of my error on Server 2008.  It ended up being McAfee.

    To determine the cause of the CAPI2 error, I enabled CAPI2 logging in the event log.

    You can do this by going to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer. Choose operational and enable logging.

    I noticed my error occurred every time I rebooted, so rebooted the server and checked that event log by navigating to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational. One of the log items indicated an error and mentioned a mcafee exe.

    I removed McAfee and rebooted.  The error is gone.

    I know this won't solve everyone's issue, but you could use the same methodology to determine the root cause of your own CAPI2 errors.
  • Tuesday, July 14, 2009 7:51 PM Tech-JD
     
    OK I might know how you can at least tell what is causing this error...

    You need to first turn on logging for CAPI and to do this...

    go to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer. Right click and enable logging for this service. Then give the log about 10 minutes to log stuff. You should get some informational logs and then some errors. Open the error and click the details tab. Scroll down and it should at least tell you the process that is causing the error.

    Hope this helps!!!
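
    The method described in the two posts above (enable the CAPI2 operational log, then read the error entries to find the calling process), as an added PowerShell example that is not part of any poster's reply. It assumes the operational events carry an EventAuxInfo element with a ProcessName attribute and a Result element in their XML; the function name is hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$logName = 'Microsoft-Windows-CAPI2/Operational'

# Same effect as "Enable Log" on the Operational log in Event Viewer.
wevtutil.exe set-log $logName /enabled:true

# Hypothetical helper: returns one object per error event with the process
# that made the failing CAPI2 call.
function Get-Capi2ErrorSource {
    param(
        [string]$LogName   = 'Microsoft-Windows-CAPI2/Operational',
        [int]   $MaxEvents = 500
    )

    # Level 2 = Error. An empty log raises a non-terminating error, so silence it.
    $events = Get-WinEvent -LogName $LogName -FilterXPath '*[System[Level=2]]' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()

        # Assumption: the caller is recorded as <EventAuxInfo ProcessName="..."/>
        # and the failure as <Result value="...">text</Result>.
        $aux = $xml.SelectSingleNode("//*[local-name()='EventAuxInfo']")
        $res = $xml.SelectSingleNode("//*[local-name()='Result']")

        $process = '(not recorded)'
        if ($aux -and $aux.GetAttribute('ProcessName')) {
            $process = $aux.GetAttribute('ProcessName')
        }
        $code = ''
        $text = ''
        if ($res) {
            $code = $res.GetAttribute('value')
            $text = $res.InnerText.Trim()
        }

        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            ProcessName = $process
            ResultCode  = $code
            ResultText  = $text
        }
    }
}

# After a reboot, or once the Application-log error has recurred:
# which processes are behind the failing calls, most frequent first.
Get-Capi2ErrorSource |
    Group-Object ProcessName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The most recent failures in detail.
Get-Capi2ErrorSource |
    Select-Object -First 10 TimeCreated, EventId, ProcessName, ResultCode, ResultText |
    Format-List

# The channel is verbose; switch it off again when finished:
# wevtutil.exe set-log $logName /enabled:false
```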

  • Wednesday, July 15, 2009 9:14 AM Rainer Meier
     Proposed Answer
    Using this method revealed "wmpnetwk.exe" to cause the error to be logged. This process seems to provide the Windows Media Player Network Sharing Service. It was set to "Automatic (Delayed)" start on my machine. Stopping it and setting the start method to "Manual" made the CAPI2 error disappear until now. However I think this is rather a work-around than a solution. Disabling this service will most probably disable media sharing capabilities of WMP - so if you don't use/need it this might be an acceptable solution. But if you want to use media sharing, then this is probably not helpful at all. Moreover I have the feeling that WMP is not the only application which triggers the Certificate Trust List (CTL) update. So the error might re-appear. Apparently the CTL provided by Microsoft on their pages is broken (signed by wrong certificate) which causes the error to be logged by WMP. This might be related to some DRM-code too which requires certificates to verify licenses (another reason to avoid DRM-systems). So disabling the "Windows Media Player Network Sharing Service" might help some people here to work around the problem.
  • Wednesday, July 15, 2009 9:22 AM glyfone
     

    I am getting this recurring on Winxp Pro SP3 too.

    Event Type: Error
    Event Source: crypt32
    Event Category: None
    Event ID: 8
    Date:  03/07/2009
    Time:  10:50:50 AM
    User:  N/A
    Computer: XXX
    Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  • Sunday, July 19, 2009 12:25 PM Andreas Go_
     
    Hello,

    we have at 4 different customers and at our own office with SBS2008-SP2 exactly the same problem since 27.05.2009. The certificate-trust-list (authroot.stl) shows the same error as in the discussion above (the certificate that signed this list is not correct). I already searched for the solution, but I am sure that MS did something wrong. The RTC onboard the server is synchronized with an NTP server here in Germany and the timezone is correct. Hardware wasn't changed. The MS-sites are included in the trusted sites and are not running over any proxy, this mistake is known too... Deactivated the Trendmicro virus scanner at our office: no result. Only SBS and Trendmicro are running on the SBS2008, nothing more. No add-ons. Everything is functional (at the moment), only this error is in the event log all the time.
    Let's see if, after an MS update or a new trust list with a correct signature, the error is gone next time ;)
  • Monday, July 20, 2009 1:39 PM glyfone
     
    I have found the source of my error on Server 2008.  It ended up being McAfee.

    To determine the cause of the CAPI2 error, I enabled CAPI2 logging in the event log.

    You can do this by going to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer. Choose operational and enable logging.

    I noticed my error occurred every time I rebooted, so rebooted the server and checked that event log by navigating to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational. One of the log items indicated an error and mentioned a mcafee exe.

    I removed McAfee and rebooted.  The error is gone.

    I know this won't solve everyone's issue, but you could use the same methodology to determine the root cause of your own CAPI2 errors.

    Hi, I followed your method and logged CAPI2 error. It was determined to be vsmon.exe which happens to be ZoneAlarm Free.
    Since removal of ZoneAlarm Free, I had not seen this error anymore on my Vista Ultimate and WXP SP3.
  • Thursday, July 23, 2009 9:17 PM Rainer Meier
     
    Hi, I followed your method and logged CAPI2 error. It was determined to be vsmon.exe which happens to be ZoneAlarm Free.
    Since removal of ZoneAlarm Free, I had not seen this error anymore on my Vista Ultimate and WXP SP3.


    Well this issue seems to be clearly related to the crypto API (CAPI2) of Windows. So the error can be triggered by basically any application using the crypto API. Obviously it's related to certificate verification which triggers an update of the certificate trust list (CTL).

    As a result anybody experiencing this problem might have a different source for the problem. While on one of my machines it was the media sharing it might be an anti-virus in another case (using HTTPS connection for signature update probably) or anything else. Most probably CAPI2 is updating the CTL only once when it's first invoked - so uninstalling antivirus might prevent the error on Windows boot but it might show up later during Windows operation when another application first uses the API. Obviously not a lot of applications are using the crypto API (e.g. Firefox was not using it properly until version 3.5.1 to acquire random numbers/entropy).

    By the way I have been at a customer today which showed exactly the same error on Windows XP SP3 when running Windows Update. So it's not limited to Vista. The CTL is definitely broken. Please Microsoft, fix it!
  • Friday, July 24, 2009 10:56 AM confuseduser
     
    Hi, not that it will help, but I meanwhile have established that when I logged CAPI2 error, I got a reference to AVG.  Confuseduser P.S. Maybe somebody could inform Microsoft what is happening.
  • Friday, July 24, 2009 11:00 AM confuseduser
     

    Hi again, apparently the link below is a link to Microsoft.  Maybe somebody (who can cope with all the technical details) could send them the information. Confuseduser
    https://connect.microsoft.com/default.aspx

    What's Connect?
    This site is a connection point between you and Microsoft, and ultimately the larger community. Your feedback enables Microsoft to make software and services the best that they can be, and you can learn about and contribute to exciting projects
  • Saturday, August 08, 2009 6:42 PM Veenaal
     
    I just recently noticed this error in my Event Viewer as well:

    Log Name:      Application
    Source:        Microsoft-Windows-CAPI2
    Date:          8/8/2009 1:56:04 PM
    Event ID:      11
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      user-PC
    Description:
    Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
        <EventID Qualifiers="49154">11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-08-08T17:56:04.000Z" />
        <EventRecordID>15024</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>user-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
        <Data>A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    </Data>
      </EventData>
    </Event>

    I noticed that my first incidence of this CAPI2 error began on June 23, 2009 of this year after upgrading to Windows Service Pack 2 on my Windows Vista 32-bit OS. I have tried typing "Certutil -urlcache * delete" in cmd and running sfc /scannow and the error still occurs. If I click on the link given in the Event Viewer (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) it simply asks me if I wish to open, save or cancel the 27.9KB authrootstl.cab download. I have gone to Applications and Services\Logs\Microsoft\Windows\CAPI2\Operational and enabled logging. However, none of the errors in the Event Viewer come up during logging.

    What is this thing?!? And, has anyone found a way of getting rid of it? I have followed about 5 steps listed on this forum by "technicians" and I still keep getting this error. I have noticed others have logged events and were able to determine the cause, but no errors appear in the logging for me -- only in the event viewer.
    • Edited by Veenaal Saturday, August 08, 2009 6:46 PM
    • Edited by Veenaal Saturday, August 08, 2009 6:54 PM
  • Thursday, August 13, 2009 6:14 AM Rainer Meier
     
    What is this thing?!? And, has anyone found a way of getting rid of it? I have followed about 5 steps listed on this forum by "technicians" and I still keep getting this error. I have noticed others have logged events and were able to determine the cause, but no errors appear in the logging for me -- only in the event viewer.
    From what I know about it CAPI2 is the Crypto API of Windows. It looks like the CTL (Certificate Trust List) Microsoft currently offers on their update sites is broken (invalid signature). So Windows does not accept it for security reason. If Windows would accept it, then anybody could forge a fake certificate trust list and inject it which would open an attack vector for intruders.

    Most probably the error is simply triggered by any application using SSL connections with the help of the crypto API (CAPI2). So the first application using the API might trigger the (still pending since it did not succeed) CTL update which fails each time because the CTL provided by Microsoft is invalid.

    On some machines the error does not occur. This might be related to the fact that some people switch off WU or did not apply some patches. I noticed that the certificate revocation list update is an optional update on Windows Update which I usually apply to all machines. Maybe this triggers the problem. Installation of SP2 might trigger it too because it might contain a related update.

    In some cases enabling CAPI2 logging helps to find the process which actually triggers the CTL update. This might allow you to disable it. In my case it was the "Windows Media Player Network Sharing Service" which is a Microsoft built-in service. Disabling (or setting startup type to "manual") made the CAPI2 error disappear on my machine.
    What irritates me is the fact that it seems the CAPI2 error completely disappeared from my system logs. So my statement above might not be true in any case (first application using crypto API triggers the error). Maybe the error is triggered only if CAPI2 is invoked too early at the boot stage (when starting services). Unfortunately you might not be able to fix it if an antivirus program (which needs to run as a service on system boot) triggers the error too early.

    I think we made a lot of good conclusions and findings in this thread. It's now about Microsoft to fix the issue.
  • Monday, August 24, 2009 9:10 AM Torben Denmark
     
    Hi all.

    I hope this thread still has some readers. After all, the solution is not there yet, it seems.

    I run Vista Home Premium and update everything I can from Windows. I can see that I have had the error since June 3, so the timing is the same as yours. I have just upgraded to service pack 2 a few days ago. So the error is not related to this update specifically.

    I think that some more attention should be paid to this part of the error message: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

    I am not a Windows guru, but I have had 11 years as SAP supporter on a fairly high level. And based on this experience I would think that the actual description in the error text should make it possible for a Windows guru to perform a simple test with different date/time settings. In SAP you should never ignore what the system itself tells you is wrong. Perhaps it is also the case with Vista.

    I first really noticed the problem when I recently installed version 9 of IOLO's System Mechanic. Then I started getting errors like "Acces violation at address 1339A131 in module 'IOLOSM~DLL'. Read of address 00000004". I have not (yet!?) seen this error message after I reinstalled the System Mechanic program. But the certificate error persists.

    To me the Microsoft responses look a lot like the first-level answers you get from SAP too. Very helpful and friendly supporters look at all their existing internal notes and send some of them to us. But apparently they have not set up a test environment to reproduce the error message. Hopefully they will do that in the end. With such a clear message and with such nice users who are willing to help with all the experiments it should be possible to reproduce the error and then find the solution.
  • Thursday, August 27, 2009 11:51 PM Flyguy56
     
    If you're running a virus program, you must allow it to load the update.
  • Monday, August 31, 2009 1:16 AM IgrAt
     
    Hi all.

    I hope this thread still has some readers. After all, the solution is not there yet, it seems.

    I run Vista Home Premium and update everything I can from Windows. I can see that I have had the error since June 3, so the timing is the same as yours. I have just upgraded to service pack 2 a few days ago. So the error is not related to this update specifically.

    I think that some more attention should be paid to this part of the error message: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

    I am not a Windows guru, but I have had 11 years as SAP supporter on a fairly high level. And based on this experience I would think that the actual description in the error text should make it possible for a Windows guru to perform a simple test with different date/time settings. In SAP you should never ignore what the system itself tells you is wrong. Perhaps it is also the case with Vista.

    I first really noticed the problem when I recently installed version 9 of IOLO's System Mechanic. Then I started getting errors like "Acces violation at address 1339A131 in module 'IOLOSM~DLL'. Read of address 00000004". I have not (yet!?) seen this error message after I reinstalled the System Mechanic program. But the certificate error persists.

    To me the Microsoft responses look a lot like the first-level answers you get from SAP too. Very helpful and friendly supporters look at all their existing internal notes and send some of them to us. But apparently they have not set up a test environment to reproduce the error message. Hopefully they will do that in the end. With such a clear message and with such nice users who are willing to help with all the experiments it should be possible to reproduce the error and then find the solution.

    I got the error message and my Acer laptop (Home Premium) keeps shutting down unexpectedly. Today I tried to upgrade to Ultimate and it shut down again during "Feature and Update". CAPI2 shows in the event viewer.
    As a Technet Plus user, I'm really disappointed in MS' support.
  • Friday, September 11, 2009 3:00 PM Purdue Peterson
     
    I agree that no solution seems to have been found. What some of the above posts suggest is to stop the application or utility that is requesting the "authrootstl.cab" file from getting downloaded. This is not practical in some cases. For us, this "authrootstl.cab" file is being requested via lsass.exe which is part of the normal login process.

    I would like to simplify things by asking the following:
    1) Go to http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and download this CAB file to your local computer.
    2) Open the CAB file and extract the authroot.stl file to your local computer.
    3) Double-click on the STL file. I'm assuming, near the top, you will see the following: "This certificate trust list is not valid. The certificate that signed the list is not valid."

    All the problems seem to be tied to this STL file (Microsoft's certificate trust list) not being valid.

    Can someone (i.e. Microsoft) explain why this is not valid?  Can it be made valid?   Etc.

    Thanks,

  • Saturday, September 12, 2009 8:39 AM confuseduser
     
    Hi Purdue, further up in the thread, there was a suggestion that one should inform Microsoft. Maybe you could do it. The link below is a link to Microsoft. Maybe somebody (who can cope with all the technical details) could send them the information. Confuseduser
    https://connect.microsoft.com/default.aspx

     
  • Wednesday, October 07, 2009 9:02 AM Stewilliamson
     
    I'm sorry to add to the list of users with problems and no resolutions, but we're having this problem on two W2k8 x64 servers.

    both servers are in the same domain and they're DCs

    We have another 2008 DC (also runs exchange) and the error is NOT appearing on that server. There's another 2003 DC but that's not getting the error.

    Signing up to this thread as it seems the most in-depth one, although there's been no more posts since August by the looks of things.
  • Tuesday, October 13, 2009 5:06 PM Rainer Meier
     
    I'm sorry to add to the list of users with problems and no resolutions, but we're having this problem on two W2k8 x64 servers.

    ..
    although there's been no more posts since August by the looks of things.
    Probably people have been busy preparing the Windows 7 update or already migrated. At least I am running Windows 7 RTM since a while where I did not yet have this problem. Although I think Microsoft should not ignore it since Vista is still under support and they sold millions of copies. So just ignoring problems is not really the most nice way to go.
  • Friday, October 16, 2009 9:49 AM Hans van Dijk
     

    Solved?
    My Exchange Server 2007 on Windows 2008 had the same problem - 88 times a day.
    I solved this by giving the ExchangeServer computer in our ISA server Unlimited access to the internet.

    • Proposed As Answer by Hans van Dijk Friday, October 16, 2009 9:52 AM
    • Unproposed As Answer by confuseduser Sunday, October 18, 2009 4:44 AM
  • Sunday, October 18, 2009 4:45 AM confuseduser
     
    Hi, it does not work on my PC (home user).  Confuseduser
  • Monday, October 19, 2009 4:19 AM pperry803
     
  • Monday, October 19, 2009 9:49 AM Yvesl
     

    Hi Pete

    It seems like this link is not open to public, may you post the solution here?

    Thanks
    Yves

     

  • Monday, October 19, 2009 8:00 PM JonHart
     Proposed Answer
    From another forum:

    Based on my research, the issue can be caused by corrupted certificate data on the server. I suggest you try the following steps to test the issue:

    1. Backup and delete the contents of the following folders:

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

    2. Backup and delete the certificates listed under "Certificates" key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates

    Then, restart the server to check the result.

    I did this on one of the servers on which I have an error.  

    Let me stress this...  DO THE BACKUPs IT MENTIONS AS MESSING WITH THE REGISTRY CAN HAVE VERY SERIOUS SIDE EFFECTS.

    I have been struggling with this issue for about 3 months on 4 2008 servers, some physical and some VMs. 

    I deleted the folders as suggested by Kevin Zhao above.  After a reboot, I now get CAPI2 eventID 13 Informational messages stating:  Successful auto property update of third-party root certificate...etc.

    I'm going to continue to monitor the server on which I attempted this remedy.  If it holds, I think we have a winner.


    • Proposed As Answer by Emkay1001 Wednesday, October 28, 2009 8:57 PM
    • Proposed As Answer by JonHart Monday, October 19, 2009 8:03 PM
    • Unproposed As Answer by confuseduser Tuesday, October 20, 2009 3:27 AM
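
    The two steps quoted in the post above (back up, then delete the CryptnetUrlCache contents and the AuthRoot certificate entries), as an added PowerShell example that is not part of the thread or of the quoted forum answer. The backup location and the -Apply switch are assumptions of this sketch; without -Apply it only takes the backups and previews the deletions.

```powershell
# Added example (not from the thread). Save as a .ps1 file and run from an
# elevated 64-bit PowerShell: a 32-bit host is redirected from System32 to
# SysWOW64 and would not see the system profile's cache folders.
param([switch]$Apply)   # hypothetical switch: without it nothing is deleted

$ErrorActionPreference = 'Stop'

# Paths exactly as given in the post.
$cacheRoot = Join-Path $env:windir 'System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache'
$regKey    = 'HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates'
$regPath   = 'HKLM:\Software\Microsoft\SystemCertificates\AuthRoot\Certificates'

# Assumed backup location: a timestamped folder on the system drive.
$backupDir = Join-Path $env:SystemDrive ('\capi2-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Back up the registry key first and stop if the export did not succeed.
$regFile = Join-Path $backupDir 'AuthRoot-Certificates.reg'
& reg.exe export $regKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $regFile)) {
    throw 'Registry export failed; nothing was deleted.'
}

# Back up both cache folders and verify the copies are complete.
foreach ($name in 'Content', 'MetaData') {
    $src = Join-Path $cacheRoot $name
    if (-not (Test-Path $src)) { continue }
    $dst = Join-Path $backupDir $name
    Copy-Item -Path $src -Destination $dst -Recurse -Force
    $srcCount = @(Get-ChildItem $src -Recurse -Force).Count
    $dstCount = @(Get-ChildItem $dst -Recurse -Force).Count
    if ($srcCount -ne $dstCount) {
        throw "Backup of $src is incomplete ($dstCount of $srcCount items); nothing was deleted."
    }
}
Write-Host "Backups written to $backupDir"

# Delete only after both backups exist. Without -Apply, -WhatIf prints what
# would be removed and changes nothing.
$preview = -not $Apply
foreach ($name in 'Content', 'MetaData') {
    $src = Join-Path $cacheRoot $name
    if (Test-Path $src) {
        Get-ChildItem $src -Force | Remove-Item -Recurse -Force -WhatIf:$preview
    }
}
# Each certificate is a subkey under ...\AuthRoot\Certificates.
Get-ChildItem $regPath | Remove-Item -Recurse -Force -WhatIf:$preview

if ($Apply) {
    Write-Host 'Done. Restart the server and check the Application log for CAPI2 events.'
} else {
    Write-Host 'Preview only. Re-run with -Apply to delete.'
}

# To roll back: reg.exe import "<backupDir>\AuthRoot-Certificates.reg"
# and copy the Content and MetaData folders back into CryptnetUrlCache.
```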
  • Tuesday, October 20, 2009 3:28 AM confuseduser
     
    Hi, I only have a home computer and this does not seem to apply.  Confuseduser P.S. However, it might help the people with servers.
  • Tuesday, October 20, 2009 11:32 AM JonHart
     Answer
    I don't see any reason the solution above would not work in Vista.  I see the same folder structure and registry entries on Vista. 

    If you are not familiar with the registry, here is a very detailed instruction set on how to delete entries:  http://support.microsoft.com/kb/136393

    Be sure to use the export option before deleting entries in order to back them up.
    • Marked As Answer by confuseduser Wednesday, October 21, 2009 5:51 AM
  • Wednesday, October 21, 2009 5:55 AM confuseduser
     
    Hi Jon, I actually asked, whether a home user needs to go to all that trouble.  I have tracked it down to the fact that it probably has something to do with AVG (in one of the emails above, this was suggested).  I also have Vista.  However, meanwhile I have come to the conclusion that the error does not seem to affect anything (although in the Event Viewer under Security it also appears as a problem).  I really do not want to make so many changes in the registry, especially as I am not really sure whether it will work or not.  Confuseduser
  • Wednesday, October 21, 2009 11:27 AM Purdue Peterson
     

    I think a lot of the confusion surrounding this problem is because many of us are solving our individual cases of why/when the authrootstl.cab file is getting called. I have seen enough scenarios in this thread and others on the web to make me think that this authrootstl.cab file gets called/referenced many different times for different reasons. Therefore, many of the posted "solutions" that involve doing something on the client do not usually work for other users who are in a different situation. I still believe that there is a fundamental problem with the authrootstl.cab file itself (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab). If you manually download this file, extract the contained authroot.stl file, double-click on it to view it, then you will see that it is "invalid".

    I'm probably wrong, but it seems that if we (i.e. Microsoft) could fix this underlying issue, then maybe all of our individual problems would go away.

    Thanks,


    P.S. Here are the steps to download, extract, and view the file in question.

    1) Go to http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and download this CAB file to your local computer.
    2) Open the CAB file and extract the authroot.stl file to your local computer.
    3) Double-click on the STL file. I'm assuming, near the top, you will see the following: "This certificate trust list is not valid. The certificate that signed the list is not valid."



  • Wednesday, October 21, 2009 3:48 PM JonHart
     
    I think all the other solutions I've found ... except the one I posted about cleaning the root files and registry entries .... treat the symptoms, not the problem.  Turning off ISA restrictions, virus scans, etc, all create their own problems.  In fact, I had turned off McAfee for a short time to test the problem myself.  But that's not a realistic solution because it doesn't treat the root problem of bad certificate authority lists and creates real security threats.

    I'm thinking that the root authority file itself may contain a corruption of some sort that MS definitely should fix.  My guess is that since it is not causing critical problems for folks, they are unlikely to remedy it.

    If you are uncomfortable messing with the registry, you can probably ignore the error and move on.  This is probably no issue for home users of Vista.  If you like your machine logs to look nice and clean, the registry and file deletion may be the only remedy that you ever see.  Just make sure you do backups before you go down that road.  I don't have a lot of faith that MS is going to do anything about it since it's been so long since the problem started.

    I have a 2008 domain controller that is having this error and I'm hesitating to apply this remedy.  I will probably demote it from its role before attempting it, just to be safe.  It does not have any of the major FSMO roles, so I can do that.  But I don't want to see that error in reports for the next few years that server is running.
  • Wednesday, October 28, 2009 8:57 PM Emkay1001
     
    From another forum:

    Based on my research, the issue can be caused by corrupted certificate data on the server. I suggest you try the following steps to test the issue:

    1. Backup and delete the contents of the following folders:

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

    2. Backup and delete the certificates listed under "Certificates" key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates

    Then, restart the server to check the result.

    I did this on one of the servers on which I have an error.  

    Let me stress this...  DO THE BACKUPs IT MENTIONS AS MESSING WITH THE REGISTRY CAN HAVE VERY SERIOUS SIDE EFFECTS.

    I have been struggling with this issue for about 3 months on 4 2008 servers, some physical and some VMs. 

    I deleted the folders as suggested by Kevin Zhao above.  After a reboot, I now get CAPI2 eventID 13 Informational messages stating:  Successful auto property update of third-party root certificate...etc.

    I'm going to continue to monitor the server on which I attempted this remedy.  If it holds, I think we have a winner.



    I can confirm that this indeed works (at least in my scenario). I've stumbled on the problem on 32-bit Vista SP2. According to CAPI2 log in the Event Log infocard.exe was responsible for the failed attempt to update the certificates. Every time I would start the Windows Cardspace service the error would be logged. The issue didn't occur on a fresh install of Windows Vista (SP2, root certificates updated to May 2009) on a virtual machine. I figure that even though viewing the STL file from the CAB does show that "it's not valid" - it's not the issue. After reboot the root certificates were automatically updated without any problem (just in case I've downloaded the root certificates from May 2009 as mentioned in this thread earlier).

    I've tried the above solution. And it worked (at least so far).
    Thank you very much for posting this.
  • Sunday, November 08, 2009 12:55 PM perrin_1
     
    NOTE: The solution above is not working on a domain controller. After trying this the machine would not boot up again. It stops at "Applying computer settings" forever! Still having these issues on my SBS 2008 computer
  • Sunday, November 08, 2009 8:51 PM pperry803
     
    I too concur with the last post.  The above fix does not work on SBS2008 and the server stops at "Applying computer settings".  I had to restore the settings in Safe Mode in order for the servers to start up normally.

    Pete
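
Added example (not part of any post in this thread, and not Microsoft's own script): a backup-only PowerShell helper for the backup step of the procedure quoted above. It copies the two CryptnetUrlCache folders, exports the AuthRoot\Certificates key, warns when run on a domain controller (the role on which the posts above report a hang at "Applying computer settings"), and lists recent CAPI2 events 11 and 13; it deletes nothing. Assumptions: an elevated 64-bit PowerShell 2.0 or later prompt, and a hypothetical backup location C:\CAPI2-Backup.

```powershell
# Added example: backup-only helper for the procedure quoted in this thread.
# Assumptions: elevated 64-bit PowerShell 2.0+; $BackupRoot is a hypothetical path.
$BackupRoot = "C:\CAPI2-Backup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$CacheBase  = 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache'
$RegKey     = 'HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates'

# Posts in this thread report that the deletion step left a domain controller /
# SBS 2008 server stuck at "Applying computer settings", so flag that role first.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'This machine is a domain controller; see the reports in this thread before deleting anything.'
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Copy both cache folders (Content and MetaData) before anything is deleted.
foreach ($sub in 'Content', 'MetaData') {
    $src = Join-Path $CacheBase $sub
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination (Join-Path $BackupRoot $sub) -Recurse -Force
    } else {
        Write-Warning "Not found, nothing to back up: $src"
    }
}

# 2. Export the AuthRoot certificates key to a .reg file that can be
#    re-imported with "reg import" (for example from Safe Mode).
$regFile = Join-Path $BackupRoot 'AuthRoot-Certificates.reg'
& reg.exe export $RegKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed for $RegKey" }

# 3. List recent CAPI2 events: ID 11 is the failed extract reported in this
#    thread, ID 13 is the "Successful auto property update" message.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 11, 13
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

Write-Output "Backup written to $BackupRoot"
```

Running the event query again after a reboot shows whether ID 11 errors have been replaced by ID 13 informational entries.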