Troubleshooting Steps for CAPI2 Event ID 11 occurring against Windows Update
- We have been getting reports of Certificate issues with the WU Servers.
It is not the WU Servers but a conflict with Third Party AV.
Many people are complaining that this is a problem with the Certificates on the WU Servers.
In the issues that I saw the issue was not the certificate on the WU Servers but conflicts from Zone Alarm and Trend Micro and AVG Security Products.
The error occurred every time the system is rebooted.
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 27/05/2009 8:42:16 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXXXX
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Troubleshooting :-
1. Go to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer.
2. Choose operational and enable logging.
3. Reboot the System
4. Review the Event Log by navigating to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational.
5. One of the log items indicated an error and mentions mcafee exe or vsmon.exe or AVG.exe
   - TrendMicro
   - Zone Alarm
   - AVG
   - Other Products
6. Disabling the AV Product Removes the error
7. Contact the Third party AV Vendor
Robert
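The logging steps in the post above can be scripted. The following PowerShell is an added example, not part of the original post; it assumes an elevated prompt and that the CAPI2 event XML records the calling process in a `ProcessName` attribute.

```powershell
# Added example: enable the CAPI2 operational log, then (after a reboot)
# summarise which processes triggered error-level CAPI2 events.
$log = 'Microsoft-Windows-CAPI2/Operational'

# Step 2 of the post: enable logging for the channel.
wevtutil.exe sl $log /e:true

# Steps 4-5: run this part after the reboot. Level 2 = Error.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    # Assumption: the calling process is stored in a ProcessName attribute
    # somewhere in the event's UserData section.
    $node = $xml.SelectSingleNode('//*[@ProcessName]')
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Process     = if ($node) { $node.GetAttribute('ProcessName') }
                      else       { '(not recorded)' }
    }
}

# One line per process, most frequent first. A security product's executable
# at the top of this list matches the conflict described in the post.
$rows | Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```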
Answers
- From another forum:
From the problem description of the post you submitted, my understanding is: Capi2 event 11 is logged every time when Windows Update is looking for updates. If I have misunderstood your concern, feel free to let me know.
Based on my research, the issue can be caused by corrupted certificate data on the server. I suggest you try the following steps to test the issue:
1. Backup and delete the contents of the following folders:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2. Backup and delete the certificates listed under "Certificates" key:
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
Then, restart the server to check the result.
If the issue persists, please collect the following information for further troubleshooting:
PFE MPS Report
----------------
1. Download MPSReport tool from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en
2. Right click the downloaded file and select "Run as administrator". If you are prompted "Include the MSINFO32 report?", please type Y.
3. Please send the result file (CAB file) found to Email removed for privacy with the following subject: fd9bba78-7554-432c-a18c-ef47bc245586/How to resolve Event 11 Capi2 on Windows 2008 Server
Please let me know the results at your earliest convenience. If anything is unclear in my post, please don't hesitate to let me know and I will be glad to help. Thank you for your efforts and time.
Best regards,
Kevin Zhao
Partner Online Technical Community
- Proposed As Answer by JonHart Monday, October 19, 2009 7:54 PM
- Marked As Answer by Kevin HauMSFT, Moderator Thursday, October 29, 2009 10:26 PM
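Steps 1 and 2 of the answer above, as an added PowerShell example that is not part of the original answer: it copies both cache folders and exports the registry key before deleting anything. The backup folder name is a hypothetical choice; run it from an elevated 64-bit prompt.

```powershell
# Added example: back up, then clear, the locations named in the answer.
$ErrorActionPreference = 'Stop'   # a failed backup aborts before any delete

# Hypothetical backup location; change as needed.
$backup = Join-Path $env:SystemDrive ('CAPI2-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backup | Out-Null

# Step 1: CryptnetUrlCache\Content and \MetaData of the system profile.
$cache = 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache'
foreach ($sub in 'Content', 'MetaData') {
    $src = Join-Path $cache $sub
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination (Join-Path $backup $sub) -Recurse -Force
        Get-ChildItem -Path $src -Force | Remove-Item -Recurse -Force
    }
}

# Step 2: export the AuthRoot\Certificates key, then delete its subkeys.
$key     = 'HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates'
$regFile = Join-Path $backup 'AuthRoot-Certificates.reg'
reg.exe export $key $regFile /y
if ($LASTEXITCODE -ne 0) { throw "Export of $key failed; registry left untouched." }
Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates' |
    Remove-Item -Recurse -Force

Write-Host "Backup written to $backup. Restart, then check the CAPI2 events."
```

To undo the registry step, import the exported file with `reg import`.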
All Replies
- I don't use TrendMicro, Zone Alarm, nor AVG, and I still get this error message. In fact, I have it so many times on 8/17/2009 at 11:05:44 that I gave up counting at 150 when I was scrolled less than halfway down the page. (in post edit: Duh, right at the top of the viewer screen it says "Operational 472 events"). I am however assuming that I could be classified in your instructions under item 5, sub item 3 "other products" assuming that other products refers to security programs. So pushing forward with that assumption, I followed your instructions........ Kind of........
On step 2, after choosing operational, my available option was to DISABLE logging, so I am assuming that logging is already enabled. Should I have disabled it, rebooted, and then re-enabled it and rebooted, (not trying to be obtuse or a smart aleck, but sometimes computers are programmed to make you do silly stuff to get to what you want lol)? I didn't try that but will if I have to. But in the spirit of cooperation I then right clicked on operational again to try to view the log...........
When I right click again on operational I do get the option to open saved logs, however, when I do, I get an open saved logs dialog box that asks for a path and file name. I tried navigating that to Computer> Local Disk C:> Windows> Logs> where I have file icons for CBS, DPX, Restore. When I click any of those, I highlight any of those and hit the open button, I get "no Item match your search." So where is the log file, what is its name, how do I get there from here?
Additional Info: When I go to Applications and Services Logs\Microsoft\CAPI2\Operational in the event viewer, in the main window the same 6 information items warnings appear repeatedly (in different sequences lol), for the total of 472 events. Event Id's 10, 11, 30, 80, 81, and 90.
These are the following task categories:
Event ID's 10 and 11- Build Chain
Event ID 30- Verify Chain
Event ID's 80 and 81- Verify trust
Event ID 90- X509 Objects
When I view them in the default "General" section, they all say "For more details for this event, please refer to the "Details" section." None of them reference a AV program in the details section, they are all windows paths. I don't know how to read the XML view, but they all reference either trusted installer, IE8, or both. I don't know if this additional info told you anything or was just me wasting time with extraneous junk, I'm still trying to learn this stuff lol so forgive me (and tell me please) if it was not pertinent.
Alternate Possible solution: In a web search using EventID 11, I not only found this thread and your AV solution, but I also found a couple of threads on other forums with a completely different solution. They concern the DVD or CDROM drive. The thought is that it is caused by a faulty connection (either IDE or USB depending on the build) between the optical drive and the motherboard. This causes complete system freezes. This solution makes sense to me since I have experienced similar symptoms. When I crash, I have to open my case and wiggle or disconnect and reconnect the USB cable (and the USB power cable, I did both so I never narrowed it down to one or the other) to my optical drive.
Have you heard of this approach Robert? I have a rather expensive BluRay burner so I was unwilling to just replace it (the warranty is expired even though this has been randomly occurring since I built this computer), but I think it may be worth a $20 liteon to see if this actually is the problem........
EDIT: When I web searched this problem, I saw it occurring to folks during an update and a system restore as well as randomly like mine......... I added this because I just saw that this thread is in the update section.........
- I have been struggling with this issue for about 3 months on 4 2008 servers, some physical and some VMs.
I deleted the folders as suggested by Kevin Zhao above. After a reboot, I now get CAPI2 eventID 13 Informational messages stating: Successful auto property update of third-party root certificate...etc.
I'm going to continue to monitor the server on which I attempted this remedy. If it holds, I think we have a winner.
- System: Packard Bell, Vista (fully updated), Zonealarm firewall, Avast antivirus.
symptoms:
-for a longer period (not sure how long) at startup after welcome screen comes a black screen for several seconds, but after that normal functioning.
-in the last few weeks in some cases the system keeps on hanging in the black screen; the only way out then is ctrl+alt+del to reboot.
-sometimes after reboot it happens again, sometimes i get a 'normal' startup.
-in windows log 'applications' i've found series of CAPI2 - 11 errors back to May 2009
I found out that -in my case- the errors are caused by Zonealarm; disabling the Zonealarm firewall results in errorfree booting.
Instead I tried Windows Firewall, but this caused (many) other problems (failing internet connection), and gives very limited control over what happens 'behind your back'.
I switched back to Zonealarm, tried all kinds of settings, but i can't get these CAPI2 errors to disappear.
QUESTION: best settings for Zonealarm? Is it possible to use it and NOT get CAPI2 errors?
Another interesting link about this problem (but with quite complicated advice) is:
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/acdf1b25-dace-4cfc-8a3d-cb961c1031cc
Thanks very much for your reply!
Fred
- I too did the deletes as described above with no success. Checked the folders where certs were deleted and nothing has been added, folders are empty. I never saw any mention of McAfee or AV programs in any of the event logs. What to try next?
From another forum:
I can confirm that this indeed works (at least in my scenario). I've stumbled on the problem on 32-bit Vista SP2. According to CAPI2 log in the Event Log infocard.exe was responsible for the failed attempt to update the certificates. Every time I would start the Windows Cardspace service the error would be logged. Since the issue didn't occur on a fresh install of Windows Vista on a virtual machine I've tried the above solution. And it worked (at least so far).
From the problem description of the post you submitted, my understanding is: Capi2 event 11 is logged every time when Windows Update is looking for updates. If I have misunderstood your concern, feel free to let me know.
Based on my research, the issue can be caused by corrupted certificate data on the server. I suggest you try the following steps to test the issue:
1. Backup and delete the contents of the following folders:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2. Backup and delete the certificates listed under "Certificates" key:
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
Then, restart the server to check the result.
Thank you very much for posting this.
- After some hesitation I tried this method also: my PC is now working just fine again; bye bye CAPI2-11 !!!!!!
Thanks very much for the advice!
- I'm having the same problem on fresh install of Win7, it's actually causing the system to grind to a halt (boots in to windows no problem) before recovering in a few seconds. All started on Nov 1st for me. Before that i never noticed it. I thought it may be a hardware issue, but now i'm not so sure.
Update: This fix didn't work for me, still had consent.exe causing a CAPI2 --->time for a clean install

