Failed extract of third-party root list from auto update cab

Background

This is an annoying message that shows up in the Event Log on Windows servers and computers and won’t go away. The error was initially caused by a certificate update published by Microsoft at the end of 2010 containing expired root certificates. The error has continued to surface on systems though, so I am starting to wonder if it has more than one cause. One theory is that this happens when an administrator is logged or has an active but disconnected session on the computer while another administrator or some form of automation tries to install updates from Windows Update.

Symptoms and findings

The error is detected in the Application Event Log. On Windows server 2008 it looks like this:

SNAGHTML1083d214

Event 11 from Microsoft-Windows-CAPI2

Or like this:

SNAGHTML8f7d7b

Event 4017 from CAPI2

On Windows Server 2003:

SNAGHTML108e5b5f

Event 11 from crypt32

Solution

Microsoft has released a fixit that has solved this problem for me on most of the servers I have applied it to: Fix it 50531. See KB 2328240 for details and a manual method. This fixit only works on Windows 2008/7 though, but the manual method should work for older versions as well, provided you substitute “Documents and settings” were it says “Users” in the KB.

The solution is to delete the files in the folders referenced in the KB. You have to check all users and system accounts, unless you know which user ran windows update when the problem first appeared on your system.

Service account profile folder locations:

  • %windir%\ServiceProfiles\[Service Account]\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • %windir%\ServiceProfiles\[Service Account]\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

User account profile folder locations:

    • C:\Users\[Account]\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    • C:\Users\[Account]\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

    SNAGHTML895cf0

    After deleting the files, check back a couple of hours and see if the error resurfaces. If you want to test it immediately, download the “authrootstl.cab” file from the link in the event and try to install it.

    Update: 20121018

    A colleague of mine has written a small powershell script that seems to do the trick on Win2008R2 servers:

    get-childitem -path 'c:\users' | where-object { $_.psiscontainer -eq $true } | foreach-object {
        $contentfolder  = join-path -path $_.fullname -childpath 'appdata\locallow\microsoft\cryptneturlcache\content\'
        $metadatafolder = join-path -path $_.fullname -childpath 'appdata\locallow\microsoft\cryptneturlcache\metadata'
        if (test-path -path $contentfolder ) { remove-item -path "$contentfolder\*"  -force -verbose }
        if (test-path -path $metadatafolder) { remove-item -path "$metadatafolder\*" -force -verbose }
        }
    

    This is quicker to implement than the “Fix it” or manual approach, and all our attempts have been successful so far.

    Author: DizzyBadger

    SQL Server DBA, Cluster expert, Principal Analyst

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.