CAPI2 Error 4107
Since several days (7/11/2010) I see following errors in the event logs of Windows 7 workstations at home and work: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. System clock is correct, a manual download and installation does not change anything. Could ignore this, since it seems not to have a visible effect to the computers functionality, but it makes it difficult to quickly trace real errors if checking the event log of a machine. The same error from source crypt32 in the event logs of Windows XP workstations. So when will this be resolved? Best greetings from Germany Olaf
July 22nd, 2010 11:41am

Hi Susan, Thank you for posting! I also noticed this event error logged on my servers, and have consulted the Dev team. This error has no impact to functionality and no troubleshooting is needed. Here is the information from the Dev team: The event log error indicates that the signing certificate for the CTL (certificate trust list) has expired. This was likely caused by the following issue: The signing certificate for the automatic root update CTL expired on 7/9. We re-signed the CTL with a renewed certificate and published it on Windows Update on 7/7. A valid CTL was available on WU before the signing certificate expired. However, for any machine that had the older CTL cached, CAPI will first try to use the cached CTL which would result in the error you are seeing. Since the cached CTL does not have a time valid signature, CAPI will retrieve the CTL from WU and obtain the valid CTL. As a result, certificate validation will not be affected but you will see the error being logged due to the cached CTL with an expired signing certificate. Once the updated CTL is retrieved from WU, you will not see this error and no further action will be required for resolving this. Thanks! -------------------------------------------------------------------------------- Best regards, Tony Ma Partner Online Technical Community ----------------------------------------------------------------------------------------- We hope you get value from our new forums platform! Tell us what you think: http://social.microsoft.com/Forums/en-US/partnerfdbk/threads ------------------------------------------------------------------------------------------ This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 9:20am

Hi, Thanks for posting in Technet. There are several behaviors that may cause this error in Event Log. The detail information is in the following article. I believe that it will be helpful. Troubleshooting PKI Problems on Windows Vista Arthur Xie TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 23rd, 2010 11:31am

I am one of those with this issue...can someone possibly tell me how to do the following suggestion: Once the updated CTL is retrieved from WU, you will not see this error and no further action will be required for resolving this I would prefer a simple solution versus having to use someone else's suggested solution involving registry tweaks. Thanks so much for any help. Peter
Free Windows Admin Tool Kit Click here and download it now
July 29th, 2010 4:56am

It' seems that I haven't been able to update since 4/12 due to various errors. This 4107 error pops up in the event viewer, even today. So if it's a problem with the cached CTL, please tell me how/where I can wipe that cache. I've downloaded the baseline security analyzer, and I get the dreaded "MBSA 2.1.1 error Catalog file is damaged / Invalid catalog error", so I'd really like to solve this issue as apparently my PC's OS is becoming woefully out of date...
July 30th, 2010 2:38am

Arthur with deepest respect but can you make this answer simpler to follow? Exactly what steps do we need to do to get this error to stop? That troubleshooting page is too complicated.
Free Windows Admin Tool Kit Click here and download it now
July 30th, 2010 10:26pm

I see this error on many of my servers for about 2 weeks now. How can we resolve this?
August 3rd, 2010 9:44am

On my client PC the error seems to have stopped since about 48 hours. Since I'm currently in vacation it's hard to say what other PCs do. Best greetings from Germany Olaf
Free Windows Admin Tool Kit Click here and download it now
August 4th, 2010 1:01am

Eaxactly how long does the "cache" stay valid and how can we clear it? This has been filling my Application log since 12 July and still going strong. Windows 7 Ultimate x64 - WU up to date. EDIT: been digging ... the cache is now irrelevant, WU has issued an invalid root certificate update so until this is fixed (and why hasn't it already?) the errors are staying :(
August 16th, 2010 11:48pm

please follow this KB http://support.microsoft.com/kb/2328240 just been released on 26August 2010
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2010 12:25pm

please follow this KB http://support.microsoft.com/kb/2328240 just been released on 26August 2010 This may work for some but not all: I am still getting hourly CAPI2 4107 errors logged after executing above fix suggestion just the same. RAC Task seems to coincide timewise with error log.
September 2nd, 2010 3:21pm

I have now finally resolved the CAPI2 4107 issue with following method: Turn off UAC, restart machine and delete all files found in: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\*username*\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\*username*\AppData\LocalLow\Microsoft\CryptnetUrlCache\Metadata Delete all keys under: HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates Turn back on UAC, restart
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2010 11:45pm

Internet Explorer->Tools Dropdown->Internet Options->Content Tab->Certificates Button: under every tab, (exept for Untrusted Publishers) delete all entries. I had hudreds and hundreds of them. I.E. seems more sprightly, certainly lighter after doing this. If any Certs. are needed I'm sure they'll be back there needing clean up in time. Maybe Cert. handler has a max of 1024 and becomes confused.
November 24th, 2010 8:24am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics