CAPI2 Error 4107
For several days (7/11/2010) I have been seeing the following errors in the event logs of Windows 7 workstations at home and work:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
System clock is correct, a manual download and installation does not change anything. Could ignore this, since it seems not to have a visible effect on the computer's functionality, but it makes it difficult to quickly trace real errors when checking the event log of a machine.
The same error from source crypt32 in the event logs of Windows XP workstations.
So when will this be resolved?
Best greetings from Germany
Olaf
July 22nd, 2010 11:41am
Hi Susan,
Thank you for posting!
I also noticed this event error logged on my servers, and have consulted
the Dev team. This error has no impact to functionality and no
troubleshooting is needed.
Here is the information from the Dev team:
The event log error indicates that the signing certificate for the CTL
(certificate trust list) has expired. This was likely caused by the
following issue:
The signing certificate for the automatic root update CTL expired on
7/9. We re-signed the CTL with a renewed certificate and published it on
Windows Update on 7/7. A valid CTL was available on WU before the
signing certificate expired.
However, for any machine that had the older CTL cached, CAPI will first
try to use the cached CTL which would result in the error you are
seeing. Since the cached CTL does not have a time valid signature, CAPI
will retrieve the CTL from WU and obtain the valid CTL. As a result,
certificate validation will not be affected but you will see the error
being logged due to the cached CTL with an expired signing certificate.
Once the updated CTL is retrieved from WU, you will not see this error
and no further action will be required for resolving this.
Thanks!
--------------------------------------------------------------------------------
Best regards,
Tony Ma
Partner Online Technical Community
-----------------------------------------------------------------------------------------
We hope you get value from our new forums platform! Tell us what you think:
http://social.microsoft.com/Forums/en-US/partnerfdbk/threads
------------------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
July 23rd, 2010 9:20am
Hi,
Thanks for posting in Technet.
There are several behaviors that may cause this error in the Event Log. The detailed information is in the following article. I believe that it will be helpful.
Troubleshooting PKI Problems on Windows Vista
Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 23rd, 2010 11:31am
I am one of those with this issue...can someone possibly tell me how to do the following suggestion:
Once the updated CTL is retrieved from WU, you will not see this error
and no further action will be required for resolving this
I would prefer a simple solution versus having to use someone else's suggested solution involving registry tweaks.
Thanks so much for any help.
Peter
July 29th, 2010 4:56am
It seems that I haven't been able to update since 4/12 due to various errors. This 4107 error pops up in the event viewer, even today. So if it's a problem with the cached CTL, please tell me how/where I can wipe that cache. I've downloaded the baseline security analyzer, and I get the dreaded "MBSA 2.1.1 error Catalog file is damaged / Invalid catalog error", so I'd really like to solve this issue as apparently my PC's OS is becoming woefully out of date...
July 30th, 2010 2:38am
Arthur with deepest respect but can you make this answer simpler to follow?
Exactly what steps do we need to do to get this error to stop? That troubleshooting page is too complicated.
July 30th, 2010 10:26pm
I see this error on many of my servers for about 2 weeks now. How can we resolve this?
August 3rd, 2010 9:44am
On my client PC the error seems to have stopped for about 48 hours.
Since I'm currently on vacation it's hard to say what other PCs do.
Best greetings from Germany
Olaf
August 4th, 2010 1:01am
Exactly how long does the "cache" stay valid and how can we clear it? This has been filling my Application log since 12 July and still going strong.
Windows 7 Ultimate x64 - WU up to date.
EDIT: been digging ... the cache is now irrelevant, WU has issued an invalid root certificate update so until this is fixed (and why hasn't it already?) the errors are staying :(
August 16th, 2010 11:48pm
please follow this KB http://support.microsoft.com/kb/2328240
just been released on 26 August 2010
September 2nd, 2010 12:25pm
please follow this KB http://support.microsoft.com/kb/2328240
just been released on 26 August 2010
This may work for some but not all: I am still getting hourly CAPI2 4107 errors logged after executing above fix suggestion just the same. RAC Task seems to coincide timewise with error log.
September 2nd, 2010 3:21pm
I have now finally resolved the CAPI2 4107 issue with following method:
Turn off UAC, restart machine and delete all files found in:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\*username*\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\*username*\AppData\LocalLow\Microsoft\CryptnetUrlCache\Metadata
Delete all keys under:
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
Turn back on UAC, restart
September 6th, 2010 11:45pm
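A read-only check for the situation discussed in this thread, as an added example that is not part of any post above: it counts CAPI2 4107 events per day, to see whether they have stopped, and reports how many files sit in each CryptnetUrlCache folder named in the previous post and when the newest one was written. It deletes nothing. The provider name `Microsoft-Windows-CAPI2` and the 14-day window are assumptions.

```powershell
# Added example: read-only, run from an elevated PowerShell prompt.
# Assumption: on Windows 7 the event is written to the Application log
# by the provider 'Microsoft-Windows-CAPI2'.
$days = 14   # look-back window, chosen for illustration

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4107
    StartTime    = (Get-Date).AddDays(-$days)
}
# Get-WinEvent raises an error when nothing matches, so suppress it.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"4107 events in the last $days days: $($events.Count)"
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize | Out-String

# Profile roots that hold the cache folders listed in the post above.
$roots = @(
    "$env:SystemRoot\System32\config\systemprofile",
    "$env:SystemRoot\ServiceProfiles\LocalService",
    "$env:SystemRoot\ServiceProfiles\NetworkService"
)
$roots += Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }

$report = foreach ($root in $roots) {
    foreach ($leaf in 'Content', 'MetaData') {
        $dir = Join-Path $root "AppData\LocalLow\Microsoft\CryptnetUrlCache\$leaf"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $files = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })
        $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Path = $dir; Files = $files.Count; Newest = $newest.LastWriteTime
        }
    }
}
$report | Select-Object Path, Files, Newest | Format-Table -AutoSize | Out-String
```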
Internet Explorer->Tools Dropdown->Internet Options->Content Tab->Certificates Button:
under every tab (except for Untrusted Publishers), delete all entries. I had hundreds and hundreds of them.
I.E. seems more sprightly, certainly lighter after doing this. If any Certs. are needed I'm sure they'll be back there needing clean up in time.
Maybe Cert. handler has a max of 1024 and becomes confused.
November 24th, 2010 4:23pm
Does anyone know what to do or what the problem is if the certificates cannot be deleted?
I have a 10 week old system Windows 7 64 bit and the radio button for "Remove" in Trusted Root Certification Authorities is non-functional/Grayed out; therefore I cannot remove any of the 300+ certificates that have somehow crept onto my system--and did so in the first two weeks. I started with 9.
I had the 4107 error on my system--hundreds of them-- and what was worse, Windows Updates wouldn't function at all for some time. Drove me nuts!
This is why the radio button issue concerns me...
November 3rd, 2011 6:35am