Event 11, Capi2
I am receiving the following event log error on a couple of Vista notebooks. ======================= Event ID: 11 Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. ======================= I know the clock is right. Any ideas? Chris.
April 28th, 2008 9:06am

I have exactly the same problem.Source: CAPI2Event ID: 11Does anybody know what it means. My notebook works unstable, sometime it did not start and sometimes it does not log off. I trying to troubleshoot. Could the problem above be related to problems on my laptop?
Free Windows Admin Tool Kit Click here and download it now
August 17th, 2008 2:19am

I have exactly the same problem on a Vista notebook too. I have 30 of these. It started 03/06/2008
August 21st, 2008 7:06am

Exactly same here too - on a desktop. Apart from that, it's running fine. I did manage to download the file quoted in the message, exact the contents with Winzip, and install it directly with no problems. However, it doesn't stop the regular messages appearing in the Event Viewer - looks like every time I restart the machine it tries again to download, and fails again.
Free Windows Admin Tool Kit Click here and download it now
September 23rd, 2008 6:35pm

Check Out this page: Event ID 11 Automatic Root Certificates Update Configuration http://technet.microsoft.com/en-us/library/cc734018.aspx also, check out the "How Update Root Certificates Communicates with Sites on the Internet" section of this MS Document: Using Windows Vista: Controlling Communication with the Internet http://download.microsoft.com/download/8/1/5/815557e0-5b76-4001-b229-ac4e45618f9a/Mn_Vista.doc (google cached DOC as HTML) http://74.125.47.132/search?q=cache:9GkwuSXAHNQJ:download.microsoft.com/download/8/1/5/815557e0-5b76-4001-b229-ac4e45618f9a/Mn_Vista.doc+CAPI2+%22third-party+root+list%22&cd=24&hl=en&ct=clnk&gl=us
June 4th, 2009 11:08am

I am getting this same error Application Error 11 Source=Microsoft-Windows-CAPI2 on a windows server 2008. I get it about every minute. The linke drive gave does nothing to resolve this issue. It has been happening since May 2, 2009. Anyone know how to resolve this error?Thanks,
Free Windows Admin Tool Kit Click here and download it now
June 10th, 2009 1:40pm

Same problem here on most of our w2k8 servers. I think that the problem is the "authroot.stl" file itself (which is contained in authrootstl.cab). If you look at the details you will see that it's validity datestarts at 2nd of may. Furthermore you get the following error "The certificate trust list is not valid. The certificate that signed the list is not valid. And if you have a look at the signing certificate you get the message "the certificate is not valid for the selected purpose." Seems like Microsoft used the wrong certificate to sign their certificate trust list.
June 22nd, 2009 3:02am

Seems like Microsoft used the wrong certificate to sign their certificate trust list. Seems to be correct. The same error seems to show up on Vista too: http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/acdf1b25-dace-4cfc-8a3d-cb961c1031cc
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2009 9:57am

I have been monitoring this thread and the similar thread here: http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/acdf1b25-dace-4cfc-8a3d-cb961c1031cc I can confirm this has been happening on a brand new install of Server 2008 Standard since June 16th. The install was from original media, then upgraded to SP2. The server is fully patched except for optional updates. It has the Web Server (IIS) role installed, with the .Net 3.0 Features, Remote Server administration Tools feature, and the Windows Porcess Activation Service features. Since this thread hasn't had any activity, I was just wondering if anyone had found a solution. I agree that it definitely looks like the trust list itself is not valid. As this is a planned web server that will host SSL sites, I am at a stand-still until this is resolved. I'm not going to put websites on it since I have no idea if the certs will report as valid to clients. I'd love to know which root certs would have an issue, if any. I did run sfc /scannow at an elevated command line to verify the system protected file. It reported 100% valid. Just for the heck of it, I reinstalled my MAK license key to make sure there is no licensing typo or something. The CAPI2 error shows at least 8 times a day, every day. Sometimes more.
June 30th, 2009 1:16pm

I have found the source of my error. It ended up being McAfee. To determine the cause of the CAPI2 error, I enabled CAPI2 logging in the event log. You can do this by go to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer. Choose operational and enable logging. I noticed my error occurred every time I rebooted, so rebooted the server and checked that event log by nativating to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational. One of the log items indicated an error and mentioned a mcafee exe. I removed McAfee and rebooted. The error is gone. I know this won't solve everyone's issue, but you could use the same methodology to determine the root cause of your own CAPI2 errors.
Free Windows Admin Tool Kit Click here and download it now
July 14th, 2009 2:14pm

Using this method revealed "wmpnetwk.exe" to cause the error to be logged. This process seems to provide the Windows Media Player Network Sharing Service. It was set to "Auatomatic (Delayed)" start on my machine. Stopping it and setting the start method to "Manual" made the CAPI2 error disappear until now. However I think this is rather a work-around than a solution. Disabling this service will most probably disable media sharing capabilities of WMP - so if you don't use/need it this might be an acceptable solution. But if you want to use media sharing, then this is probably not helpful at all. Moreover I have the feeling that WMP is not the only application which triggers the Certificate Trust List (CTL) update. So the error might re-appear. Apparently the CTL provided by Microsoft on their pages is broken (signed by wrong certificate) which causes the error to be logged by WMP. This might be related to some DRM-code too which requires certificates to verify licenses (another reason to avoid DRM-systems). So disabling the "Windows Media Player Netwrok Sharing Service" might help some people here to work around the problem.
July 15th, 2009 5:14am

See:Description of the System Update Readiness Tool for Windows Vista, for Windows Server 2008, and for Windows 7http://support.microsoft.com/kb/947821http://support.microsoft.com/default.aspx/kb/947821 What Windows Update installation errors can the System Update Readiness Tool potentially address? The following table lists error messages that you might receive when you try to install a software update. These errors might be caused by a system irregularity that the System Update Readiness Tool might be able to resolve. However, the tool might be unable to fix all instances in which these errors occur. Code Error Description 0x80070002 ERROR_FILE_NOT_FOUND The system cannot find the file specified. 0x8007000D ERROR_INVALID_DATA The data is invalid. 0x800F081F CBS_E_SOURCE_MISSING The source for the package or file not found. 0x80073712 ERROR_SXS_COMPONENT_STORE_CORRUPT The component store is in an inconsistent state. 0x800736CC ERROR_SXS_FILE_HASH_MISMATCH A component's file does not match the verification information present in the component manifest. 0x800705B9 ERROR_XML_PARSE_ERROR Unable to parse the requested XML data. 0x80070246 ERROR_ILLEGAL_CHARACTER An invalid character was encountered. 0x8007370D ERROR_SXS_IDENTITY_PARSE_ERROR An identity string is malformed. 0x8007370B ERROR_SXS_INVALID_IDENTITY_ATTRIBUTE_NAME The name of an attribute in an identity is not within the valid range. 0x8007370A ERROR_SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE The value of an attribute in an identity is not within the valid range. 0x80070057 ERROR_INVALID_PARAMETER The parameter is incorrect. 0x800B0100 TRUST_E_NOSIGNATURE No signature was present in the subject. 0x80092003 CRYPT_E_FILE_ERROR An error occurred while Windows Update reads or writes to a file. 0x800B0101 CERT_E_EXPIRED A required certificate is not within its validity period when verifying against the current system clock or the time stamp in the signed file. 0x8007371B ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE One or more required members of the transaction are not present.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2009 11:33am

I am having it as well. Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. Just started popping up.
July 13th, 2010 7:43pm

Same here: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. . I downloaded and am installing the System Update Readiness Tool (KB947821) that "ThanksABunch" gave in the links. So far, it has been churning away for almost 90 minutes. It is banging away on my hard drive so it's still active, but the progress bar is just sitting there at about 80% done. Hopefully it will finish soon and I can report on it's effectiveness. Ah, it's done. Now I guess I just wait and see if I get any more CAPI errors. I used JonHart's method also to see if I can get more details. Bill
Free Windows Admin Tool Kit Click here and download it now
July 14th, 2010 8:48pm

Here is just one of the errors that pop up in the log for CAPI2 logging. This was AFTER downloading and installing the System Update Readiness applet. As near as I can tell, this error is coming from some sort of activity dealing with certificates, but I can't narrow it down any more than that. There were a batch of them around 0200 (2AM) when I have my systen set to do some Microsoft SyncToy echos using the scheduler. http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl The way I see it, the errors are being caused by a failure at Microsoft's end, not mine. Bill
July 15th, 2010 10:45am

I guess I am the official thread killer here. Every thread I have started or commented in has stopped dead after my post. Bill
Free Windows Admin Tool Kit Click here and download it now
July 17th, 2010 3:36pm

I got the same error failing to extract this ominous capi 2 issue with the authrootstl.cab file. The answer to the problem was by downloading the best practices analyzer with Small Business Server. Unfortunately Windows Server 2008 does not come with the Best Practiczes Security Analyzer which can be downloaded for Small Business Server 2008 which points to the answer with three error events. Because it fixed this problem, I will reconstruct it because it involves using the registry. Open the registry either on SBS 2008 or Windows Server 2008. Event A. The Company value does not exist in the BackConnectionHostNames registry key. Below is information which is specified below in Event B. Event B. The BackConnectionHostNames registry does not exist. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Right-click MSV1_0. Point to New, and then click Multi.-String value. Type BackConnectionHostNames , and then Press ENTER. Event C. Company value or FQDN(remote.???.???) does not exist in the BackConnectionHostNames registry. The BackConnectionHostNames key should include the value remote.???.???. To resolve this issue, open registry editor, and then locate and click HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames . Right-click BackConnectionHostNames and then click Modify. In the Value data box, type remote.???.??? (whichever you have!), and then click OK. This will immediately resolve the issue and there will be no more errors in Server Manager in the Event Viewer. I did not find any more errors on my second Server with Windows 2008 on it. Both run on a Dell T300 in a Hyper-V environment. I imagine it needs the BackConnectionHostNames reference in Windows 2008 irrespective whether you own a SBS 2008 Premium or a regular Windows 2008 Server alone with the CAPI 2 because Encryption works with Active Directory. Let me know whether it works in a Standalone Environment with Windows Server 2008! Now you may own a Visa notebook and I have a T300 Dell with SBS 2008 Premium running with two servers in a Hyper-V environment, but the those two OSs are related!
July 18th, 2010 2:31pm

Sorry. I understood every word you said in your post ViennacabSocial, but I fail to see how it applies to me at all. I'm running a plain-Jane version of Vista Home Premium (with SP and patches) and not any flavor of Windows Servers. This also occurs in my Windows 7 Home Premium (with applicable patches). It is some sort of Microsoft problem and I hope it will be addressed in a future update. It is not causing me any system slowdowns or anything, but it IS very annoying to open an event log and have hundreds of these errors appearing. Thanks for trying. Bill
Free Windows Admin Tool Kit Click here and download it now
July 18th, 2010 4:36pm

Well, nothing has changed after applying "ThanksABunch"'s links to KB947821. I ran the tool, it took about ten minutes, and didn't change anything. Both my Vista and my Win7 machcines are still throwing hundred of these stupid errors every day. Come on Microsoft, get your stuff together and make this right. Bill
July 20th, 2010 9:34pm

Hi, just wanted to say that if misery loves company, please know that you have such company...I also have been noting this issue with my HP Pavilion notebook running Vista 64 SP2...I cannot tell that it is actually slowing down my system, but I can't imagine that this enhances it either. There are a couple of other threads on here which address this, involving registry tweaks...I have not tried it yet, but I did just create an image of my hard drive, so I may try it knowing that I can just restore my system if needed. Here are the steps they mentioned: I purged and updated the root certificate list per: http://technet.microsoft.com/en-us/library/cc734018%28WS.10%29.aspx http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/685e65f6-72a7-4986-b02c-f17e8be78926 i.e. 1. Backup and delete the contents of the following folders: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData 2. Backup and delete the certificates listed under "Certificates" key: HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates Then, restart the server to check the result. After restart, the 3 root certs referenced by http://support.microsoft.com/kb/293781/en-us were present. I then updated the root cert list using [May 2010 Update for Root Certificates]: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e4f9b573-66d7-4dda-95d5-26c7d0f6c652 Everything seems to look OK at the moment. I also enabled CAPI2 logging and will update y'all within 24 hours. An invalid certificate may actually be in the May 2010 update, so I don't know what it's impact will be i.e. I probably should have skipped the May 2010 update (we'll see). This is the link to the other discussion thread: http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/1e7d815a-4d31-44d1-8f1c-373a8d091582 Good luck...hope this helps... Peter
Free Windows Admin Tool Kit Click here and download it now
July 31st, 2010 2:27pm

For anyone Searching this was my problem, and how I fixed it http://www.petenetlive.com/KB/Article/0000304.htm
August 2nd, 2010 7:03am

Microsoft finally released an KB article. This solution works on our servers http://support.microsoft.com/kb/2328240/
Free Windows Admin Tool Kit Click here and download it now
September 16th, 2010 2:59am

If it didn't help, you can do the following. It worked here. From a command prompt run --> REG DELETE HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates /f
May 30th, 2012 3:56am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics