DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2328240 - Last Review: January 14, 2014 - Revision: 9.0

Symptoms

On a computer that is running Windows 7 or Windows Server 2008 R2, an error that resembles the following is logged in the Application log:
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 4107
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) > with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Or, on a computer that is running Windows Vista or Windows Server 2008, an error that resembles the following is logged in the Application log:
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) > with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Cause

This error occurs because the Microsoft Certificate Trust List Publisher certificate expired. A copy of the CTL with an expired signing certificate exists in the CryptnetUrlCache folder.

Resolution

To have us resolve the problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me


Collapse this imageExpand this image

To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

For Windows 8, Windows8.1, Windows Server 2012, Windows Server 2012 R2
Collapse this imageExpand this image

Collapse this imageExpand this image
Fix this problem (http://go.microsoft.com/?linkid=9842951)
Microsoft Fix it 20125
Collapse this imageExpand this image

Collapse this imageExpand this image

For Windows 7, Windows Vista, Windows XP, Windows Server 2008 or Windows Server 2008 R2
Collapse this imageExpand this image

Collapse this imageExpand this image
Fix this problem (http://go.microsoft.com/?linkid=9746381)
Microsoft Fix it 50531
Collapse this imageExpand this image

Collapse this imageExpand this image

Notes
Collapse this imageExpand this image
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me (http://blogs.technet.com/fixit4me/) " blog or send us an email (mailto:fixit4me@microsoft.com?Subject=KB) message.
Collapse this imageExpand this image

Collapse this imageExpand this image



Let me fix it myself

Collapse this imageExpand this image
To resolve the problem, follow these steps:
  1. Open a command prompt. To do this, click Start
    Collapse this imageExpand this image
    Start button
    , click All Programs, click Accessories, and then click Command Prompt.
  2. At the command prompt, type the following command, and then press ENTER:
    certutil -urlcache * delete
    Note The certutil command must be run for every user on the workstation. Each user must login and follow steps 1 and 2 above.
  3. If the expired certificate is cached in one of the local system profiles, you must delete the contents of some directories by using Windows Explorer. To do this, follow these steps:
    1. Start Windows Explorer. To do this, click Start, click All Programs, click Accessories, and then click Windows Explorer.

      Note You must enable hidden folders to view the directories whose contents you must delete. To enable hidden files and folders, follow these steps:
      1. Click Organize, and then click Folder and search options.
      2. Click the View tab.
      3. Click to select the Show hidden files and folders check box.
      4. Click to clear the Hide extensions for known file types check box.
      5. lick to clear the Hide protected operating system files check box.
      6. Click Yes to dismiss the warning, and then click OK to apply the changes and to close the dialog box.
    2. Delete the contents of the directories that are listed here. (%windir% is the Windows directory.)

      Note You may receive a message that states that you do not have permission to access the folder. If you receive this message, Click Continue.

      LocalService:

      %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
      %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

      NetworkService:
      %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
      %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

      LocalSystem:
      %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
      %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
Collapse this imageExpand this image

More information

Additionally, event ID 4107 can also be logged with a “The data is invalid” error instead of the “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file” error.

This error “Data is invalid” indicates the object returned from the network was not a valid cab file and hence Windows could not parse it correctly. Instances of such an error can occur when the network retrieval attempt for the cab file fails to go through a proxy. If the proxy returns some data or message instead of a standard HTTP error code, Windows will try to parse the message received from the proxy expecting it to be the cab. This will fail with the "data is invalid” error.

To address this error, you need to remove the invalid entry in the cache by clearing the cache following the steps outlined in the “Resolution” section.



Applies to
  • Windows Server 2012 Standard
  • Windows Server 2012 Essentials
  • Windows Web Server 2008 R2
  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Standard
  • Windows 8.1 Enterprise
  • Windows 8.1 Enterprise N
  • Windows 8.1 Pro
  • Windows 8.1 Pro N
Keywords: 
kbfixme kbmsifixme KB2328240
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support