DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 973825 - Last Review: July 1, 2010 - Revision: 3.0

On This Page

SYMPTOMS

When you try to install a large Microsoft Windows Installer (.msi) package or a large Microsoft Windows Installer patch (.msp) package on a computer that is running Windows Server 2003 Service Pack 2, you receive the following error message:
Error 1718. File FileName was rejected by digital signature policy.
Additionally, the following event may be logged in the Application log:

Type: Error
Source: MsiInstaller
Category: None
Event ID: 1008
Date: Date
Time: Time
User: N/A
Computer: ComputerName

Description:
The installation of FileName is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

CAUSE

This problem occurs if the Windows Installer process has insufficient contiguous virtual memory to verify that the .msi package or the .msp package is correctly signed.

RESOLUTION

Update download information

The following files are available for download from the Microsoft Download Center:

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003 (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=d79fb7bd-a16c-45f0-9b32-a309b3763951)

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003, x64 Edition (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=f1ebf2c8-0573-4686-adbc-099feeafcc9b)

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003 for Itanium-based Systems (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=5367c44d-2260-44a6-b4c1-2ce9e2b00e2d)

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

You must have Windows Server 2003 Service Pack 2 installed to apply this update.

Restart requirement

You must restart your computer after you apply the update.

Update replacement information

This update does not replace any other updates.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Update for Windows Server 2003 (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.4555619,00818-Jul-200915:58x86SP2SP2GDR
Advapi32.dll5.2.3790.4555619,00818-Jul-200916:19x86SP2SP2QFE

Update for Windows Server 2003, x64 Edition (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,052,16018-Jul-200921:45x64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:45x86SP2WOW
Advapi32.dll5.2.3790.45551,065,98418-Jul-200916:32x64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW

Update for Windows Server 2003 for Itanium-based Systems (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,482,75218-Jul-200921:44IA-64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:44x86SP2WOW
Advapi32.dll5.2.3790.45551,483,77618-Jul-200916:32IA-64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW

WORKAROUND

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
To work around this problem, change the PolicyScope registry value to 1 before you try to install the package. To do this, follow these steps.

Note If the computer is joined to a domain, a domain policy update may override the registry changes that you make. We strongly recommend that you disconnect the computer from the domain before you follow these steps.
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Note Before you modify this key, we recommend that you back up this key. To do this, right-click CodeIdentifiers, and then click Export. Save the file to a location where you can find it on the computer.
  3. Change the PolicyScope registry value. To do this, double-click PolicyScope, and then change the setting from 0 to 1.
  4. Close Registry Editor.
  5. Click Start, click Run, type cmd, and then click OK to open a Command Prompt window.
  6. At the command prompt, type the following command, and then press ENTER:
    net stop msiserver
    This command stops the Windows Installer service if the service is currently running in the background. When the service has stopped, close the Command Prompt window, and then go to step 7.

    Note If you receive the following message at the command prompt, close the Command Prompt window, and then go to step 7:
    The Windows Installer service is not started
  7. Install the package that you were trying to install when you received the error message that is mentioned in the "Symptoms" section.
  8. After you install the package, repeat steps 1 and 2. Then, change the PolicyScope registry value back to 0.
  9. If you disconnected the computer from a domain, rejoin the domain, and then restart the computer.

    Note If you did not disconnect the computer from a domain, you do not have to restart the computer.
If the previous steps did not resolve the issue, follow these steps:
  1. Click Start, click Run, type control admintools, and then click OK.
  2. Double-click Local Security Policy.
  3. Click Software Restriction Policies.

    Note If no software restrictions are listed, right-click Software Restriction Policies, and then click Create New Policy.
  4. Under Object Type, double-click Enforcement.
  5. Click All users except local administrators, and then click OK.
  6. Restart the computer.
Important After you follow the previous steps, local administrators can install the .msi package or the .msp package. After the package is installed, reset the enforcement level by following the previous steps. In step 5, click All users instead of All users except local administrators.

Notes
  • The workaround may not work in an Active Directory domain environment. In an Active Directory domain environment, a domain policy refresh operation will overwrite the local Software Restriction Policies.
  • Adding more RAM to the computer will not resolve the problem.

MORE INFORMATION

Starting with Windows XP, a security policy that is named Software Restriction Policies (also known as SAFER) was introduced to help users avoid running unsafe files. Windows Installer uses software restriction policies to verify the signatures of signed .msi package files and signed .msp package files. Windows Installer does this to make sure that the files were not tampered with before they are installed on the computer. Windows XP and Windows Server 2003 require that the whole .msi package file or the whole .msp package file to be loaded into one contiguous piece of memory in the address space of the Windows Installer process.

If an .msi package file or an .msp package file is too large to fit into a contiguous piece of virtual memory, Windows Installer cannot verify that the package is correct. In this scenario, you experience the symptoms that are described in the “Symptoms” section. The fix that is described in this article enables software restriction policies to use less virtual memory to perform the signature verification. Therefore, Windows Installer can verify any size files.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Security Essentials
Keywords: 
kbexpertisebeginner kbexpertiseinter atdownload kbsurveynew kbqfe KB973825
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support