capi2 error

VisaVis

Member
Hi:
I am constantly getting this daily error in event viewer . it doesn't cause any major problems except taking up space in the log, I would like to know what causes it though.

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


Is this something to do with Windows Update for Vista which is discontinued a few years back. How to stop it ??

If I click on this suggested link in the error message , Windows just prompts where to store the cab file . I do not know what to do with this file if downloaded.

I already looked at one of the solutions online involving deleting some cached files (non browser) in every acccount in Vista.:

LocalService:
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

NetworkService:
%windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

LocalSystem:
%windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData


this does not work for me.

Any other suggestions?
Regards
 

VisaVis

Member
Hi:

I do have the update as well as "warning" disabled since Microsoft stopped supporting Vista , but I still keep getting this CAPI2 error in the event viewer. Could there be anything else causing this? I do not have those "Windows could not search for new updates" errors as stated in SHA-1 link you have given.
 

Vistaar

Vista Guru
Could you please go to Control Panel > Security Center, expand Malware protection, take a screenshot of Security Center and post it here? (Otherwise I might have to ask multiple questions even though I am not the one who posted with a question.)
 

lmacri

Vista Pro
Hi VisaVis:

Have you been able to determine what program is causing the CAPI2 errors? See the PeteNet Live article at Event ID 4107, CAPI2 Error Windows 7 | PeteNetLive that describes how they used detailed logging in the Event Viewer to determine that an outdated version of McAfee (that presumably had an expired trust certificate) was causing this CAPI2 error on their machine. As they noted in that article, updating their Microsoft Root Trust certificates and deleting their expired root certificates (as you attempted to do) didn't solved the problem, and an update to the latest available version of McAfee stopped their CAPI2 error.

If an outdated software program isn't the cause, have you recently performed a clean reinstall of your Vista SP2 OS? Many Win XP SP3 and Vista SP2 users who have reinstalled their OS since March 2020 have encountered problems with missing root trust certificates when they try to install newer software updates (see the solution posted in the footnote titled "**** EDIT as of April 2020:" in the instructions on page 1 of m#l's thread Updates not working, it has been searching for updates for hours) but as far as I know this trust certificate problem should not affect Vista SP2 users unless they've performed a clean reinstall since the beginning of 2020.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 

Vistaar

Vista Guru
I was already thinking in terms of antimalware solutions, which is why I requested a screenshot. (OP might have something running without realizing it.) McAfee hadn’t crossed my mind because it doesn’t support Vista. If “an outdated version of McAfee” is the culprit, then updating to the current version might be a good solution for Windows 7 but unfortunately not for Vista.

Edit: I now think it’s trying but failing to update certificates: https://support.microsoft.com/en-us...ntrusted-certificates-is-available-for-window. The url provided in post #1 matches one provided in the Microsoft link.
 
Last edited:

Vistaar

Vista Guru
Since the question was how to stop the errors, I now think the solution is to uninstall KB2677070 from Installed Updates. If you should later decide to reinstall the update, it’s still available from the catalog.
 

VisaVis

Member
Hi VisaVis:

Have you been able to determine what program is causing the CAPI2 errors? See the PeteNet Live article at Event ID 4107, CAPI2 Error Windows 7 | PeteNetLive that describes how they used detailed logging in the Event Viewer to determine that an outdated version of McAfee (that presumably had an expired trust certificate) was causing this CAPI2 error on their machine. As they noted in that article, updating their Microsoft Root Trust certificates and deleting their expired root certificates (as you attempted to do) didn't solved the problem, and an update to the latest available version of McAfee stopped their CAPI2 error.

If an outdated software program isn't the cause, have you recently performed a clean reinstall of your Vista SP2 OS? Many Win XP SP3 and Vista SP2 users who have reinstalled their OS since March 2020 have encountered problems with missing root trust certificates when they try to install newer software updates (see the solution posted in the footnote titled "**** EDIT as of April 2020:" in the instructions on page 1 of m#l's thread Updates not working, it has been searching for updates for hours) but as far as I know this trust certificate problem should not affect Vista SP2 users unless they've performed a clean reinstall since the beginning of 2020.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

sp2 was installed a long long time ago, I don't install anything new for this old system. I also set to stop updating since there is no Microsoft support , no point to have this on. I do not use McAFee. I don't mess the system including clean install. This error message isn't specific to what application or part of the system is trying to contact the cab file link.
 

VisaVis

Member
Since the question was how to stop the errors, I now think the solution is to uninstall KB2677070 from Installed Updates. If you should later decide to reinstall the update, it’s still available from the catalog.

I do not have KB2677070 and reluctant to install anything new to this old system. I learnt a long time ago, Microsoft updates can also be the culprit , they had updates for an update because it was causing problems. Good luck for those using Windows 10 which is forcing updates on users.

There is only one entry under Control Panel > Security Center > Malware , the firewall I am using, nothing else is there as it should be .
 
Last edited:

Vistaar

Vista Guru
Well at least we’re getting somewhere now. The link in post #6 related to KB2677070 did mention Vista’s “existing automatic root update mechanism” prior to the update. Upon closer scrutiny, the url that you provided in post #1 does not exactly match the url in that KB article, but it does exactly match the url in the older article Certificate Support and Resulting Internet Communication in Windows Vista under the heading “How Update Root Certificates Communicates with Sites on the Internet.” I’m quite convinced that this is the cause of the errors, and I quite agree that another Windows update won’t solve anything in August 2020. (If you want to update root certificates, you will have to do so manually now.)

As for stopping the errors, are you running a version of Vista such as Ultimate or Enterprise that has a Group Policy UI? If so, my latest Microsoft link includes instructions.
 

lmacri

Vista Pro
sp2 was installed a long long time ago, I don't install anything new for this old system. I also set to stop updating since there is no Microsoft support , no point to have this on. I do not use McAFee. I don't mess the system including clean install. This error message isn't specific to what application or part of the system is trying to contact the cab file link.

Hi VisaVis:

I only mentioned McAfee because that was the example used in the PeteNet Live article at Event ID 4107, CAPI2 Error Windows 7 | PeteNetLive . Any software with a expired certificate can throw one of these CAPI2 errors. That tutorial simply shows you how to used detailed logging in the Event Viewer to determine the specific file on your own system that is causing the CAPI2 error.

From the footnote titled "**** EDIT as of April 2020:" in the instructions on page 1 of m#l's thread Updates not working, it has been searching for updates for hours) I mentioned in post # 5 , just in case your root trust certificates are out of date:

..."To fix this error, download the MicrosoftRootCertificateAuthority2011.cer file from http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409 and save it to the root C:\ directory of your computer (i.e.., so the location is C:\MicrosoftRootCertificateAuthority2011.cer), open an elevated command prompt with Administrator rights, and enter the command certutil -addstore "Root" "C:\MicrosoftRootCertificateAuthority2011.cer" to apply the required trust certificate. See the MS support article Known Issue for Security Update 3136000 for the .NET Framework 4.6.1/4.6 and Security Update 3135996 for the .NET Framework 4.5.2 in Windows Vista SP2... for more information. Kudos to greenhillmaniac for posting about this fix in his 06-Apr-2020 post in the MSFN thread Certificate Trust Provider Error Installing Updates."
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 

Vistaar

Vista Guru
If someone asked how to update root certificates, I would probably just provide the MSFN link where Great White North first learned about the problem and solution (as mentioned in a footnote to the footnote in the lengthy post about a Windows Update issue that no longer exists).
 

VisaVis

Member
"To fix this error, download the MicrosoftRootCertificateAuthority2011.cer file from http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409 and save it to the root C:\ directory of your computer (i.e.., so the location is C:\MicrosoftRootCertificateAuthority2011.cer), open an elevated command prompt with Administrator rights, and enter the command certutil -addstore "Root" "C:\MicrosoftRootCertificateAuthority2011.cer" to apply the required trust certificate. See the MS support article Known Issue for Security Update 3136000 for the .NET Framework 4.6.1/4.6 and Security Update 3135996 for the .NET Framework 4.5.2 in Windows Vista SP2... for more information. Kudos to greenhillmaniac for posting about this fix in his 06-Apr-2020 post in the MSFN thread Certificate Trust Provider Error Installing Updates."

Hi:

Have tried the above , didn't work. Still getting the CAPI 2 error . Looked into the log details, doesn't say anything about the application causing this . It only says Microsoft Windwos CAPI2 , I can't find the error code either. The error seems to have occurred during loading of Vista. It doesn't occur when it is in Safe Mode (with networking) , have not tried Safe mode without Networking. Maybe I will unload some of the Startup programs to see any one of them is causing it.

I do not have those updates KB3205638, KB4012583 ,KB4015380 , KB4019204 , etc as mentioned in
 
Last edited:

VisaVis

Member
Well at least we’re getting somewhere now. The link in post #6 related to KB2677070 did mention Vista’s “existing automatic root update mechanism” prior to the update. Upon closer scrutiny, the url that you provided in post #1 does not exactly match the url in that KB article, but it does exactly match the url in the older article Certificate Support and Resulting Internet Communication in Windows Vista under the heading “How Update Root Certificates Communicates with Sites on the Internet.” I’m quite convinced that this is the cause of the errors, and I quite agree that another Windows update won’t solve anything in August 2020. (If you want to update root certificates, you will have to do so manually now.)

As for stopping the errors, are you running a version of Vista such as Ultimate or Enterprise that has a Group Policy UI? If so, my latest Microsoft link includes instructions.

Just HOME version , no group policy UI.
 

lmacri

Vista Pro
I do not have those updates KB3205638, KB4012583 ,KB4015380 , KB4019204 , etc as mentioned in.....

Hi VisaVis:

If you do not have the 4 or 5 "speed up" patches mentioned in the instructions on page in m#l's thread Updates not working, it has been searching for updates for hours [e.g., KB3205638 (rel. 13-Dec-2016); KB4012583 (rel. 14-Mar-2017); KB4015380 (rel. 11-Apr-2017), etc.] then you were likely affected by the Windows Update "Checking for updates..." hang discussed in that thread that was first was first reported by Vista SP2 users in August 2015. These slow Windows Updates became progressively worse over time and many Vista SP2 users who have never performed a reset to factory condition or clean reinstall of their OS are still discovering that they are missing around 40 to 60 security updates released between approx. June 2016 and the end of Vista SP2 extended support on 11-Apr-2017.

Launch your IE9 browser and go to Help | About Internet Explorer, and let us know the Update Versions of your IE9 browser as shown below. An IE9 browser patched to 11-Apr-2017 would have Update Versions 9.0.60 / KB4014661 (Cumulative Security Update for Internet Explorer 9: April 11, 2017) and the KB number of your own last IE9 update should give us an approximate idea of the last month that Windows Update ran to completion on your machine.

IE9 Version KB4014661 April 2017.png

Unfortunately, installing those 4 or 5 "speed up" patches mentioned in m#l's thread Updates not working, it has been searching for updates for hours will no longer be able to fix Vista SP2 machines that were affected by these Windows Update "Checking for updates..." hangs now that Microsoft has permanently deactivated Windows Update on Win XP and Vista computers as of 03-Aug-2020 (see Windows Update SHA-1 Based Endpoints Discontinued for Older Windows Devices). The good news is that you should still be able to manually download and install your missing updates. There are different ways to do this, but greenhillmaniac's 08-Aug-2020 thread Windows Vista Update Repository (until April 2017+) in the MSFN forum includes a link to his MEGA repository with .msu and .cab files for all Vista security updates released prior to end of support as well as batch files you can run to install those updates. Once you have an idea when Windows Update stopped running on your machine greenhillmaniac should be able to guide you through the process of downloading and installing your missing updates and patching you back to 11-Apr-2017.

Patching your Vista OS to end of support may not fix your CAPI2 error but I'd suggest patching your OS first and then worry about the file causing your CAPI2 error later if it still persists. I have another question about your CAPI2 error and will post in a separate reply in a short while.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 
Last edited:

lmacri

Vista Pro
....I already looked at one of the solutions online involving deleting some cached files (non browser) in every acccount in Vista.:

LocalService:
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
...

Hi VisaVis:

Was the solution you tried from the section titled "Let Me Fix It Myself" in the MS support article Event ID 4107 or Event ID 11 is Logged in the Application Log in Windows and in Windows Server, and if so did you perform every step those instructions (including running the command certutil -urlcache * delete from an elevated command prompt from every user account to clear the main CryptnetUrlCache folder) before you manually deleted copies of any expired Microsoft Certificate Trust List Publisher certificates (CTLs) that might also exist your hidden ...\AppData\LocalLow\... folders?

I'm not suggesting you run this certutil command now since I have no idea what effect clearing the main CryptnetUrlCache folder would have now that Windows Update has been permanently deactivated on Vista SP2 machines - someone who has more experience with CLTs and the certutil command might be able to tell you that. For now I'm just wondering if you completed each step in those instructions.

Depending on the actual executable that is causing your CAPI2 error, there might not even be a software update or newer trust certificate available that you can download and install to replace the expired trust certificate. You might not have even known about this CPAI2 error until you opened your Event Viewer, so if all your third-party software is running correctly once you get your OS patched to end of support on 11-Apr-2017 you'll have to decide for yourself how much more time you want to spend trying to track down the source of this CAPI2 error.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 
Last edited:

Vistaar

Vista Guru
Just HOME version , no group policy UI.
Anything that can be done with Group Policy can also be done by editing the registry. Unfortunately, Microsoft did not include registry changes in the articles pertaining to Update Root Certificates (the feature that contacts the url you provided in post #1), and I doubt that anyone at this forum would be able to figure out what registry changes would be required. You might be well-advised to just stop worrying about the errors.

I see you are now being advised to install more old patches first and worry about this thread’s topic later (if at all). AFAIK the only missing update that would affect Update Root Certificates is the update I mentioned in post #7 above, which (like all updates) is still available from Microsoft Update Catalog.
 

Vistaar

Vista Guru
...Launch your IE9 browser and go to Help | About Internet Explorer, and let us know the Update Versions of your IE9 browser...should give us an approximate idea of the last month that Windows Update ran to completion on your machine...Patching your Vista OS to end of support may not fix your CAPI2 error but I'd suggest patching your OS first and then worry about the file causing your CAPI2 error later...
Perhaps I can save you both some time and trouble. It was established in post #9 that VisaVis does not have KB2677070, which was released in 2012 - long before the Windows Update issue that has been endlessly written about. The probable explanation is that VisaVis reinstalled Vista SP2 sometime after the issue became acute, and therefore has no post-SP2 updates at all, including IE9 (unless it was manually installed using a standalone installer).
 

lmacri

Vista Pro
sp2 was installed a long long time ago, I don't install anything new for this old system. I also set to stop updating since there is no Microsoft support , no point to have this on. I do not use McAFee. I don't mess the system including clean install. This error message isn't specific to what application or part of the system is trying to contact the cab file link.
Perhaps I can save you both some time and trouble. It was established in post #9 that VisaVis does not have KB2677070, which was released in 2012 - long before the Windows Update issue that has been endlessly written about. The probable explanation is that VisaVis reinstalled Vista SP2 sometime after the issue became acute, and therefore has no post-SP2 updates at all, including IE9 (unless it was manually installed using a standalone installer).

Hi VisaVis:

I understood from your answer in post # 8 that you have never performed a reinstall of your Vista SP2 OS and didn't turn off Windows Update until after Vista SP2 reached end of support on 11-Apr-2017. If that's incorrect then please clarify how you've been managing updates for your Vista SP2 OS since Service Pack 2 (released May 2009) was installed. Your list of installed updates at Control Panel | Programs and Features | View Installed Updates (sorted by the Installed On date) might give you some idea about the last date that files for your Vista SP2 operating system and Internet Explorer browser were successfully updated by Windows Update.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
 
Top