Event ID 11 — Automatic Root Certificates Update Configuration

Updated: November 30, 2007

Applies To: Windows Server 2008

The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

Event Details

Product: Windows Operating System
ID: 11
Source: Microsoft-Windows-CAPI2
Version: 6.0
Symbolic Name: MSG_ROOT_LIST_AUTO_UPDATE_EXTRACT_ERROR
Message: Failed extract of third-party root list from auto update cab at: <%1> with error: %2.

Resolve

Check permissions on the temporary directory

The Automatic Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list. The correct permissions must be applied to the temporary directory in order for the cabinet file to install correctly.

To check the permissions on the temporary directory:

  1. Navigate to the temporary directory on the local computer. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp.
  2. Right-click the temporary directory, and then click Properties.
  3. Click the Security tab.
  4. Ensure that the user account logged on to the computer has Full Control permissions.
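
The same check can be scripted. The following PowerShell is an added example, not part of the original article; it assumes PowerShell is installed on the server, and the function name Test-TempFullControl is hypothetical.

```powershell
# Added example (not from the original article). Reports whether the current
# user, directly or through a group, holds a Full Control allow entry on a
# temp directory. Test-TempFullControl is a hypothetical helper name.
function Test-TempFullControl {
    param([string]$Path = [System.IO.Path]::GetTempPath())

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # SIDs the current token can match: the user plus every group it belongs to.
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited entries, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    $allow = $false
    $deny  = $false
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to the directory itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }

        if ($rule.AccessControlType -eq 'Deny') {
            # A matching deny entry can take rights away; flag it for review.
            $deny = $true
        } elseif (($rule.FileSystemRights -band $fullControl) -eq $fullControl) {
            $allow = $true
        }
    }

    New-Object PSObject -Property @{
        Path             = $Path
        User             = $identity.Name
        FullControlAllow = $allow
        MatchingDeny     = $deny
    }
}

Test-TempFullControl
```

Pass -Path to inspect a temp directory other than the one returned for the current session.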

Verify

You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that Event ID 1 is being written to the event log:

  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then click Event Viewer.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Expand Windows Logs, and then click Application.
  5. Look for an event with a Source named CAPI2 and an Event ID of 1.
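
The Event Viewer lookup above can also be done from PowerShell. This is an added example, not part of the original article; it assumes the Get-WinEvent cmdlet (PowerShell 2.0 or later) is available, and Get-RootUpdateStatus is a hypothetical function name.

```powershell
# Added example (not from the original article). Compares the newest CAPI2
# Event ID 1 (success) with the newest Event ID 11 (cab extraction failure)
# in the Application log. Get-RootUpdateStatus is a hypothetical helper name.
function Get-RootUpdateStatus {
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Id           = 1, 11
    }
    # Get-WinEvent raises an error when nothing matches, so silence that case.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Results arrive newest first, so the first hit per ID is the latest one.
    $lastOk   = $events | Where-Object { $_.Id -eq 1 }  | Select-Object -First 1
    $lastFail = $events | Where-Object { $_.Id -eq 11 } | Select-Object -First 1

    $status = 'No Event ID 1 or 11 recorded'
    if ($lastFail -and ((-not $lastOk) -or ($lastFail.TimeCreated -gt $lastOk.TimeCreated))) {
        $status = 'Failing: latest Event ID 11 is newer than any Event ID 1'
    } elseif ($lastOk) {
        $status = 'Working: Event ID 1 is the most recent result'
    }

    # Event ID 11 carries two insertion strings: %1 = cab URL, %2 = error text.
    $okTime = $null; $failTime = $null; $cabUrl = $null; $errText = $null
    if ($lastOk) { $okTime = $lastOk.TimeCreated }
    if ($lastFail) {
        $failTime = $lastFail.TimeCreated
        $cabUrl   = $lastFail.Properties[0].Value
        $errText  = ([string]$lastFail.Properties[1].Value).Trim()
    }

    New-Object PSObject -Property @{
        Status      = $status
        LastSuccess = $okTime
        LastFailure = $failTime
        CabUrl      = $cabUrl
        Error       = $errText
    }
}

Get-RootUpdateStatus | Format-List
```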

Related Management Information

Automatic Root Certificates Update Configuration

Core Security

Community Content

Example link to "... Web site that requires the Automatic Root Certificates Update component"      dkpruett ... turbotech
Could you give an example link to a "... Web site that requires the Automatic Root Certificates Update component"?

How to solve an id event 11      Netopie ... mcrom901
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 04/06/2009 17:14:02
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
<EventID Qualifiers="49154">11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-04T15:14:02.000Z" />
<EventRecordID>2747</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer></Computer>
<Security />
</System>
<EventData>
<Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
<Data>A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
</Data>
</EventData>
</Event>

Check permissions on the temporary directory ...      hadu
Hello,
there is no account logged on while the event occurs.
All user accounts in the profiles folder have full access on the TEMP folder.
Do you have more tips?

Thanks!

Seaport.exe      Sten-Arne
By enabling logging of CAPI2 in the event viewer, I managed to find that it is seaport.exe that creates these errors. Confirmed by disabling seaport in services. These errors disappeared.

Enabling seaport in Services immediately brought back the problem.

no seaport.exe      Hermanni
In our case there is no seaport.exe. Access to temp folder is checked. Any other tricks I could try?

Better CAPI2 error messages      JonHart
You could enable CAPI2 logging. To do so, go to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational in the event viewer. Enable logging for that service.

My problem occurred when the server booted up. If that's not the case, just wait for the error to occur. That location in the event log will then have more descriptive errors.

My problem ended up being McAfee antivirus. But you could use this methodology to at least get better error messages for your problem.

THIS SOLVED MY PROBLEM      mcrom901
downloaded & installed this file.....

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

but check the error log in your event viewer... this was my message

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Log Name: Application
Source: CAPI2

and the name of the file in the temp folder which caused the problem was tmp9ccc.vbs

i also faced other errors.... 513 and 1002

check your services...... the properties of each service

i guess all programs mentioned in the dependency tab should be on automatic

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Vista_Services.doc

Another possible solution      Emkay1001
I've had this error on Windows Vista SP2. To be precise it stated that:
"Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

I've enabled the CAPI2 log in Event Viewer and the application that was causing the issue turned out to be infocard.exe, which is run as the Windows CardSpace service (idsvc). Every time I would start the service the error message in the Event Log would appear.
The solution that worked for me was from this thread: http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/685e65f6-72a7-4986-b02c-f17e8be78926 (post by Susan Bradley).
"From another forum (information by Kevin Zhao):
From the problem description of the post you submitted, my understanding is: Capi2 event 11 is logged every time when Windows Update is looking for updates.
If I have misunderstood your concern, feel free to let me know.
Based on my research, the issue can be caused by corrupted certificate data on the server. I suggest you try the following steps to test the issue:
1. Backup and delete the contents of the following folders:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

2. Backup and delete the certificates listed under "Certificates" key:
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
Then, restart the server to check the result."

This worked like a charm... Afterwards (just in case) I have installed the latest available root certificates (http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0).

By the way - if you are troubleshooting the problem using the CAPI2 log you may want to increase the log size to 10 MB at least (there is a lot of data and you may miss the error with the information about the process causing the error).
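
The comments by JonHart and Emkay1001 above both rely on the CAPI2 operational log to find the process behind the error. The following PowerShell is an added example, not code from the original page or from any poster; it assumes an elevated prompt, Get-WinEvent (PowerShell 2.0 or later), and that the event XML carries a ProcessName attribute in its EventAuxInfo element. Get-Capi2ErrorProcesses is a hypothetical function name.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
$log = 'Microsoft-Windows-CAPI2/Operational'

# Enable the log and raise its maximum size to 10 MB (the value is in bytes),
# so the entry naming the failing process is not overwritten.
wevtutil sl $log /e:true /ms:10485760

# After Event ID 11 has recurred, list which processes logged CAPI2 errors.
# Get-Capi2ErrorProcesses is a hypothetical helper name.
function Get-Capi2ErrorProcesses {
    param([string]$LogName = 'Microsoft-Windows-CAPI2/Operational')

    # Level 2 = Error. Get-WinEvent raises an error when nothing matches.
    $filter = @{ LogName = $LogName; Level = 2 }
    $errors = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $errors | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Assumption: the calling process is recorded as
        # <EventAuxInfo ProcessName="..."/> inside the event's UserData.
        $aux  = $xml.SelectSingleNode("//*[local-name()='EventAuxInfo']")
        $proc = '(not recorded)'
        if ($aux -and $aux.GetAttribute('ProcessName')) {
            $proc = $aux.GetAttribute('ProcessName')
        }
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            ProcessName = $proc
        }
    } | Group-Object ProcessName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-Capi2ErrorProcesses
```

To turn the log off again once the process has been identified, run wevtutil sl with /e:false against the same log name.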