You cannot
install some updates or programs –
SYMPTOMS
When
you try to download an ActiveX control, install an update to Windows or to a
Windows component, install a service pack for Windows or for a Windows
component, or install a Microsoft or third-party software program, you may
experience one or more of the following symptoms:
|
•
|
You may receive the
following error message when you try to install a program or update:
Digital Signature Not Found
The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested. The software you are about to install does not contain a Microsoft digital signature. Therefore, there is no guarantee that this software works correctly with Windows. Name of software package If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available. Do you want to continue the installation?
If you click More Info, you receive the following
message:
Microsoft Windows
The signature on the software package you want to install is invalid. The software package is not signed properly.
After you click OK in the first error message dialog
box, you may receive a message that states that the installation was
successful, or you may receive the following error message:
Name of Update Package
The cryptographic operation failed due to a local security option setting. |
||||||||
|
•
|
When you try to install an
update or to install a service pack, you may receive an error message that is
similar to one of the following:
|
||||||||
|
•
|
When you try to install a
Windows XP service pack, you may receive an error message that is similar to
the following:
Service Pack 1 Setup could not verify
the integrity of the file. Make sure the Cryptographic service is running on
this computer
|
||||||||
|
•
|
When you attempt to install
Microsoft Data Access Components (MDAC) 2.8 you may receive an error message
that is similar to the following:
INF Install failure. Reason: The
timestamp signature and/or certificate could not be verified or is malformed.
|
||||||||
|
•
|
The %WINDIR%\System32\CatRoot2\Edb.log
may grow to 20 megabytes (MB) even though the file is typically less than 1
MB.
|
||||||||
|
•
|
When you try to install a
package from the Windows Update Web site or from the Microsoft Update Web
site, you may receive a message that is similar to the following:
The software has not passed Windows logo
testing and will not be installed.
|
CAUSE
This problem may occur if one or more of the following conditions are
true:
|
•
|
Log file or database corruption exists
in the %Systemroot%\System32\Catroot2 folder.
|
|
•
|
Cryptographic Services is set to disabled.
|
|
•
|
Other Windows files are corrupted or
missing.
|
|
•
|
The timestamp signature or certificate
could not be verified or is malformed.
|
|
•
|
The hidden attribute is set for the
%Windir% folder or one of its subfolders.
|
|
•
|
The Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) is set to Do not allow installation or Warn but
allow installation, or the Policy binary value is not set to 0 in the
following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver
Signing
|
|
•
|
The Enable trusted publisher lockdown Group Policy setting is turned on, and you do not have the appropriate
certificate in your Trusted Publishers certificate store. This Group Policy
setting is located under User
Configuration, under Windows Settings, under Internet Explorer Maintenance, under Security, under Authenticode
Settings in the Group Policy MMC snap-in.
|
|
•
|
You are installing Internet Explorer 6
SP1, and the 823559 (MS03-023) security update is installed.
|
|
•
|
The software distribution folder is
corrupted.
|
RESOLUTION
To resolve this problem, use
the following methods. After you perform the steps in each method, test to see
whether the problem is resolved before you go on to the next method. If the
problem is resolved by any method, you do not have to use the remaining
methods.
Method 1: Rename
the Edb.log file
Rename the Edb.log file, and
then try to install the program again. To rename the Edb.log file, follow these
steps:
|
1.
|
Click Start,
click Run, type cmd in the Open box, and then OK.
|
|
2.
|
At the
command prompt, type the following command, and then press ENTER:
ren
%systemroot%\system32\catroot2\Edb.log *.tst
|
Method 2: Set
Cryptographic Services to automatic
Set the Cryptographic
Services to Automatic, and then try to install the program again. To set the
Cryptographic Services to Automatic, follow these steps:
|
1.
|
Start the Administrative
Tools utility in Control Panel.
|
|
2.
|
Double-click Services.
|
|
3.
|
Right-click Cryptographic
Services, and then click Properties.
|
|
4.
|
Click Automatic for Startup
type, and then click Start.
|
Note Windows 2000 does not
list Cryptographic Services in the SERVICES Administrative Utility.
Method 3: Rename
the Catroot2 folder
Rename the Catroot2 folder
(Windows XP and Windows Server 2003 only), and then try to install the program
again.
Note Skip this method if the operating system is Windows 2000/Windows VISTA.
To rename the Catroot2 folder, follow these steps:
Note Skip this method if the operating system is Windows 2000/Windows VISTA.
To rename the Catroot2 folder, follow these steps:
|
1.
|
Click Start,
click Run, type cmd, and then click OK.
|
|
2.
|
At the
command prompt, type the following commands, and then press ENTER after each
line:
net stop
cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2 net start cryptsvc exit |
|
3.
|
Remove all
tmp*.cat files from the following folder:
%systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
If no files that start with tmp exist in this folder, do not remove any other files. The .cat files in this folder are necessary for installing hotfixes and service packs. |
Important - Do not rename the Catroot folder. The Catroot2 folder is
automatically recreated by Windows, but the Catroot folder is not recreated if
the Catroot folder is renamed.
Method 4:
Reregister DLL files that are associated with Cryptographic Services
To register .dll files that
are associated with Cryptographic Services, follow these steps:
|
1.
|
Click Start,
click Run, type cmd in the Open box, and then OK.
|
|
2.
|
At the
command prompt, type the following commands, and press ENTER after each
command:
regsvr32 /u
softpub.dll
regsvr32 /u wintrust.dll regsvr32 /u initpki.dll regsvr32 /u dssenh.dll regsvr32 /u rsaenh.dll regsvr32 /u gpkcsp.dll regsvr32 /u sccbase.dll regsvr32 /u slbcsp.dll regsvr32 /u mssip32.dll regsvr32 /u cryptdlg.dll exit
Note Click OK
if you are prompted.
Note Microsoft Windows 2000 does not include the Sccbase.dll file. If you are running a version of Windows 2000, omit the Sccbase.dll file. |
|
3.
|
Restart your
computer.
|
|
4.
|
Click Start,
click Run, type cmd in the Open box, and then click OK.
|
|
5.
|
At the
command prompt, type the following commands, and press ENTER after each
command:
regsvr32
softpub.dll
regsvr32 wintrust.dll regsvr32 initpki.dll regsvr32 dssenh.dll regsvr32 rsaenh.dll regsvr32 gpkcsp.dll regsvr32 sccbase.dll regsvr32 slbcsp.dll regsvr32 mssip32.dll regsvr32 cryptdlg.dll exit
Note Click OK
if you are prompted.
Note Microsoft Windows 2000 does not include the Sccbase.dll file. If you are running a version of Windows 2000, omit the Sccbase.dll file. |
|
6.
|
Restart the
computer.
|
Method 5: Remove the hidden attribute from %Windir% and from its
subfolders
|
1.
|
Click Start,
click Run, type cmd in the Open box, and then OK.
|
|
2.
|
At the
command prompt, type the following commands, pressing ENTER after each line:
attrib -s -h
%windir%
attrib -s -h %windir%\system32 attrib -s -h %windir%\system32\catroot2 exit |
Method 6: Set
non-driver signing policy to silently succeed
If you are running a version
of Windows 2000, set the Unsigned non-driver installation behavior Group Policy
setting to Silently succeed. This Group Policy setting is located under
Computer Configuration, under Windows Settings, under Security Settings, under
Local Policies, under Security Options in the Group Policy MMC snap-in. If you
are running Windows XP or a later version of Windows, this Group Policy setting
is no longer supported. In this case, follow these steps to resolve this
problem:
|
1.
|
Click Start,
click Run, type regedit, and then click OK.
|
|
2.
|
Locate, and
then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver
Signing
|
|
3.
|
Right-click
the Policy binary value, and then click Modify.
|
|
4.
|
The Value data will appear
in the following format:
0000 02
Press DELETE to remove the current value (02 in this example), and then type 0 (the current value will now appear as 00). |
|
5.
|
Click OK, and
then quit Registry Editor.
|
Method 7:
Temporarily turn off Trusted Publishers Lockdown and install the appropriate
certificates to your trusted publishers certificate store
You can continue to use the Enable trusted
publisher lockdown Group Policy setting, but
you must first add the appropriate certificates to your Trusted Publishers
certificate store. To do this, turn off the Enable trusted publisher lockdown Group Policy setting, install the appropriate certificates in
your Trusted Publishers certificate store, and then turn the Enable trusted
publisher lockdown Group Policy setting back
on. To install the appropriate certificate for Microsoft Windows and Microsoft
Internet Explorer product updates, follow these steps:
|
1.
|
Download the Microsoft
product update that you want to install from the Microsoft Download Center,
from the Windows Update Catalog, or from the Microsoft Update Catalog
|
|
2.
|
Extract the product update package to a temporary folder. The
command-line command that you use to do this depends on the update that you
are trying to install. View the Microsoft Knowledge Base article that is
associated with the update to determine the appropriate command-line switches
that you will use to extract the package. For example, to extract the 824146
security update for Windows XP to the C:\824146 folder, run
Windowsxp-kb824146-x86-enu -x:c:\824146. To extract the 828750 security
update for Windows XP to the C:\828750 folder, run q828750.exe /c
/t:c:\828750.
|
|
3.
|
Right-click the KBNumber.cat file from the product update package in
the temporary folder you created in step 2, and then click Properties.
Note The KBNumber.cat file may be in a subfolder. For example, the file may be in the C:\824146\sp1\update folder or in the C:\824146\sp2\update folder. |
|
4.
|
On the Digital Signatures tab, click the digital signature and
then click Details.
|
|
5.
|
Click View Certificate, and then click Install Certificate.
|
|
6.
|
Click Next to start
the Certificate Import Wizard.
|
|
7.
|
Click Place all certificates in the following store, and then click Browse.
|
|
8.
|
Click Trusted Publishers, and then click OK.
|
|
9.
|
Click Next, click Finish, and then
click OK.
|
Method 8: Verify
the status of all certificates in the certification path and import missing or
damaged certificates from another computer
To verify certificates in the
certificate path for a Windows or Internet Explorer product update, follow
these steps:
Step 1: Verify Microsoft
certificates
|
1.
|
In Internet Explorer, click
Tools, and then
click Internet Options.
|
|
2.
|
On the Content tab,
click Certificates.
|
|
3.
|
On the Trusted Root Certification Authorities tab, double-click Microsoft Root
Authority. If this
certificate is missing, go on to step 2.
|
|
4.
|
On the General tab, make
sure that the Valid from dates are 1/10/1997 to 12/31/2020.
|
|
5.
|
On the Certification Path tab,
verify that This certificate is OK appears under Certificate Status.
|
|
6.
|
Click OK, and then double-click the
NO LIABILITY ACCEPTED certificate.
|
|
7.
|
On the General tab, make
sure that the Valid from dates are 5/11/1997 to 1/7/2004.
|
|
8.
|
On the Certification Path tab,
verify that either This certificate has expired or is not yet valid or This certificate is
OK appears under Certificate Status.
Note Although this certificate is expired, the certificate will continue to work. The operating system may not work correctly if the certificate is missing or revoked. |
|
9.
|
Click OK, and then double-click the
GTE CyberTrust Root certificate. You may have more than one of these certificates
with the same name. Check the certificate that has an expiration date of
2/23/2006.
|
|
10.
|
On the General tab, make
sure that the Valid from dates are "2/23/1996 to 2/23/2006."
|
|
11.
|
On the Certification Path tab,
verify that This certificate is OK appears under Certificate Status.
Note Although this certificate is expired, the certificate will continue to work. The operating system may not work correctly if the certificate is missing or revoked. |
|
12.
|
Click OK, and then double-click Thawte Timestamping CA.
|
|
13.
|
On the General tab, make
sure that the Valid from dates are "12/31/1996 to 12/31/2020."
|
|
14.
|
On the Certification Path tab,
verify that This certificate is OK appears under Certificate Status.
|
Step 2: Import missing or
damaged certificates
If one or more of these
certificates are missing or corrupted, export the missing or corrupted
certificates to another computer, and then install the certificates on your
computer. To export certificates on another computer, follow these steps:
|
1.
|
In Internet Explorer, click
Tools, and then
click Internet Options.
|
|
2.
|
On the Content tab,
click Certificates.
|
|
3.
|
On the Trusted Root Certification Authorities tab, click the certificate that you want to export.
|
|
4.
|
Click Export, and then
follow the instructions to export the certificate as a DER encoded Binary x.509(.CER) file.
|
|
5.
|
After the certificate file
has been exported, copy it to the computer where you want to import it.
|
|
6.
|
On the computer where you
want to import the certificate, double-click the certificate.
|
|
7.
|
Click Install certificate, and then
click Next.
|
|
8.
|
Click Finish, and then
click OK.
|
Method 9: Clear
the temporary file and restart the hotfix installation or the service pack
installation
Note Skip this method if the
operating system is Windows 2000.
To clear the temporary file and restart the hotfix installation or the service pack installation, follow these steps:
To clear the temporary file and restart the hotfix installation or the service pack installation, follow these steps:
|
1.
|
Delete all the tmp*.cat
files in the following folders:
%systemroot%\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} |
|
2.
|
Delete all the kb*.cat files in the following folders:
%systemroot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
%systemroot%\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} |
|
3.
|
Delete all the oem*.* files from the %systemroot%\inf folder.
|
|
4.
|
At the command prompt, type
the following commands. Press ENTER after each command.
net stop
cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2 net start cryptsvc exit |
|
5.
|
Restart the
failed hotfix installation or service pack installation.
|
Method 10: Empty the software distribution folder
|
1.
|
Click Start,
click Run, type services.msc, and then click OK.
|
|
2.
|
In the
Services (Local) pane, right-click Automatic Updates, and then click Stop.
|
|
3.
|
Minimize the
Services (local) window.
|
|
4.
|
Select all
the contents of the Windows distribution folder, and then delete them.
Note By default, the Windows distribution folder is located in the drive:\Windows\SoftwareDistribution folder. In this location, drive is a placeholder for the drive where Windows is installed. |
|
5.
|
Make sure
that the Windows distribution folder is empty, and then maximize the Services
(local) window.
|
|
6.
|
In the
Services (Local) pane, right-click Automatic Updates, and then click Start.
|
|
7.
|
Restart the
computer, and then run Windows Update again.
|
If after doing the above
steps still you are not able to Install some Updates or Programs, then do a
Complete Format Re-Installation of Operating System.
No comments:
Post a Comment