Update.inf error, be sure crypto service is running

[DelJo63]

Update.inf error, be sure crypto service is running [no longer worth chasing]

my my; I can't install anything downloaded from MS

this KB addresses the issue, but the solution(s) are ineffective

This problem may occur if one or more of the following conditions are true:

* Log file or database corruption exists in the %Systemroot%\System32\Catroot2 folder.
* Cryptographic Services is set to disabled. FALSE
* Other Windows files are corrupted or missing. very helpful; NOT
* The timestamp signature or certificate could not be verified or is malformed.(*)
* The hidden attribute is set for the %Windir% folder or one of its subfolders. FALSE
* The Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) is set to Do not allow installation or Warn but allow installation, or the Policy binary value is not set to 0 in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing
* The Enable trusted publisher lockdown Group Policy setting is turned on, and you do not have the appropriate certificate in your Trusted Publishers certificate store. This Group Policy setting is located under User Configuration, under Windows Settings, under Internet Explorer Maintenance, under Security, under Authenticode Settings in the Group Policy MMC snap-in.
* You are installing Internet Explorer 6 SP1, and the 823559 (MS03-023) security update is installed. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
828031 (http://support.microsoft.com/kb/828031/ ) "The software you are installing has not passed Windows Logo testing..."
error message when you try to install Internet Explorer 6 Service Pack 1 FALSE, FF 3.5 user
* The software distribution folder is corrupted. ?hummm?
​

(*) Root Certificates were update and the word on the street is to leave all the expired certs inplace

SFC /SCANNOW was performed but nothing was seen to be replaced - - perms/attr changes could not be seen or verified.

The system32\catroot2 was renamed (with some effort too) at least three times; no effect.

looks as if the software distribution folder is my last choice - -

suggestions? (oh please :wave

 

[brucethetech]

honestly, I would have tried the software distribution folder before all of that MS stuff. can you install anything at all or os it just ms stuff. (installer engine vs. digital signature)

does the install go through and roll back at the end?

 

[DelJo63]

can you install anything at all or os it just ms stuff. (installer engine vs. digital signature)

does the install go through and roll back at the end?

Yes I can install other software; just installed Quickbooks without any issues.

the only problem is in decrypting the MS downloads; ie I can fetch and save to HD but not install.

 

[brucethetech]

let me know if you ever find a fix for this. I havent seen this issue before.

 

[gbhall]

Time/date problem? can fox anyone, not having the right date and time.
catroot corrupt? I'm sure you have tried chkdsk /r
CatRoot2 ? mine is called CatRoot, the subdirectory {F750E6C3-38EE-11D1-85E5-00C04FC295EE} is where all the KB files...cat go.
There are all sorts of odd settings, in CatRoot and CatRoot2 and I'm sure you can compare with a working system. Special read-only settings, special settings for system user and administration user. Each sub-dir has two subdirs, with the same {....} names and the timestamp file in the first is different in each one.
In CatRoot2 each of the two sub-dirs has a catdb. If either is corrupt, I've no idea how to correct it, but a system restore ought to help.
No, wait - try http://technet.microsoft.com/en-us/library/cc734109(WS.10).aspx esentutl tool-where do MS get these barmy ideas from?

 

[DelJo63]

thanks. I've done the "Create a new catroot2 folder" multiple times and that's not it

 

[gbhall]

Umm, so you have run the esentutl utility and not been told the catdb is corrupt?

You have worked your way all through the nasty kb822798 ? and kb943144? and kb555615?

You did the Open a CMD.EXE prompt and type:
RD /S /Q %SystemRoot%\System32\Catroot2 ?

Checked for infections?

BTW are you on XP,Vista or Win7?

 

[DelJo63]

System is XP/Pro SP2

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................


Integrity check successful.

RD /S /Q %SystemRoot%\System32\Catroot2

no errors are reported

 

[gbhall]

Well, it seems that MS now requires SP3 in order to install ANY MS updates. This would fit their policy of ceasing support permanently for SP2 on July 13th 2010. In fact this is the quote from MS

Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product ended July 13, 2010! To ensure that you will receive all important security updates for Windows you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.
[\Quote]

and this link makes it clearer still http://windows.microsoft.com/en-US/windows/help/what-does-end-of-support-mean and specifies all updates. instead of security updates.

 

[DelJo63]

yea, seen all that - - but some bits are not updates but functionality
eg LLTP-XP-KB922120-v5-x86-ENU.exe
the LLTP component to allow Win/7 to access XP (this is the component I'm attempting to install)

it appears to be more prolific than just MS Updates (which whine re the crypto service)

eg: jre_6u22 will not install for a similar reason
>> error 1303, invalid signature on data1.cab
even though the jdk_6u21 does install; apparently is unsigned.

There's a rash of msinstaller events,
1033, 11707, 1042, 1040, 1035, 11729, 1034, 11708

it would appear that anything that is signed (regardless of origin) can not be installed.

I've been chasing those installer events,
most all contain comments with

The description for Event ID ( 1035 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.​

goofy to me as these are self-contained installer files like xyz.exe of several mb
(thus no remote access to download bits and pieces).

it is true that RDP is set to manual start as is
Help/Support, Remote Access Auto Connect , Remote Registry.
IMO - - that's all red herrings . . .

Thanks for your feedback and time. You may well be correct that XP SP2 can
no longer install squat - - a tad draconian if you ask me.

 

[DelJo63]

Well, I got coersive and did the work manually
(I'll have to find the article that lead to the discovery)

steps were:
1) expand the package ppp -x:dirName
into a new directory which created
sp2gdr\ sp2qfe\ update\

2) right-clk on update\*.cat -> properties -> click on Digital Signatures
click on the entery and then Details
click View ->Install Cert (yes it's expired but valid)

at this point update\update.exe should have worked, but still got issue
with update.inf branches

3) sp2qfe\ip\

rspndr.exe ->copy to %systemroot%\system32\
rspndr.sys ->copy to %systemroot%\system32\drivers\​

4) sp2gdr\ip

copy rspndr.* %systemroot%\inf\​

get a cmd prompt to install the service rspndr
%systemroot%\system32\rspndr.exe -i

service is started manually with

net start rspndr​

and rspndr does not show up in services.msc (to be resolved)

sc create will build an entry but it seems to fail "not a win32 program"

I'll work it out later

 

[gbhall]

Thanks for your feedback and time. You may well be correct that XP SP2 can
no longer install squat - - a tad draconian if you ask me.

I know you are highly experienced, and I am sure you have good reason for not having updated to SP3. But.....

I personally would (if asked) say that update is mandatory now. Not just because of the missing critical updates, but in terms of having all the nuts and bolts of the OS still fitting each other correctly.

 

[DelJo63]

The LLTP was issued for SP2 (kb922120) and the update\branches.inf was obviously
structured for SP2, not SP3

RTMQFE_NAME = "RTMQFE"
SP1RTM_NAME = "SP1RTM"
SP1QFE_NAME = "SP1QFE"
SP2BTA_NAME = "SP2BETA"
SP2RC1_NAME = "SP2RC1"
SP2RC2_NAME = "SP2RC2"
SP2IDX_NAME = "SP2IDX"
SP2RTM_NAME = "SP2RTM"
SP2GDR_NAME = "SP2GDR"
SP2QFE_NAME = "SP2QFE"​

whereas SP3 should have SP3xxx entries - - making this all the more puzzling.


Yes, I really should install the SP3 CD which is in-house, but the first time I tried it,
it took several days to put the system back together so I've put it off until I feel like
flagellating myself once more :grin:

again, thanks for your time, Jeff

 

[gbhall]

It looks likely that you have identified that only digitally signed installs fail to work. Since digital signing depends upon the crypto subsystem, it seems highly likely that the entire method of signing has changed under SP3. This would be because of 128-bit encryption. I cannot remember if Windows universally adopted 128-bit encryption with SP2 or SP3, but the ache in my left knee suggests it was SP3. This would account for all your symptoms.

As for the SP3 update - yes there were a lot of troubles with it, I hit a problem myself caused by some attempt to update the music beethoven3 used somewhere in Windows, for which the subdirectory was missing on my PC (OEM install). Due to the predictable incompetance of MS programmers, this halted the install, and would not proceed further until I (at length) discovered a post mentioning it, and provided the necessary directory.

Similarly, there eventually appeared on the web several very complete lists of precautions to take that finally made the update work every time. http://www.itexpertmag.com/client/d...solve-incompatibility-and-installation-issues and http://windowssecrets.com/2008/09/11/02-Dont-let-XP-Service-Pack-3-hose-your-system are the only ones I can find right now. Hope you give it a try. Oh and don't use the CD of SP3 - download a fresh copy from MS, because I strongly suspect it was reissued several times due to the kind of problem I just mentioned.

PS I just re-read the 1st post I report, and it says "Microsoft kernel mode cryptographic module (new)
FIPS.SYS, the software-based general purpose cryptographic module, is now part of the XP kernel in the form of an export driver than can be run as a kernel-mode DLL to better handle cryptographic requests at the application layer. It’s been updated to support SHA2 hashing algorithms for cryptographic key management and has been certified according to the Federal Information Processing Standard (FIPS) 140-2 standard.". Looks like I might be right, eh?

 

[DelJo63]

It looks likely that you have identified that only digitally signed installs fail to work. Since digital signing depends upon the crypto subsystem, it seems highly likely that the entire method of signing has changed under SP3. This would be because of 128-bit encryption. I cannot remember if Windows universally adopted 128-bit encryption with SP2 or SP3, but the ache in my left knee suggests it was SP3. This would account for all your symptoms.

Agree. I'm leaning toward this conclusion ...

As for the SP3 update - yes there were a lot of troubles with it, ...

Similarly, there eventually appeared on the web several very complete lists of precautions to take that finally made the update work every time. http://www.itexpertmag.com/client/d...solve-incompatibility-and-installation-issues and http://windowssecrets.com/2008/09/11/02-Dont-let-XP-Service-Pack-3-hose-your-system are the only ones I can find right now. Hope you give it a try.

Thanks for the input

Oh and don't use the CD of SP3 - download a fresh copy from MS, because I strongly suspect it was reissued several times due to the kind of problem I just mentioned.

HMM; The download I attempted ~4 months ago scrambled the system badly - - which is why I orderd the CD. For a certain I'll get a System State before I attempt anything !!!!!

PS I just re-read the 1st post I report, and it says "Microsoft kernel mode cryptographic module (new)
FIPS.SYS, the software-based general purpose cryptographic module, is now part of the XP kernel in the form of an export driver than can be run as a kernel-mode DLL to better handle cryptographic requests at the application layer. It’s been updated to support SHA2 hashing algorithms for cryptographic key management and has been certified according to the Federal Information Processing Standard (FIPS) 140-2 standard.". Looks like I might be right, eh?

hmm; just visited MS site re
Microsoft kernel mode cryptographic module dated 10/13/2000 ... not so new after all? I'll keep looking :wave:

 

[DelJo63]

Microsoft Kernel Mode Cryptographic Module. Microsoft Kernel Mode Cryptographic Module (Fips.sys) is a FIPS 140-1 Level 1–compliant, general purpose, software-based, cryptographic module in the kernel mode level of the Windows operating system. It runs as a kernel mode export driver (a kernel-mode DLL) and encapsulates several different cryptographic algorithms in an easy-to-use cryptographic module accessible by other kernel mode drivers. It can be linked to other kernel mode services to permit the use of FIPS 140-1 Level 1–compliant cryptography.​

Feature listed for SP3 :wave:

 

[gbhall]

Feature listed for SP3 :wave:

So if a current install expects to use this feature, "FIPS 140-1 Level 1–compliant, general purpose, software-based, cryptographic module in the kernel mode level of the Windows operating system", which is in SP3 and you don't have it, the install won't work. QED.

I'll leave you to it now Jeff, it's been fun.

 

[DelJo63]

second symptom: net start apache2 fails

[Sat Nov 13 15:20:49 2010] [notice] Digest: generating secret for digest authentication ...
[Sat Nov 13 15:20:49 2010] [notice] Digest: done
[Sat Nov 13 15:20:49 2010] [notice] Apache configured -- resuming normal operations
[Sat Nov 13 15:20:49 2010] [notice] Server built: Oct 9 2005 19:16:56
[Sat Nov 13 15:20:49 2010] [crit] (OS 2)The system cannot find the file specified. : Parent: Unable to connect child stdout to NUL.
[Sat Nov 13 15:20:49 2010] [crit] (OS 2)The system cannot find the file specified. : master_main: create child process failed. Exiting.​

If the digest is the issue, then crypto is D.O.A
if the Find File is the issue, lot's to do ...

I'll desist from further noise on this subject and go off and stick my head the lou!
(maybe I'll just return to the Mac platform)

Again, thanks for playing the devil's advocate ---

 

[DelJo63]

FYI anyone following:

second symptom: net start apache2 fails

[Sat Nov 13 15:20:49 2010] [notice] Server built: Oct 9 2005 19:16:56
[Sat Nov 13 15:20:49 2010] [crit] (OS 2)The system cannot find the file specified. : Parent: Unable to connect child stdout to NUL.
[Sat Nov 13 15:20:49 2010] [crit] (OS 2)The system cannot find the file specified. : master_main: create child process failed. Exiting.​

Missing non-PnP device NULL was this issue

device mgr-- (show hidden devices) missing NULL device​

and attempting to apply fix.reg from the net uncovered registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum permissions contained ONLY system (FC), Everyone (RO)​

Added Administrators (FC) and added the NULL device controls solved Unable to connect child stdout to NUL.
Net Start Apache2 is now sucessful