.NET 4 updates fail to install (KB2600217, KB2656368)


Posted on Wed Apr 11, 2012 2:20 pm

Anyone else run into this?

http://social.technet.microsoft.com/For ... f014e39b62

The gist of it is that .NET 4 updates fail to install due to trust issues and the only way around it is to either install them as a local admin who was created before the machine was joined to the domain or to manually install a cert from the standalone installer and then muddy through it that way.

It doesn't look all that common but it's still vexing. Any ideas?
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed Apr 11, 2012 2:34 pm

There's a .NET update preparation tool that you can download from Microsoft that eventually fixed this issue on one of my PCs. You can find it by following the troubleshooting links from Windows Update.
i7-4770K, H70, Gryphon Z87, 16 GiB, R9-290, SSD, 2 HD, Blu-ray, SB ZX, TJ08-E, SS-660XP², 3007WFP+2001FP, RK-9000BR, MX518
JustAnEngineer

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 10:05 am

Ugh. Long post, forum timed me out so I lost it all. Here's a shorter version then.

KB2656351, KB2656368, KB2600217 all fail, all are .NET 4 updates. Tried running a cleaning tool from http://blogs.msdn.com/b/astebner/archiv ... 04493.aspx which did not help. Did a standalone installer, didn't help. I used this: http://www.microsoft.com/download/en/de ... n&id=12493 and it didn't give me any info I didn't already have.

Looking at http://social.msdn.microsoft.com/Forums ... 946d940c26 I am going to try http://www.microsoft.com/download/en/de ... n&id=18844 on a Win7 machine (most of our machines are WinXP).

However, that thread also had this:

After some searching I found out that it had to do with the Group Policy Object of our domain. So a security policy verifies the certificate for some reason. I still don't know which policy it is. I am even Administrator on my machine.

GPO is possibly to blame? I'm not sure where to even begin to look.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 10:06 am

Also I couldn't find any .NET update preparation tool. Maybe Win7 has different "click here to fix this" things than WinXP when updates fail. I'll pursue that next.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 10:35 am

There's no local admin account that was used to initially set up the OS?
(this space intentionally left blank)
just brew it!

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 2:22 pm

Yeah, but I can't log in as it due to the fingerprint solution we have in place. It doesn't allow logins to the local machine, only the domain. So I guess I could boot into safe mode to try. Or, I can use the main MAIN domain admin since it's the same non-standard name as the initial local admin we use to set up the machine.

But I'd rather us use our "admin" accounts which are special IT staff accounts that are also domain admins rather than the generic main domain admin account. As it is, I have a workaround, kinda, but I'd rather find out what the issue is. If it's our domain causing a problem, that should be fixed!

It's nothing with the firewall. Stuff not on the domain on the inside network can update just fine. So it's definitely related to the domain and I guess the GPO. But why just .NET 4 updates? And only some of 'em? I started trolling through the event viewer and got a bunch of pain.

Found this in Event Viewer > Windows Logs: Application

2 identical entries that correspond to an update attempt.

EventID 513
EventSourceName Microsoft-Windows-CAPI2 aka CAPI2
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: TraverseDir : Unable to FindFirstFile. System Error: Access is denied.


And nothing new here, this is Event Viewer > Windows Logs: System

EventID 20
EventSourceName WindowsUpdateClient
errorCode 0x80070643
updateTitle Security Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 for x64 (KB2656368)


I don't get any of these events when trying the standalone patch installer.

I saw this random event in security but am unsure if it's related:

SceCli
EventID 1202
[ Qualifiers] 32768
0x4b8 : An extended error has occurred. Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

It took a little while, but finally got events showing up in Event Viewer > Applications and Services Logs > Microsoft > Windows > CAPI2: Operational

The meat of it is I found this:

- [CertRejectedRevocationInfo]
[SubjectCertificate fileRef="8849D1C0F147A3C8327B4038783AEC3E06C76F5B.cer" subjectName="Microsoft Corporation" /]
[IssuerCertificate fileRef="FDD1314ED3268A95E198603BA8316FA63CBCD82D.cer" subjectName="Microsoft Code Signing PCA" /]
[CertificateRevocationList location="UrlCache" url="http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl" fileRef="F047D9EE59F574A90B91448C69A337CCFEB517DC.crl" issuerName="Microsoft Code Signing PCA" /]
- [Action name="IsCrlSignatureValid"]
[Error value="80090006"]Invalid Signature.[/Error]
[/Action]

So... why is the sig invalid on the domain but these install just fine not on the domain? I'm pretty sure I didn't set a GPO for "TotallyJack.NET4Certs" but a coworker might have...
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 2:27 pm

And for some other random junk, I get an error with this:

- [Action name="Call_WinHttpGetProxyForUrl"]
[Error value="2F94"]The Proxy Auto-configuration URL was not found.[/Error]
[/Action]

But from what I read, this was in the NoProxy action container (or whatever) so it shouldn't have been looking for a proxy anyway? We don't use any web proxy 'ere. I also see a few:

[Result value="80092013"]The revocation function was unable to check revocation because the revocation server was offline.[/Result]
[Result value="800B010E"]The revocation process could not continue - the certificate(s) could not be checked.[/Result]

- [TrustStatus]
[ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" /]
[InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" /]
[/TrustStatus]

However, when I look at where it's tryin' to go, like thus:

- [RevocationInfo freshnessTime="P24DT22H15M7S"]
[RevocationResult value="0" /]
[CertificateRevocationList location="UrlCache" url="http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" fileRef="FCC745F63DF3E1D01FBCFB3804FCA457EDFCC851.crl" issuerName="Microsoft Root Certificate Authority" /]
[/RevocationInfo]

I can get to http://crl.microsoft.com/pki/crl/produc ... otcert.crl and http://mscrl.microsoft.com/pki/mscorp/c ... uthority(8).crl just fine. I don't quite get the fileRef stuff, though, is that meant to say it's looking for http://crl.microsoft.com/pki/crl/produc ... FCC851.crl or something? THAT can't be found but I'm unsure if that's the right URL or if it's some other thing goin' on. Certainly, the response via http seems to be all nice:

- [HTTPRequestHeadersInfo]
[Header]GET /pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl HTTP/1.1[/Header]
[Header]Accept: */*[/Header]
[Header]If-None-Match: "482927d818cd1:0"[/Header]
[Header]If-Modified-Since: Wed, 11 Apr 2012 17:25:12 GMT[/Header]
[Header]Cache-Control: max-age = 900[/Header]
[Header]User-Agent: Microsoft-CryptoAPI/6.1[/Header]
[Header]Connection: Keep-Alive[/Header]
[/HTTPRequestHeadersInfo]
- [HTTPResponseHeadersInfo]
[Header]HTTP/1.1 304 Not Modified[/Header]
[Header]Connection: keep-alive[/Header]
[Header]Date: Fri, 13 Apr 2012 18:30:10 GMT[/Header]
[Header]Content-Type: application/pkix-crl[/Header]
[Header]Expires: Fri, 13 Apr 2012 18:43:26 GMT[/Header]
[Header]Age: 104[/Header]
[/HTTPResponseHeadersInfo]
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 2:45 pm

Ok we use a MSUS server for managing our updates. Still not sure why the original/domain admin logging in would skip that since it's a machine policy and should still be downloading/checking from our MSUS server regardless, but perhaps this is the problem.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 2:47 pm

...and on the same note, I'm also going to be lookin' into this: http://support.microsoft.com/kb/982606/en-us
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Fri Apr 13, 2012 2:56 pm

I find senseless breakage like this to be extremely frustrating/aggravating. Makes me really glad that there's a new guy at the office who has taken over some of the day-to-day Windows sysadmin stuff, so I don't have to do all of it myself any more.
(this space intentionally left blank)
just brew it!

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Tue May 08, 2012 11:20 am

Last edited by Scrotos on Wed May 09, 2012 10:45 am, edited 1 time in total.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Tue May 08, 2012 1:26 pm

I'm not sure if it's been mentioned already, but try running the below via command prompt or run them in a batch file. This fixes my .NET problems 9 times out of 10:

regsvr32 softpub.dll /s
regsvr32 wintrust.dll /s
regsvr32 initpki.dll /s
regsvr32 mssip32.dll /s
regsvr32 scrrun.dll /s

Even though it's not mentioned in the KB article, Link, re-registering scrrun.dll (aka File System Object) fixes a lot of install problems, regardless if they're dependent on .NET.
Heavy is good, heavy is reliable. If it doesn't work, you can always hit them with it.
Dizik

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Tue May 08, 2012 5:35 pm

Now look here, son, everything is pointing towards some GPO issue, not a DLL registration issue. So why don't you...

...what's this now? It fixed it on one of the XP machines? The hell? But but but... ARGH! What's going on here?

Thanks for the heads up with this. I can deploy that as part of a login.bat to most of the machines in the organization if it works on other XP machines as well. Doesn't seem to help with Win7, though, and initpki.dll isn't there for Win7 (or not where it's expecting it to be). I'll take a looksee in the morn and see what more I can discern.

Thanks again!
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 8:01 am

Well, I've been using that as a batch file for years, which is why it still calls for initpki.dll. I would suggest that you try running the update package found in the "Windows 7, Windows Vista or Windows Server 2008" section in the link that I posted.

Also, as a last resort, you can try to uninstall .NET and reinstall. That can be a bit of a pain sometimes, especially if you have software installed that is dependent on .NET. Link.
Heavy is good, heavy is reliable. If it doesn't work, you can always hit them with it.
Dizik

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 9:36 am

More failures on KB2604121 and KB2656406 today. I'm doing some more testing and it seems like initpki.dll is the main culprit. Yeah, I was hoping to get around the Win7-specific "fix" because it's a 300 MB .msu I'll have to run. Ugh.

Have done the .NET uninstall and reinstall before, didn't help.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 9:42 am

Did you uninstall just .NET 4, or .NET 3 and/or .NET 3.5? Also, do you have a full install of 4, or just the client profile?
Heavy is good, heavy is reliable. If it doesn't work, you can always hit them with it.
Dizik

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 10:34 am

Just the client profile. I don't believe I did 3 and 3.5 but this is an organization-wide thing and I don't really want to have to do this for each machine, know what I mean?

regsvr32 initpki.dll /s

This seems to be the key. It does not seem to last, though. I don't know if the next .NET 4 update kills it or if it dies on a reboot. I do know that I have to run it again for the next round of .NET 4 updates. I also ran it and had an office 2010 update and the malicious software update fail, 16 out of 18 worked, then upon reboot I had 18 again to do and this time it was the 2 .NET updates that failed. Another reboot, re-register that dll, run the updates, and it worked fine.

So for my particular scenario, it seems like I have to install the .NET updates by themselves after they fail lest I somehow jack up the rest of the update process. Still doing some testing but these aren't the fastest machines anymore so it's takin' a bit o' time.
Last edited by Scrotos on Tue Jan 08, 2013 11:00 am, edited 1 time in total.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 10:40 am

http://translate.google.com/translate?s ... 2600217%2F

I will try Bent Schrader's answer:

The key is to change the Software Publishing State Key Value within the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]

Change the DWORD Key "State" with value 0xc9 to the value 0x22849. See my blog post for further information (It's in german language but google will help you translate it).
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 10:46 am

That was going to be my next suggestion.
Heavy is good, heavy is reliable. If it doesn't work, you can always hit them with it.
Dizik

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 3:30 pm

Scrotos wrote:
regsvr32 initpki.dll /s

This seems to be the key. It does not seem to last, though.

It's because re-registering this sets the default values for the setreg stuff; upon reboot it reapplies the domain GPO that overwrites the setting that allows the updates to work.

This appears to be exactly it. For those German-impaired:

http://translate.google.com/translate?s ... 2600217%2F

It's some kind of crazy hex bitmask.

Yes, to get TRUE you must use negative values on some of them.

 1) Trust the Test Root........................... TRUE  0xA0
 2) Use expiration date on certificates........... TRUE -0x100
 3) Check the revocation list..................... TRUE -0x200
 4) Offline revocation server OK (Individual)..... TRUE  0x400
 5) Offline revocation server OK (Commercial)..... TRUE  0x800
 6) Java offline revocation server OK (Individual) TRUE  0x1000
 7) Java offline revocation server OK (Commercial) TRUE  0x2000
 8) Invalidate version 1 signed objects........... TRUE  0x10000
 9) Check the revocation list on Time Stamp Signer TRUE -0x20000
10) Only trust items found in the Trust DB........ TRUE  0x40000


I don't understand exactly how this bitmask works. It hurts my head with the negative values. I guess the baseline is 0x20300 instead of 0x00.

At some point someone who set up the domain said, "these values are for SECURITY!" and for only .NET 4 it jacks up the updates. I might take a gander at something like http://www.nsa.gov/ia/_files/app/I731-008R-2006.pdf to see if I can understand more about what these settings do and what risks are involved with our current default settings.
Scrotos
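
Added example, not part of the original post or of any Microsoft tool: a small Python decoder for the "State" DWORD, built only from the SETREG table quoted in the post above, which also compares the two values quoted earlier in the thread (0xc9 and 0x22849). It assumes a negative table entry marks a bit whose stored sense is inverted (the option is TRUE when the bit is clear); the function names are made up for this illustration.

```python
# Added example (not from the thread): decode the WinTrust "Software
# Publishing" State DWORD using only the SETREG table quoted in the post.
# Assumption: a negative table entry marks a bit whose stored sense is
# inverted, i.e. the option reads TRUE when that bit is clear.

# (SETREG option number, label, bitmask, inverted sense)
OPTIONS = [
    (1, "Trust the Test Root", 0xA0, False),
    (2, "Use expiration date on certificates", 0x100, True),
    (3, "Check the revocation list", 0x200, True),
    (4, "Offline revocation server OK (Individual)", 0x400, False),
    (5, "Offline revocation server OK (Commercial)", 0x800, False),
    (6, "Java offline revocation server OK (Individual)", 0x1000, False),
    (7, "Java offline revocation server OK (Commercial)", 0x2000, False),
    (8, "Invalidate version 1 signed objects", 0x10000, False),
    (9, "Check the revocation list on Time Stamp Signer", 0x20000, True),
    (10, "Only trust items found in the Trust DB", 0x40000, False),
]

def decode(state):
    """Map each SETREG option number to TRUE/FALSE for a State value."""
    result = {}
    for num, _label, mask, inverted in OPTIONS:
        bits_set = (state & mask) == mask
        result[num] = (not bits_set) if inverted else bits_set
    return result

def apply_setreg(state, option, value):
    """Return State after the equivalent of 'setreg <option> <value>'."""
    for num, _label, mask, inverted in OPTIONS:
        if num == option:
            want_set = value != inverted  # inverted options clear the bit on TRUE
            return (state | mask) if want_set else (state & ~mask)
    raise ValueError(f"unknown SETREG option {option}")

def all_false_state():
    """State with every option FALSE: only the inverted bits are set."""
    state = 0
    for num, *_ in OPTIONS:
        state = apply_setreg(state, num, False)
    return state

def changed_options(old, new):
    """Options whose value differs between two State values."""
    before, after = decode(old), decode(new)
    return {n: (before[n], after[n]) for n in before if before[n] != after[n]}

if __name__ == "__main__":
    labels = {num: label for num, label, _m, _i in OPTIONS}
    # Values quoted in the thread: 0xc9 (before) and 0x22849 (after).
    for num, (was, now) in changed_options(0xC9, 0x22849).items():
        print(f"{num:2d}) {labels[num]}: {was} -> {now}")
    print(f"all-FALSE State: {all_false_state():#x}")
```

Under that reading, going from 0xc9 to 0x22849 turns options 5 and 7 on and option 9 off, so the change works by tolerating an unreachable revocation server and skipping the revocation check on the time stamp signer. The all-FALSE value comes out as 0x20300, the baseline guessed in the post.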

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 4:35 pm

Yeah .Net is what I was updating when it kind of screwed up. Have to do a reinstall, I don't want to take any chances. What does .Net do for you?
RAMBO

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Wed May 09, 2012 5:37 pm

It's Microsoft's version of JAVA (write managed code to a virtual machine target, right?) and programs use it. I think even ATI's Catalyst Control Center uses/requires it as well? So at some point you'll want SOME version of it installed.
Scrotos

Re: .NET 4 updates fail to install (KB2600217, KB2656368)

Posted on Tue Jan 08, 2013 10:15 am

Well, I need to fix the security bitmask in the GPO one day, but for now when we get random .NET 4 install fails, I have a .bat I run:

@echo off
setreg 5 true

Run it then re-try the install/updates. Or, run it first and then do the updates. It's temporary so next reboot or GPO refresh it'll set back to the previous value.

You get SETREG from a previous post in here, I think it's in .NET 1.1 or .NET 1.1 SDK, I forget offhand. I think maybe only 4 times I've run into this on WinXP and Win7 in the last year or two.

I would also like to note that the SETREG method is the least invasive to your system to try out. The other possible solutions involve reinstalling or deregistering/reregistering DLLs and such. I'd give that a shot first and then see where you go from there.
Scrotos