[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Failed extract of third-party root list from auto update cab -- still - THE OFFICIAL BLOG OF THE SBS DIVA
Thu, Aug 26 2010 23:26 bradley

Failed extract of third-party root list from auto update cab -- still

Event ID 4107 or 11 is logged in the Application Log in Windows Vista or Windows Server 2008 and later:
http://support.microsoft.com/default.aspx?scid=kb;en-us;2328240&sd=rss&spid=14498

On a computer that is running Windows 7 or Windows Server 2008 R2, an error that resembles the following is logged in the Application log:

ME:  Resembles?  Resembles?  How about driving me insane it's logging so much in the Application log!

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 4107
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) > with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

 Or, on a computer that is running Windows Vista or Windows Server 2008, an error that resembles the following is logged in the Application log:

 Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) > with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

This error occurs because the certificate "Microsoft Certificate Trust List Publisher" expired. A copy of the expired certification exists in the CryptnetUrlCache folder.

ME:  No kidding we kinda figured that one out but don't know how to fix this.

To resolve the problem, follow these steps:

ME:  Oh maybe please this sounds promising....

  1. Start a command prompt. To do this, click Start
    click All Programs, click Accessories, and then click Command Prompt.
  2. At the command prompt, type the following command and then press ENTER:
    certutil -urlcache * delete
    Note If the expired certificate is cached in the system profile, you must run the certuil command in the system context. To do this, follow these steps:
    1. Download the PSExec tool from the following Microsoft Web site:
      http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)
    2. Extract the tool.
    3. Start a command prompt and change to the directory where you save PSExec, and run the following command:
      psexec -i -s cmd.exe
    4. Run the certutil -urlcache * delete command

ME: Oh wow look at the certs that just got expired off and....

...and.. please oh please make this stop...and...

<sigh>

Nope still occuring. 

http://social.microsoft.com/Forums/en/partnerwinclient7rc/thread/ad5ac163-3566-4fad-95a7-e4e34ae1c4a3

Hang loose I'll keep you posted.

P.S. the command is psexec cmd.exe -i -s and then another window pops up

Filed under:

# re: Failed extract of third-party root list from auto update cab -- still

Friday, August 27, 2010 8:06 AM by Pete

I'm glad I'm not the only one having a hard time with this.  The CAPI2 errors cleared themsevles on most of my client's SBS servers except for four.  I've tried everything.  The above I'm trying on one though to see it it works.

Pete

# re: Failed extract of third-party root list from auto update cab -- still

Thursday, October 07, 2010 1:50 PM by GCJG

I've had similar problems.

Could this be related to your hosting company and their Windows Update servers?

Check your Windows Update panel. Does it say:

"You receive updates: Managed by your system administrator"

I wonder if updates coming directly from Microsoft's Windows Update servers have been affected by this problem?

Looking forward to some feedback.

# re: Failed extract of third-party root list from auto update cab -- still

Thursday, October 07, 2010 1:53 PM by bradley

Nope.  I've seen this on standalone PCs as well as WSUS managed ones.

The patches come from MS,  When it says "managed by your system administrator" that doesn't mean the updates come via your ISP, that just means your computer is linked to WSUS.