- This topic has 21 replies, 2 voices, and was last updated 3 years ago by .
-
Posts
-
The above error in BP is thrown.
I have five hosts on my closed network here. Three are tablets running Win8.1 and then two desktops running Win7. I downloaded the cab file this morning and ran BP to “Retrieve consolidated url list of available updates”. 4 of the 5 hosts threw an error, the two desktops produced what is in the title. 2 of the tablets produced a HRESULT: -2147024894. I ran a TaskKill on the 4 faulty hosts. I ran the “Retrieve…” again and tablets took this time, but the workstations continue to show the error in the title above.
I read the forum posts on this issue about the erroneous cab file from Microsoft and bad certs. All the certs checked out, but I re downloaded anyway, deleted the first downloaded cab, pasted new cab in cache folder, and tried again, same error message. Then I went to my two desktops and removed the cab file from the C:Program FilesBatchPatch folders and try again with a THIRD downloaded cab file from Microsoft.
The credentials all match. The cab files have all matched and contained all the same certs. The cab file copies correctly to all hosts.
Why did the tablets work out but not the desktops? I am using BP on one of the desktops to do all of this work so the other desktop just sits idle, just like the tablets. I don’t understand why the tablets worked fine but not the desktops?
I just tried it for a fourth time, this time using a different thumb drive and the error was just thrown again.
The file does copy correctly and it appears to begin Executing BatchPatchRemoteAgent.exe… but 90 seconds later the error message is shown.
Error -198 indicates that there was a problem when BatchPatch tried to add the scan package service for the WsusScn2.cab file. The HRESULT value is the reason code.
HRESULT -2147024894 translates to:
0x80070002 -2147024894 ERROR_FILE_NOT_FOUND
The System cannot find the file specifiedThis would only happen if the file itself did not exist on the target computer when the scan was initiated. It sounds like you got this resolved.
HRESULT -2146762487 translates to:
0x800B0109 -2146762487 CERT_E_UNTRUSTEDROOT
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust providerThis indicates that the certificate on the WsusScn2.cab was signed by an untrusted CA. This is not the same problem that you read about in other forum postings that described some cases where the WsusScn2.cab file contains no digital certificate. In this case the .cab file is signed, but the issue is that the certificate is not trusted by the target computer(s). I suspect that you have not used Windows Update on these target computers for a very long time, and now the certificate authority that Microsoft is using to the sign the cab file is not in the trusted root store of the target computers. This does not mean that there is a problem with the WsusScn2.cab file. Probably the file itself is fine and legitimately signed. However, since your target computers are probably either an old OS (you didn’t mention which OS they are) and/or they have not been updated in a very long time, the trusted root store simply does not contain the CA that Microsoft used to sign the .cab file.
I think you just need to get the CA to be included in the trusted root store on the target computers in question. I’m not sure the exact path to make this happen. You might be able to simply view the details of the certificate (right click on the WsusScn2.cab file and then select the ‘digital certificate’ tab, and dig in to ‘view certificate’), and then once viewing the certificate you might be able to simply click a button to import that cert. I think this might depend on which OS you are running on the targets, and I’m not 100% certain that this is the exact correct method. When I look at the cert for the most recent .cab file that I just downloaded, the CA is ‘Microsoft Code Signing PCA.’ I believe historically the way that Microsoft has modified the trusted root store on Windows computers is by publishing a Windows Update with the desired/needed updates. In your case since the computers do not have internet access it seems like you would need another way to get the trusted root store updated. If the method that I described above does not work, then I wonder if maybe you can export the cert from a computer that has it to then import on the computers that do not have it. I’m not sure, but hopefully I’ve given you enough information to go on so that you can get it worked out. If/when you get it worked out it would be great if you could post here with the exact steps you took to get the trusted root store updated.
-Doug
Very peculiar. At the moment I don’t have any great thoughts, though it might be interesting to see if the old WsusScn2.cab is still able to scan successfully without producing this error. Are you able to test with the old .cab file that you used successfully back in May?
I don’t think this issue is due to a service being stopped. You can see which services need to run for BP here. However, what you are experiencing is not a BP error, per se. It’s being thrown by the Windows Update Agent, and the HRESULT code in this case is *not* ambiguous. It would be highly unlikely that CERT_E_UNTRUSTEDROOT exception is somehow being thrown erroneously due to some other problem. The issue has pretty much got to be somehow relating to the certificate and root store. It’s very peculiar that you would see the same issue now occur with both the old and new WsusScn2.cab file even though in May the old WsusScn2.cab file did not cause any problems. I believe Windows has, in addition to the trusted root store, an untrusted root store. This is described here: https://blogs.technet.microsoft.com/srd/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store/
Perhaps somehow your problem machines have revoked a valid cert and maybe even the cert that was used to sign the .cab file is located in the untrusted store?
If you believe the issue occurred from a previously installed update, you could consider removing the last group of updates that you applied in May to see if there is an effect. I unfortunately do not have any better suggestions at the moment. If I think of anything I will post it here.
Thanks,
Doug
I can’t imagine how the HomeGroup Listener service would have anything to do with producing the error that you are seeing.
With regard to your question about PsExec: On the computer running BatchPatch you would see psexec.exe in task manager processes list only *during* execution of remote actions. Also note that not all remote actions will utilize psexec, so you will only see it running for actions that do utilize it. Additionally on the remote computer you will see psexesvc.exe running in the task manager processes list during execution.
NOTE: the certificate error that you are receiving would be completely unrelated to psexec. Psexec appears to be running properly in your case. The certificate error is occurring *after* psexec is already successfully running and after the batchpatchremoteagent.exe is already successfully running on the target computer. The batchpatchremoteagent.exe tells the Windows Update Agent (WUA) to load the WsusScn2.cab file. It’s during this process when the WUA tries to load the .cab file that the WUA returns the HRESULT -2146762487 to the batchpatchremoteagent.exe. This HRESULT means that the certificate chain terminated in an untrusted root certificate. I cannot imagine any scenario in which this error could/would occur for any reason other than something relating to certificates and the trusted root on the target computer.
I hope this helps.
-Doug
FYI for the sake of google searching I would recommend that you search the HEX representation of the HRESULT, which is 0x800B0109. Searching the decimal representation (-2146762487) probably won’t yield as much.
-Doug
I think you are misunderstanding how it all works. You might consider reviewing general PKI concepts to better understand how it all works, or you may just reach out to a coworker who has experience with PKI and security fundamentals to help you troubleshoot, but essentially the WsusScn2.cab file is signed by Microsoft. The act of “signing” is a way to authenticate that the file actually came from Microsoft. When the scan is initiated the WUA attempts to validate the signature. It sees that the file was signed by ‘Microsoft Code Signing PCA’ and then it looks in its trusted root store to see if it has a corresponding certificate for Microsoft Code Signing PCA which is what tells is that it can trust or not trust a file that was signed by Microsoft Code Signing PCA. If the trusted root does not contain the proper certificate, then it will say that it can’t trust the file. This is not an outright rejection saying that the file is invalid or bogus or cannot ever be trusted. In your case it’s just saying something along the lines of “we don’t know if we can trust this file because our trusted root store does not have a signature that says we can trust it.” Considering that your previous WsusScn2.cab file worked fine in May but no longer works due to this error implies that somehow the trusted root store has been modified, and it no longer contains a certificate for Microsoft Code Signing PCA even though it used to contain the cert and should still contain the cert. But if you can get the appropriate certificate imported once again into the trusted root, then the WsusScn2.cab file should pass the certification check. It’s unclear to me what would have removed the cert from your trusted root. This is peculiar, unless an administrator came in and emptied the trusted root store. Perhaps another option would be to use System Restore and see if you are able to revert the computer back to a time prior to May when things were working properly. This will also end up uninstalling updates that were installed since that time. But that would/should be ok because you can then just install them anew.
-Doug
Ok no worries. Sorry about that. Based on viewing the cert chain on the WsusScn2.cab file I would think that the certificate that needs to be in the trusted root store is the Microsoft Root Certificate Authority. I conclude this based on looking at the ‘certification path’ tab of the certificate for the WsusScn2.cab. The path ends with the Microsoft Root Certificate Authority. And I can confirm that I have this Microsoft Root Certificate Authority listed in my trusted root CAs snap-in. If I were you I would look to see if you have it showing and if you can see that the dates on it are valid. I hope this helps. Let me know what you find.
-Doug
My trusted root store shows the same CAs as yours. This is so weird. Are you absolutely sure that you have been providing me with the correct error and HRESULT? Is there any possibility that you mixed things up? The -198 error can occur with a number of different HRESULTS, so possibly you saw -198 but assumed the HRESULT was the same when it was not? This might be a stretch, but I want to confirm because it has happened before with other users.
I think the likelihood of being able to disable signature validation is almost nil. I think that you have a couple of more realistic options…
0. Try running the Microsoft Baseline Security Analyzer on the targets. It uses the WsusScn2.cab also (at least it used to, but I have not used it in a very long time) https://www.microsoft.com/en-us/download/details.aspx?id=7558 See if it scans successfully or if it throws a similar certificate error. If it works and gives you the list of available security updates, then you can download these and install them manually or download them and then use BP to deploy them with the ‘Deploy’ feature in BP.
1. If possible, provide temporary internet access to these computers, and then perform the scan in online instead of offline mode.
2. Manually figure out what updates Microsoft has released for these computers in the past few months, and then download all of them manually for installation. Since Microsoft switched to cumulative update model not that long ago, it might not be that challenging or time consuming to do this (unless Windows 7 isn’t using that same cumulative model– I can’t remember off the top of my head if it is or is not). You could still use BP to deploy the standalone updates to the computers using the ‘Deploy’ feature in BP. But you would need to obtain the correct updates from Microsoft manually first.
3. Try uninstalling May’s updates from these computers and see what happens.
Good luck and keep me posted.
Excellent. Keep me posted on how things progress!
Thanks,
Doug
More recently we’ve learned of two possible causes for this error. 1: If you are trying to apply updates to an operating system that Microsoft is no longer supporting and delivering updates for. If you have not purchased an Extended Security Update (ESU) package from Microsoft, you might need to do this. 2: You have not installed the most recent servicing stack update (SSU). Try manually applying the most recent SSU for the OS in question, and it’s likely this error will go away.
- You must be logged in to reply to this topic.