J
Jud McCranie
About 5 or 6 days ago I got an update (I use automatic updates),
KB931784. It says that it installed, but every time I reboot or dun
Updates, it wants to update again. On the Windows Update website, it
says that it is already downloaded. I called Microsoft and they told
me to go to "add/remove programs" and check "show updates" and that
would fix it. It didn't. Then they emailed me the message below,
with 8 steps to try, any of which might work. I've tried the first
six (it took several hours) but the problem is still here.
Is there any way to keep this update from keep re-offering itself?
============================
Updates Re-offered After Download and Install
Any one or all of the following 9 steps may work. Test after each
step.
1. Rename the Edb.log file
Start, Run, type command, and then click OK.
At the DOS prompt, type:
ren %systemroot%\system32\catroot2\Edb.log *.tst
2. Set Cryptographic Services to automatic.
Start the Administrative Tools utility in Control Panel.
Double-click Services.
Right-click Cryptographic Services, and then click Properties.
Click Automatic for Startup type, and then click Start.
Note: Windows 2000 does not list Cryptographic Services in the
SERVICES Administrative Utility.
3. Rename the Catroot2 folder.
Important: Do not rename the Catroot folder. The Catroot2 folder is
automatically recreated by Windows, but the Catroot folder is not
recreated if it is renamed.
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each line:
net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
exit
4. Reregister DLL files that are associated with Cryptographic
Services
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each line and click OK if you are prompted:
regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll (This .dll is not in Win 2000, just omit it)
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll
exit
Reboot the computer at this point. When it reboots,
Click Start, Run, type command, and click OK. At the DOS prompt, type
the following commands, pressing ENTER after each line and click OK if
you are prompted:
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll (This .dll is not in Win 2000, justomit it)
regsvr32 slbcsp.dll
regsvr32 mssip32.dll
regsvr32 cryptdlg.dll
exit
Reboot the computer again.
5. Remove the hidden attribute from %Windir% and from its subfolders
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each command:
attrib -s -h %windir%
attrib -s -h %windir%\system32
attrib -s -h %windir%\system32\catroot2
exit
6. Set non-driver signing policy to silently succeed
Windows 2000:
Set the Unsigned non-driver installation behavior Group Policy setting
to Silently succeed.
This setting is located under:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options in the Group Policy MMC snap-in.
Windows XP: Click Start, click Run, type regedit, and then click OK.
Locate and click key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing
Right-click the Policy binary value and click Modify.
The Value data will appear in a format like: 0000 02 (Example)
Press DELETE to remove the current value (02 in this example)
Type 0 (the current value will now appear as 00).
Click OK, and close Registry Editor.
7. Temporarily turn off Trusted Publishers Lockdown and install the
appropriate certificates in the trusted publishers certificate store.
First, download the update that you want to install from the Microsoft
Download Center or from the Windows Update Catalog.
Create a temporary folder in C: and extract the update package to that
folder.
(The command-line command that you use to do this depends on the
update that you are trying to install. Check the KB article associated
with the update to determine the command-line switches you will use to
extract the package. For example, to extract the 824146 security
update for Windows XP to the C:\824146 folder, run
Windowsxp-kb824146-x86-enu -x:c:\824146. To extract the 828750
security update for Windows XP to the C:\828750 folder, run
q828750.exe /c /t:c:\828750.)
Right-click the KBNumber.cat file from the product update package in
the temporary folder you created above and click Properties. The
KBNumber.cat file may be in a subfoler (for example,
C:\824146\sp1\update or C:\824146\sp2\update).
On the Digital Signatures tab, click the digital signature and then
click Details.
Click View Certificate, and then click Install Certificate.
Click Next to start the Certificate Import Wizard.
Click Place all certificates in the following store, and then click
Browse.
Click Trusted Publishers, and then click OK.
Click Next, click Finish, and then click OK.
8. Verify the status of all certificates in the certification path and
import missing or damaged certificates from another computer.
Step 1: Verify Microsoft certificates
- Open Internet Explorer, click Tools, Internet Options, Content tab,
click Certificates.
- On the Trusted Root Certification Authorities tab, double-click
Microsoft Root Authority. If this certificate is missing, go to step 2
below.
- On the General tab, make sure that the Valid from dates are
1/10/1997 to 12/31/2020.
- On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
- Click OK, and then double-click the NO LIABILITY ACCEPTED
certificate.
- On the General tab, make sure that the Valid from dates are
5/11/1997 to 1/7/2004.
- On the Certification Path tab, verify that either This certificate
has expired or is not yet valid or This certificate is OK appears
under Certificate Status. (Although this certificate is expired, it
will continue to work. he operating system may not work correctly if
the certificate is missing or revoked.)
- Click OK, and then double-click the GTE CyberTrust Root certificate.
You may see more than one of these certificates with the same name.
Check the certificate that has an expiration date of 2/23/2006.
- On the General tab, make sure that the Valid from dates are
"2/23/1996 to 2/23/2006."
- On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
Step 2: Import missing or damaged certificates
If one or more of these certificates are missing or corrupted, export
the missing or corrupted certificates to another computer, and then
install the certificates on your computer. To export certificates on
another computer, follow these steps:
- Open Internet Explorer, click Tools, Internet Options, Content tab,
click Certificates.
- On the Trusted Root Certification Authorities tab, click the
certificate that you want to export.
- Click Export, and then follow the instructions to export the
certificate as a DER encoded Binary x.509(.CER) file.
- After the certificate file has been exported, copy it to the
computer where you want to import it.
- On the computer where you want to import the certificate,
double-click the certificate.
- Click Install certificate, and then click Next.
- Click Finish, and then click OK.
====================
KB931784. It says that it installed, but every time I reboot or dun
Updates, it wants to update again. On the Windows Update website, it
says that it is already downloaded. I called Microsoft and they told
me to go to "add/remove programs" and check "show updates" and that
would fix it. It didn't. Then they emailed me the message below,
with 8 steps to try, any of which might work. I've tried the first
six (it took several hours) but the problem is still here.
Is there any way to keep this update from keep re-offering itself?
============================
Updates Re-offered After Download and Install
Any one or all of the following 9 steps may work. Test after each
step.
1. Rename the Edb.log file
Start, Run, type command, and then click OK.
At the DOS prompt, type:
ren %systemroot%\system32\catroot2\Edb.log *.tst
2. Set Cryptographic Services to automatic.
Start the Administrative Tools utility in Control Panel.
Double-click Services.
Right-click Cryptographic Services, and then click Properties.
Click Automatic for Startup type, and then click Start.
Note: Windows 2000 does not list Cryptographic Services in the
SERVICES Administrative Utility.
3. Rename the Catroot2 folder.
Important: Do not rename the Catroot folder. The Catroot2 folder is
automatically recreated by Windows, but the Catroot folder is not
recreated if it is renamed.
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each line:
net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
exit
4. Reregister DLL files that are associated with Cryptographic
Services
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each line and click OK if you are prompted:
regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll (This .dll is not in Win 2000, just omit it)
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll
exit
Reboot the computer at this point. When it reboots,
Click Start, Run, type command, and click OK. At the DOS prompt, type
the following commands, pressing ENTER after each line and click OK if
you are prompted:
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll (This .dll is not in Win 2000, justomit it)
regsvr32 slbcsp.dll
regsvr32 mssip32.dll
regsvr32 cryptdlg.dll
exit
Reboot the computer again.
5. Remove the hidden attribute from %Windir% and from its subfolders
Click Start, Run, type command, and click OK.
At the DOS prompt, type the following commands, pressing ENTER after
each command:
attrib -s -h %windir%
attrib -s -h %windir%\system32
attrib -s -h %windir%\system32\catroot2
exit
6. Set non-driver signing policy to silently succeed
Windows 2000:
Set the Unsigned non-driver installation behavior Group Policy setting
to Silently succeed.
This setting is located under:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options in the Group Policy MMC snap-in.
Windows XP: Click Start, click Run, type regedit, and then click OK.
Locate and click key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing
Right-click the Policy binary value and click Modify.
The Value data will appear in a format like: 0000 02 (Example)
Press DELETE to remove the current value (02 in this example)
Type 0 (the current value will now appear as 00).
Click OK, and close Registry Editor.
7. Temporarily turn off Trusted Publishers Lockdown and install the
appropriate certificates in the trusted publishers certificate store.
First, download the update that you want to install from the Microsoft
Download Center or from the Windows Update Catalog.
Create a temporary folder in C: and extract the update package to that
folder.
(The command-line command that you use to do this depends on the
update that you are trying to install. Check the KB article associated
with the update to determine the command-line switches you will use to
extract the package. For example, to extract the 824146 security
update for Windows XP to the C:\824146 folder, run
Windowsxp-kb824146-x86-enu -x:c:\824146. To extract the 828750
security update for Windows XP to the C:\828750 folder, run
q828750.exe /c /t:c:\828750.)
Right-click the KBNumber.cat file from the product update package in
the temporary folder you created above and click Properties. The
KBNumber.cat file may be in a subfoler (for example,
C:\824146\sp1\update or C:\824146\sp2\update).
On the Digital Signatures tab, click the digital signature and then
click Details.
Click View Certificate, and then click Install Certificate.
Click Next to start the Certificate Import Wizard.
Click Place all certificates in the following store, and then click
Browse.
Click Trusted Publishers, and then click OK.
Click Next, click Finish, and then click OK.
8. Verify the status of all certificates in the certification path and
import missing or damaged certificates from another computer.
Step 1: Verify Microsoft certificates
- Open Internet Explorer, click Tools, Internet Options, Content tab,
click Certificates.
- On the Trusted Root Certification Authorities tab, double-click
Microsoft Root Authority. If this certificate is missing, go to step 2
below.
- On the General tab, make sure that the Valid from dates are
1/10/1997 to 12/31/2020.
- On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
- Click OK, and then double-click the NO LIABILITY ACCEPTED
certificate.
- On the General tab, make sure that the Valid from dates are
5/11/1997 to 1/7/2004.
- On the Certification Path tab, verify that either This certificate
has expired or is not yet valid or This certificate is OK appears
under Certificate Status. (Although this certificate is expired, it
will continue to work. he operating system may not work correctly if
the certificate is missing or revoked.)
- Click OK, and then double-click the GTE CyberTrust Root certificate.
You may see more than one of these certificates with the same name.
Check the certificate that has an expiration date of 2/23/2006.
- On the General tab, make sure that the Valid from dates are
"2/23/1996 to 2/23/2006."
- On the Certification Path tab, verify that This certificate is OK
appears under Certificate Status.
Step 2: Import missing or damaged certificates
If one or more of these certificates are missing or corrupted, export
the missing or corrupted certificates to another computer, and then
install the certificates on your computer. To export certificates on
another computer, follow these steps:
- Open Internet Explorer, click Tools, Internet Options, Content tab,
click Certificates.
- On the Trusted Root Certification Authorities tab, click the
certificate that you want to export.
- Click Export, and then follow the instructions to export the
certificate as a DER encoded Binary x.509(.CER) file.
- After the certificate file has been exported, copy it to the
computer where you want to import it.
- On the computer where you want to import the certificate,
double-click the certificate.
- Click Install certificate, and then click Next.
- Click Finish, and then click OK.
====================