Friday, June 18, 2010

C:\WINDOWS\Installer\fbf6b0f.msp was rejected by digital signature policy.

When you try to install a large Microsoft Windows Installer (.msi) package or a large Microsoft Windows Installer patch (.msp) package on a computer that is running Windows Server 2003 Service Pack 2, you receive the following error message:
Error 1718. File FileName was rejected by digital signature policy.
Additionally, the following event may be logged in the Application log:
Type: Error
Source: MsiInstaller
Category: None
Event ID: 1008
Date: Date
Time: Time
User: N/A
Computer: ComputerName

Description:
The installation of FileName is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
Back to the top

CAUSE
This problem occurs if the Windows Installer process has insufficient contiguous...

This problem occurs if the Windows Installer process has insufficient contiguous virtual memory to verify that the .msi package or the .msp package is correctly signed.
Back to the top

RESOLUTION
Update download information The following files are available for download from...

Update download information

The following files are available for download from the Microsoft Download Center:

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003 (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=d79fb7bd-a16c-45f0-9b32-a309b3763951)

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003, x64 Edition (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=f1ebf2c8-0573-4686-adbc-099feeafcc9b)

Collapse this imageExpand this image
Download
Download the Update for Windows Server 2003 for Itanium-based Systems (973825) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=5367c44d-2260-44a6-b4c1-2ce9e2b00e2d)

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

You must have Windows Server 2003 Service Pack 2 installed to apply this update.

Restart requirement

You must restart your computer after you apply the update.

Update replacement information

This update does not replace any other updates.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Back to the top

Update for Windows Server 2003 (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.4555619,00818-Jul-200915:58x86SP2SP2GDR
Advapi32.dll5.2.3790.4555619,00818-Jul-200916:19x86SP2SP2QFE
Back to the top

Update for Windows Server 2003, x64 Edition (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,052,16018-Jul-200921:45x64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:45x86SP2WOW
Advapi32.dll5.2.3790.45551,065,98418-Jul-200916:32x64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW
Back to the top

Update for Windows Server 2003 for Itanium-based Systems (KB973825)

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,482,75218-Jul-200921:44IA-64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:44x86SP2WOW
Advapi32.dll5.2.3790.45551,483,77618-Jul-200916:32IA-64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW
Back to the top

WORKAROUND
Important This section, method, or task contains steps that tell you how to modi...

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
To work around this problem, change the PolicyScope registry value to 1 before you try to install the package. To do this, follow these steps.

Note If the computer is joined to a domain, a domain policy update may override the registry changes that you make. We strongly recommend that you disconnect the computer from the domain before you follow these steps.
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Note Before you modify this key, we recommend that you back up this key. To do this, right-click CodeIdentifiers, and then click Export. Save the file to a location where you can find it on the computer.
  3. Change the PolicyScope registry value. To do this, double-click PolicyScope, and then change the setting from 0 to 1.
  4. Close Registry Editor.
  5. Click Start, click Run, type cmd, and then click OK to open a Command Prompt window.
  6. At the command prompt, type the following command, and then press ENTER:
    net stop msiserver
    This command stops the Windows Installer service if the service is currently running in the background. When the service has stopped, close the Command Prompt window, and then go to step 7.

    Note If you receive the following message at the command prompt, close the Command Prompt window, and then go to step 7:
    The Windows Installer service is not started
  7. Install the package that you were trying to install when you received the error message that is mentioned in the "Symptoms" section.
  8. After you install the package, repeat steps 1 and 2. Then, change the PolicyScope registry value back to 0.
  9. If you disconnected the computer from a domain, rejoin the domain, and then restart the computer.

    Note If you did not disconnect the computer from a domain, you do not have to restart the computer.
If the previous steps did not resolve the issue, follow these steps:
  1. Click Start, click Run, type control admintools, and then click OK.
  2. Double-click Local Security Policy.
  3. Click Software Restriction Policies.

    Note If no software restrictions are listed, right-click Software Restriction Policies, and then click Create New Policy.
  4. Under Object Type, double-click Enforcement.
  5. Click All users except local administrators, and then click OK.
  6. Restart the computer.
Important After you follow the previous steps, local administrators can install the .msi package or the .msp package. After the package is installed, reset the enforcement level by following the previous steps. In step 5, click All users instead of All users except local administrators.

Notes
  • The workaround may not work in an Active Directory domain environment. In an Active Directory domain environment, a domain policy refresh operation will overwrite the local Software Restriction Policies.
  • Adding more RAM to the computer will not resolve the problem.
Back to the top

MORE INFORMATION
Starting with Windows XP, a security policy that is named Software Restriction P...

Starting with Windows XP, a security policy that is named Software Restriction Policies (also known as SAFER) was introduced to help users avoid running unsafe files. Windows Installer uses software restriction policies to verify the signatures of signed .msi package files and signed .msp package files. Windows Installer does this to make sure that the files were not tampered with before they are installed on the computer. Windows XP and Windows Server 2003 require that the whole .msi package file or the whole .msp package file to be loaded into one contiguous piece of memory in the address space of the Windows Installer process.

If an .msi package file or an .msp package file is too large to fit into a contiguous piece of virtual memory, Windows Installer cannot verify that the package is correct. In this scenario, you experience the symptoms that are described in the “Symptoms” section. The fix that is described in this article enables software restriction policies to use less virtual memory to perform the signature verification. Therefore, Windows Installer can verify any size files.
Posted by at
Labels:

1 comment:

  1. laurenMarch 18, 2011 at 5:57 PM

    As I remember that last year i had Windows Server 2003 and whenever I tried to install a large Microsoft Windows Installer (.msi) package It used to give same error .I interpreted that may be files are corrupted but as you said that the cause is not this.Now I use my laptop with Windows XP and not this issue but Thanks for clearing my doubts
    digital signatures sharepoint

    ReplyDelete

Subscribe to: Post Comments (Atom)