Cryptographic Service Error

Are YOU getting the following error when you try to install a Windows XP Service Pack?

"Service Pack Setup Error:

Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer"

Or...

YOU are trying to a Windows XP security patch and are getting a similar error message?...or a later service pack?

In which case this article is for YOU...

However please read these Five side notes Before proceeding...

Side Note 1

NB - When you use the Windows Update Web site to install updates, you may receive a 643 error message... if this is the case please go straight to the end of this article!


Side Note 2

If You have installed patch KB823980 AND Windows Update keeps prompting you to install it again - this is not really a cryptographic service error.

But the good news is that you can update your registry to stop this happening again!

More here: windows update keeps prompting


Side Note 3

If You have used Windows Update and keep getting a 0x800B0004 error - this is not really a cryptographic service error.

But the good news is that you can stop this happening again!

More here: The 0x800B0004 error


Side Note 4

If You have used Windows Update and keep FAILING with this error code 0x800A138F Try this article:

More here: The 0x800A138F error


Side Note 5

If You YOUR problem is that the cryptographic service will NOT start and you get error "126 module not found".

See the 126 error at the end of this article...

Now lets read on and try to solve YOUR problem...

Why is this Cryptographic Service Error happening?

NB - If you get Error codes 126 or 643 then go to the end of this article for more information relating to these specific code errors.

This cryptographic service error issue occurs for one of TWO reasons:

REASON ONE:

The Cryptographic Services that should be running on your computer is for some reason set to Disabled for Startup type...

REASON TWO:

There is log file or database corruption in the Windows\System32\Catroot2 folder

If this makes as much sense to you as Sir Isaac Newton's Universal Law of Gravitation - Don't' PANIC...

You do NOT need to understand what is happening, just follow these remedies:

-----------------------------------------------

1) Follow this if - You are trying to install a Windows XP Service Pack:

The first thing is to be aware of is that Microsoft themselves are aware of this issue and have released a fix to the database corruption issue... But more of that in a moment...

First we must just check the Cryptographic Services is actually running on your machine.

To do this:

Start the Administrative Tools utility in Control Panel.

Double-click Services. (this will open the services window)

Right-click Cryptographic Services, and then click Properties.

Click Automatic for Startup type, and then click Start.

....You can now try to reinstall the Windows XP Service Pack

-----------------------------------------------

Tip 1:

If you CAN NOT start the service try booting your machine in SAFE MODE and then repeating the above.. For SAFE MODE press F8 when your PC starts up but, BEFORE you get the Windows XP screen!


Tip 2:

If you can not start the Cryptographic Service then the likely cause is that the Remote Procedure Call (RPC) is not running. To check this go to the "Services" window by running through the steps detailed above... Now right click the Remote Procedure Call (RPC) service. If the status shows it is not running then it has been disabled!

Since the Cryptographic Service is a dependency of the Remote Procedure Call (RPC) - We MUST get this running. Sadly you will not be able to do this from the the "Services" Window... You will see it is "greyed out"!

Follow these instructions...

You will need to use your XP CD to boot the computer into the Recovery Console, then type the command: Enable RPCSS Service_Auto_Start

Now press the Enter key to submit the command.

Now type: exit and press Enter to restart the computer.

If you are unfamiliar with the Recovery Console this Microsoft Article may help: 314058

Now try and install again...

If it FAILS again...

Click Start menu, and then click the Run icon.
In the small box that Opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened (a black background and white text), type the following commands, pressing the ENTER key on your keyboard after each line:

net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc


Now type exit to close the command prompt window, and then try to install Windows XP Service Pack 1 again. It should now work... You may in some rare instances have to reboot your machine again first, so give this a try if it fails again...

If it FAILS again...

Manually delete the contents of %systemroot%\system32\catroot2 and reboot....

As I said earlier Microsoft are aware of this corruption issue and have made a an update available that can correct this issue. To obtain it visit the Windows Update site and download Q817287: Critical Update (Catalogue Database Corruption in Microsoft Windows), this should correct the corruption problem!

Tip:

If you get a reply stating "access denied" try booting your machine in SAFE MODE and then repeating the above.. For SAFE MODE press F8 when your PC starts up but, BEFORE you get the Windows XP screen!

If THAT fails... find the folder called "catroot2" and MANUALLY change it to "catroot2old"

2) Follow this if - You are trying to install a Windows XP Security Patch:

I have been surprised at the amount of emails I continue to received on the subject of cryptographic error messages...! Hopefully this will help you.

First we must just check the Cryptographic Services is actually running on your machine.

To do this:

Start the Administrative Tools utility in Control Panel.
Double-click Services. (this will open the services window)
Right-click Cryptographic Services, and then click Properties.
Click Automatic for Startup type, and then click Start.

You can now try to reinstall security patch!

If it FAILS again...

If you can not start the Cryptographic Service then the likely cause is that the Remote Procedure Call (RPC) is not running. To check this go to the "Services" window by running through the steps detailed above... Now right click the Remote Procedure Call (RPC) service. If the status shows it is not running then it has been disabled!

Since the Cryptographic Service is a dependency of the Remote Procedure Call (RPC) - We MUST get this running. Sadly you will not be able to do this from the the "Services" Window... You will see it is "greyed out"!

Follow these instructions...

You will need to use your XP CD to boot the computer into the Recovery Console, then type the command: Enable RPCSS Service_Auto_Start

Now press the Enter key to submit the command.

Now type: exit and press Enter to restart the computer.

If you are unfamiliar with the Recovery Console this Microsoft Article may help: 314058

Now Try again...

If that fails, try this:

Click Start menu, and then click the Run icon.

In the small box that Opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened (a black background and white text), type the following commands, pressing the ENTER key on your keyboard after each line:

net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc

Now type exit to close the command prompt window, and then try to security patch 823980. It should now work... You may in some rare instances have to reboot your machine again first, so give this a try if it fails again...

Tip:

If you get a reply stating "access denied" try booting your machine in SAFE MODE and then repeating the above.. For SAFE MODE press F8 when your PC starts up but, BEFORE you get the Windows XP screen!

If THAT fails... find the folder called "catroot2" and MANUALLY change it to "catroot2old"

If it FAILS again...

Manually delete the contents of %systemroot%\system32\catroot2 and reboot....


FAILED again?

Well seems to be happening to a few of you... so lets re-register some DLL files. sounds like fun, eh? Onwards and upwards!

Click Start menu, and then click the Run icon.
In the small box that Opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened (a black background and white text), type the following commands, pressing the ENTER key on your keyboard after each line:

net start cryptsvc
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll


Now type the word: exit and the window will close. Now Reboot and try and reply the Microsoft Patch again...

NB - If you just can not face typing all that in the command line, simply download this batch file I have made and run it on your machine... It will do the typing for YOU!

Tip:

If you get a reply stating "access denied" try starting your machine in SAFE MODE and then repeating the above.. For SAFE MODE press F8 when your PC starts up but, BEFORE you get the Windows XP screen!

FAILED yet Again?

(The following is ONLY XP Professional - NOT XP Home Edition)

Well, this is going to happen only to a handful of you... I hope!

Without getting too "techie" on you, there is an issue for some Windows XP Professional users where the computers Software Restriction Policy for the Local Computer only allows "Local computer administrators" to select "trusted publishers". This is causing the failure....

This occurs whether the user installing the security patch is an Administrator or not!

This may mean nothing to you and it does not have too.

Here is the work around:

Click Start menu, and then click the Run icon.
In the small box that Opens, type: gpedit.msc then click the OK button.
In the new windows that opens you will see a menu on the left hand side.
Under Computer Configuration you will see a folder called Windows Settings - double click it.
The new options that appear directly below include Security Settings - double click it.
The new options that appear directly below include Software
Restriction Policies - double click it.
Now on the right hand side of the window you will see an object called Trusted Publishers - double click it and a new window appears.

In this window change the setting under Allow the following users to select trusted publishers to the default which should be End Users.

FAILED yet Again?

You're kidding me?

Well, this is the LAST one "up my sleeve" for you...

Thanks to Bill Prentice a Network Administrator from the US for this tip...

It seems that in some patches can be installed with this workaround:

When a patch installs itself it will "unpack" all the files in too a temporary folder on your PC. If the install fails you might just be able to grab the file you need and move it to the folder Windows XP should have put it in...

Here is an example of what I mean.

First look for the following file on your computer: dberr.txt

Open it and look for the entry that matches the patch number you just tried to install. In this example it is the security patch KB823980:

CatalogDB: 10:09:37 AM 8/19/2003: Adding Catalog File: _000000_.cat
CatalogDB: 10:09:37 AM 8/19/2003: DONE Adding Catalog File: _000000_.cat
CatalogDB: 10:09:37 AM 8/19/2003: File #2 at line #2701 encountered error 0x00000002
CatalogDB: 10:09:37 AM 8/19/2003: The following file was not found - C:\WINDOWS\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB823980.cat
CatalogDB: 10:09:37 AM 8/19/2003: File #2 at line #2595 encountered error 0x00000002
CatalogDB: 10:09:37 AM 8/19/2003: File #2 at line #935 encountered error 0x00000002

We can clearly see that the security patch KB823980 failed to install because Windows XP claims it could NOT find it...

So we are going to give it a helping hand...

We will do this by copying the KB823980.cat file from the temporary unpack folder at the root of C: AND placing this copy in the C:\WINDOWS\System32\CatRoot folder... PLEASE do not put the copied file in the CatRoot2 folder by mistake!

(If you can not find the KB823980.cat file in this example, you could use the search facility on the start menu..)

Now run the patch again and it should install for you... :-)

-----------------------------------------------

Well that is all the "fix's" I have at the moment - but I do update this page when I hear of ANY more!

This just in:


27/08/2003 - I received an email from the Head of IT at a Swiss Bank! Some of you might find this helpful.....

-------------------------------------------------------------------------------------------

Hi Marc

First of all: congratulations to your web site - even Microsoft Support
Services are referencing it when using phone support options!

Here another source for possible errors when installing Hot fixes/using
Windows Update with Windows XP (SP1):


We had cloned notebook images (syspreped) where we couldn't install any
hot fix because of "cryptographic services" issues. We opened a MS
Support Case because no hint (including your website) led to the
resolution of the problem. After some in depth debugging we found the
following error:

On those Notebooks we have predefined group policy settings (for local
computer) which were part of the image itself. One of the settings was:

Group Policy -> User Configuration -> Windows Settings -> Internet
Explorer Maintenance -> Security -> Authenticode Settings -> Enable
Trusted Publisher Lockdown

Where the box has been checked. Disabling the checked box made the bug
disappearing (i.e. all hot fix installation & windows update site worked
correctly after this). We were further investigating this behaviour and
found the following:

On a newly installed Windows XP (SP1) machine (or a
cloned, syspreped one) when a user logs in locally for the first time
and the mentioned group policy setting is not active he can't use any
active x controls (e.g. windows update site) and can't install any signed
(Microsoft) hot fixes.

Disabling this group policy setting re-enables the
user for mentioned tasks. On an already installed Windows XP (SP1)
machine where trusted publisher elections (e.g. for windows update
active x controls or hot fix installations) already have been made (once)
the group policy settings has no effect (resp. only disables further
trusted publisher elections for other active x codes / hot fixes from
other trusted publishers).

Please let me know whether you have any questions and whether you could
reproduce the settings -> I think publishing this hint to your website
would be very helpful for the desperate ones who still can't
update/patch their windows machines.
--------------------------------------------------------------------------------------------

ERROR 643

When you use the Windows Update Web site to install updates, you may receive a 643 error message.

If this is the case then we need to delete the database catalogue and let Windows XP rebuild it automatically:

Click Start menu, and then click the Run icon.
In the small box that Opens, type the three letters: cmd then click the OK button.

In the command prompt window that just opened (a black background and white text), type the following command, pressing the ENTER key on your keyboard afterwards:

del /q "%SystemRoot%\System32\Catroot2\Edb.log


Now type exit to close the command prompt window, and then try to install the patch again... This is also worth doing if you find your Windows Media Player is slow to respond...


ERROR 126

Some folks get the message:

Error 126: The specified module could not be found

This is a very "general" error code, however in this instance the following may help:

a) Delete the contents of the "Windows\System32\catroot2" folder and see if that helps resolve the issue.

b) If that fails, then check all the root directories and see if any are set as "Read Only"... this is a common symptom of an incomplete SP1 install. If they are then uncheck them! and try again...

C) Make sure cryptui.dll is in system32 folder and is NOT corrupt!

d) Make sure certcli.dll is in system32 folder and is NOT corrupt!

Use the sfc /scannow utility to check for file corruption in c) and d) http://www.updatexp.com/scannow-sfc.html

e) Re-register DLL Files That Are Associated With the Cryptographic Service
To register .dll files that are associated with Cryptographic Services, follow these steps: (NB - you may have used the batch file in the article above... however this may not have worked so we need to manually un-register then register them...)

Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following commands, pressing ENTER after each line:

Note Click OK if you are prompted to do so.

regsvr32 softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u cryptdlg.dll
regsvr32 /u softpub.dll
exit

Restart your computer.

Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following commands (press ENTER after each command):

Note Click OK if you are prompted to do so.

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
regsvr32 softpub.dll
exit

Now check to see if the service will now start!