The case of the failing signed driver install

February 11, 2010

I was asked recently to look at a couple of support cases that had been logged where installations of our Application Manager and Performance Manager products were failing. The logs from the failed installations, obtained from invoking msiexec with the /l*vx syntax, gave the following error:

(Error code 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)

A web search for the error gave many matches which didn’t really help so I then tried to reproduce the error in a Windows Server 2003 x86 virtual machine but the installation worked fine, as it usually does. Analysis of the msiexec log from the failing system indicated that the error was occurring when installing our signed device drivers. So next I ran the great Process Monitor tool from SysInternals, now Microsoft, to try and understand what was happening, file system and registry wise, during the installation, particularly around the area where the msiexec process installs the device drivers.

What this showed me was immediately before our driver catalog (.cat) file was read, the “State” registry value in the following key was being read:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Given the error text from the failed installation, this looked relevant. A quick web search threw up a number of interesting articles, namely:

http://msdn.microsoft.com/en-us/library/aa388201(VS.85).aspx

and

http://blogs.msdn.com/spatdsg/archive/2006/06/05/618082.aspx

which led me to try changing the “state” value in the registry in my test VM from 0x23c00 to 0x40000  (WTPF_ALLOWONLYPERTRUST as per the MSDN link above and the wintrust.h header file so effectively much more restrictive than what was in this value by default).

Retrying the previously successful installation in my test VM then gave exactly the same error that our customers had been experiencing. On passing this information on, both customers confirmed that their “state” registry values were either not as per the default or were missing, due to the parent key being absent, and that setting the “state” value to the default allowed the drivers to be successfully installed.

Case(s) solved! But this leaves me with the desire to know what caused this to happen, particularly as we have had two cases from different customers logged so closely together, given that I stopped believing in coincidences many years ago. This is the main reason for me blogging about this issue – I hope that by the power of search engine indexing that if others suffer this issue then they will be brought here and their problem solved.

Guy Leech

10th Feb 2010






NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions

September 17, 2009

This is the eleventh installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2.  (If you have not yet downloaded this latest release, you can read more info and download it from here )

AppSense Environment Manager 8.0 Service Pack 2 introduces new functionality to the Registry Hive action – Registry Hive Exclusions.

This feature allows the administrator to specify registry settings to hive out at a specific level and then exclude certain keys or values beneath that level in order to reduce the registry file size on disk. For example, you could hive out the whole Microsoft Office key, but exclude settings for Microsoft Access.

Note: You can use wildcards for the key name and you can explicitly exclude a key name with an embedded wildcard character by enclosing the key name with quotes “”. However, it is not possible to specify a key path with a leading wildcard such as *\Software”wildcardkey*”.

Note: It is not advised to use keys that start with HKEY_CURRENT_USER since the software does not use this key internally

Note: Registry Hive Exclusions currently only work when hiving out settings rather than hiving them in. This is the preferred method since it reduces the amount of required storage space on the network.

P:S
As this is an ever growing blog topic, the previous posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions



NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

September 14, 2009

This is the tenth installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2.  (If you have not yet downloaded this latest release, you can read more info and download it from here )

AppSense Environment Manager 8.0 SP2 includes an automatic refresh of items which use the following registry keys, or subkeys:

control panel\accessibility\stickykeys
control panel\appearance
control panel\colors
control panel\cursors
control panel\desktop
control panel\international
control panel\keyboard
control panel\mouse
keyboard layout
software\microsoft\plus!
software\microsoft\windows\currentversion\policies\explorer
software\microsoft\windows\currentversion\policies\system\wallpaper
software\microsoft\windows\currentversion\themes

These registry keys are all refreshed by using the SystemParametersInfo win32 function to individually set known items.

In addition, any change to the desktop folders causes an icon refresh to be sent and AppSense Environment Manager also broadcasts a system wide policy update message.

Refreshes are sent after all other actions have taken place.

A broadcast message for environment variables is sent whenever Environment Manager updates any variables. Environment Manager listens for broadcasts from other programs, such as VBScripts, to pick up any environment variable changes from within them.

Tip: If the key you are setting requires a refresh but is not in the list above, try setting a dummy value that matches one of the above registry keys. This forces a refresh.

P:S
As this is an ever growing blog topic, the previous posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions


NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

September 7, 2009

This is the eigth installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2.  (If you have not yet downloaded this latest release, you can read more info and download it from here )

AppSense Environment Manager 8.0 Service Pack 2 introduces a new option – Stop If Fails.

In order to emulate functionality from earlier versions of Environment Manager, the Stop If Fails option can be utilized to prevent subsequent processing of child nodes. This does not alter the existing behavior of other actions and parallel nodes.

Note: By default, any action or condition that fails automatically stops the processing of subsequent child actions or child conditions.

On upgrading from a 7.x Environment Manager configuration, all rules are converted to reusable conditions and Stop If Fails is applied to each condition where referenced in the main configuration body.

Note: Stop If Fails is not available from within either reusable nodes or reusable conditions. Copying or moving nodes or conditions that contain the Stop If Fails option to reusable nodes or reusable conditions results in those Stop If Fails options being removed. However, Stop If Fails can still be applied to the reusable node when referenced from within the main body of the configuration.

P:S
As this is an ever growing blog topic, the previous posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions