Event Id 4107 CAPI2 Repeating

Thomas Grassi
Event Id 4107 CAPI2 Repeating over and over

This happens on several servers.

Windows 2012 R2 , Windows 2016 and Windows 2019

I have tried several methods to clear this ignoring event that floods my event viewer daily.

First I set my views to see hidden files and extensions etc.

Then ran this command:

certutil -urlcache * delete


But the events still keep appearing over and over. This all started about 3 months ago after Windows updates were applied.

Has anyone seen this event? Has anyone been able to resolve this?

Thank you

Tom
Distinguished Expert 2017

Commented:
Distinguished Expert 2017

Commented:
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold

I am only logged on to the server with one account.

I have a couple of accounts on each server.

Should I log on as each one and run that command?

The servers are all domain joined.

Should I log on locally as the administrator also?

Thank you

Tom

Distinguished Expert 2017

Commented:
Yes.

Is the event attributed to a user?
The event based on your info is triggered by other
What do the servers do?
It might be triggered by a service account

I
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold,

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          12/8/2019 11:56:32 AM
Event ID:      4107
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TGCS027-N1.our.network.tgcsnet.com
Description:
Failed extract of third-party root list from auto update cab at: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">4107</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-08T16:56:32.468504200Z" />
    <EventRecordID>33688</EventRecordID>
    <Correlation />
    <Execution ProcessID="2832" ThreadID="8408" />
    <Channel>Application</Channel>
    <Computer>TGCS027-N1.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
    <Data>The data is invalid.
</Data>
  </EventData>
</Event>


These two are used for SharePoint 2016. They are on Windows 2019 Data Center Servers.


Should I just go into each user folder and run the command?

Originally I did not have permissions to view the other user folders; now I do.

Thoughts?
Thomas Grassi, Systems Administrator

Author

Commented:
I switched to each user's folder and ran the command.

Then I saw this event message.

Can we suppress this event altogether?



Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          12/8/2019 12:15:00 PM
Event ID:      4102
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TGCS027-N1.our.network.tgcsnet.com
Description:
Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">4102</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-08T17:15:00.711137900Z" />
    <EventRecordID>33738</EventRecordID>
    <Correlation />
    <Execution ProcessID="2832" ThreadID="3284" />
    <Channel>Application</Channel>
    <Computer>TGCS027-N1.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>50</Data>
    <Data>60</Data>
  </EventData>
</Event>
Distinguished Expert 2017

Commented:
The link includes the deletion of the cached data within the service profiles.

Try it on one.
See if those messages go away, then go on to the next.
Not sure I understand you getting access to user's folders. comment.

See if the issue is within the service accounts.
Distinguished Expert 2017

Commented:
The 4102 is the result of too many sequential events of this type in a period, so logging is being suspended for 60 minutes.
%windir%\ServiceProfiles.....

Networkservice
Localservice
Localsystem
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold,

I do not believe that the command works.

Yes, it deleted a lot of cache files, but the event is still happening over and over and over.

Someone or something should be able to resolve this.

Thoughts?
Distinguished Expert 2017

Commented:
Have not run into this.


Do you have an internal proxy through which you can redirect these requests to the correct URL?

I.e. if you paste this in the browser, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab you will be redirected to another secure site.
But it seems it runs into issues.
Thomas Grassi, Systems Administrator

Author

Commented:
I do not run any proxy here

I opened it on my computer no problem

Servers browsers are locked down.  Only internal sites
Distinguished Expert 2017

Commented:
The error is that the item can not be retrieved or the data retrieved is corrupt.

If you can setup a proxy so that the servers through the proxy can access this the error ...

Potentially disabling the publisher revocation list of certificates may avoid this issue,
Thomas Grassi, Systems Administrator

Author

Commented:
Not going to setup no proxy that is a bad idea

This error is crazy and very strange
Distinguished Expert 2017

Commented:
In short, the error is a check on whether there is a certificate that has been revoked. This seems to be Microsoft's certificate revocation list URL included in .......
Not sure what triggers it or whether each invocation of a secure channel triggers this verification.

This can be triggered any time your SharePoint is accessed; presumably it is behind an SSL connection.

It is not a complete proxy; it could be a reverse proxy just for this URL and nothing else as a test.

Alternatively, set up a test VM with either and see whether imposing the access restrictions and then accessing a sample SharePoint on this system triggers the CAPI2 error every time access is attempted.
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold

This happens on other servers also, a total of 7 of the 30 plus servers I run here.

4 servers are Windows 2012 R2, used by Veeam B&R as proxy servers.
2 servers are Windows 2016, used by Veeam B&R as proxy servers.
1 is one of the farm servers for SharePoint, Windows 2019.

So it happens across multiple platforms.

Has to be a way to suppress this error.

All my certs are current. I have a web site whose cert is going to expire in a month; I have to update that one. I have the cert file and need to schedule time for that change.

If I set up a VM it would be a proxy server. Which roles do I need to accomplish this?
Distinguished Expert 2017

Commented:
I do not think it is an issue with your certs but a repeated validation of Certificate Authorities.

Try this on a workstation.
In %windir%\system32\drivers\etc\hosts
Add the host of the URL:
127.0.0.1 ctldl.windowsupdate.com

And see whether your workstation when using IE or Edge when accessing secure sites generates these errors.

Another option: download the cab, set up the path on an internal web server and point it there as a test of whether these CAPI2 events go away.
The test deals with whether the servers lack access to the URL and this indicates a failure, or the servers get the cab but fail or it is corrupt.

Another idea, depending on you: set up Wireshark on one system and set up a rule to capture traffic to the URL and back to see what is happening. I.e. the access attempt is made and no data flows back, or data flows back.


A reverse proxy can easily be setup for this specific URL ......

How are the 7 that have these errors different from the others of the 30?
What functions/restrictions exist on these 7?
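
The test described in the comment above (does the server fail to reach the URL, or does it receive a cab that is corrupt), as an added PowerShell example that is not part of the original thread. The function names and the scratch folder are hypothetical; the URL and the event IDs 4107 and 4102 are the ones posted in the thread.

```powershell
# Added example, not code from the thread. Run elevated on an affected server (PowerShell 4.0+).
$Url = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'  # from the 4107 event

function Get-Capi2Summary {
    # Hypothetical helper: counts 4107 events per URL/error over the last $Days days.
    param([int]$Days = 7)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Id           = 4107, 4102
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    # 4107 carries the URL and the error text as its two EventData values.
    $events | Where-Object { $_.Id -eq 4107 } |
        Group-Object { '{0} | {1}' -f $_.Properties[0].Value, "$($_.Properties[1].Value)".Trim() } |
        Select-Object Count, Name

    # 4102 means crypt32 reached its threshold and suspended logging,
    # so the 4107 count above is only a lower bound.
    $throttled = @($events | Where-Object { $_.Id -eq 4102 }).Count
    if ($throttled) { Write-Warning "$throttled throttle event(s) (4102): real 4107 count is higher." }
}

function Test-AuthRootCab {
    # Hypothetical helper: downloads the cab several times and checks each copy.
    param(
        [string]$Uri      = $Url,
        [int]$Attempts    = 3,
        [string]$WorkDir  = (Join-Path $env:TEMP 'capi2-4107-check')   # assumed scratch folder
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

    foreach ($i in 1..$Attempts) {
        $cab    = Join-Path $WorkDir "authrootstl-$i.cab"
        $outDir = Join-Path $WorkDir "extract-$i"
        $result = [ordered]@{
            Attempt = $i; Downloaded = $false; Bytes = 0
            IsCabinet = $false; Extracted = $false; Sha256 = $null; Error = $null
        }
        try {
            # Step 1: can this server fetch the URL at all?
            Invoke-WebRequest -Uri $Uri -OutFile $cab -UseBasicParsing -ErrorAction Stop
            $result.Downloaded = $true

            $bytes         = [System.IO.File]::ReadAllBytes($cab)
            $result.Bytes  = $bytes.Length
            $result.Sha256 = (Get-FileHash -Path $cab -Algorithm SHA256).Hash

            # Step 2: is the payload a cabinet? Cabinet files start with the ASCII
            # signature "MSCF"; an HTML error page or a truncated body does not.
            $result.IsCabinet = ($bytes.Length -ge 4) -and
                ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'MSCF')

            # Step 3: does it actually extract? A valid header with a damaged body fails here.
            if ($result.IsCabinet) {
                if (Test-Path $outDir) { Remove-Item $outDir -Recurse -Force }
                New-Item -ItemType Directory -Path $outDir | Out-Null
                & "$env:SystemRoot\System32\expand.exe" $cab '-F:*' $outDir | Out-Null
                $result.Extracted = @(Get-ChildItem -Path $outDir -File).Count -gt 0
            }
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Get-Capi2Summary | Format-Table -AutoSize
Test-AuthRootCab | Format-Table -AutoSize
```

`Downloaded = False` points at the network path, while `Downloaded = True` with `IsCabinet` or `Extracted` false points at bad content; comparing `Sha256` between attempts and against a server that does not log 4107 shows whether the content differs. The check runs as the logged-on user, so it says nothing about what a service account on the same server can reach.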
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold,

On one of the Windows 2012 R2 servers that I am getting the same error on, I go into the event viewer and find the error.

Then I click on the link and it takes me to the site no problem; it gives me the Open / Save / Save As options.

I tried Open and it displayed that it failed to open.
I changed the settings on IE and now I get

The page can't be displayed


If I choose the SAVE option

then click on Open: cannot open the cabinet file.

I saved again and it allowed me to open it.


It looks like the servers can get to the site; it is just a bad file.

Thoughts?
Distinguished Expert 2017

Commented:
I downloaded the file, but it is not clear what it is. Extracted the cab, but the data within .....
Other than the link posted from Microsoft, I found another link that seemingly had a pair of links with follow-up comments in a social.microsoft.com thread, but the links were dead.

Look by the GUID referenced in the error.

Look at the computer certificates trusted and see if you have expired CA certs and delete them.

One thing: the file is accessible and is corrupt.
If you use hosts such that example, whether the failure to access the URL generate these errors as well.

Note the CRL URL is unencrypted; when you use the browser, the browser is redirected to a secure site.

My nature is to chase down and try different approaches as I suggested.

Are the 7 that have these issues older, including inline upgrades if any?
There has to be something common to them that is not needed or used on the remaining 23.
See if these seven have optional root server certs updates available.
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold

The 7 are all up to date as the others. One is a Windows 2019 server, which is as new as it can be.


See if these seven have optional root server certs updates available

I opened certificates on one of the servers with the issue. What am I looking for?

Thanks
Distinguished Expert 2017

Commented:
On an old system, that would be for expired certs.
On a new one, see if you have two certs for the same thing, one of which is expiring within the next year.

Since I've not run into these, I am trying to narrow down what causes these checks and what process performs them.

The other is to look at different certs that reference the URL.

What is common to the seven? Web servers?
Distinguished Expert 2017

Commented:
This issue goes back almost a decade.
https://blogs.msmvps.com/bradley/2010/09/03/capi2-errors-driving-you-crazy/

There has to be something common ....
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold

Yes, very old, and the paths do not match with Windows 2012 R2, Windows 2016 or Windows 2019.

Just do not understand why this command, certutil -urlcache * delete, does not fix the issue.
Distinguished Expert 2017

Commented:
Are all the events pointing to the same destination from which the auto update should be retrieved?
Potentially the

The certutil, did you run it in an elevated command as well as a non-elevated command? Just guesstimating/checking.

If you have two 2012 R2, what is the difference between the one with these errors and the one without?
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold,

Yes, they are all pointing to the same destination, the exact same error on all 7.

I thought I did but I will make sure.    I just reran it on the Windows 2019 server.  

All my Servers have different roles installed

Wish there was a way to disable this check
Distinguished Expert 2017

Commented:
Having not encountered a similar error, did not have the ... To have chased this issue down.

What roles/features do the 7 have in common, installed software?

Grab the output of netstat -anb
Nslookup the host in the url
Then see which process is making the connections to that ip.
Thomas Grassi, Systems Administrator

Author

Commented:
Arnold


As you can see, the servers are mostly basic. I have installed NSCLIENT for Nagios, TeamViewer for access to. VMTools for VMware.

PS C:\util> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installstate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : User-Interfaces-Infra
InstallState : Installed

Name         : Server-Gui-Mgmt-Infra
InstallState : Installed

Name         : Server-Gui-Shell
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Server 2012 R2 #2

Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.



    Directory: C:\Util


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/6/2018   4:24 PM            557 ClearAllEvetLogs.ps1
-a----       11/24/2018   7:27 PM           1676 events.ps1
-a----        11/5/2015  11:43 AM            441 get-application.ps1
-a----       11/18/2015   6:02 PM             71 get-drivesize.ps1
-a----       10/26/2015   4:57 PM           1423 get-event.ps1
-a----        11/5/2015  11:46 AM            423 get-system.ps1
-a----       11/25/2018   6:23 PM            436 getupdates.ps1
-a----       10/24/2018   8:17 PM            275 patches.ps1
-a----       11/24/2018   4:53 PM            314 serverup.ps1
-a----        3/26/2019  11:55 PM            167 task-start.ps1
-a----       11/18/2015   5:03 PM           4499 tools.ps1
-a----        6/17/2019   3:57 PM            533 wu.ps1
Welcome to TGCSNET Custom PowerShell Environment


PS C:\util> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installstate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : User-Interfaces-Infra
InstallState : Installed

Name         : Server-Gui-Mgmt-Infra
InstallState : Installed

Name         : Server-Gui-Shell
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed


Server 2012 R2 #3

Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.



    Directory: C:\Util


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/6/2018   4:24 PM            557 ClearAllEvetLogs.ps1
-a----       11/24/2018   7:27 PM           1676 events.ps1
-a----        11/5/2015  11:43 AM            441 get-application.ps1
-a----       11/18/2015   6:02 PM             71 get-drivesize.ps1
-a----       10/26/2015   4:57 PM           1423 get-event.ps1
-a----        11/5/2015  11:46 AM            423 get-system.ps1
-a----       11/25/2018   6:23 PM            436 getupdates.ps1
-a----       10/24/2018   8:17 PM            275 patches.ps1
-a----       11/24/2018   4:53 PM            314 serverup.ps1
-a----        3/26/2019  11:55 PM            167 task-start.ps1
-a----       11/18/2015   5:03 PM           4499 tools.ps1
-a----        6/17/2019   3:57 PM            533 wu.ps1
Welcome to TGCSNET Custom PowerShell Environment


PS C:\util> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installstate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : User-Interfaces-Infra
InstallState : Installed

Name         : Server-Gui-Mgmt-Infra
InstallState : Installed

Name         : Server-Gui-Shell
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Server 2012 R2 #4

Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.



    Directory: C:\Util


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/6/2018   4:24 PM            557 ClearAllEvetLogs.ps1
-a----       11/24/2018   7:27 PM           1676 events.ps1
-a----        11/5/2015  11:43 AM            441 get-application.ps1
-a----       11/18/2015   6:02 PM             71 get-drivesize.ps1
-a----       10/26/2015   4:57 PM           1423 get-event.ps1
-a----        11/5/2015  11:46 AM            423 get-system.ps1
-a----       11/25/2018   6:23 PM            436 getupdates.ps1
-a----       10/24/2018   8:17 PM            275 patches.ps1
-a----       11/24/2018   4:53 PM            314 serverup.ps1
-a----        3/26/2019  11:55 PM            167 task-start.ps1
-a----       11/18/2015   5:03 PM           4499 tools.ps1
-a----        6/17/2019   3:57 PM            533 wu.ps1
Welcome to TGCSNET Custom PowerShell Environment


PS C:\util> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installstate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : User-Interfaces-Infra
InstallState : Installed

Name         : Server-Gui-Mgmt-Infra
InstallState : Installed

Name         : Server-Gui-Shell
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Servers Windows 2016  # 1

PS C:\util> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installstate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : Windows-Defender-Features
InstallState : Installed

Name         : Windows-Defender
InstallState : Installed

Name         : Windows-Defender-Gui
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Server Windows 2016 #2
PS C:\Windows\system32> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installs
tate


Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : FS-SMB1
InstallState : Installed

Name         : Windows-Defender-Features
InstallState : Installed

Name         : Windows-Defender
InstallState : Installed

Name         : Windows-Defender-Gui
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Server Windows 2019 #1    This has SharePoint installed

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-WindowsFeature | Where-Object {$_. installstate -eq "installed"} | Format-List Name,Installs
tate | more


Name         : FileAndStorage-Services
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : Web-Server
InstallState : Installed

Name         : Web-WebServer
InstallState : Installed

Name         : Web-Common-Http
InstallState : Installed

Name         : Web-Default-Doc
InstallState : Installed

Name         : Web-Dir-Browsing
InstallState : Installed

Name         : Web-Http-Errors
InstallState : Installed

Name         : Web-Static-Content
InstallState : Installed

Name         : Web-Http-Redirect
InstallState : Installed

Name         : Web-Health
InstallState : Installed

Name         : Web-Http-Logging
InstallState : Installed

Name         : Web-Custom-Logging
InstallState : Installed

Name         : Web-Log-Libraries
InstallState : Installed

Name         : Web-Request-Monitor
InstallState : Installed

Name         : Web-Http-Tracing
InstallState : Installed

Name         : Web-Performance
InstallState : Installed

Name         : Web-Stat-Compression
InstallState : Installed

Name         : Web-Dyn-Compression
InstallState : Installed

Name         : Web-Security
InstallState : Installed

Name         : Web-Filtering
InstallState : Installed

Name         : Web-Basic-Auth
InstallState : Installed

Name         : Web-Client-Auth
InstallState : Installed

Name         : Web-Digest-Auth
InstallState : Installed

Name         : Web-Windows-Auth
InstallState : Installed

Name         : Web-App-Dev
InstallState : Installed

Name         : Web-Net-Ext
InstallState : Installed

Name         : Web-Net-Ext45
InstallState : Installed

Name         : Web-Asp-Net
InstallState : Installed

Name         : Web-Asp-Net45
InstallState : Installed

Name         : Web-ISAPI-Ext
InstallState : Installed

Name         : Web-ISAPI-Filter
InstallState : Installed

Name         : Web-Mgmt-Tools
InstallState : Installed

Name         : Web-Mgmt-Console
InstallState : Installed

Name         : Web-Mgmt-Compat
InstallState : Installed

Name         : Web-Metabase
InstallState : Installed

Name         : Web-Lgcy-Scripting
InstallState : Installed

Name         : Web-WMI
InstallState : Installed

Name         : Web-Scripting-Tools
InstallState : Installed

Name         : Web-Mgmt-Service
InstallState : Installed

Name         : NET-Framework-Features
InstallState : Installed

Name         : NET-Framework-Core
InstallState : Installed

Name         : NET-HTTP-Activation
InstallState : Installed

Name         : NET-Non-HTTP-Activ
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-Framework-45-ASPNET
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-HTTP-Activation45
InstallState : Installed

Name         : NET-WCF-Pipe-Activation45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : System-DataArchiver
InstallState : Installed

Name         : Windows-Defender
InstallState : Installed

Name         : Windows-Identity-Foundation
InstallState : Installed

Name         : PowerShellRoot
InstallState : Installed

Name         : PowerShell
InstallState : Installed

Name         : PowerShell-V2
InstallState : Installed

Name         : PowerShell-ISE
InstallState : Installed

Name         : WAS
InstallState : Installed

Name         : WAS-Process-Model
InstallState : Installed

Name         : WAS-NET-Environment
InstallState : Installed

Name         : WAS-Config-APIs
InstallState : Installed

Name         : Search-Service
InstallState : Installed

Name         : WoW64-Support
InstallState : Installed

Name         : XPS-Viewer
InstallState : Installed




On the 2019 Server

Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -anb

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING
 [nscp.exe]
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING
 [nscp.exe]
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:10273          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:12489          0.0.0.0:0              LISTENING
 [nscp.exe]
  TCP    0.0.0.0:12489          0.0.0.0:0              LISTENING
 [nscp.exe]
  TCP    0.0.0.0:16001          0.0.0.0:0              LISTENING
 [Microsoft.Office.Project.Server.Calculation.exe]
  TCP    0.0.0.0:16002          0.0.0.0:0              LISTENING
 [Microsoft.Office.Project.Server.Queuing.exe]
  TCP    0.0.0.0:16003          0.0.0.0:0              LISTENING
 [Microsoft.Office.Project.Server.Eventing.exe]
  TCP    0.0.0.0:22233          0.0.0.0:0              LISTENING
 [DistributedCacheService.exe]
  TCP    0.0.0.0:22234          0.0.0.0:0              LISTENING
 [DistributedCacheService.exe]
  TCP    0.0.0.0:22236          0.0.0.0:0              LISTENING
 [DistributedCacheService.exe]
  TCP    0.0.0.0:32843          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:32844          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49673          0.0.0.0:0              LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49699          0.0.0.0:0              LISTENING
 [spoolsv.exe]
  TCP    0.0.0.0:49729          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:50922          0.0.0.0:0              LISTENING
 [schedengine.exe]
  TCP    0.0.0.0:51220          0.0.0.0:0              LISTENING
 [schedengine.exe]
  TCP    0.0.0.0:58034          0.0.0.0:0              LISTENING
 [schedengine.exe]
  TCP    0.0.0.0:60384          0.0.0.0:0              LISTENING
 [schedengine.exe]
  TCP    0.0.0.0:61328          0.0.0.0:0              LISTENING
 [schedengine.exe]
  TCP    10.2.8.120:139         0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    10.2.8.120:22233       10.2.8.121:51147       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51148       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51149       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51150       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51151       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51152       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51153       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51154       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51155       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51156       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51157       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:22233       10.2.8.121:51158       ESTABLISHED
 [DistributedCacheService.exe]
  TCP    10.2.8.120:55150       162.250.5.70:5938      ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    10.2.8.120:55162       40.117.135.216:443     ESTABLISHED
 [iexplore.exe]
  TCP    10.2.8.120:60875       10.2.8.177:445         ESTABLISHED
 Can not obtain ownership information
  TCP    10.2.8.120:62777       10.2.8.86:49325        ESTABLISHED
  LanmanWorkstation
 [svchost.exe]
  TCP    10.2.8.120:62779       10.2.8.86:49325        ESTABLISHED
  LanmanWorkstation
 [svchost.exe]
  TCP    10.2.8.120:63270       10.2.8.87:49277        ESTABLISHED
  LanmanWorkstation
 [svchost.exe]
  TCP    10.2.8.120:63272       10.2.8.87:49277        ESTABLISHED
  LanmanWorkstation
 [svchost.exe]
  TCP    10.2.8.120:64409       169.57.91.229:80       ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    10.2.8.120:64410       169.57.91.229:80       ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:5939         127.0.0.1:55151        ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:5939         127.0.0.1:57047        ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:55151        127.0.0.1:5939         ESTABLISHED
 [TeamViewer_Desktop.exe]
  TCP    127.0.0.1:57047        127.0.0.1:5939         ESTABLISHED
 [TeamViewer.exe]
  TCP    127.0.0.1:57049        127.0.0.1:57050        ESTABLISHED
 [TeamViewer.exe]
  TCP    127.0.0.1:57050        127.0.0.1:57049        ESTABLISHED
 [TeamViewer.exe]
  TCP    127.0.0.1:62167        127.0.0.1:62168        ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:62168        127.0.0.1:62167        ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    [::]:80                [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:5666              [::]:0                 LISTENING
 [nscp.exe]
  TCP    [::]:5985              [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:8080              [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:10273             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:12489             [::]:0                 LISTENING
 [nscp.exe]
  TCP    [::]:16001             [::]:0                 LISTENING
 [Microsoft.Office.Project.Server.Calculation.exe]
  TCP    [::]:16002             [::]:0                 LISTENING
 [Microsoft.Office.Project.Server.Queuing.exe]
  TCP    [::]:16003             [::]:0                 LISTENING
 [Microsoft.Office.Project.Server.Eventing.exe]
  TCP    [::]:22233             [::]:0                 LISTENING
 [DistributedCacheService.exe]
  TCP    [::]:22234             [::]:0                 LISTENING
 [DistributedCacheService.exe]
  TCP    [::]:22236             [::]:0                 LISTENING
 [DistributedCacheService.exe]
  TCP    [::]:32843             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:32844             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:47001             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49665             [::]:0                 LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49667             [::]:0                 LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49671             [::]:0                 LISTENING
 [lsass.exe]
  TCP    [::]:49673             [::]:0                 LISTENING
 [lsass.exe]
  TCP    [::]:49699             [::]:0                 LISTENING
 [spoolsv.exe]
  TCP    [::]:49729             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:50922             [::]:0                 LISTENING
 [schedengine.exe]
  TCP    [::]:51220             [::]:0                 LISTENING
 [schedengine.exe]
  TCP    [::]:58034             [::]:0                 LISTENING
 [schedengine.exe]
  TCP    [::]:60384             [::]:0                 LISTENING
 [schedengine.exe]
  TCP    [::]:61328             [::]:0                 LISTENING
 [schedengine.exe]
  TCP    [::1]:22233            [::1]:55146            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55147            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55148            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55149            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55152            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55153            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55154            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55155            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55165            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55166            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55167            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55168            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55169            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55170            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55171            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55172            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55173            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55174            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55175            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22233            [::1]:55176            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:22234            [::1]:50335            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:50335            [::1]:22234            ESTABLISHED
 [DistributedCacheService.exe]
  TCP    [::1]:55146            [::1]:22233            ESTABLISHED
 [OWSTIMER.EXE]
  TCP    [::1]:55147            [::1]:22233            ESTABLISHED
 [OWSTIMER.EXE]
  TCP    [::1]:55148            [::1]:22233            ESTABLISHED
 [OWSTIMER.EXE]
  TCP    [::1]:55149            [::1]:22233            ESTABLISHED
 [OWSTIMER.EXE]
  TCP    [::1]:55152            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55153            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55154            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55155            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55165            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55166            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55167            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55168            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55169            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55170            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55171            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55172            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55173            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55174            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55175            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  TCP    [::1]:55176            [::1]:22233            ESTABLISHED
 [w3wp.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:55713          *:*
 [TeamViewer_Service.exe]
  UDP    0.0.0.0:65531          *:*
 [TeamViewer_Service.exe]
  UDP    10.2.8.120:137         *:*
 Can not obtain ownership information
  UDP    10.2.8.120:138         *:*
 Can not obtain ownership information
  UDP    10.2.8.120:5353        *:*
 [TeamViewer_Service.exe]
  UDP    127.0.0.1:50860        *:*
 [PowerShell.exe]
  UDP    127.0.0.1:57323        *:*
  gpsvc
 [svchost.exe]
  UDP    127.0.0.1:57324        *:*
 [wmiprvse.exe]
  UDP    127.0.0.1:58008        *:*
  iphlpsvc
 [svchost.exe]
  UDP    127.0.0.1:59511        *:*
 [lsass.exe]
  UDP    127.0.0.1:63627        *:*
 [Explorer.EXE]
  UDP    127.0.0.1:64005        *:*
  NlaSvc
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:55714             *:*
 [TeamViewer_Service.exe]
  UDP    [::1]:5353             *:*
 [TeamViewer_Service.exe]

C:\Windows\system32>nslookup
Default Server:  tgcs011.our.network.tgcsnet.com
Address:  10.2.8.30

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Server:  tgcs011.our.network.tgcsnet.com
Address:  10.2.8.30

*** tgcs011.our.network.tgcsnet.com can't find http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab: Non-existent domain
Distinguished Expert 2017

Commented:
The difficulty is how to identify the application that accesses the resource that triggers this check.
Thomas GrassiSystems Administrator

Author

Commented:
Yes, that is the problem. Microsoft should be more careful in sending updates out.
This is very troubling.
Distinguished Expert 2017
Commented:
It is unclear whether it is an actual "update". It seems they built a mechanism into crypto libraries (speculation) that triggers a check of a certificate to see if it has been revoked.
In Internet Options, Advanced settings, you have an option to disable checks for publishers, which includes verifying whether a CA certificate has been revoked.
Thomas GrassiSystems Administrator

Author

Commented:
Arnold

IE Settings on one
Is this what you're talking about?  Check or uncheck?
Thomas GrassiSystems Administrator

Author

Commented:
Still getting this very annoying error on my servers over and over and over.

I am hoping someone has a clue on how to resolve this one.

Thank you

Tom
Thomas GrassiSystems Administrator

Author

Commented:
update

I just ran this

2. Delete the contents of the directories that are listed here. (%windir% is the Windows directory.)

Note: You may receive a message that states that you do not have permission to access the folder. If you receive this message, click Continue.

LocalService:

%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

NetworkService:
%windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

LocalSystem:
%windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
%windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

They stayed away for a while; I checked back and the error was there again.

Also, the files I deleted came back.

Very frustrating why this is.
Distinguished Expert 2017

Commented:
That is the common sentiment associated with all posts related to this type of error.

Try the following:
Do nslookup on the host in the auto update.

Then grab netstat -anb to see which process, if captured, is going to the IP.
While not conclusive, it may identify the process, and hopefully it will be only one versus different ones.
Process Explorer, from Sysinternals.

Try psexec to run certutil to clear the cache under the system account.
The GUID in your error matches GUIDs in similar complaints going back to 2010.

Looking through Microsoft certs to see which CRL URL it is pointing to, to locate the certificate that uses this CRL URL, or matching the GUID in the error.
Thomas GrassiSystems Administrator

Author

Commented:
Arnold,

nslookup does not have an autoupdate feature that I know of.
Netstat does

psexec gave same results

Looked through the certs and could not find anything related.

Also I noticed that now I am getting the event 4107 two at a time; before it was 9 to 12 before it would stop.

So some improvement.

But the error still occurs

Any other ideas?
Distinguished Expert 2017

Commented:
In this case, the issue is related to a certificate(s) that has http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab as the validation URL.

Try the following:
https://support.microsoft.com/en-us/help/3004394/support-for-urgent-trusted-root-updates-for-windows-root-certificate-p

If you can, look through the MMC, Certificates, Local Computer, and see if you have trusted root CA publishers that have expired certs. If you can test on a similar system where these errors occur, delete the expired certs and see if these CAPI2 messages go away.

Identifying the source application could help.

netstat -an is to capture network activity at a moment in time.
The nslookup is to gather the two IPs this host is known for, 23.12.146.154 and 23.12.146.149. In some cases, MS may have regionally distributed these,

and in your case it might be different IPs.
When running netstat -an or using netmon to capture the process that generates a request to one of those IPs, then work out through the application to see why or how it can be corrected...
Thomas GrassiSystems Administrator

Author

Commented:
Arnold,

First, how do I find the certificates that have that URL?
I looked at all my expired certificates and none had a URL. Where is the information kept?  Example please.

Second, the link you posted is not valid; it is a very old article and the links on it fail to open.
Was hoping when I saw it there was a fix, but not so lucky.


I compared a server getting the 4107 and one that is not, and they have the same certs in Trusted Root Certificates > Certificates under Local Computer.


I am at a loss on why this affects only a certain number of servers.

Thanks for your continued interest in helping me on this error.

Tom
Distinguished Expert 2017

Commented:
The second link was related to root cert updates, did not check whether the packages were still a downloadable option.

Usually, within the certificate there is a CRL reference. It is commonly a line item.
Looked through my MMC certificates and the trusted root certs did not have CRL references.

Since this CAPI2 showed up over time, I might as well try and help you solve your issue, so that should it occur in environments I deal with, I'd be halfway done.

Look in the certificate store of services.
Personal certificates.

Oh, since it points to a URL on windowsupdate.... See whether your Windows Update client on these systems is up to date.

Still, try to guess which application is triggering these checks/requests to CAPI2.
Distinguished Expert 2017

Commented:
See if the following helps identify the source, or whether it identifies a way to turn off the events.... Or limit them.
https://blogs.msdn.microsoft.com/benjaminperkins/2013/09/30/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues/
Thomas GrassiSystems Administrator

Author

Commented:
Arnold.

Great, maybe this might narrow things down.

I enabled the log on two of the problem servers; let's see what gets logged overnight.

Check back in the AM

Thanks
Tom
Thomas GrassiSystems Administrator

Author

Commented:
Arnold,

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          12/17/2019 8:05:24 AM
Event ID:      11
Task Category: Build Chain
Level:         Error
Keywords:      Path Discovery,Path Validation
User:          OUR\spadmin
Computer:      TGCS027-N1.our.network.tgcsnet.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2019-12-17T13:05:24.485222300Z" />
    <EventRecordID>12033</EventRecordID>
    <Correlation ActivityID="{30000001-0000-ff00-70b9-b036b820dc19}" />
    <Execution ProcessID="8376" ThreadID="2376" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>TGCS027-N1.our.network.tgcsnet.com</Computer>
    <Security UserID="S-1-5-21-3054588571-1341459584-784128302-1148" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="A95540C10F5F5FE05E4263B57DFD4E997CAD59CD.cer" subjectName="*.big.telemetry.microsoft.com" />
      <AdditionalStore>
        <Certificate fileRef="83DA05A9886F7658BE73ACF0A4930C0F99B92F01.cer" subjectName="Microsoft Secure Server CA 2011" />
        <Certificate fileRef="A95540C10F5F5FE05E4263B57DFD4E997CAD59CD.cer" subjectName="*.big.telemetry.microsoft.com" />
      </AdditionalStore>
      <ExtendedKeyUsage orMatch="true">
        <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
        <Usage oid="1.3.6.1.4.1.311.10.3.3" />
        <Usage oid="2.16.840.1.113730.4.1" />
      </ExtendedKeyUsage>
      <Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
      <ChainEngineInfo context="serial" />
      <AdditionalInfo>
        <NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
      </AdditionalInfo>
      <CertificateChain chainRef="{FD112922-4E5D-45B1-AF87-7A3A2D930A9E}">
        <TrustStatus>
          <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
          <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="A95540C10F5F5FE05E4263B57DFD4E997CAD59CD.cer" subjectName="*.big.telemetry.microsoft.com" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.11" hashName="SHA256" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
          <TrustStatus>
            <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
            <InfoStatus value="122" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_AUTO_UPDATE_END_REVOCATION="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
            <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
          </ApplicationUsage>
          <IssuanceUsage />
          <RevocationInfo>
            <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
          </RevocationInfo>
        </ChainElement>
        <ChainElement>
          <Certificate fileRef="83DA05A9886F7658BE73ACF0A4930C0F99B92F01.cer" subjectName="Microsoft Secure Server CA 2011" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.11" hashName="SHA256" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="4096" />
          <TrustStatus>
            <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
            <InfoStatus value="112" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_AUTO_UPDATE_CA_REVOCATION="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage any="true" />
          <IssuanceUsage />
          <RevocationInfo>
            <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
          </RevocationInfo>
        </ChainElement>
        <ChainElement>
          <Certificate fileRef="8F43288AD272F3103B6FB1428485EA3014C0BCFE.cer" subjectName="Microsoft Root Certificate Authority 2011" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.11" hashName="SHA256" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="4096" />
          <TrustStatus>
            <ErrorStatus value="0" />
            <InfoStatus value="13C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_AUTO_UPDATE_CA_REVOCATION="true" CERT_TRUST_AUTO_UPDATE_END_REVOCATION="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage any="true" />
          <IssuanceUsage any="true" />
          <RevocationInfo>
            <RevocationResult value="0" />
          </RevocationInfo>
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="wermgr.exe" impersonateToken="S-1-5-21-3054588571-1341459584-784128302-1148" />
      <CorrelationAuxInfo TaskId="{7384C16A-249A-4960-98D5-F0DEB7B6D5B4}" SeqNumber="7" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          12/17/2019 8:05:24 AM
Event ID:      30
Task Category: Verify Chain Policy
Level:         Error
Keywords:      Path Validation
User:          OUR\spadmin
Computer:      TGCS027-N1.our.network.tgcsnet.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2019-12-17T13:05:24.487527500Z" />
    <EventRecordID>12034</EventRecordID>
    <Correlation ActivityID="{30000001-0000-ff00-70b9-b036b820dc19}" />
    <Execution ProcessID="8376" ThreadID="2376" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>TGCS027-N1.our.network.tgcsnet.com</Computer>
    <Security UserID="S-1-5-21-3054588571-1341459584-784128302-1148" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
      <Certificate fileRef="A95540C10F5F5FE05E4263B57DFD4E997CAD59CD.cer" subjectName="*.big.telemetry.microsoft.com" />
      <CertificateChain chainRef="{FD112922-4E5D-45B1-AF87-7A3A2D930A9E}" />
      <Flags value="0" />
      <SSLAdditionalPolicyInfo authType="server" serverName="watson.telemetry.microsoft.com">
        <IgnoreFlags value="0" />
      </SSLAdditionalPolicyInfo>
      <PinRules AUTO_UPDATE_PIN_RULES_FLAG="true" EXPIRED_PIN_RULES_FLAG="true" domain="watson.telemetry.microsoft.com" thisUpdate="‎Wednesday, ‎May ‎31, ‎2017 6:28:59 PM" sequenceNumber="01D2DA65ADDB403?" />
      <Status chainIndex="0" elementIndex="0" />
      <EventAuxInfo ProcessName="wermgr.exe" impersonateToken="S-1-5-21-3054588571-1341459584-784128302-1148" />
      <CorrelationAuxInfo TaskId="{EE231AF2-25FA-4A14-9F8A-B4C658C50745}" SeqNumber="1" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          12/17/2019 8:05:24 AM
Event ID:      30
Task Category: Verify Chain Policy
Level:         Error
Keywords:      Path Validation
User:          OUR\spadmin
Computer:      TGCS027-N1.our.network.tgcsnet.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2019-12-17T13:05:24.487966800Z" />
    <EventRecordID>12035</EventRecordID>
    <Correlation ActivityID="{30000001-0000-ff00-70b9-b036b820dc19}" />
    <Execution ProcessID="8376" ThreadID="2376" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>TGCS027-N1.our.network.tgcsnet.com</Computer>
    <Security UserID="S-1-5-21-3054588571-1341459584-784128302-1148" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
      <Certificate fileRef="A95540C10F5F5FE05E4263B57DFD4E997CAD59CD.cer" subjectName="*.big.telemetry.microsoft.com" />
      <CertificateChain chainRef="{FD112922-4E5D-45B1-AF87-7A3A2D930A9E}" />
      <Flags value="0" />
      <SSLAdditionalPolicyInfo authType="server" serverName="watson.telemetry.microsoft.com">
        <IgnoreFlags value="0" />
      </SSLAdditionalPolicyInfo>
      <PinRules AUTO_UPDATE_PIN_RULES_FLAG="true" EXPIRED_PIN_RULES_FLAG="true" domain="watson.telemetry.microsoft.com" thisUpdate="‎Wednesday, ‎May ‎31, ‎2017 6:28:59 PM" sequenceNumber="01D2DA65ADDB403?" />
      <Status chainIndex="0" elementIndex="0" />
      <EventAuxInfo ProcessName="wermgr.exe" impersonateToken="S-1-5-21-3054588571-1341459584-784128302-1148" />
      <CorrelationAuxInfo TaskId="{6034A41E-B442-4F60-8314-6671E17BCBC5}" SeqNumber="1" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>



In the CAPI2 event log I get these over and over. Does this help?  Now some other servers are getting this same event.
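
Added example, not part of the original thread: one way to pull the calling process, certificate subject, server name and result code out of CAPI2/Operational events like those posted above, so repeated errors can be grouped by the application that triggered them. The function names are hypothetical, and the two sample events are trimmed copies of the posted XML, constructed here so the block runs without a live event log.

```powershell
# Added example: attribute CAPI2/Operational errors to the process that made the call.
function Get-AttributeOrNull($Node, [string]$Name) {
    if ($null -ne $Node) { $Node.GetAttribute($Name) }
}

function ConvertFrom-Capi2EventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # local-name() keeps the XPath independent of the namespaces in the event.
        $payload = $doc.SelectSingleNode("//*[local-name()='UserData']/*")
        if ($null -eq $payload) { return }      # no UserData payload: skip this event
        $id     = $doc.SelectSingleNode("//*[local-name()='EventID']")
        $aux    = $payload.SelectSingleNode("*[local-name()='EventAuxInfo']")
        $cert   = $payload.SelectSingleNode("*[local-name()='Certificate']")
        $ssl    = $payload.SelectSingleNode("*[local-name()='SSLAdditionalPolicyInfo']")
        $result = $payload.SelectSingleNode("*[local-name()='Result']")
        [pscustomobject]@{
            EventId    = $(if ($null -ne $id) { $id.InnerText })
            Api        = $payload.LocalName      # e.g. CertGetCertificateChain
            Process    = Get-AttributeOrNull $aux 'ProcessName'
            Subject    = Get-AttributeOrNull $cert 'subjectName'
            ServerName = Get-AttributeOrNull $ssl 'serverName'
            ResultCode = Get-AttributeOrNull $result 'value'
            ResultText = $(if ($null -ne $result) { $result.InnerText })
        }
    }
}

function Get-Capi2ErrorSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    # One row per distinct (process, result code) pair, most frequent first.
    $EventXml | ConvertFrom-Capi2EventXml |
        Group-Object Process, ResultCode |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed samples: trimmed copies of the events posted in this thread.
$event11 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate subjectName="*.big.telemetry.microsoft.com" />
      <EventAuxInfo ProcessName="wermgr.exe" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>
'@
$event30 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>30</EventID></System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Certificate subjectName="*.big.telemetry.microsoft.com" />
      <SSLAdditionalPolicyInfo authType="server" serverName="watson.telemetry.microsoft.com" />
      <EventAuxInfo ProcessName="wermgr.exe" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>
'@

@($event11, $event30) | ConvertFrom-Capi2EventXml |
    Format-Table EventId, Api, Process, ServerName, ResultCode -AutoSize
Get-Capi2ErrorSummary -EventXml @($event11, $event30)

# On a server with CAPI2/Operational logging enabled, feed live events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Capi2EventXml
```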
Distinguished Expert 2017

Commented:
The destination in the example is going to watson.telemetry.microsoft.com

The certificate for *.big.telemetry.microsoft.com

See whether disabling the location option on the server currently generating these events helps; compare whether those that do not report have location off.
Thomas GrassiSystems Administrator

Author

Commented:
Arnold,

I have been looking all over for that certificate *.big.telemetry.microsoft.com     can not find it at ALL

Also how would I disable the location option ?
Distinguished Expert 2017

Commented:
Non 2016, 2019 and possibly 2012 if you hit the notification, right bottom corner expand ...
It is part of Cortana

What service does spadmin ?

Check taskmgr process user running.
Thomas GrassiSystems Administrator

Author

Commented:
Arnold


capi2.PNG

spadmin is the user account that I logon to this server with.
Distinguished Expert 2017

Commented:
<PinRules AUTO_UPDATE_PIN_RULES_FLAG="true" EXPIRED_PIN_RULES_FLAG="true" domain="watson.telemetry.microsoft.com" thisUpdate="‎Wednesday, ‎May ‎31, ‎2017 6:28:59 PM"

Look within the user certificate store for this expired cert.
Wermgr.exe ?

<Certificate fileRef="8F43288AD272F3103B6FB1428485EA3014C0BCFE.cer" subjectName="Microsoft Root Certificate Authority 2011" />
In the preceding errors as the signer of the *.telemetry.microsoft.com

Not sure whether these are used as a check of the network connection tests if the system is reaching the Internet.

There has to be something common to those that have this issue versus those that do not.
Distinguished Expert 2017

Commented:
Wermgr.exe is an error reporting process/mechanism. Check whether the server you are on has the setting set to provide feedback to MS to improve .......
Thomas GrassiSystems Administrator

Author

Commented:
The issue was in my Meraki firewall.

I had to whitelist the servers; after doing so the error stopped appearing. As a matter of fact, I received CAPI2 messages in the event log showing successful events.
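
Added example, not part of the original thread: a check of whether the bytes a server receives for the authrootstl.cab URL are actually a cabinet file, which is what event 4107's "The data is invalid" is complaining about. It assumes, as something the thread does not state, that a filtering device may substitute or truncate the response; the function names and both sample byte arrays are constructed for illustration.

```powershell
# Added example: check that a response body is a cabinet rather than a substituted page.
function Test-CabinetHeader {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    $problems = New-Object System.Collections.Generic.List[string]
    $declared = $null
    if ($Bytes.Length -lt 4 -or
        [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -cne 'MSCF') {
        $problems.Add('signature is not MSCF')
    } elseif ($Bytes.Length -lt 36) {
        $problems.Add('shorter than the 36-byte fixed cabinet header')
    } else {
        # cbCabinet: total size of the cabinet, UInt32 at offset 8
        # (BitConverter reads little-endian on Windows, matching the file format).
        $declared = [System.BitConverter]::ToUInt32($Bytes, 8)
        if ($declared -ne $Bytes.Length) {
            $problems.Add("header declares $declared bytes, received $($Bytes.Length)")
        }
    }
    # Printable preview of the first bytes: a block page shows up as readable HTML.
    $n = [Math]::Min(60, $Bytes.Length)
    $preview = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, $n) -replace '[^\x20-\x7E]', '.'
    [pscustomobject]@{
        IsCabinet      = ($problems.Count -eq 0)
        Length         = $Bytes.Length
        DeclaredLength = $declared
        Problems       = ($problems -join '; ')
        Preview        = $preview
    }
}

function Test-CtlDownload {
    # URL taken from the event 4107 description in this thread.
    param([string]$Url = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab')
    $client = New-Object System.Net.WebClient
    try     { $bytes = $client.DownloadData($Url) }
    finally { $client.Dispose() }
    Test-CabinetHeader -Bytes $bytes
}

# Constructed sample 1: a minimal 36-byte cabinet header whose declared size matches.
$cab = New-Object byte[] 36
[System.Text.Encoding]::ASCII.GetBytes('MSCF').CopyTo($cab, 0)
[System.BitConverter]::GetBytes([uint32]36).CopyTo($cab, 8)

# Constructed sample 2: the kind of HTML body a content filter might return instead.
$blockPage = [System.Text.Encoding]::ASCII.GetBytes(
    '<html><body>Blocked by content filter</body></html>')

Test-CabinetHeader -Bytes $cab        # IsCabinet = True
Test-CabinetHeader -Bytes $blockPage  # IsCabinet = False, Problems = 'signature is not MSCF'

# On an affected server, test the real download path:
# Test-CtlDownload
```

Test-CtlDownload runs as the logged-on user with that user's proxy settings, so a clean result there does not rule out a different path for service accounts.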
