The following event is recorded in the Application log:
Event Type: Error Event Source: Crypt32 Event Category: None Event ID: 8 Date: 3/15/2010 Time: 11:27:57 AM User: N/A Computer: SERVER1 Description: Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: The server name or address could not be resolved.
The following similar event may also be recorded:
Event Type: Error Event Source: Crypt32 Event Category: None Event ID: 8 Date: 3/15/2010 Time: 11:27:57 AM User: N/A Computer: SERVER1 Description: Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: This network connection does not exist.
These events may be recorded at continuously, at regular intervals (e.g., every 10 minutes) or they may only be recorded when you start a particular application.
Also, the computer on which the events are recorded does not have connectivity to the Windows Update web site due to router or proxy configuration.
These events are recorded despite the fact that no applications or services installed on the computer fail to start, or encounter any operational errors.
This behavior is expected under the following conditions:
The computer is unable to access the Windows Update web site due to router or proxy configuration.
An application has been installed that has been designed to interact with the Windows Security Center (WSC) on Windows Vista or higher. Example applications include third-party virus software, malware scanners or firewall products.
There are three options for handling these events.
Disregard these events. They are benign and can be safely ignored.
Modify router or proxy configuration to allow computers recording these events to connect to Windows Update.
Disable Automatic Root Updates on computers recording these events.
In Control Panel, double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.
On Windows Vista and higher, Microsoft requires that any software the registers and interacts with the Windows Security Center (WSC) be signed with a digital certificate that chains up to an internal Microsoft code signing root certification authority (CA). This CA is called the Microsoft Code Verification Root CA (MSCV). Microsoft has cross-certified the MSCV with multiple third-party code-signing CAs allowing these vendors to continue issuing valid code-signing certificates to their customers.
The MSCV certificate is embedded in the kernel on Windows Vista and higher, but it is not available as part of the Automatic Trusted Root Update service. Whenever the digital signature on one of these applications is checked on Windows XP, Windows Server 2003 or Windows Server 2003 R2, the chain of the vendor's code signing certificate is built up to both the root CA of the third-party that issued the code signing certificate and, by virtue of the cross-CA certificate issued by Microsoft, also to the MSCV. In short, two chains are built and the validity of both are verified.
The MSCV certificate is not embedded in the kernel on Windows XP, Windows Server 2003 or Windows Server 2003 R2 so Windows determines that that CA is not trusted. If Automatic Trusted Root Updates are enabled then Windows will attempt to contact Windows Update to determine if the MSCV certificate is published by Microsoft as part of the Trusted Root Program. The MSCV is not available through that program, so this lookup fails.
Windows quickly determines that the MSCV is not trusted and that chain is eliminated. This leaves the other chain that leads to a third-party root CA, which is probably valid, allowing the application's signature to be successfully validated. Thus, there are no errors or failures associated with the application.
If Windows is able to successfully contact Windows Update then no events are recorded in the Application log. Failure to locate an arbitrary untrusted root CA certificate on Windows Update is a handled failure and requires no special reporting. On the other hand, if Automatic Trusted Root Updates are enabled, but Windows is unable to contact the Windows Update site, then that is an error that requires reporting through the events and errors documented above.
These events are not recorded on Windows Vista or higher because the MSCV certificate is embedded in the Windows kernel. The MSCV is therefore inherently trusted and there is no need to look for the certificate on Windows Update.