Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

The following event is recorded in the Application log:

Event Type: Error
Event Source: Crypt32
Event Category: None
Event ID: 8
Date: 3/15/2010
Time: 11:27:57 AM
User: N/A
Computer: SERVER1
Description:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: The server name or address could not be resolved.

The following similar event may also be recorded:

Event Type: Error
Event Source: Crypt32
Event Category: None
Event ID: 8
Date: 3/15/2010
Time: 11:27:57 AM
User: N/A
Computer: SERVER1
Description:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: This network connection does not exist.

These events may be recorded at continuously, at regular intervals (e.g., every 10 minutes) or they may only be recorded when you start a particular application.

Also, the computer on which the events are recorded does not have connectivity to the Windows Update web site due to router or proxy configuration.

These events are recorded despite the fact that no applications or services installed on the computer fail to start, or encounter any operational errors.

Symptoms

This behavior is expected under the following conditions:

  • The computer is unable to access the Windows Update web site due to router or proxy configuration.

  • An application has been installed that has been designed to interact with the Windows Security Center (WSC) on Windows Vista or higher. Example applications include third-party virus software, malware scanners or firewall products.


Cause

There are three options for handling these events.

  1. Disregard these events. They are benign and can be safely ignored.

  2. Modify router or proxy configuration to allow computers recording these events to connect to Windows Update.

  3. Disable Automatic Root Updates on computers recording these events.

    1. In Control Panel, double-click Add/Remove Programs.

    2. Click Add/Remove Windows Components.

    3. Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.



Resolution

On Windows Vista and higher, Microsoft requires that any software the registers and interacts with the Windows Security Center (WSC) be signed with a digital certificate that chains up to an internal Microsoft code signing root certification authority (CA). This CA is called the Microsoft Code Verification Root CA (MSCV). Microsoft has cross-certified the MSCV with multiple third-party code-signing CAs allowing these vendors to continue issuing valid code-signing certificates to their customers.

The MSCV certificate is embedded in the kernel on Windows Vista and higher, but it is not available as part of the Automatic Trusted Root Update service. Whenever the digital signature on one of these applications is checked on Windows XP, Windows Server 2003 or Windows Server 2003 R2, the chain of the vendor's code signing certificate is built up to both the root CA of the third-party that issued the code signing certificate and, by virtue of the cross-CA certificate issued by Microsoft, also to the MSCV. In short, two chains are built and the validity of both are verified.

The MSCV certificate is not embedded in the kernel on Windows XP, Windows Server 2003 or Windows Server 2003 R2 so Windows determines that that CA is not trusted. If Automatic Trusted Root Updates are enabled then Windows will attempt to contact Windows Update to determine if the MSCV certificate is published by Microsoft as part of the Trusted Root Program. The MSCV is not available through that program, so this lookup fails.

Windows quickly determines that the MSCV is not trusted and that chain is eliminated. This leaves the other chain that leads to a third-party root CA, which is probably valid, allowing the application's signature to be successfully validated. Thus, there are no errors or failures associated with the application.

If Windows is able to successfully contact Windows Update then no events are recorded in the Application log. Failure to locate an arbitrary untrusted root CA certificate on Windows Update is a handled failure and requires no special reporting. On the other hand, if Automatic Trusted Root Updates are enabled, but Windows is unable to contact the Windows Update site, then that is an error that requires reporting through the events and errors documented above.

These events are not recorded on Windows Vista or higher because the MSCV certificate is embedded in the Windows kernel. The MSCV is therefore inherently trusted and there is no need to look for the certificate on Windows Update.


More Information

Facebook LinkedIn Email

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×