Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 Service Pack 2: "Error 1718 File was rejected by digital signature policy"

Symptoms

When you try to install a large Microsoft Windows Installer (.msi) package or a large Microsoft Windows Installer patch (.msp) package on a computer that is running Windows Server 2003 Service Pack 2, you receive the following error message:

Error 1718. File FileName was rejected by digital signature policy.

Additionally, the following event may be logged in the Application log:

Cause

This problem occurs if the Windows Installer process has insufficient contiguous virtual memory to verify that the .msi package or the .msp package is correctly signed.

Resolution

Update download information

The following files are available for download from the Microsoft Download Center:

Download Download the Update for Windows Server 2003 (973825) package now.

Download Download the Update for Windows Server 2003, x64 Edition (973825) package now.

Download Download the Update for Windows Server 2003 for Itanium-based Systems (973825) package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

You must have Windows Server 2003 Service Pack 2 installed to apply this update.

Restart requirement


You must restart your computer after you apply the update.

Update replacement information


This update does not replace any other updates.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Update for Windows Server 2003 (KB973825)

File name

File version

File size

Date

Time

Platform

SP requirement

Service branch

Advapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

15:58

x86

SP2

SP2GDR

Advapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

16:19

x86

SP2

SP2QFE

Update for Windows Server 2003, x64 Edition (KB973825)

File name

File version

File size

Date

Time

Platform

SP requirement

Service branch

Advapi32.dll

5.2.3790.4555

1,052,160

18-Jul-2009

21:45

x64

SP2

SP2GDR

Wadvapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

21:45

x86

SP2

WOW

Advapi32.dll

5.2.3790.4555

1,065,984

18-Jul-2009

16:32

x64

SP2

SP2QFE

Wadvapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

16:32

x86

SP2

WOW

Update for Windows Server 2003 for Itanium-based Systems (KB973825)

File name

File version

File size

Date

Time

Platform

SP requirement

Service branch

Advapi32.dll

5.2.3790.4555

1,482,752

18-Jul-2009

21:44

IA-64

SP2

SP2GDR

Wadvapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

21:44

x86

SP2

WOW

Advapi32.dll

5.2.3790.4555

1,483,776

18-Jul-2009

16:32

IA-64

SP2

SP2QFE

Wadvapi32.dll

5.2.3790.4555

619,008

18-Jul-2009

16:32

x86

SP2

WOW

Workaround

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in WindowsTo work around this problem, change the PolicyScope registry value to 1 before you try to install the package. To do this, follow these steps.

Note If the computer is joined to a domain, a domain policy update may override the registry changes that you make. We strongly recommend that you disconnect the computer from the domain before you follow these steps.

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Note Before you modify this key, we recommend that you back up this key. To do this, right-click CodeIdentifiers, and then click Export. Save the file to a location where you can find it on the computer.

  3. Change the PolicyScope registry value. To do this, double-click PolicyScope, and then change the setting from 0 to 1.

  4. Close Registry Editor.

  5. Click Start, click Run, type cmd, and then click OK to open a Command Prompt window.

  6. At the command prompt, type the following command, and then press ENTER:

    net stop msiserverThis command stops the Windows Installer service if the service is currently running in the background. When the service has stopped, close the Command Prompt window, and then go to step 7.


    Note If you receive the following message at the command prompt, close the Command Prompt window, and then go to step 7:

    The Windows Installer service is not started

  7. Install the package that you were trying to install when you received the error message that is mentioned in the "Symptoms" section.

  8. After you install the package, repeat steps 1 and 2. Then, change the PolicyScope registry value back to 0.

  9. If you disconnected the computer from a domain, rejoin the domain, and then restart the computer.

    Note If you did not disconnect the computer from a domain, you do not have to restart the computer.

If the previous steps did not resolve the issue, follow these steps:

  1. Click Start, click Run, type control admintools, and then click OK.

  2. Double-click Local Security Policy.

  3. Click Software Restriction Policies.

    Note If no software restrictions are listed, right-click Software Restriction Policies, and then click Create New Policy.

  4. Under Object Type, double-click Enforcement.

  5. Click All users except local administrators, and then click OK.

  6. Restart the computer.

Important After you follow the previous steps, local administrators can install the .msi package or the .msp package. After the package is installed, reset the enforcement level by following the previous steps. In step 5, click All users instead of All users except local administrators.


Notes

  • The workaround may not work in an Active Directory domain environment. In an Active Directory domain environment, a domain policy refresh operation will overwrite the local Software Restriction Policies.

  • Adding more RAM to the computer will not resolve the problem.

More Information

Starting with Windows XP, a security policy that is named Software Restriction Policies (also known as SAFER) was introduced to help users avoid running unsafe files. Windows Installer uses software restriction policies to verify the signatures of signed .msi package files and signed .msp package files. Windows Installer does this to make sure that the files were not tampered with before they are installed on the computer. Windows XP and Windows Server 2003 require that the whole .msi package file or the whole .msp package file to be loaded into one contiguous piece of memory in the address space of the Windows Installer process.


If an .msi package file or an .msp package file is too large to fit into a contiguous piece of virtual memory, Windows Installer cannot verify that the package is correct. In this scenario, you experience the symptoms that are described in the “Symptoms” section. The fix that is described in this article enables software restriction policies to use less virtual memory to perform the signature verification. Therefore, Windows Installer can verify any size files.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!

×