Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 Service Pack 2: "Error 1718 File was rejected by digital signature policy"

Symptoms

When you try to install a large Microsoft Windows Installer (.msi) package or a large Microsoft Windows Installer patch (.msp) package on a computer that is running Windows Server 2003 Service Pack 2, you receive the following error message:
Error 1718. File FileName was rejected by digital signature policy.
Additionally, the following event may be logged in the Application log:

Cause

This problem occurs if the Windows Installer process has insufficient contiguous virtual memory to verify that the .msi package or the .msp package is correctly signed.

Resolution

Update download information

The following files are available for download from the Microsoft Download Center:

Download Download the Update for Windows Server 2003 (973825) package now.

Download Download the Update for Windows Server 2003, x64 Edition (973825) package now.

Download Download the Update for Windows Server 2003 for Itanium-based Systems (973825) package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

You must have Windows Server 2003 Service Pack 2 installed to apply this update.

Restart requirement


You must restart your computer after you apply the update.

Update replacement information


This update does not replace any other updates.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Update for Windows Server 2003 (KB973825)

File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.4555619,00818-Jul-200915:58x86SP2SP2GDR
Advapi32.dll5.2.3790.4555619,00818-Jul-200916:19x86SP2SP2QFE

Update for Windows Server 2003, x64 Edition (KB973825)

File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,052,16018-Jul-200921:45x64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:45x86SP2WOW
Advapi32.dll5.2.3790.45551,065,98418-Jul-200916:32x64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW

Update for Windows Server 2003 for Itanium-based Systems (KB973825)

File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Advapi32.dll5.2.3790.45551,482,75218-Jul-200921:44IA-64SP2SP2GDR
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200921:44x86SP2WOW
Advapi32.dll5.2.3790.45551,483,77618-Jul-200916:32IA-64SP2SP2QFE
Wadvapi32.dll5.2.3790.4555619,00818-Jul-200916:32x86SP2WOW

Workaround

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To work around this problem, change the PolicyScope registry value to 1 before you try to install the package. To do this, follow these steps.

Note If the computer is joined to a domain, a domain policy update may override the registry changes that you make. We strongly recommend that you disconnect the computer from the domain before you follow these steps.
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Note Before you modify this key, we recommend that you back up this key. To do this, right-click CodeIdentifiers, and then click Export. Save the file to a location where you can find it on the computer.
  3. Change the PolicyScope registry value. To do this, double-click PolicyScope, and then change the setting from 0 to 1.
  4. Close Registry Editor.
  5. Click Start, click Run, type cmd, and then click OK to open a Command Prompt window.
  6. At the command prompt, type the following command, and then press ENTER:
    net stop msiserver
    This command stops the Windows Installer service if the service is currently running in the background. When the service has stopped, close the Command Prompt window, and then go to step 7.


    Note If you receive the following message at the command prompt, close the Command Prompt window, and then go to step 7:
    The Windows Installer service is not started
  7. Install the package that you were trying to install when you received the error message that is mentioned in the "Symptoms" section.
  8. After you install the package, repeat steps 1 and 2. Then, change the PolicyScope registry value back to 0.
  9. If you disconnected the computer from a domain, rejoin the domain, and then restart the computer.

    Note If you did not disconnect the computer from a domain, you do not have to restart the computer.
If the previous steps did not resolve the issue, follow these steps:
  1. Click Start, click Run, type control admintools, and then click OK.
  2. Double-click Local Security Policy.
  3. Click Software Restriction Policies.

    Note If no software restrictions are listed, right-click Software Restriction Policies, and then click Create New Policy.
  4. Under Object Type, double-click Enforcement.
  5. Click All users except local administrators, and then click OK.
  6. Restart the computer.
Important After you follow the previous steps, local administrators can install the .msi package or the .msp package. After the package is installed, reset the enforcement level by following the previous steps. In step 5, click All users instead of All users except local administrators.


Notes
  • The workaround may not work in an Active Directory domain environment. In an Active Directory domain environment, a domain policy refresh operation will overwrite the local Software Restriction Policies.
  • Adding more RAM to the computer will not resolve the problem.

More Information

Starting with Windows XP, a security policy that is named Software Restriction Policies (also known as SAFER) was introduced to help users avoid running unsafe files. Windows Installer uses software restriction policies to verify the signatures of signed .msi package files and signed .msp package files. Windows Installer does this to make sure that the files were not tampered with before they are installed on the computer. Windows XP and Windows Server 2003 require that the whole .msi package file or the whole .msp package file to be loaded into one contiguous piece of memory in the address space of the Windows Installer process.


If an .msi package file or an .msp package file is too large to fit into a contiguous piece of virtual memory, Windows Installer cannot verify that the package is correct. In this scenario, you experience the symptoms that are described in the “Symptoms” section. The fix that is described in this article enables software restriction policies to use less virtual memory to perform the signature verification. Therefore, Windows Installer can verify any size files.
속성

문서 ID: 973825 - 마지막 검토: 2010. 7. 1. - 수정: 1

피드백