Crypt32: Failed auto update retrieval of third-party root list sequence

“crypt32 Event ID: 8

Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.”

If, like me, you find the above message reported hundreds of times in your event logs, here is what is going on.

Crypt32, from what I understand, is a subsystem that gets used by several products, including McAfee. Crypt32 likes to go off to the Internet to get updated root lists; however, if you have a proxy server you have to tell Crypt32 to use it.

On each client that is getting the message you will need to run

%SystemRoot%\System32\proxycfg.exe -u

There are several switches you could use; the -u switch simply imports your Internet Explorer settings.

I triggered the above command from a login script on all of our clients, but first I had to create a GPO to modify the registry permissions, as by default users cannot run this command because they do not have write access to a registry key. Please comment if you would like more info.

Your alternatives are to punch a hole in your firewall or proxy, or you could just live with the message.
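
To check whether the proxycfg.exe change took effect on a client, the following added example (not from the original post) fetches the root list URL through the machine's WinHTTP proxy settings and counts recent crypt32 Event ID 8 entries. It assumes Windows PowerShell 2.0 is installed on the client and that the event source is named crypt32, as in the message quoted above; the function names are hypothetical.

```powershell
# Added example, not from the original post. Run on an affected client.
# The URL is the one named in the crypt32 event text quoted above.
$RootListUrl = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt'

function Test-WinHttpFetch {
    param([string]$Url)
    # WinHttpRequest reads the machine-wide WinHTTP proxy settings (the ones
    # proxycfg.exe writes), not the per-user Internet Explorer settings.
    $req = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
    try {
        $req.Open('GET', $Url, $false)
        $req.Send()
        $ok = ($req.Status -eq 200)
        $detail = "HTTP $($req.Status)"
    } catch {
        # Proxy not set, name resolution failure, blocked connection, etc.
        $ok = $false
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{ Reachable = $ok; Detail = $detail }
}

function Get-Crypt32FailureCount {
    param([int]$Days = 7)
    # Assumption: source "crypt32", Event ID 8, Application log (per the quoted event).
    # @(...) makes the count 0 when nothing matches.
    @(Get-EventLog -LogName Application -Source crypt32 `
        -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 8 }).Count
}

# proxycfg.exe with no switch only displays the current WinHTTP proxy settings.
$proxycfg = Join-Path $env:SystemRoot 'System32\proxycfg.exe'
if (Test-Path $proxycfg) { & $proxycfg }

$result = Test-WinHttpFetch -Url $RootListUrl
$count  = Get-Crypt32FailureCount -Days 7
"Root list reachable via WinHTTP: $($result.Reachable) ($($result.Detail))"
"crypt32 Event ID 8 entries in the last 7 days: $count"
```

If the fetch fails while Internet Explorer can browse through the proxy, the WinHTTP settings have not been imported on that machine.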

13 thoughts on “Crypt32: Failed auto update retrieval of third-party root list sequence”

  1. hi!

    we’re experiencing this error left and right on our more than 1000 xp machines

    and the kb article is askin’ me to do it all manually

    when you said you execute the command %SystemRoot%\System32\proxycfg.exe -u how if i may, step-by-step if you don’t mind?

    thanks in advance

     

    >oliver

  2. What if this message is appearing in the Event Viewer of a standalone system (minus the proxy)? It would seem that the same root certificate issue may not apply equally. Any thoughts?

  3. The message is caused because Crypt32 on the affected computer(s) is unable to connect to the Internet. Generally this is because there is a proxy or a firewall in the way, but if the computer is standalone, i.e. not connected to the Internet, I would imagine you will get the same Crypt32 error.

  4. Hi everyone!

    I have this error in my event viewer and I have a proxy on my net, but I can't understand why this message appears, because I have an internal WSUS configured and the machine that has this problem is configured correctly to update to the internal WSUS.

    Can anyone help me?

    Thank you

  5. Hi,

    This exact message has nothing to do with WSUS; the message is generated because crypt32 is unable to get on the Internet to perform its certificate update. The Windows Update on the client, however, does use proxycfg.exe -u

    Crypt32 does not use Internet Explorer's proxy settings and instead uses the proxy setting configured with the tool %SystemRoot%\System32\proxycfg.exe

    Running the command %SystemRoot%\System32\proxycfg.exe -u on the affected computer(s) will import the Internet Explorer proxy setting so crypt32 can get on the net.

    The other option is to put a hole in your firewall.

    I hope this helps, let me know if you need any more info.

  6. Hi,

    I run a network in an offline environment, this includes WSUS (we get the updates from somewhere else network enabled and import them).

    My question is: to get rid of the errors, can I put the IP of the WSUS box in the proxy and use the proxycfg root, or is there a way to stop/disable the certificate service on the XP 32 workstation? And if there is, what effects could this have on the system?

    Thanks

  7. Putting your WSUS server into proxycfg will not work, but you can turn off the feature.

    To turn off the Update Root Certificates component, follow these steps:

    In Control Panel, double-click Add/Remove Programs.
    Click Add/Remove Windows Components.
    Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

    Or, by using a GPO, turn off the option:

    Computer Configuration – Administrative Templates – System – Internet Communication Settings
    “Turn off Automatic Root Certificates Update”
    but consider the problems of not updating your CAs

