KB925336 Updated with Better Workaround


When installing Visual Studio 2005 Service Pack 1, users may see an error that reads,

Error 1718.File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy.

While the filename will be different, the result is that the patch will not install. We first ran into this problem with the beta internally, and through investigation I found that this was caused by SAFER on Windows XP and Windows Server 2003 attempting to map the whole file into memory. On Windows Vista this operation is properly streamed.

I posted workaround steps using the management snap-in. This was used as the basis for KB925336 which, at the time, contained only those workaround instructions. I also helped mitigate the issue by informing users of the support article if they ran into this problem later during installation, with a message that reads,

Error 1718.File D:\WINDOWS\Installer\50baad.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.

That link goes to KB925336. When VS 2005 SP1 was released, the workaround didn't work for everyone. It turns out that active domain policies were overriding the local workaround where default domain policies existed. I helped develop a new workaround that explicitly set the registry value controlling the SAFER check. The existing support article, KB925336, was updated to reflect the new workaround. It does not today, however, document that you should leave the domain. This step is optional, but recommended. If the domain policy is refreshed, your local registry edit could be overwritten and the install might fail later.

Please note that the registry edit is also recommended over the user interface approach, and that the size of the patch should not dictate which approach you use. If you run into the failure with error code 1718 or want to preempt the digital signature check failure, please use the registry edit.

Update: KB925336 was updated to recommend only the registry edit, and to recommend leaving the domain to avoid having the domain overwrite your local policy change.

  • Your admin won't be particularly happy about you leaving the domain, since he'll probably need to provide credentials to let you rejoin.

    Seriously, why hasn't a patch yet been made to Windows Installer 3.x to stop the idiocy of loading the whole file into memory? I realise I'm asking the wrong person here!

  • I posted a comment on this blog a few months ago about my problems installing this service pack. I couldn't leave the domain, so gave up on this service pack, until now. Using info from this site along with tips posted in comments, I assembled a script that combines several solutions posted to this blog. The service pack installed successfully in 10 minutes! Hopefully, this script will work for others who had similar problems. MANY thanks to Heath and other posters who made this possible!

    If this script doesn't post correctly to this site, then I can supply the batch file itself.

    IMPORTANT: Unplug your network cable right before running this script (in case domain overwrites new settings during install). Also, make sure the patch file is in the same folder as the script.


    REM *** BACKUP all settings. ***
    REM Backup the registry key before changing it to save the current values
    reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers "%TMP%\safer.reg" /y
    REM backup and set installer cache setting to speed up process.
    reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer "%TMP%\installer.reg" /y

    REM *** Change all settings to allow patch installation. ***
    REM Set the new [SAFER] value.
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /t REG_DWORD /d 1 /f
    REM Set the new [Installer Cache] value.
    reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v MaxPatchCacheSize /t REG_DWORD /d 0 /f
    REM Stop the MSIServer so it will be forced to reload (when patch is run) with new settings.
    net stop msiserver

    REM *** Run the patch. ***
    start /wait VS80sp1-KB926601-X86-ENU.exe /L*v+ "%TMP%\VS80sp1-KB926601-X86-ENU.log" /quiet

    REM *** Revert all settings back to previous values. ***
    REM Restore [SAFER] values.
    reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /f
    reg import "%TMP%\safer.reg"
    REM Restore [Installer Cache] values.
    reg delete HKLM\Software\Policies\Microsoft\Windows\Installer /v MaxPatchCacheSize /f
    reg import "%TMP%\installer.reg"

    REM * Finished. Please reboot now if there were no errors. *
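
A check that the two policy values the workaround changes are back to their earlier state once the install is done, as an added example that is not part of the original post or its comments. It assumes PowerShell is available; the script name `Check-Sp1Policy.ps1` and the baseline file path are hypothetical. Run it with `-Mode Save` before applying the workaround and `-Mode Verify` after the revert step.

```powershell
# Added example (not from the original post or its comments).
# Records the two policy values the workaround touches, then confirms after
# the install that both are back to what they were.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Save', 'Verify')]
    [string]$Mode,
    # Assumed location for the snapshot file.
    [string]$BaselinePath = (Join-Path $env:TEMP 'sp1-policy-baseline.xml')
)

# Registry values changed by the workaround script in the comment above.
$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'; Name = 'PolicyScope' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'MaxPatchCacheSize' }
)

function Get-PolicySnapshot {
    foreach ($t in $targets) {
        $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        # A missing key or value is recorded as '<not set>' so that
        # "absent before, present after" shows up as a difference.
        $value = if ($null -ne $item) { [string]$item.($t.Name) } else { '<not set>' }
        New-Object PSObject -Property @{ Key = $t.Key; Name = $t.Name; Value = $value }
    }
}

if ($Mode -eq 'Save') {
    Get-PolicySnapshot | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath -ErrorAction Stop)
$current  = @(Get-PolicySnapshot)
$drift = 0
for ($i = 0; $i -lt $current.Count; $i++) {
    if ($current[$i].Value -ne $baseline[$i].Value) {
        $drift++
        Write-Warning ("{0}\{1}: was {2}, now {3}" -f $current[$i].Key, $current[$i].Name, $baseline[$i].Value, $current[$i].Value)
    }
}
if ($drift -eq 0) { Write-Output 'Both values match the baseline.' }
# Exit code is the number of values that still differ from the baseline.
exit $drift
```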
