0x800710D8 Error when trying to add new Applocker Publisher rule

  • Question

  • When trying to add a new Applocker Publisher rule for Office 2010 products to my group policy, I get the following error:

    "The publisher information cannot be extracted from the specified file: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE. Reason: The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)"

    I'm using Windows 7 x64 SP1 and the same happens with any other Microsoft executables I select.

    Any help would be gratefully received.

    Friday, April 8, 2011 2:41 PM

Answers

  • Have resolved the issue using Setreg (part of Windows SDK) to set my Software Publishing State to the following:

    1) Trust the Test Root - FALSE

    2) Use expiration date on certificates - TRUE

    3) Check the revocation list - TRUE

    4) Offline revocation server OK (Individual) - TRUE

    5) Offline revocation server OK (Commercial) - TRUE

    6) Java offline revocation server OK (Individual) - TRUE

    7) Java offline revocation server OK (Commercial) - TRUE

    8) Invalidate version 1 signed objects - FALSE

    9) Check the revocation list on Time Stamp Signer - FALSE

    10) Only trust items found in the Trust DB - FALSE


    I can now see the certificates as my Admin account and can also add files to Applocker rules.

    Cheers for your suggestions though.

    Neil


    • Marked as answer by NeilGWood Tuesday, May 17, 2011 10:53 AM
    Tuesday, May 17, 2011 10:52 AM

All replies

  • Hi,

     Does this happen only from a single machine or from any? Do you get the error when you browse for and select the file or at another time? If you open the properties of the file in Windows Explorer and check the Digital Signatures tab, what do you see? Also, when you say any other MS executables, do you just mean Office 2010 or other files? What is the result if you select another publisher's file (say Adobe Reader)?


    Thanks,

    Guy

    Friday, April 8, 2011 4:25 PM
  • Good morning,

    I get the same error on a couple of machines (both Win7 x64). I get the error when I browse for the file through the Applocker rule wizard; I've not seen the error before. When I look at the Digital Signatures, I get the following:

    "Digital Signature Information. The revocation process could not continue - the certificate(s) could not be checked."

    when I click on View Certificate, I get:

    "Windows cannot determine the validity of this certificate because it cannot locate a valid certificate revocation list from the certification authority that issued this certificate."

    It also says "Valid from 07/12/2009 to 07/03/2011".

    I did indeed mean other MS Office executables; however, I've just tried Adobe Reader X and I get the same error. The digital certificate gives the same revocation list error, but the certificate is valid until 05/11/2012.

    There certainly seems to be a certificate issue here, but is that a coincidence or would that be the root of my problems?

    Monday, April 11, 2011 8:09 AM
  • I think there's a good chance this is the root cause. Windows will not be able to trust the signature if it can't determine revocation status and therefore AppLocker can't create a rule based on the signature. It is possible to turn off revocation checking but that's usually a very bad idea as you may end up trusting a certificate that has been compromised.

    When you view the certificate, on the details tab, there should be a property called 'CRL distribution points'. Check the URL listed here and see if you can reach it. If not, check if it is a name resolution (DNS) issue or connectivity issue and correct the issue before trying again.


    Thanks,

    Guy

    Monday, April 11, 2011 3:36 PM
  • The network I'm working on isn't attached to the internet, so it won't be able to reach the URL listed in the CRL Distribution Point (shown below):

    URL=http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl

    Strangely, this certificate problem when looking at an executable file only occurs with my Admin account; my normal account says that the certificate is OK. As such, I'm now trying to find out what the difference is between the policies for Admin and standard users.

    I've spent most of the day trying to find what might be causing the difference. Any suggestions where to look? It's unlikely to be a DNS or connectivity problem if it's working as my standard user on the same machine, but I'm willing to try anything! :-)

    Cheers

    Neil

    Monday, April 11, 2011 4:08 PM
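An added diagnostic script (not part of this thread) that reproduces the checks Guy describes and that Neil did by hand: it reads the Authenticode signer certificate of the file, lists and probes its CRL distribution points, builds the chain with online and offline revocation checking so the exact chain status is visible, and reads the per-user Software Publishing State value that setreg edits. It assumes PowerShell 3 or later (for Invoke-WebRequest); the file path defaults to the one from the question.

```powershell
# Added example, not from the original thread. Assumes PowerShell 3+.
param(
    [string]$Path = 'C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
if (-not $sig.SignerCertificate) { throw "No Authenticode signer found on $Path" }
$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)"
"Valid            : $($cert.NotBefore) to $($cert.NotAfter)"

# CRL Distribution Points extension (OID 2.5.29.31). Its formatted text
# contains 'URL=' lines, the same text shown on the certificate Details tab.
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
}
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "CRL reachable    : $u (HTTP $($r.StatusCode))"
    } catch {
        "CRL unreachable  : $u ($($_.Exception.Message))"
    }
}

# Build the chain twice: Online fetches CRLs, Offline uses cached CRLs only.
# On an isolated network expect RevocationStatusUnknown / OfflineRevocation,
# which is what the 'revocation process could not continue' dialog reports.
foreach ($mode in 'Online', 'Offline') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$mode
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)
    "Chain ($mode) : $(if ($ok) { 'OK' } else { 'FAILED' })"
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
}

# Per-user value edited by setreg. It lives under HKCU, so it can differ
# between an admin account and a standard account on the same machine;
# run this once under each account to compare.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
"Software Publishing State : $(if ($null -ne $state) { '0x{0:X}' -f $state } else { '(not set)' })"
```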
  • There's an IE setting that can disable checking for revocation (Advanced tab, Security section). You can try to check if that's a difference between the two.


    Thanks,

    Guy

    Monday, April 11, 2011 9:27 PM
  • The IE policies don't appear to differ, so I'm at a loss. We're continuing to investigate, but any further suggestions would be more than gratefully received.

    Cheers

    Neil

    Tuesday, April 19, 2011 10:23 AM
  • Hi,

     Can you set the IE setting to prevent checking for CRLs for your admin account and see if it helps? Also, are there any cert related errors in your event log? I'd check the application and system event logs.


    Thanks,

    Guy

    Tuesday, April 19, 2011 3:43 PM
  • Hi,

    I've disabled the option found here:

    Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Check for server certificate revocation.

    but with no luck. Is this the correct setting do you think?

    Neil

    Wednesday, April 20, 2011 3:23 PM
  • Yes, assuming it's taking effect. You can always work with the settings locally until you get it working and then translate to a GPO. Any more info in the event log? Are there GPO differences between your admin account and your standard user?


    Guy

    Wednesday, April 20, 2011 4:13 PM
  • For reference,

    I ran into this problem on Windows 10 setting an AppLocker exception. Changing the option in Internet Options->Advanced->Security->check for publisher's certificate revocation worked for me. I couldn't find the setreg program anywhere.

    Tuesday, November 13, 2018 4:04 PM