KB2918614 breaks Windows Installer Service

I didnt know where best to post a bug report about KB2918614.

This is for Windows 8.1 Pro

It appears on August 13 I received KB2918614 and immediately after I began having trouble with certain MSI installations, especially those that required any version of Visual C++ Redistributable to be installed.

Now, of course I have most of those already installed, but the install process of many programs runs those redistributables before the actual install runs.  It would always give me the error of "key not valid for use in specified state" and exit with a 1603 event.

I didnt know what caused the problem at the time and went through many troubleshooting steps including sfc/scannow, registry modifications (which have all been switched back to their original values), and attempts at re-installing the Windows Installer Service for Windows 8.1 (5.0) which apparently does not have its own redistributable install file.

Eventually I determined that I received a large number of updates on 8/13, so I removed them all.  This immediately fixed my problem.

As I didnt know if that was a fluke and I didnt know which specific update caused the problem, on reboot they all re-installed.

The problem returned as soon as I started back into windows.

I went through each of the knowledgebase articles and located KB2918614 as being the only one that modifies the MSI Windows installer service files.

I have now removed and hidden this update.

I wanted to notify Microsoft of this issue but did not know the best method to do so, so I am posting it in the Microsoft community in the event another user has the same problem as I did in order to work around it.
 

Discussion Info


Last updated March 19, 2020 Views 72,580 Applies to:

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.

This is the word from the MS Enterprise Support folks.

Apparently they are not aware of any fix to this. At-least as of now.

All they are saying that this KB is to fix a security loophole.

I don't understand what kind of a security fix this is- one that allows a Fresh Install without an UAC prompt, but throws an UAC prompt only for the Upgrade.

Workaround 1: Distributing hash.

Capture the Hash file* in one machine and distribute them to other machines.

Hash files are created under “%windir%\installer” directory. The naming convention is as follows: “SourceHash<product GUID>

* This file is created only when a Product is installed with KB2918614 installed on the machine.This directory is hidden. Open cmd prompt using 'run as administrator'. Traverse to this path and open the folder using "explorer ." command.

[I couldn't solve the issue using this approach- may be because accessing this directory requires administrator privileges which the Windows Installer itself might not have]

Workaround 2: Whitelisting.

Only if you trust the application that it is always digitally signed and doesn't contain anything malicious(even in the future).

Step 1: Enable Whitelisting

Under Key “HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer”, create a DWORD: “SecureRepairPolicy” and set its Value to 2.

Step 2: Add the application to the whitelist

Create a new key “SecureRepairWhitelist” under "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer” and create StringValues with the product codes(Including flower brackets {}) of the product.

-------

Sadly though, both these workarounds need admin privileges!


Hi,  I just ran into this problem when trying to install (push) the updated Backup Exec agent.  When you uninstall the update is a reboot of the machine required?

C:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA

Delete content in the above location, and the problem will be resolved.

After reading a ton of materials, I can't believe this simple solution works beautifully for me. I did not even delete anything, just moved the entire folder under RSA folder to the desktop and boom...I can install any msi application. It's been a couple of months fighting with this ****. Thank you very much user Robert Aldwinckle!! You are the man sir.

C:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA

Delete content in the above location, and the problem will be resolved.

Thank you very much user

Notice who you replied to?   Poster  Aznarepse  deserves the credit for this discovery I think.   ; )

Thanks for confirming the suggestion.

There may be a need to reboot if you want to install something else, for instance the msi database might end up where it needs a reboot to finish its process before it can be in a ready state.

C:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA

Delete content in the above location, and the problem will be resolved.

Thank you very much user

Notice who you replied to?   Poster  Aznarepse  deserves the credit for this discovery I think.   ; )

Thanks for confirming the suggestion.

Sorry...my bad!

Uninstalling this update, and then "hiding" it has helped me.

Not sure what Microsoft did, but updates are working again. Even able to install Java now :).

thanks MS.

"The profile for the user is a temporary profile" error when you install
a MSI package in Windows:
http://support.microsoft.com/kb/3000988

See if this fixes your issue please?

"The profile for the user is a temporary profile" error when you install
a MSI package in Windows:
http://support.microsoft.com/kb/3000988

See if this fixes your issue please?

Could you please provide the KB ID of this Windows Update.

Thanks.

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.