On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019


Mcinwwl

@Dave-H Yesterday I had trouble accessing Google and other web sites using HTTPSProxy. What had happened? I checked and found out that HTTPSProxy's cacert.pem was faulty. I downloaded a new one manually from this link https://curl.se/ca/cacert.pem and copied it into HTTPSProxy's program folder. I deleted all certificates in the certs folder and after starting the proxy I could access all sites without any problems. Updating cacert.pem in the SysTray menu is working again. So what is the teaching of that? You have to check, and deeply too. Comparing two files only by size and date is not enough. A binary comparison is necessary, or comparing hash values. You can do it for example with Total Commander. So download a fresh cacert.pem from the link above and compare it to yours just to be sure your certs are valid and proper in your HTTPSProxy's program folder. Here is a screenshot of my Intermediate Certificate Authorities (there are Microsoft related certificates too): https://imgur.com/G2ogHnj
I don't know if they are relevant, they seem to be expired. And here are my Third Party Root Certificate Authorities: https://imgur.com/vY3dnq8
What is your current time server? And please upload a new WindowsUpdate.log! Maybe something has changed.
A lot of Windows users have reported getting error code 0x80072f8f due to activation problems. So my next question. Is your Windows XP Professional properly activated? Do you have Windows Genuine Advantage (WGA) Validation Tool installed and what is your version? As far as I know the latest version for XP is 1.9.40.0. And I know a lot of questions. Sorry! :crazy:

Edited by AstroSkipper
correction
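
Added example, not part of AstroSkipper's post or of HTTPSProxy: a Python sketch of the check the post recommends, comparing a local cacert.pem with a fresh copy by hash rather than by size, and also reporting which PEM blocks are structurally damaged. The two bundles are constructed stand-ins with filler bytes instead of real certificates; the function names are hypothetical.

```python
import base64, hashlib, re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def der_length_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) of the declared length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text):
    """Return (sha256 fingerprints of well-formed blocks, list of problems)."""
    prints, problems = set(), []
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END markers")
    for i, m in enumerate(PEM_RE.finditer(text), 1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: invalid base64")
            continue
        if der_length_ok(der):
            prints.add(hashlib.sha256(der).hexdigest())
        else:
            problems.append(f"block {i}: DER length mismatch")
    return prints, problems

def compare(local, fresh):
    """Compare a local bundle against a freshly downloaded reference copy."""
    sha = lambda s: hashlib.sha256(s.encode()).hexdigest()
    local_fp, problems = check_bundle(local)
    fresh_fp, _ = check_bundle(fresh)
    return {"same_size": len(local) == len(fresh), "same_hash": sha(local) == sha(fresh),
            "problems": problems, "missing": fresh_fp - local_fp}

# Constructed stand-ins, not real certificates: a SEQUENCE header plus filler bytes.
def _pem(payload):
    der = b"\x30" + bytes([len(payload)]) + payload
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

FRESH = _pem(b"root-A" * 5) + _pem(b"root-B" * 5)
_i = FRESH.rindex(BEGIN) + 40                  # a base64 character in block 2
LOCAL = FRESH[:_i] + "*" + FRESH[_i + 1:]      # one damaged byte, same file size

if __name__ == "__main__":
    print(compare(LOCAL, FRESH))
```

For real files, read both bundles from disk and pass their contents to `compare`; a size-only comparison would have called these two samples identical.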


4 hours ago, Dave-H said:

After a bit of registry editing, this is my IE8 UA now.

Clipboard-1.thumb.png.2958d5ce531a648a81b7ff8e784abf19.png

No change on Microsoft Update.
I will try disabling Malwarebytes.
I already have Autoruns installed, although the self-protection module might fight it.
As it was that which gave me grief before I'm a bit apprehensive, but I'll give it a go!
:)
 

This root certificate installer is specially designed for ProxHTTPSProxy. Try installing it.

ProxHTTPS Cert Install.exe ProxHTTPS Cert UnInstall.exe


6 hours ago, AstroSkipper said:

@Dave-H Yesterday I had trouble accessing Google and other web sites using HTTPSProxy. What had happened? I checked and found out that HTTPSProxy's cacert.pem was faulty. I downloaded a new one manually from this link https://curl.se/ca/cacert.pem and copied it into HTTPSProxy's program folder. I deleted all certificates in the certs folder and after starting the proxy I could access all sites without any problems. Updating cacert.pem in the SysTray menu is working again. So what is the teaching of that? You have to check, and deeply too. Comparing two files only by size and date is not enough. A binary comparison is necessary, or comparing hash values. You can do it for example with Total Commander. So download a fresh cacert.pem from the link above and compare it to yours just to be sure your certs are valid and proper in your HTTPSProxy's program folder. Here is a screenshot of my Intermediate Certificate Authorities (there are Microsoft related certificates too): https://imgur.com/G2ogHnj
I don't know if they are relevant, they seem to be expired. And here are my Third Party Root Certificate Authorities: https://imgur.com/vY3dnq8
What is your current time server? And please upload a new WindowsUpdate.log! Maybe something has changed.
A lot of Windows users have reported getting error code 0x80072f8f due to activation problems. So my next question. Is your Windows XP Professional properly activated? Do you have Windows Genuine Advantage (WGA) Validation Tool installed and what is your version? As far as I know the latest version for XP is 1.9.40.0. And I know a lot of questions. Sorry! :crazy:

HTTPSProxy seems to be working fine here, no problems with any sites at all.
How did you determine that cacert.pem was faulty?
I had updated mine a few days ago, and it's dated 26th October 2021.
I tried the disabling of Malwarebytes using Autoruns, which seemed to amount just to the main service and a couple of shell extensions, and it did work and Malwarebytes is OK again now (phew!) but it made no difference to MS Update.
My current time server is still your German one, as we discussed the other day, using the default Windows updating process.
Here's my equivalent of your two Microsoft certificate lists -

Clipboard-1.thumb.png.00d102613367c55ad57bc9205e84f136.png

Clipboard-2.thumb.png.10cb60805922dfdc4dbc3ea4ecd1bddd.png

I see you have two apparently identical Microsoft Windows Hardware Compatibility certificates too! I don't know why that is.

Windows XP is certainly activated, I've had to do it a few times in recent years due to changes of motherboard, and I'm always relieved that it still works, tedious process though it is doing it on the phone!
My version of WgaTray.exe is indeed 1.9.40.0.
:yes:

WindowsUpdate.log


4 hours ago, maile3241 said:

This root certificate installer is specially designed for ProxHTTPSProxy. Try installing it.

ProxHTTPS Cert Install.exe 157.19 kB · 13 downloads ProxHTTPS Cert UnInstall.exe 157.19 kB · 1 download

Those are the same programs that come with ProxHTTPSProxyMII, which I used for years.
I have indeed used them when I still had it installed (I'm using HTTPSProxy at the moment to mirror AstroSkipper's system).
It never made any difference to the current problem with MS Update.
:)


@Dave-H I've read an interesting article by a person who had the same error code, and the solution was a missing certificate in a chain of certificates. Check if the following certificate exists under Trusted Root Certification Authorities: GTE CyberTrust Global Root valid until 14.08.2018. I know it has expired but I've read that such expired certificates can still be in use. It's just a try.

Furthermore I've found another tip that obviously had helped others:

Quote

Adding the program WuauClt.exe into the exception list of firewall fixes the 0x80072f8f problem in some cases.

And one more question: Do you have a normal installation of XP or are you running it in a VM? Is your computer a client or server in a network or a stand-alone one?

Edited by AstroSkipper
correction

That GTE CyberTrust Global Root certificate is on my system, dated 13.08.2018, one day before yours!
I doubt that's significant.
Adding WuauClt.exe to the list of Windows firewall exceptions hasn't changed anything.
My XP is a normal installation on a standalone PC, it is on a domestic network but nothing else.
:)


@Dave-H Ok, thanks for further details! I have compared our lists of certificates intently. If you had compared our lists of certificates intently too you would have realized that only one of them is identical. And that is the list of certificates referring to Microsoft in Third Party Root Certification Authorities. But in my list of Intermediate Certification Authorities I have 8 certificates referring to Microsoft and you only 3. Have a look! That's a big difference. If wanted I can upload these missing certificates via PM so that you can import them under Intermediate Certification Authorities. As I told you two posts above expired certificates can still be required and in use too.

At last I have analyzed your Windows Update Log once again. Here are the interesting lines:

2022-02-01    22:53:27:781    1856    9b0    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2022-02-01    22:53:27:781    1856    9b0    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
2022-02-01    22:53:28:796    1856    9b0    Misc    WARNING: Send failed with hr = 80072f8f.
2022-02-01    22:53:28:796    1856    9b0    Misc    WARNING: SendRequest failed with hr = 80072f8f. Proxy List used: <https=localhost:8080> Bypass List used : <<local>> Auth Schemes used : <>
2022-02-01    22:53:28:796    1856    9b0    PT      + Last proxy send request failed with hr = 0x80072F8F, HTTP status code = 0
.
.
.
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: GetConfig failure, error = 0x80072F8F, soap client error = 5, soap error code = 0, HTTP status code = 200
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: PTError: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: GetConfig_WithRecovery failed: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: RefreshConfig failed: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: RefreshPTState failed: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: Sync of Updates: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: SyncServerUpdatesInternal failed: 0x80072f8f
2022-02-01    22:53:28:796    1856    9b0    Agent      * WARNING: Failed to synchronize, error = 0x80072F8F
2022-02-01    22:53:28:796    1856    9b0    Agent      * WARNING: Exit code = 0x80072F8F

As we already know, Microsoft Update 0x80072f8f error code means ERROR_INTERNET_SECURE_FAILURE ErrorClockWrong. What does it really imply in your case? You can see it in your Windows Update Log. Look at bold text! A client fails to contact its server. In your case client is your computer and server is Microsoft Update Server. Request sent from your computer to MU failed. Synchronizing of client and server failed. Getting configurations failed. That's your problem. What is the conclusion? The connection and synchronization failures between client and server have to be fixed. At first we have to think about what we've already restored and fixed. The Windows Update Agent looks fine and you have reported that all steps of my post "Manually reset Windows Update components (KB971058)" have been performed:

Have you performed step 4 too or have you skipped it as recommended?

Quote

If this is your first attempt at resolving your Windows Update issues by following the steps in this article, you should skip step 4 and go to step 5.

If you skipped step 4 then it should be caught up. Furthermore I added another registering of a DLL component in step 6:

Quote

And the following added by me (@AstroSkipper):
regsvr32.exe mssip32.dll

Perform this registering to complete step 6.
Now some settings: Go to IE Internet Options, Advanced and click to select the Use HTTP 1.1 and the Use HTTP 1.1 through proxy connections check boxes if not already selected.
Next check if system service HTTP-SSL has been started. If not, start it and set it to Auto Start.
Now reboot your computer, try to access MU again and post your Windows Update Log.
If these tips don't solve the problem I have another one: Change your DNS servers to Cloudflare or Google and check if it helped. I often use DNS servers of Cloudflare but at the moment the servers of my provider.
So far from me today! :hello:

Edited by AstroSkipper
addition
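
Added example, not part of AstroSkipper's post: a Python sketch that does the log reading described above mechanically, pulling the server URL, the proxy in use and every HRESULT out of WindowsUpdate.log lines and splitting the HRESULT into its facility and code fields. The sample lines are copied from the excerpt quoted in the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the log excerpt quoted in the post above.
SAMPLE = """\
2022-02-01    22:53:27:781    1856    9b0    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2022-02-01    22:53:27:781    1856    9b0    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
2022-02-01    22:53:28:796    1856    9b0    Misc    WARNING: Send failed with hr = 80072f8f.
2022-02-01    22:53:28:796    1856    9b0    Misc    WARNING: SendRequest failed with hr = 80072f8f. Proxy List used: <https=localhost:8080> Bypass List used : <<local>> Auth Schemes used : <>
2022-02-01    22:53:28:796    1856    9b0    PT      + Last proxy send request failed with hr = 0x80072F8F, HTTP status code = 0
2022-02-01    22:53:28:796    1856    9b0    PT    WARNING: GetConfig failure, error = 0x80072F8F, soap client error = 5, soap error code = 0, HTTP status code = 200
2022-02-01    22:53:28:796    1856    9b0    Agent      * WARNING: Failed to synchronize, error = 0x80072F8F
"""

# date, time, process id, thread id, component, message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d:\d{3})\s+(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$")
# Failure HRESULTs have the top bit set, so the first hex digit is 8 or above;
# this sketch only looks for the common 0x8....... range, with or without "0x".
HRESULT = re.compile(r"\b(?:0x)?(8[0-9a-fA-F]{7})\b")

def decode_hresult(hr):
    """Split an HRESULT into severity bit, 11-bit facility and 16-bit code."""
    return {"failure": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def triage(text):
    out = {"server_url": None, "proxy": None, "local_proxy": False,
           "errors": Counter(), "first_failure": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # elision dots, blank lines, wrapped text
        _date, time, _pid, _tid, component, msg = m.groups()
        if (u := re.search(r"Server URL = (\S+)", msg)):
            out["server_url"] = u.group(1)
        if (p := re.search(r"Proxy List used: <([^>]*)>", msg)):
            out["proxy"] = p.group(1)
            host = p.group(1).split("=")[-1].rsplit(":", 1)[0]
            out["local_proxy"] = host in ("localhost", "127.0.0.1")
        codes = [int(c, 16) for c in HRESULT.findall(msg)]
        out["errors"].update(codes)
        if codes and out["first_failure"] is None:
            out["first_failure"] = (time, component, msg)
    return out

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["server_url"], r["proxy"], {hex(k): v for k, v in r["errors"].items()})
    print(decode_hresult(0x80072F8F))     # facility 7 is FACILITY_WIN32
```

On the sample, every failure carries the same code, and the proxy field shows the Windows Update client sending its HTTPS requests through a proxy on the same machine.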

I did do step 4 when I did the rest of them, just for completeness. I couldn't see any reason not to in this case.
I registered the extra dll.
I've now checked 'Use HTTP 1.1', but strangely 'Use HTTP 1.1 through proxy connections' isn't there.
That is puzzling. I don't remember ever seeing it!
I found that my 'HTTP SSL' service was disabled. I have no idea why, I can only assume it was one of the services deemed to be unnecessary when I went through the system years ago following recommendations to disable all unnecessary running processes to speed up boot time and performance.
I've put it on Automatic now.
Sadly, after a reboot, nothing had changed.
:no:

WindowsUpdate.log


Here are the DNS servers I suggested: Google Public DNS: 8.8.8.8, 8.8.4.4 and Cloudflare: 1.1.1.1, 1.0.0.1.
Try them!
And here's another fix referring to error code 0x80072f8f I have found while researching:
Open in a registry editor the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastRestorePointSetTime. Here you can see a date and a time (that's my idea to find a suitable point in time).
Now go back to this date and time plus for example one hour. Try to access MU. Reboot. Then adjust clock to current date and time. Do a synchronization. Reboot. Then try again!
The idea is to go back in time to the last successful update on MU web site and try to access the MU server. Some people had success with turning back time to solve error code 0x80072f8f.
And here is a screenshot of my Internet Options - Advanced referring to HTTP settings: https://imgur.com/EHW7rix

Edited by AstroSkipper
correction

@Dave-H What about the 5 missing certificates under Intermediate Certification Authorities? You didn't mention it.

In the next days I'll post another very interesting solution to fix your problem. I still have to work it out a bit. Of course if turning back time doesn't help! Now I'll go to bed. Cheers! :)

Edited by AstroSkipper
correction

@Dave-H
Due to the fact that the Microsoft service HTTP-SSL was disabled in your system I think it is a good idea to compare our Microsoft services and their status generally to be sure all necessary system services are still working. There might be some services not being essential but anyway in my system Microsoft Update is working properly. To do that download the tool ServiWin 1.71 from NirSoft. Here is the homepage link: https://www.nirsoft.net/utils/serviwin.html and here the download link: https://www.nirsoft.net/utils/serviwin.zip. It's portable so there is nothing to install. I've taken two screenshots of all Microsoft services existing in my system listed by ServiWin. Columns with German description have been faded out. So it's much easier for comparing. Here they are: https://imgur.com/az67Jo6 and https://imgur.com/bIQ2jIN. :w00t:

 


20 hours ago, AstroSkipper said:

Here are the DNS servers I suggested: Google Public DNS: 8.8.8.8, 8.8.4.4 and Cloudflare: 1.1.1.1, 1.0.0.1.
Try them!
And here's another fix referring to error code 0x80072f8f I have found while researching:
Open in a registry editor the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastRestorePointSetTime. Here you can see a date and a time (that's my idea to find a suitable point in time).
Now go back to this date and time plus for example one hour. Try to access MU. Reboot. Then adjust clock to current date and time. Do a synchronization. Reboot. Then try again!
The idea is to go back in time to the last successful update on MU web site and try to access the MU server. Some people had success with turning back time to solve error code 0x80072f8f.
And here is a screenshot of my Internet Options - Advanced referring to HTTP settings: https://imgur.com/EHW7rix

Changing the DNS servers made no difference.
I've looked at that registry key, and unfortunately it's a date where I can't tell whether it's in American format or the sensible format that the rest of the world uses.
Do you know which it is? I'm guessing US format, but just wanted to be sure.
Our Internet Options Advanced tabs are actually the same, sorry I had a "senior moment" there!
Both the 'Use HTTP 1.0' options are checked.
As for the missing certificates, I honestly have absolutely no idea why they're not there. I've never deleted any, so I can only assume that they have never been there!
And I have absolutely no reason to think that there's anything fundamentally wrong with my IE8 installation, it works fine (with HTTPSProxy) on every other website I've tried it on that it will still display, which is not that many now of course! That's not because it's faulty of course, it's just now much too far out of date to cope with current sites! If the installation were faulty it would be malfunctioning far more I'm sure, but it's only Windows Update and Microsoft Update which have a problem as far as I can see. Even they are loading their ActiveX controls and displaying absolutely fine, it's just the scanning which is failing, which must be just a certificate problem.
:)
 


@Dave-H Do you want me to upload these missing certificates via PM or not? Your decision. By the way I found out that on platform imgur images in jpg format have a bad quality due to strong compression. Therefore here is a link to my two screenshots of all Microsoft services existing in my system listed by ServiWin but more readable plus all services in a txt file: https://www.mediafire.com/file/odq8y7iyx7i5kdf/Microsoft_services_-_AstroSkipper.7z/file
