Google Update Helper – Error 1260 – Windows cannot open this program because it has been prevented by a software restriction policy

Background

While chasing down another bug, I returned to my Event Viewer and noticed many entries for failed “Google Updates“.

Error Message

Listing:

EventViewer-Errors

 

Explanation:

  1. So basically every hour, specifically at the 55th minute, we are registering an error.

Textual:


The description for Event ID ( 11260 ) in Source 
( MsiInstaller ) cannot be found. 

Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a 
software restriction policy.

 

Visual:

EventViewer-Error-EventID-11260

 

Google Search

Google Matches

Performed the perfunctory Google search, and here is what kept coming up:

  1. “Windows cannot open this program because it has been prevented by a software restriction policy” error message when a user tries to open a file in Windows Server 2003
    https://support.microsoft.com/en-us/kb/873419

    • Advapi32.dll
      • 5.2.3790.199
      • File Date :- 17-Aug-2004

 

Download & Install

Downloaded and attempted to install KB 873419.

Received the message pasted below.

Textual:

Setup has detected that the Service Pack version of this system is newer than the update you are applying.

There is no need to install this update.

 

Image:

KB873419Cropped

 

Google Some More

After a while, I googled some more and found more promising leads:

  1. ECI DDMS – Removing Windows Security Update KB2918614 & KB3072630
    http://support.ecisolutions.com/doc-ddms/keyop/setup/RemovingWinSecurityUpdateWinServer2003.pdf
  2. IBM – Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy.
    http://www-01.ibm.com/support/docview.wss?uid=swg21690353
  3. SolidWorks

 

Steps

Overview

So following the instructions carefully detailed in the posting by ECI DDMS, here is what we did:

  1. Accessed the Windows Registry and enabled RemappedElevatedProxiesPolicy
  2. Ensure that hotfix KB3072630 and corresponding hotfixes are no longer offered

 

Windows Registry Change

Accessed registry branch “HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer” and added/set registry entry for RemappedElevatedProxiesPolicy to 1

Script

Read Value


@REM Reg query
@REM https://technet.microsoft.com/en-us/library/Cc742028.aspx
@REM HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer RemappedElevatedProxiesPolicy
set "keyName=HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer"
set "valueName=RemappedElevatedProxiesPolicy"
reg query %keyName% /v %valueName%


Output:

readRegistryOriginal

Effect Change


@REM Reg add
@REM https://technet.microsoft.com/en-us/library/Cc742162.aspx
@REM KeyName = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer 
@REM Item = RemappedElevatedProxiesPolicy
set "keyName=HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer"
set "valueName=RemappedElevatedProxiesPolicy"
set "valueType=REG_DWORD"
set "value=1"
reg add %keyName% /v %valueName% /t %valueType% /d %value%

 

Output:

RegistryOriginalWrite

 

GUI

GUI Original

GUIOriginal

 

GUI Revised

GUIRevised

 

Say No to KB2918614

There are a couple of avenues through which KB2918614 is made available.  They include:

  1. Desktop Automatic Updates
  2. Microsoft Update Web Site
  3. Corporate

KB Hotfixes

There are corresponding updates that we need to say No to, as well.  Here is the current list:

| KB | Title | Date |
|---|---|---|
| KB3072630 | MS15-074: Vulnerability in Windows Installer service could allow elevation of privilege: July 14, 2015 | 2015-July-14 |
| KB2918614 | MS14-049: Description of the security update for Windows Installer Service: August 12, 2014 | 2014-August-12 |

 

 

Desktop Automatic Updates

Access “Automatic Updates” via your Desktop status panel.

StatusPanel

Automatic Updates

Choose updates to install

Here is the “Choose updates to install” window once we unchecked “Updates for Windows Server 2003 (KB2661254)”.

HideUpdates

Hide Updates

Please check “Don’t notify me about these updates again”.

HideUpdatesAfter

 

Repeat

Please repeat the same for the hotfixes listed in this post.

 

Issues

Microsoft acknowledges that there are issues with the KB hotfix.

  1. After you install this security update and try to install any MSI package that uses a mandatory or temporary user profile, the MSI package installation fails, and you receive an error message that resembles the following:
    • The profile for the user is a temporary profile
    • MSI Log :- SECREPAIR: A general error running CryptAcquireContext / Crypt Provider not initialized. Error:-2146893813
  2. After you install this security update, you may receive a User Account Control (UAC) prompt when you try to use remote deployments, centralized deployments, or other local methods to reinstall a program that was already installed before the security update was installed.

 

Workaround

Microsoft’s workaround includes using a tool such as ORCA to get the application’s product code.

Once the code is known one can register that product and others under the SecureRepairWhitelist key.

The operability of this approach is a bit reliant on vendors ensuring that their application’s product code stays the same through maintenance and patches.
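As an added example (not part of the original steps and not Microsoft's own script), here is what registering a single product under SecureRepairWhitelist could look like with the same reg.exe tooling used earlier. The product code is a placeholder, and the SecureRepairPolicy value name and its data of 2 are assumptions taken from Microsoft's published workaround for KB2918614 rather than from this post, so confirm them against the KB article before use.

```batch
@echo off
setlocal
REM Added example: whitelist ONE MSI product code for secure repair.
REM productCode is a PLACEHOLDER; read the real ProductCode from the
REM package's Property table (for example with Orca).
set "baseKey=HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer"
set "productCode={00000000-0000-0000-0000-000000000000}"

REM Refuse anything that is not shaped like a braced GUID, so a typo does
REM not end up as a stray value under the policy key.
echo %productCode%| findstr /r /x /c:"{[0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*-[0-9A-Fa-f]*}" >nul
if errorlevel 1 (
    echo Not a braced GUID: %productCode%
    exit /b 1
)

REM Assumption (from the KB2918614 workaround, not from this post):
REM SecureRepairPolicy = 2 tells Windows Installer to honour the whitelist.
reg add "%baseKey%" /v SecureRepairPolicy /t REG_DWORD /d 2 /f || exit /b 1

REM The value NAME is the product code; the data is left empty.
reg add "%baseKey%\SecureRepairWhitelist" /v "%productCode%" /t REG_SZ /f || exit /b 1

REM Read back what was written.
reg query "%baseKey%" /v SecureRepairPolicy
reg query "%baseKey%\SecureRepairWhitelist"
endlocal
```

Because only the listed product codes are exempted, this keeps the hotfix installed for every other package on the machine.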

 

Summary

MSFT continues to be under intense pressure to protect its surface area. Unfortunately, sometimes that will involve breaking working approaches and applications, and forcing vendors to return to Redmond and work towards a new working API and understanding.
