<-- Articles Index / Microsoft Visual Studio Offline Help Fix - Error: CAB was not signed by Microsoft 
1
Microsoft Visual Studio Offline Help Fix - Error: CAB was not signed by Microsoft

Date: Feb 8, 2020
Last-Modified: Feb 8, 2020

RANT:
There is nothing worse than wasting valuable time working around bugs in Microsoft's products, most notably, just getting them installed. This is why I'm seldom coerced into pointless upgrades. I had already encountered many issues getting the Visual Studio install layout working on multiple machines, and now I had to deal with another buggy Microsoft downloader tool just to access the offline help. Why offline help wasn't a couple ISO images is beyond me. Why couldn't offline help be integrated into the Visual Studio install layout? Why is the whole Visual Studio installation process and new help file formats so needlessly complicated?

THE PROBLEM:
Once you choose your "books" in the "Add and Remove Content" tab of the Microsoft Help Viewer, you will have to wait for up to many GB to download, depending on your selections. After the download is complete, you might see the following error:

Help Viewer Error: Cab Not Signed by Microsoft

"An error occurred while updating content: File XYZ.cab was not signed by Microsoft"
Additionally, each time you re-try the download process, such as after re-installing root certificates or other measures, the program isn't smart enough to retain the downloads. It deletes them. Gigabytes of download time wasted, just to see that Microsoft can't validate files coming from their own servers. By the way, the digital signatures on the downloaded CAB files are fine. They are all signed by a Microsoft cert whose chain is valid down to the issuing Microsoft Root CA. Microsoft is enforcing driver-level security on help files which I personally think is overkill.

If you search for a solution, you will find many people have experienced this bug in all recent Visual Studio versions (2015, 2017 and 2019). This issue was supposedly fixed in 2019 according to Microsoft's blog posts, however many people have posted on these same forums that the problem is still occurring. Microsoft engineers have repeatedly responded that they can't reproduce the bug on their clean machines, or on Windows 10 and opt to close the issue. They also claim people aren't submitting proper bug reports for them to diagnose the problem. The only solutions provided by the posts, were to un-install Help Viewer then update the Visual Studio layout and re-install the Help Viewer; or, install some ancient 2013 KB-updates, whose downloads have been removed from Microsoft download servers.

THE FIX:
I had been experiencing this problem using Visual Studio 2017 on a Windows 7 x64 machine by the way, and I had already wasted a day fiddling with the Help Viewer Content Manager downloader. Seeing that I would waste less time just fixing the program myself, I started by analyzing the Help Viewer process' executable at "C:\Program Files (x86)\Microsoft Help Viewer\v2.3\HlpViewer.exe". From the PE Headers, we can see that it is a .NET executable, so the next step is to open it up in a .NET decompiler. I happened to use .NET Reflector in hopes of finding the certificate validation routine.

Drilling down into the executable and its references I eventually ended up at:

    Microsoft.VisualStudio.Help.CacheLib.CabManager.VerifyMicrosoftChain()

    private SignatureStatus VerifyMicrosoftChain(IntPtr pData, SignatureAlgorithm signatureAlgorithm, bool testRootAllowed);
     
    Declaring Type: Microsoft.VisualStudio.Help.CacheLib.CabManager 
    Assembly: Microsoft.VisualStudio.Help, Version=2.3.0.0 
.NET Reflector Reflexil View of Microsoft.VisualStudio.Help.dll

At the bottom of the function, you can see the return value is either 1 or 0 depending on the previous conditional branches. Activating the Reflexil plugin, and scrolling to the bottom of the IL opcodes, we see the last 4 instructions are:

ldc.i4.1
ret
ldc.i4.0
ret
These group of instructions represent both exit branches. To always return success, you can either change the first instruction to a "ldc.i4.0" (load zero) or NOP-out the first two instructions so both paths drop through to the return zero branch, resulting in the same effect. This will bypass the annoying error and allow installation to proceed.

Now after saving the patched "Microsoft.VisualStudio.Help.dll" file, don't worry about applying a new digital signature or removing the strong name signing when prompted. The saved file by default will not contain any a digital signature. Also note that due to the way .NET executables can be decompiled and recompiled natively using Reflection and whatever mojo is employed by the Reflexil plugin, you'll notice not only a dramatic change in file size, but a hex-diff of the contents will indicate that the file was re-built from scratch. Nevertheless, the patch works without a hitch.

This is one of many instances where Visual Studio doesn't check the validity of the digital signatures of its own DLLs. In typical Microsoft fashion, they employ rigorous security checks to ensure the help content in not only signed, but signed with a Software Publishing Certificate whose chain verifies back to a Microsoft Root CA. This is well and good, but not a single check to verify the DLL we just patched even has a digital signature. :)

Anyhow, copy the patched DLL over to "C:\Program Files (x86)\Microsoft Help Viewer\v2.3\Microsoft.VisualStudio.Help.dll" (using admin privileges as needed), but don't forget to back up the original. Restart the Help Viewer download and you'll find that Microsoft's own CAB files install without an issue. For those worried about the possibility of this patch allowing malicious CAB files, I wouldn't worry about it. The digital signatures of the CAB files are still checked; its just that whatever is causing the validation chain to fail to find Microsoft's Root CA is bypassed. If you've read this far, you probably already have a clue that the CAB files are indeed coming from Microsoft and if you were presented with a checkbox to "[ ] Bypass Rigorous Security" you would check it so you can move on with your life.

Once the help content is downloaded and installed, you can safely revert the patched file back to the original as this check is only performed during book-install. In fact, you can archive the entire offline help directory at "C:\ProgramData\Microsoft\HelpLibrary2\Catalogs\VisualStudio15", move it to another machine and the Visual Studio Help will automatically pick up the content without needing the patch or any additional downloads from Microsoft. I'm thankful Microsoft got that part of the Help Viewer right.

DOWNLOAD PATCH:
If you happen to be running the same version of Microsoft.VisualStudio.Help.dll I was using (see below), you can download the patch I created for myself. This patch was created from version 2.3.28107.0.
NOTE: this is the same version as HlpViewer.exe and HlpCtntMgr.exe. The ORIGINAL file details are as follows:

C:\Program Files (x86)\Microsoft Help Viewer\v2.3\Microsoft.VisualStudio.Help.dll
version=2.3.28107.0
md5=907a19c35a67d1b2b4f2fef7783d89b3
sha256=cbeb973cffdfcc0497d8beb2ca3a4c1d39a7d6d058eb26b84b06c9c05b9ff5f3
This patch may even work for slightly different versions of the Visual Studio modules described above. If you'd like to try it out, let me know using the comment link below if it works for you and what version of HlpViewer.exe was installed.

<END OF ARTICLE>


Questions or Comments?


 1:1