There is nothing worse than wasting valuable time working around bugs in Microsoft's products, most notably, just getting them installed.
This is why I'm seldom coerced into pointless upgrades.
I had already encountered many issues getting the Visual Studio install layout working on multiple machines, and now
I had to deal with another buggy Microsoft downloader tool just to access the offline help. Why offline help wasn't a couple
ISO images is beyond me. Why couldn't offline help be integrated into the Visual Studio install layout?
Why is the whole Visual Studio installation process and new help file formats so needlessly complicated?
Once you choose your "books" in the "Add and Remove Content" tab of the
Microsoft Help Viewer, you will have to wait for up to many GB to download, depending on your selections.
After the download is complete, you might see the following error:
"An error occurred while updating content: File XYZ.cab was not signed by Microsoft"
Additionally, each time you re-try the download process, such as after re-installing root certificates
or other measures, the program isn't smart enough to retain the downloads. It deletes them.
Gigabytes of download time wasted, just to see that Microsoft can't validate files coming from their own servers.
By the way, the digital signatures on the downloaded CAB files are fine. They are all signed by a Microsoft cert whose
chain is valid down to the issuing Microsoft Root CA. Microsoft is enforcing driver-level security on help files
which I personally think is overkill.
If you search for a solution, you will find many people have
experienced this bug in all recent Visual Studio versions (2015, 2017 and 2019).
This issue was supposedly fixed in 2019 according to Microsoft's blog posts,
however many people have posted on these same forums that the problem is still occurring.
Microsoft engineers have repeatedly responded that they can't reproduce the bug on
their clean machines, or on Windows 10 and opt to close the issue. They also claim
people aren't submitting proper bug reports for them to diagnose the problem.
The only solutions provided by the posts, were to un-install Help Viewer then update the Visual Studio layout
and re-install the Help Viewer; or, install some ancient 2013 KB-updates, whose downloads have been removed
from Microsoft download servers.
It has been reported by one of my website visitors that
when this occurs on Windows 7 (x64) using the current version of Visual Studio (2022 Preview 3.1; Help 2.3.31530.272), the issue
is resolved by installing the following Microsoft fixes in the order shown below.
I have not personally tested this.
- KB2670838
- KB3033929
- KB4490628
- KB4474419
- KB4536952
- KB4534310
I had been experiencing this problem using Visual Studio 2017 on a Windows 7 x64 machine by the way, and I had already wasted a day fiddling
with the Help Viewer Content Manager downloader.
Seeing that I would waste less time just fixing the program myself, I started by analyzing the
Help Viewer process' executable at "C:\Program Files (x86)\Microsoft Help Viewer\v2.3\HlpViewer.exe". From the PE Headers, we can see
that it is a .NET executable, so the next step is to open it up in a .NET decompiler. I happened to use
.NET Reflector in hopes of finding
the certificate validation routine.
Drilling down into the executable and its references I eventually ended up at:
Microsoft.VisualStudio.Help.CacheLib.CabManager.VerifyMicrosoftChain()
private SignatureStatus VerifyMicrosoftChain(IntPtr pData, SignatureAlgorithm signatureAlgorithm, bool testRootAllowed);
Declaring Type: Microsoft.VisualStudio.Help.CacheLib.CabManager
Assembly: Microsoft.VisualStudio.Help, Version=2.3.0.0
At the bottom of the function, you can see the return value is either 1 or 0 depending on the previous conditional branches.
Activating the Reflexil plugin, and scrolling to the bottom of the IL opcodes, we see the last 4 instructions are:
ldc.i4.1
ret
ldc.i4.0
ret
These group of instructions represent both exit branches. To always return success, you can either change the first instruction to a
"ldc.i4.0" (load zero) or NOP-out the first two instructions so both paths drop through to the return zero branch, resulting in the same effect.
This will bypass the annoying error and allow installation to proceed.
Now after saving the patched "Microsoft.VisualStudio.Help.dll" file, don't worry about applying a new digital signature or removing the strong name signing when prompted.
The saved file by default will not contain any a digital signature. Also note that due to the way .NET executables can be decompiled and recompiled natively using Reflection
and whatever mojo is employed by the Reflexil plugin, you'll notice not only a dramatic change in file size, but a hex-diff of the contents will indicate that the file was
re-built from scratch. Nevertheless, the patch works without a hitch.
This is one of many instances where Visual Studio doesn't check the validity of the digital signatures of its own DLLs.
In typical Microsoft fashion, they employ rigorous security checks to ensure the help content in not only signed, but signed with a Software Publishing Certificate
whose chain verifies back to a Microsoft Root CA. This is well and good, but not a single check to verify the DLL we just patched even has a digital signature. :)
Anyhow, copy the patched DLL over to "C:\Program Files (x86)\Microsoft Help Viewer\v2.3\Microsoft.VisualStudio.Help.dll" (using admin privileges as needed),
but don't forget to back up the original. Restart the Help Viewer download and you'll find that Microsoft's own CAB files install without an issue.
For those worried about the possibility of this patch allowing malicious CAB files, I wouldn't worry about it.
The digital signatures of the CAB files are still checked; its just that whatever is causing the validation
chain to fail to find Microsoft's Root CA is bypassed. If you've read this far, you probably already have a clue
that the CAB files are indeed coming from Microsoft and if you were presented with a checkbox to "[ ] Bypass Rigorous Security" you
would check it so you can move on with your life.
Once the help content is downloaded and installed, you can safely revert the patched file back to the original as this check is only performed during book-install.
In fact, you can archive the entire offline help directory at "C:\ProgramData\Microsoft\HelpLibrary2\Catalogs\VisualStudio15", move it to another machine
and the Visual Studio Help will automatically pick up the content without needing the patch or any additional downloads from Microsoft. I'm thankful Microsoft got
that part of the Help Viewer right.
If you happen to be running the same version of Microsoft.VisualStudio.Help.dll I was using (see below), you can download the
patch I created for myself.
This patch was created from version 2.3.28107.0.
NOTE: this is the same version as HlpViewer.exe and HlpCtntMgr.exe. The ORIGINAL file details are as follows:
C:\Program Files (x86)\Microsoft Help Viewer\v2.3\Microsoft.VisualStudio.Help.dll
version=2.3.28107.0
md5=907a19c35a67d1b2b4f2fef7783d89b3
sha256=cbeb973cffdfcc0497d8beb2ca3a4c1d39a7d6d058eb26b84b06c9c05b9ff5f3
This patch may even work for slightly different versions of the Visual Studio modules described above. If you'd like to try it out, let me know using the comment link
below if it works for you and what version of HlpViewer.exe was installed.
<END OF ARTICLE>
Questions or Comments?
2021-08-27 * added Microsoft KB fix update
2020-02-09 * initial version
