Application\CAPI2 Event 513 - Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object

Mathias R. Jessen got me pointed in the right direction, the ever famous WinSxS folder. However I did not see any of the VSS errors in the Event Log which made me a little hesitant to just nuke all the NTFS permissions lest I break something else.

Lesson 1: Read

I went back and read the Event ID 513 TechNet reference again and noted that under the Verify section it was recommended that I check to see that the System Writer was available as a VSS writer using vssadmin list writers, and sure enough it was NOT. Lesson Learned #1: Read the whole KB/TechNet/Blog

Lesson 2: Reproduce

Doing a bit more research I came across Missing System Writer Case Explained, which seemed to indicate the issue was originating with Cryptographic Services. I found that I could reproduce my CAPI2 error at will by stopping and starting the CryptSVC service. Lesson Learned #2: Try to figure out a way to reproduce your error at will.

Using ProcMon

At this point, I pretty much followed the post's instructions. I located the PID of which instance of svchost was wrapping CryptSVC using Task Manager. You could alternatively force CryptSVC to run as its own process using sc config if you can reboot the server in question. Depending on how deep you get into ProcMon it is worth isolating services under a single PID just to cut down the amount of events you have to sort through.

From here it is back to good old ProcMon. Set up a filter to exclude all PIDs that are not the one used by the svchost process that is wrapping CryptSVC:

ProcMon Exclude Filter

Lesson 3: Love ProcMon

I applied my trusty first pass filter which is to exclude all events that have the results of SUCCESS. This reduced the events from 31,118 to a much more manageable 139 and at the bottom I found the ACCESS DENIED event I was looking for, not surprisingly in the WinSxS folder (C:\Windows\winsxs\FileMaps\$$.cdf-ms). Lesson Learned #3: Learn to use and love ProcMon

ProcMon ACCESS DENIED on C:\Windows\winsxs\FileMaps\$$.cdf-ms

Lesson 4: Verify

Now what? KB2009272 that Mathias linked has the solution but now I know why. Lesson Learned #4: Don't guess, know!

Lesson 5: Start small

The resolution is exactly as explained in KB2009272. Take ownership and reset the permissions of the FileMaps folder and then restart CryptSVC:

Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

net stop cryptsvc
net start cryptsvc



and... we have lift off! The System Writer is now available as a VSS writer. No need to change the permissions for the PendingRename folder. Lesson Learned #5: Start with the smallest changes and work your way out to changes that affect more things.

C:\Users\administrator>vssadmin list writers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {98c52075-429a-4487-8b77-e42b18767458}
   State: [1] Stable
   Last error: No error


Restarting CryptSVC at will no longer produced the CAPI2 error and after a day or two of monitoring it looks resolved.
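
The checks described in this post, gathered into a read-only PowerShell script for confirming the state before and after the fix. This is an added example, not part of the original post or of KB2009272; the function names Test-SystemWriter and Get-FileMapsAclGap are hypothetical, and the expected ACEs are taken from the icacls commands above.

```powershell
# Added example: read-only verification; changes nothing. Run from an elevated prompt.

# 1. Is the System Writer listed by VSS? (same check as 'vssadmin list writers')
function Test-SystemWriter {
    $out = & vssadmin.exe list writers 2>&1
    return [bool]($out | Select-String -SimpleMatch "Writer name: 'System Writer'")
}

# 2. Which FileMaps entries lack the explicit Allow ACEs that the post's icacls
#    commands grant? Only ACEs naming these identities directly are checked;
#    rights held through other groups and Deny ACEs are not evaluated.
function Get-FileMapsAclGap {
    param([string]$Path = (Join-Path $env:windir 'winsxs\FileMaps'))
    $rights = [System.Security.AccessControl.FileSystemRights]
    $expected = @{
        'NT AUTHORITY\SYSTEM'         = $rights::ReadAndExecute
        'NT SERVICE\TrustedInstaller' = $rights::FullControl
        'BUILTIN\Users'               = $rights::ReadAndExecute
    }
    foreach ($file in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
        catch {
            # An unreadable ACL is itself a finding (compare the ACCESS DENIED in ProcMon)
            [pscustomobject]@{ File = $file.Name; Identity = '(ACL unreadable)'; Expected = $_.Exception.Message }
            continue
        }
        foreach ($id in $expected.Keys) {
            $granted = 0
            $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $id } |
                ForEach-Object { $granted = $granted -bor [int]$_.FileSystemRights }
            $want = [int]$expected[$id]
            if (($granted -band $want) -ne $want) {
                [pscustomobject]@{ File = $file.Name; Identity = $id; Expected = $expected[$id] }
            }
        }
    }
}

# 3. CAPI2 event 513 entries from the last two days of the Application log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 513; StartTime = (Get-Date).AddDays(-2) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CAPI2*' }

"System Writer present : $(Test-SystemWriter)"
"CAPI2 513 events (2d) : $(@($events).Count)"
Get-FileMapsAclGap | Format-Table -AutoSize
```

An empty table together with "System Writer present : True" matches the resolved state shown in the vssadmin output above.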