Application\CAPI2 Event 513 - Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object
Mathias R. Jessen got me pointed in the right direction, the ever famous WinSxS folder. However I did not see any of the VSS errors in the Event Log which made me a little hesitant to just nuke all the NTFS permissions lest I break something else.
Lesson 1: Read
I went back and read Event ID 513 TechNet reference again and noted that under the Verify section it was recommended that I check to see the System Writer was available as VSS writer using vssadmin list writers and sure enough it was NOT. Lesson Learned #1: Read the whole KB/TechNet/Blog
Lesson 2: Reproduce
Doing a bit more researching I came across Missing System Writer Case Explained which seemed to indicate the issue was originating with Cryptographic Services. I found that I could reproduce my CAPI2 error at will by stopping and starting the CryptSVC service. Lesson Learned #2: Try to figure out a way to reproduce your error at will.
Using ProcMon
At this point, I pretty much followed the post's instructions. I located the PID of which instance of svchost was wrapping CryptSVC using Task Manager. You could alternatively force CryptSVC to run as its own process using sc config if you can reboot the server in question. Depending on how deep you get into ProcMon it is worth isolating services under a single PID just to cut down the amount of events you have to sort through.
From here it is back to good old ProcMon. Set up a filter to exclude all PIDs that are not the one used by the svchost process that is wrapping CryptSVC.
Lesson 3: Love ProcMon
I applied my trusty first pass filter which is to exclude all events that have the results of SUCCESS. This reduced the events from 31,118 to a much more manageable 139 and at the bottom I found the ACCESS DENIED event I was looking for, not surprisingly in the WinSxS folder (C:\Windows\winsxs\FileMaps\$$.cdf-ms). Lesson Learned #3: Learn to use and love ProcMon
Lesson 4: Verify
Now what? KB2009272 that Mathias linked has the solution but now I know why. Lesson Learned #4: Don't guess, know!
Lesson 5: Start small
The resolution is exactly as explained in KB2009272. Take ownership and reset the permissions of the FileMaps folder and then restart CryptSVC:
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)
net stop cryptsvc
net start cryptsvc
and... we have lift off! The System Writer is now available as a VSS writer. No need to change the permissions for the PendingRename folder. Lesson Learned #5: Start with the smallest changes and work your way out to changes that affect more things.
C:\Users\administrator>vssadmin list writers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Writer name: 'System Writer'
Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Instance Id: {98c52075-429a-4487-8b77-e42b18767458}
State: [1] Stable
Last error: No error
Restarting CryptSVC at will no longer produced the CAPI2 error and after a day or two of monitoring it looks resolved.
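
A read-only check for the condition described above, added here as an example and not part of the original post: it reports whether the System Writer is registered and which files under FileMaps lack the three grants from the icacls lines. It assumes PowerShell 3.0 or later, an elevated prompt, and English account names; the function names are made up for this example.

```powershell
# Added example: inspects state only, changes no permissions.
$fsr = [System.Security.AccessControl.FileSystemRights]

# Principals and minimum rights, taken from the icacls /grant lines in the post.
# Account names assume an English-language Windows installation.
$required = @{
    'NT AUTHORITY\SYSTEM'         = $fsr::ReadAndExecute
    'NT SERVICE\TrustedInstaller' = $fsr::FullControl
    'BUILTIN\Users'               = $fsr::ReadAndExecute
}

function Test-SystemWriter {
    # True when 'System Writer' appears in the vssadmin writer list.
    $out = & vssadmin.exe list writers | Out-String
    return $out -match "Writer name: 'System Writer'"
}

function Get-FileMapsAclGaps {
    param([string]$Path = (Join-Path $env:windir 'winsxs\FileMaps'))
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Force) {
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            # The ACL cannot be read at all: report it instead of stopping.
            [pscustomobject]@{ File = $file.Name; Problem = 'ACL unreadable'
                               Detail = $_.Exception.Message }
            continue
        }
        foreach ($id in $required.Keys) {
            $need = $required[$id]
            # An Allow entry for this principal that covers every required bit.
            $ok = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $id -and
                ($_.FileSystemRights -band $need) -eq $need
            }
            if (-not $ok) {
                [pscustomobject]@{ File = $file.Name; Problem = 'Missing grant'
                                   Detail = "$id needs $need" }
            }
        }
    }
}

"System Writer registered: $(Test-SystemWriter)"
$gaps = @(Get-FileMapsAclGaps)
"ACL gaps found: $($gaps.Count)"
$gaps | Sort-Object File | Format-Table -AutoSize
```

Run it before and after the fix; an empty table together with "System Writer registered: True" matches the end state shown in the vssadmin output above.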