Question

Q: Cryptographic Services failed while processing the OnIdentity() call

Since UPGRADING to Windows 8.1 on October 17, 2013 have been getting the following error:


Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          11/09/13 10:19:48 AM
Event ID:      513
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Michael-HP
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-09T15:19:48.537403000Z" />
    <EventRecordID>54879</EventRecordID>
    <Correlation />
    <Execution ProcessID="1164" ThreadID="4752" />
    <Channel>Application</Channel>
    <Computer>Michael-HP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
</Data>
  </EventData>
</Event>


Saw a similar thread, "Since upgrading Windows backup fails", at http://answers.microsoft.com/en-us/windows/forum/windows8_1-system/since-upgrading-windows-backup-fails-cryptographic/aee23306-09df-4182-a549-da1084e20513 and followed the advice there and didn't have issues. There was a link to "EventID 513 Capi2 error" at http://social.technet.microsoft.com/Forums/windows/en-US/14abbc90-cab5-4fc6-953a-96c1929f9a7b/eventid-513-capi2-error?forum=itprovistasp which goes back to 2009, slightly before Windows 8.1. In any event this article (which I only glanced at) suggests checking 1409 files for errors.

Is this problem another of the newly introduced Windows 8.1 bugs or is there a solution that can be applied? Thanks.

Answer

A:

Hope I can help someone.

I had the same issue with the fresh Windows 8.1 Pro.

Couldn't find an answer, so had to debug Windows to find a solution.

 

"Microsoft Link-Layer Discovery Protocol" binary is \Windows\system32\DRIVERS\mslldp.sys

Its config registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp

 

During backup a VSS process running under the NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the driver records in the Service Control Manager database and tries opening each one of them. The function fails on the MSLLDP record with an "Access Denied" error.

 

Turned out it fails because MSLLDP driver's security permissions do not allow NETWORK_SERVICE to access the driver record.

 

The binary security descriptor for the record is located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security

 

It should be modified; I used SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it.

 

The original security descriptor looked like below:

 

>accesschk.exe -c mslldp

mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549       <- these are server operators
  R  NT SERVICE\NlaSvc

 

No service account is allowed to access MSLLDP driver

 

The security descriptor for the drivers that were processed successfully looked this way:

 

>accesschk.exe -c mup

mup
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE  <- this gives access to services

 

How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service:

 

1. Run: SC sdshow MSLLDP

You'll get something like below (SDDL language is documented on MSDN):

 

D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

2. Run: SC sdshow MUP

You'll get:

 

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

3. Take the NT AUTHORITY\SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU), and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.

 

4. Apply the new security descriptor to MSLLDP service:

 

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


5. Check the result:

 

>accesschk.exe -c mslldp

mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc
  R  NT AUTHORITY\SERVICE

 

6. Run your backup app; the error is gone for my Home Server backup.

!!! Do not forget to use your security descriptor for MSLLDP driver since I guess there can be some rare cases when it's different for your machine. Do not copy my SDDL descriptions, just in case. And back up the old descriptor just in case !!!

 

I don't know what reason MS had behind all this, probably some security concerns or probably this is just a bug. Definitely not a security problem in my environment.

 

Good luck!


 


210 people were helped by this reply
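
The descriptor edit from steps 1 to 4 of the answer above, as an added Python example that is not part of the original post. It works offline on the two SDDL strings quoted in the answer, refuses any ACE that carries change or control rights, and appends the ACE at the end of the DACL, ahead of the S: section; the function names are this example's own.

```python
import re

# Service meaning of the SDDL rights codes printed by `sc sdshow`.
SERVICE_RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
                  "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
                  "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
                  "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Codes that let a trustee reconfigure, start/stop or delete the service.
WRITE_RIGHTS = {"DC", "RP", "WP", "DT", "SD", "WD", "WO"}

# Descriptors exactly as quoted in steps 1 and 2 of the answer.
MSLLDP_SDDL = ("D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
               "(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
MUP_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SU_ACE = "(A;;CCLCSWLOCRRC;;;SU)"  # the NT AUTHORITY\SERVICE entry from step 3

def split_sddl(sddl):
    """Split an `sc sdshow` string into (dacl_flags, dacl_aces, sacl)."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)(S:.*)?", sddl.strip())
    if not m:
        raise ValueError("unexpected SDDL layout")
    return m.group(1), m.group(2), m.group(3) or ""

def parse_aces(aces):
    """Yield (type, [rights codes], trustee) for each parenthesised ACE."""
    for raw in re.findall(r"\(([^()]*)\)", aces):
        ace_type, _flags, rights, _obj, _inh, sid = raw.split(";")[:6]
        yield ace_type, re.findall("..", rights), sid

def allowed_rights(sddl, sid):
    """Names of the rights that allow-ACEs in the DACL give to `sid`."""
    return [SERVICE_RIGHTS[r] for t, rs, s in parse_aces(split_sddl(sddl)[1])
            if t == "A" and s == sid for r in rs]

def add_read_ace(sddl, ace):
    """Append one read-only allow ACE to the DACL, before any S: section."""
    flags, dacl, sacl = split_sddl(sddl)
    [(ace_type, rights, sid)] = list(parse_aces(ace))
    if ace_type != "A" or set(rights) & WRITE_RIGHTS or set(rights) - set(SERVICE_RIGHTS):
        raise ValueError("not a read-only allow ACE: " + ace)
    if any(t == "A" and s == sid for t, _, s in parse_aces(dacl)):
        return sddl  # trustee already has an allow ACE; leave it unchanged
    return "D:" + flags + dacl + ace + sacl
```

Feed it the string your own machine prints for `sc sdshow MSLLDP`, saved beforehand as the answer advises, rather than the constants above.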



Question Info

Views: 112308 Last updated: August 13, 2017 Applies to:
Windows / Windows 8.1 / Devices & drivers