Question
29923 views

Event 513 errors when setting a restore point or running backup software

RobertInkol asked on

I did a full reset of a Windows 8 installation and upgraded to Windows 8.1 via the store (I would have preferred a clean install, but this was the closest I could get). I have noticed that whenever I back up a partition or set a restore point, I get errors in the Event Log with the description:

 Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          2013-10-20 1:26:22 AM
Event ID:      513
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FX8120-W81
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.


"Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied." 


I'm not sure how serious this error is or what the fix is. Apparently, others have reported this problem without being able to find a solution.

150 people had this question



Most Helpful Reply
Win7ine replied on

Seems we finally have a solution, thanks to user szz743 in the other thread.

Here goes:

"Microsoft Link-Layer Discovery Protocol" binary is \Windows\system32\DRIVERS\mslldp.sys
Its config registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp
 
During backup a VSS process running under NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the drivers and tries opening each one of them. The function fails on MSLLDP driver with "Access Denied" error.
 
Turned out it fails because MSLLDP driver's security permissions do not allow NETWORK_SERVICE to access the driver.
 
The binary security descriptor for the driver is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security
 
It should be modified; I used SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it.
 
The original security descriptor looked like below:
 
> accesschk.exe -c mslldp
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549       <- these are server operators
  R  NT SERVICE\NlaSvc
 
No service account is allowed to access MSLLDP driver
 
The security descriptor for the drivers that were processed successfully looked this way:
 
> accesschk.exe -c mup
mup
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE  <- this gives access to services
 
How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service:
 
1. Run: SC sdshow MSLLDP
You'll get something like below (SDDL language is documented on MSDN):
 
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 
2. Run: SC sdshow MUP
You'll get:
 
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 

********* IMPORTANT *********************************************************

Make sure all Command Parameters are in one line without Carriage Returns and Line Feeds as opposed to the way you see them in these instructions! (i.e. switch off word wrapping etc. when you copy and paste through your editor)

****************************************************************************

3. Take the NT AUTHORITY\SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU), and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.
 
4. Apply the new security descriptor to MSLLDP service (make sure command is in one line!!!):
 
sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

5. Check the result:
 
> accesschk.exe -c mslldp
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc
  R  NT AUTHORITY\SERVICE
 
6. Run your backup app; the error is gone for my Home Server backup.
!!! Do not forget to use your security descriptor for MSLLDP driver since I guess there can be some rare cases when it's different for your machine. Do not copy my SDDL descriptions, just in case. And back up the old descriptor just in case !!!

73 people found this helpful
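
The splice from steps 3 and 4 of the reply above, as an added PowerShell example that is not part of the original post: it inserts the SERVICE ACE ahead of the S: section of whatever descriptor it is given, refuses input with line breaks or no DACL, and prints the resulting command for review rather than applying it. The helper name Add-ServiceReadAce and the backup file name are assumptions made for this example.

```powershell
# Added example. Add-ServiceReadAce is a hypothetical helper name, not a built-in cmdlet.
function Add-ServiceReadAce {
    param(
        [Parameter(Mandatory = $true)] [string] $Sddl,
        # ACE copied from the MUP descriptor in the post: the NT AUTHORITY\SERVICE (SU) entry.
        [string] $Ace = '(A;;CCLCSWLOCRRC;;;SU)'
    )
    # head = optional O:/G: parts plus 'D:' and its flags, dacl = the ACE list,
    # sacl = optional 'S:...' tail. An embedded line break makes the match fail.
    $m = [regex]::Match($Sddl.Trim(), '^(?<head>.*?D:[A-Z]*)(?<dacl>(?:\([^)]*\))*)(?<sacl>S:.*)?$')
    if (-not $m.Success) { throw "Not a single-line SDDL string with a DACL: $Sddl" }
    $dacl = $m.Groups['dacl'].Value
    # Idempotent: running the fix twice must not stack duplicate ACEs.
    if ($dacl.Contains($Ace)) { return $Sddl.Trim() }
    # Appending at the end of the DACL keeps the existing deny ACE ahead of the
    # allow ACEs and leaves the audit (S:) section untouched.
    $new = $m.Groups['head'].Value + $dacl + $Ace + $m.Groups['sacl'].Value
    # Parse the result; the constructor throws on malformed SDDL before anything is applied.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new
    return $new
}

# Input: the 'sc sdshow MSLLDP' output quoted in the post, embedded so the example runs offline.
# On a real machine read your own instead (in Windows PowerShell 'sc' alone is an alias for
# Set-Content, so call sc.exe):  $current = (sc.exe sdshow MSLLDP | Where-Object { $_ }) -join ''
$current = 'D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Keep the old descriptor for rollback (file name is an assumption of this example).
Set-Content -Path .\mslldp-sddl-backup.txt -Value $current

$updated = Add-ServiceReadAce -Sddl $current

# Print the command for review instead of applying it; it must stay on one line.
"sc.exe sdset MSLLDP `"$updated`""
```

With the embedded input, the printed descriptor is the same string the reply passes to sc sdset in step 4. To roll back, pass the string saved in the backup file to sc.exe sdset MSLLDP.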
