Cryptographic Services failed while processing the OnIdentity() call

Anonymous
2013-11-09T16:45:39+00:00

Since UPGRADING to Windows 8.1 on October 17, 2013 have been getting the following error

Log Name:      Application

Source:        Microsoft-Windows-CAPI2

Date:          11/09/13 10:19:48 AM

Event ID:      513

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      Michael-HP

Description:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />

    <EventID Qualifiers="0">513</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8080000000000000</Keywords>

    <TimeCreated SystemTime="2013-11-09T15:19:48.537403000Z" />

    <EventRecordID>54879</EventRecordID>

    <Correlation />

    <Execution ProcessID="1164" ThreadID="4752" />

    <Channel>Application</Channel>

    <Computer>Michael-HP</Computer>

    <Security />

  </System>

  <EventData>

    <Data>

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

</Data>

  </EventData>

</Event>

Saw a similar thread Since upgrading Windows backup fails at http://answers.microsoft.com/en-us/windows/forum/windows8_1-system/since-upgrading-windows-backup-fails-cryptographic/aee23306-09df-4182-a549-da1084e20513 and followed the advice there and didn't have issues. There was a link to EventID 513 Capi2 error at http://social.technet.microsoft.com/Forums/windows/en-US/14abbc90-cab5-4fc6-953a-96c1929f9a7b/eventid-513-capi2-error?forum=itprovistasp which goes back to 2009 slightly before Windows 8.1. In any event this article (which I only glanced at) suggests checking 1409 files for errors.

Is this problem another of the newly introduced Windows 8.1 bugs or is there a solution that can be applied? Thanks.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author
  1. Anonymous
    2014-01-23T22:34:19+00:00

    Hope I can help someone.

    I had the same issue with the fresh Windows 8.1 Pro.

    Couldn't find answer so had to debug Windows to find a solution.

    "Microsoft Link-Layer Discovery Protocol" binary is \Windows\system32\DRIVERS\mslldp.sys

    Its config registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp

    During backup a VSS process running under NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the driver records in Service Control Manager database and tries opening each one of them. The function fails on MSLLDP record with "Access Denied" error.

    Turned out it fails because MSLLDP driver's security permissions do not allow NETWORK_SERVICE to access the driver record.

    The binary security descriptor for the record is located here:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security

    It should be modified; I used SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it.

    The original security descriptor looked like below:

    >accesschk.exe -c mslldp

    mslldp

      RW NT AUTHORITY\SYSTEM

      RW BUILTIN\Administrators

      RW S-1-5-32-549       <- these are server operators

      R  NT SERVICE\NlaSvc

    No service account is allowed to access MSLLDP driver

    The security descriptor for the drivers that were processed successfully looked this way:

    >accesschk.exe -c mup

    mup

      RW NT AUTHORITY\SYSTEM

      RW BUILTIN\Administrators

      R  NT AUTHORITY\INTERACTIVE

      R  NT AUTHORITY\SERVICE  <- this gives access to services

    How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service:

    1. Run: SC sdshow MSLLDP

    You'll get something like below (SDDL language is documented on MSDN):

    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    2. Run: SC sdshow MUP

    You'll get:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    3. Take NT AUTHORITY\SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.
    4. Apply the new security descriptor to MSLLDP service:

    sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    5. Check the result:

    >accesschk.exe -c mslldp

    mslldp

      RW NT AUTHORITY\SYSTEM

      RW BUILTIN\Administrators

      RW S-1-5-32-549

      R  NT SERVICE\NlaSvc

      R  NT AUTHORITY\SERVICE

    6. Run your backup app, the error is gone for my Home Server backup.

    !!! Do not forget to use your security descriptor for MSLLDP driver since I guess there can be some rare cases when it's different for your machine. Do not copy my SDDL descriptions, just in case. And back up the old descriptor just in case !!!

    I don't know what reason MS had behind all this, probably some security concerns or probably this is just a bug. Definitely not a security problem in my environment.

    Good luck!

    257 people found this answer helpful.

225 additional answers

  1. Anonymous
    2014-10-14T12:20:43+00:00

    Event ID 513 . . . CAPI2

    Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied.

    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Whenever I created a Restore Point, it always said it was "Successful."

    Also, I think I have done a successful System Restore, when this error would have been present.

    It says:  "AddLegacyDriverFiles" . . . Maybe the word "Legacy" indicates that mslldp.sys is there "just in case" for some unknown reason, but it's not used in how System Restore currently works.

    No one wants to see the word "Error" in their Event Viewer, but apparently, if one is there, it probably doesn't mean much, just that there was an error - like, they missed something in coding.

    If you right-click / Filter the Application log, maybe the only Event you have to worry about is if it's "Critical" - Errors and Warnings can slide, so that's how this one got through.

  2. Anonymous
    2014-11-14T14:06:14+00:00

    With just a little of your help, I was able to get mine resolved.

    Cheers, Dave

  3. Anonymous
    2014-12-01T21:36:08+00:00

    szz743 has a nice find but it gives almost any service a bunch of rights to mslldp. I was able to fix this by giving only SERVICE_QUERY_CONFIG to only CryptSvc. The difference in the instructions is to add (A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459) to the list of rights instead.

    1. Run: SC sdshow MSLLDP

    You'll get something like below (SDDL language is documented on MSDN):

    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    2. This step is only a note: Checking the SDDL for another service isn't used.
    3. Take the NT SERVICE\CryptSvc SDDL, which is (A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.
    4. Apply the new security descriptor to MSLLDP service:

    sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    5. Check the result (CryptSvc is at the bottom):

    >accesschk.exe -v -c mslldp

    mslldp

      Medium Mandatory Level (Default) [No-Write-Up]

      RW NT AUTHORITY\SYSTEM

            SERVICE_ALL_ACCESS

      RW BUILTIN\Administrators

            SERVICE_QUERY_STATUS

            SERVICE_QUERY_CONFIG

            SERVICE_CHANGE_CONFIG

            SERVICE_INTERROGATE

            SERVICE_ENUMERATE_DEPENDENTS

            SERVICE_PAUSE_CONTINUE

            SERVICE_START

            SERVICE_USER_DEFINED_CONTROL

            DELETE

            READ_CONTROL

            WRITE_DAC

            WRITE_OWNER

      RW S-1-5-32-549

            SERVICE_ALL_ACCESS

      R  NT SERVICE\NlaSvc

            SERVICE_QUERY_STATUS

            SERVICE_START

            SERVICE_STOP

      R  NT SERVICE\CryptSvc

            SERVICE_QUERY_CONFIG

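Added example, not part of either answer: a Python sketch that performs the "add it right before the last S:(AU... group" edit on the descriptor quoted above and decodes what each proposed ACE grants, so the NT AUTHORITY\SERVICE variant and the CryptSvc-only variant can be compared side by side. The function names are illustrative, and the descriptor is the one the posters printed, which may differ from the one on your machine.

```python
import re

# MSLLDP descriptor as printed by `sc sdshow MSLLDP` in the answers above.
ORIGINAL = (
    "D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
SU_ACE = "A;;CCLCSWLOCRRC;;;SU"  # accepted answer: any service logon
CRYPTSVC_SID = "S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459"
CRYPTSVC_ACE = "A;;CC;;;" + CRYPTSVC_SID  # later answer: CryptSvc only

# Meaning of the SDDL rights codes when the securable object is a service.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def decode_ace(ace):
    """Split 'type;flags;rights;object;inherit;trustee' and name the rights."""
    fields = ace.split(";")
    if len(fields) != 6 or len(fields[2]) % 2:
        raise ValueError(f"malformed ACE: {ace!r}")
    return fields[0], fields[5], [RIGHTS.get(c, c) for c in re.findall("..", fields[2])]

def add_ace(sddl, ace):
    """Insert an ACE at the end of the DACL, directly before the S: (SACL) part."""
    decode_ace(ace)  # reject malformed input before touching the descriptor
    dacl, sep, sacl = sddl.partition("S:")
    if not dacl.startswith("D:"):
        raise ValueError("descriptor has no leading DACL")
    return sddl if f"({ace})" in dacl else f"{dacl}({ace}){sep}{sacl}"

def allowed(sddl, trustee):
    """Rights the DACL's allow ACEs grant to one trustee (SID string or alias)."""
    granted = []
    for ace in re.findall(r"\(([^()]*)\)", sddl.partition("S:")[0]):
        kind, who, rights = decode_ace(ace)
        if kind == "A" and who == trustee:
            granted += rights
    return granted

if __name__ == "__main__":
    print("SU      :", allowed(add_ace(ORIGINAL, SU_ACE), "SU"))
    print("CryptSvc:", allowed(add_ace(ORIGINAL, CRYPTSVC_ACE), CRYPTSVC_SID))
```

Feed it the output of your own `sc sdshow MSLLDP` rather than the string above, and keep that original output so it can be restored with `sc sdset`.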
  4. Anonymous
    2014-12-20T18:51:15+00:00

    I did it szz743's way and got the success result and good accesschk result.

    Also no new CAPI2 error with a new Create System Restore Point.  Thanks!!

    However, is Fearless96's approach better and safer?

    If yes, how do I now go back?

    Also, Fearless says:

    "3. Take the NT SERVICE\CryptSvc SDDL, which is (A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)"

    Is my NT SERVICE\CryptSvc SDDL the same as Fearless's above?  How do I know or get it directly?

    And there's a hyphen in Fearless's code string - should it be there?

    Just FYI, right now, after running szz743's fix, I see from the verbose accesschk:

    mslldp

      Medium Mandatory Level (Default) [No-Write-Up]

      RW NT AUTHORITY\SYSTEM

            SERVICE_ALL_ACCESS

      RW BUILTIN\Administrators

            SERVICE_QUERY_STATUS

            SERVICE_QUERY_CONFIG

            SERVICE_CHANGE_CONFIG

            SERVICE_INTERROGATE

            SERVICE_ENUMERATE_DEPENDENTS

            SERVICE_PAUSE_CONTINUE

            SERVICE_START

            SERVICE_USER_DEFINED_CONTROL

            DELETE

            READ_CONTROL

            WRITE_DAC

            WRITE_OWNER

      RW S-1-5-32-549

            SERVICE_ALL_ACCESS

      R  NT SERVICE\NlaSvc

            SERVICE_QUERY_STATUS

            SERVICE_START

            SERVICE_STOP

      R  NT AUTHORITY\SERVICE

            SERVICE_QUERY_STATUS

            SERVICE_QUERY_CONFIG

            SERVICE_INTERROGATE

            SERVICE_ENUMERATE_DEPENDENTS

            SERVICE_USER_DEFINED_CONTROL

            READ_CONTROL

    Many thanks to both szz743 and Fearless !!

    EDIT:

    After taking a little time to figure it out, I have now run Fearless's changes, got the success, and my new verbose accesschk matches Fearless's above.  A new Create Restore Point also does not create any new CAPI2 errors.

    Whew - never did anything like this before!

    Thanks again.

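On where the CryptSvc SID in the thread comes from: a per-service SID does not vary by machine. It is S-1-5-80 followed by the SHA-1 of the upper-cased service name, and `sc showsid CryptSvc` prints it. The following is an added example, not from any post (function names are illustrative), that reproduces the derivation and labels the S-1-5-80 SIDs in the descriptor quoted in the CryptSvc-only answer.

```python
import hashlib
import re
import struct

# Descriptor passed to `sc sdset MSLLDP` in the CryptSvc-only answer above.
APPLIED = (
    "D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)"
    "(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def service_sid(name):
    """S-1-5-80- plus SHA-1 of the upper-cased UTF-16LE service name,
    read as five little-endian 32-bit sub-authorities."""
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(map(str, struct.unpack("<5I", digest)))

def query_config_ace(name):
    """Allow ACE granting only SERVICE_QUERY_CONFIG (CC) to one service."""
    return f"(A;;CC;;;{service_sid(name)})"

def name_service_sids(sddl, candidates):
    """Map every S-1-5-80-* SID found in an SDDL string to the candidate
    service name that hashes to it, or None if no candidate matches.
    The hash is one-way, so names can only be confirmed, not recovered."""
    known = {service_sid(c): c for c in candidates}
    return {sid: known.get(sid) for sid in re.findall(r"S-1-5-80(?:-\d+){5}", sddl)}

if __name__ == "__main__":
    print(query_config_ace("CryptSvc"))
    for sid, svc in name_service_sids(APPLIED, ["CryptSvc", "NlaSvc"]).items():
        print(sid, "->", svc)
```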