Event 513 errors when setting a restore point or running backup software

Question

I did a full reset of a Windows 8 installation and upgraded to Windows 8.1 via the store (I would have preferred a clean install, but this was the closest I could get). I have noticed that whenever I backup a partition or set a restore point, that I get errors in the Event Log with description 

 Log Name:      Application

Source:        Microsoft-Windows-CAPI2

Date:          2013-10-20 1:26:22 AM

Event ID:      513

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      FX8120-W81

Description:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

"Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied." 

I'm not sure how serious this error is or what the fix is. Apparently, others have reported this problem without being able to find a solution.

Answer 1

Seems we finally have a solution thanks to user szz743 in the other thread

Here goes:

"Microsoft Link-Layer Discovery Protocol" binary is \Windows\system32\DRIVERS\mslldp.sys

Its config registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp

During backup a VSS process running under NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the drivers and tries opening each one of them. , The function fails on MSLLDP driver with "Access Denied" error.

Turned out it fails because MSLLDP driver's security permissions do not allow NETWORK_SERVICE to access the driver.

The binary security descriptor for the driver is located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security

It should be modified, I used SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it.

The original security descriptor looked like below:

> accesschk.exe -c mslldp

mslldp

  RW NT AUTHORITY\SYSTEM

  RW BUILTIN\Administrators

  RW S-1-5-32-549       <- these are server operators

  R  NT SERVICE\NlaSvc

No service account is allowed to access MSLLDP driver

The security descriptor for the drivers that were processed successfully looked this way:

> accesschk.exe -c mup

mup

  RW NT AUTHORITY\SYSTEM

  RW BUILTIN\Administrators

  R  NT AUTHORITY\INTERACTIVE

  R  NT AUTHORITY\SERVICE  <- this gives access to services

How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service:

1. Run: SC sdshow MSLLDP

You'll get something like below (SDDL language is documented on MSDN):

D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

2. Run: SC sdshow MUP

You'll get:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

********* IMPORTANT *********************************************************

Make sure all Command Parameters are in one line without Carriage Returns and Line Feeds as opposed to the way you see them in these instructions! (i.e. switch off word wrapping etc. when you copy and paste through your editor)

****************************************************************************

3. Take NT AUTHORITY\ SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.
4. Apply the new security descriptor to MSLLDP service (make sure command is in one line!!!):

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

5. Check the result:

> accesschk.exe -c mslldp

mslldp

  RW NT AUTHORITY\SYSTEM

  RW BUILTIN\Administrators

  RW S-1-5-32-549

  R  NT SERVICE\NlaSvc

  R  NT AUTHORITY\SERVICE

6. Run you backup app, the error is gone for my Home Server backup.

!!! Do not forget to use your security descriptor for MSLLDP driver since I guess there can be some rare cases when its different for your machine. Do not copy my SDDL descriptions, just in case. And backup the old descriptor just in case !!!

Answer 2

I run this

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)

> accesschk.exe -c mslldp

shows mw this one:

mslldp

  RW NT AUTHORITY\SYSTEM

  RW BUILTIN\Administrators

  R  S-1-5-32-549

  R  NT SERVICE\NlaSvc

  R  NT AUTHORITY\SERVICE

The only difference i see is the S-1-5-32-549 which is for me only "R". In your example you have "RW". What did i do wrong?

I took my own descriptor without wordwrap.

It gave me success:

C:\Windows\system32>sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)

[SC] SetServiceObjectSecurity SUCCESS

I run a partial backup using Macrium and so far so good so maybe it worked :)

How on earth did you even come up with this fix is beyond me but well done sir :D

EDIT: never mind sorry i missed that the last line fixes the problem :) its all good. Thank again.

ps. For the DCOM event error this was the fix for me (i even did it for some other AppID, just find them in regedit and do the same thing as the guide says)

https://xlery.wordpress.com/2014/04/16/windows-8-1-event-10016/

Answer 3

The solution worked for me, but in my case the mslldp last line was

S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)

So solution was applied like this after the line

S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)

line S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) only showed in Mup not Mslldp

windows 10,  problem resolved.

Answer 4

Basically the same error is also responsible for System Image Backup malfunction. It ends up with an error claiming insufficient disk space, without creating the backup.

(This was from a clean install Win 8 x64 Pro to 8.1 x64 Pro.)

Event 513, CAPI2

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

Followed by:

Event 521, Backup

The backup operation that started at '‎2013‎-‎10‎-‎20T19:34:18.585000000Z' has failed because the Volume Shadow Copy Service operation to create a shadow copy of the volumes being backed up failed with following error code '0x80780119'. Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Answer 5

I did a full reset of a Windows 8 installation and upgraded to Windows 8.1 via the store (I would have preferred a clean install, but this was the closest I could get). I have noticed that whenever I backup a partition or set a restore point, that I get errors in the Event Log with description 

 Log Name:      Application

Source:        Microsoft-Windows-CAPI2

Date:          2013-10-20 1:26:22 AM

Event ID:      513

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      FX8120-W81

Description:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:

AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:

Access is denied.

"Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied." 

I'm not sure how serious this error is or what the fix is. Apparently, others have reported this problem without being able to find a solution.