Microsoft's Cryptography Service is one of the more invisible and less widely-discussed services in Windows 2000 and XP. It is also one of the more important, as it provides a broad variety of services to Windows: encoding and decoding files stored in encrypted folders, for instance, or affirming that digital signatures are in fact valid.
The latter is actually one of the most important "silent" functions in Windows, since digital signatures are used to sign device drivers, applications and other Windows executables. A system patched with Windows XP Service Pack 2, for instance, is designed to warn the user if the system tries to run an application without an appropriate signature. This could be an ActiveX control, an installer for a device driver or application, a Windows Update download or an encryption certificate.
If the Cryptography service is disabled, either manually or through a Group Policy operation, or its support files are damaged, a great variety of things can go wrong. Application installs may fail with a warning that the integrity of a file could not be verified or that it has not passed Windows Logo testing, that a digital signature could not be found, or that a package was not signed properly.
- If the problem is that new certificates cannot be added, the Trusted Publishers Lockdown policy may be in effect. This forces the system only to use existing trusted certificates and will prevent new ones from being added. Turn off this policy first for the machine(s) in question, add the certificates, and then turn the policy back on.
- Look in the Administrative Tools utility in Control Panel, then Services. Make sure the Cryptography Service is running. If it isn't, set its Startup Type to Automatic and then start it manually. If for some reason the Cryptography Service fails to start, then supporting files may be damaged.
- Try renaming the EDB.LOG file, which is found in %systemroot%\system32\catroot. A damaged .LOG file (which is generated automatically) may prevent the Cryptography Service from starting correctly.
- Also try renaming the directory %systemroot%\system32\Catroot2, which is the automatically-created root catalog directory for the certificate store. If this is also damaged, it will be regenerated automatically. (You will need to stop the Cryptography Service before you do this and restart it afterwards.)
- Re-register the DLLs associated with cryptography. This can be done from the command line by typing:
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll (not found in Windows 2000)
regsvr32 /u slbcsp.dll
regsvr32 /u cryptdlg.dll
regsvr32 /u licdll.dll
regsvr32 /u regwizc.dll
regsvr32 /u softpub.dll
and then run the same sequence of commands without the /u switch. Reboot afterwards to make sure the changes take effect.
- If Windows Updates are failing, make sure the certificates for IE are working correctly. In IE, look in Tools | Internet Options | Content | Certificates | Trusted Root Certification Authorities, and make sure the Microsoft Root Authority certificate is present. If it's missing, go to another computer, export the Microsoft Root Authority certificate as a DER encoded Binary X.509 (.CER) file, copy it to the other computer and import it.
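The service check, support-file reset, DLL re-registration and root-certificate check above collected into one script, as an added example that is not part of the original article. It assumes an elevated PowerShell prompt on the affected machine, that the service the article calls the Cryptography Service is the one listed as Cryptographic Services (short name CryptSvc), and uses regsvr32's /s switch to suppress the per-DLL dialog; damaged files are renamed aside rather than deleted so they can be restored.

```powershell
# Added example, not from the original article. Run elevated on the affected machine.
$svcName = 'CryptSvc'                       # assumption: short name of "Cryptographic Services"
$sys32   = Join-Path $env:SystemRoot 'system32'
$dlls    = 'wintrust.dll','initpki.dll','dssenh.dll','rsaenh.dll','gpkcsp.dll',
           'sccbase.dll','slbcsp.dll','cryptdlg.dll','licdll.dll','regwizc.dll','softpub.dll'

# 1. Service state: set Startup Type to Automatic and try to start it.
Set-Service -Name $svcName -StartupType Automatic
if ((Get-Service -Name $svcName).Status -ne 'Running') {
    try   { Start-Service -Name $svcName -ErrorAction Stop }
    catch { Write-Warning "$svcName would not start; its support files may be damaged." }
}

# 2. Support files: stop the service, move EDB.LOG and catroot2 aside, restart.
#    Both are regenerated automatically; the renamed copies are kept for rollback.
Stop-Service -Name $svcName -Force
$stamp    = Get-Date -Format 'yyyyMMddHHmmss'
$edbLog   = Join-Path $sys32 'catroot\EDB.LOG'
$catroot2 = Join-Path $sys32 'catroot2'
if (Test-Path $edbLog)   { Rename-Item -Path $edbLog   -NewName "EDB.LOG.$stamp.bak" }
if (Test-Path $catroot2) { Rename-Item -Path $catroot2 -NewName "catroot2.$stamp.old" }
Start-Service -Name $svcName

# 3. Re-register the DLLs: one pass with /u (unregister), then one pass without.
#    A DLL that is not present on this Windows version (e.g. sccbase.dll on 2000) is skipped.
foreach ($mode in @('/u', '')) {
    foreach ($dll in $dlls) {
        $path = Join-Path $sys32 $dll
        if (-not (Test-Path $path)) { Write-Host "skipping $dll (not present)"; continue }
        $proc = Start-Process -FilePath regsvr32.exe -ArgumentList "/s $mode `"$path`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) { Write-Warning "regsvr32 $mode $dll exited with $($proc.ExitCode)" }
    }
}

# 4. Windows Update prerequisite: Microsoft Root Authority in the machine Trusted Root store.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*Microsoft Root Authority*' }
if ($root) { Write-Host "Microsoft Root Authority present (thumbprint $($root.Thumbprint))" }
else       { Write-Warning 'Microsoft Root Authority certificate missing; export it from a healthy machine and import it here.' }

Write-Host 'Reboot to make sure the changes take effect.'
```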
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in July 2004