Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object. (CAPI2 Event ID 513)

SUMMARY

Windows Event Log shows a failure for the CAPI2 service

ISSUE

Event ID 513 when running VSS in Windows Server 2016 and Windows Server Version 1709

In Windows Server 2016 and Windows Server Version 1709, when an application calls the Volume Shadow Copy Service (VSS) to run a backup, event 513 may be generated:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Event ID: 513
Task Category: none
Level: Error

Description:
An error occurred in Cryptographic Services while processing the OnIdentity()call in System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

RESOLUTION


You will need to:

  1. Give permission to the user NT Authority\System to perform the work on the Server (Microsoft KB 2009272)
  2. Give NT Authority\System access to the mslldp.dll (Microsoft Link-Layer Discovery Protocol) driver (Microsoft KB 3209092)

To resolve this issue, follow the Microsoft KB Articles on this matter. We strongly recommend engaging Microsoft in resolving this issue. For your convenience, below are the commands that need to be executed from an elevated command prompt from Microsoft KB 2009272.:

Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant BUILTIN\Users:(RX)
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

net stop cryptsvc
net start cryptsvc


Type the following command to verify that the System Writer is listed and shows State: [1] Stable .:

vssadmin list writers
 

To grant the required permission to the Microsoft Link-Layer Discovery Protocol driver (Mslldp.dll) to process System Writer, follow these steps taken from Microsoft KB 3209092.:

  1. Open an administrative Command Prompt window, and then run the following command to check the current permissions:

sc sdshow mslldp

The output will be used as the <string> below

  1. Copy the output string from step 1, append it with (A;;CCLCSWLOCRRC;;;SU), and then run the following command to add the access permission to Mslldp.dll:

sc sdset mslldp <string>(A;;CCLCSWLOCRRC;;;SU)

Example of Input (Do not copy-n-paste the variable below for execution as this contains unique sample data.):

sc sdset mslldp D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141625172-2055838035-1754248212-2405740060-3916470453)(A;;CCLCSWLOCRRC;;;SU)

CAUSE

This problem occurs because VSS System Writer does not have permission to read the NT AUTHORITY\SERVICE (service account). When System Writer runs as a cryptographic service and tries to read the Mslldp.sys information from a Microsoft Link-Layer Discovery Protocol driver, the "access denied" error is generated. Consequently, the Microsoft System Writer fails because permissions to files in the %windir%\winsxs\filemaps\ or %windir%\winsxs\temp\PendingRenames directories are incorrect.
 

You can verify the issue by performing the following:

  1. Download the Microsoft Sysinternals file called accesschk.exe.
  2. Open an elevated (Administrative) Windows Command Prompt (not powershell).
  3. Type the following command:  accesschk.exe -c mslldp

The output should look like this below, with NT Authority\System listed. If it does not, follow the instructions under the Cause and Resolution.

mslldp
    RW NT AUTHORITY\SYSTEM
    RW BUILTIN\Administrators
    RW S-1-5-32-549
    R  NT SERVICE\NlaSvc

    R  NT Authority\Service

User-added image

NOTES

Microsoft Knowledge Base Articles on this topic:
https://support.microsoft.com/en-us/help/2009272/system-state-backup-using-windows-server-backup-fails-with-error-syste
https://support.microsoft.com/en-us/help/3209092/event-id-513-when-running-vss-in-windows-server
 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us