Windows Event Log shows a failure for the CAPI2 service
Event ID 513 when running VSS in Windows Server 2016 and Windows Server Version 1709
In Windows Server 2016 and Windows Server Version 1709, when an application calls the Volume Shadow Copy Service (VSS) to run a backup, event 513 may be generated:
Log Name: Application
Event ID: 513
Task Category: none
An error occurred in Cryptographic Services while processing the OnIdentity() call in System Writer Object.
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
Access is denied.
You will need to:
- Give permission to the user NT Authority\System to perform the work on the Server (Microsoft KB 2009272)
- Give NT Authority\System access to the mslldp.dll (Microsoft Link-Layer Discovery Protocol) driver (Microsoft KB 3209092)
To resolve this issue, follow the Microsoft KB articles on this matter. We strongly recommend engaging Microsoft in resolving this issue. For your convenience, the commands from Microsoft KB 2009272 are listed below; run them from an elevated command prompt:
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant BUILTIN\Users:(RX)
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)
net stop cryptsvc
net start cryptsvc
Type the following command to verify that the System Writer is listed and shows State: Stable:
vssadmin list writers
To grant the required permission to the Microsoft Link-Layer Discovery Protocol driver (Mslldp.dll) to process System Writer, follow these steps, taken from Microsoft KB 3209092:
- Open an administrative Command Prompt window, and then run the following command to check the current permissions:
sc sdshow mslldp
The output is used as the <string> value in the next step.
- Copy the output string from step 1, append it with (A;;CCLCSWLOCRRC;;;SU), and then run the following command to add the access permission to Mslldp.dll:
sc sdset mslldp <string>(A;;CCLCSWLOCRRC;;;SU)
Example of input (do not copy and paste the string below for execution, as it contains unique sample data):
sc sdset mslldp D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141625172-2055838035-1754248212-2405740060-3916470453)(A;;CCLCSWLOCRRC;;;SU)
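An added example, not taken from the Microsoft KB articles or from this page: a PowerShell helper (the name Add-DaclAce is hypothetical) that performs the append from step 2. It also handles a descriptor that ends with an S: (SACL) section, where adding the ACE at the very end of the string would place it in the audit list instead of the DACL. The sample descriptors are constructed.

```powershell
# Added example. Add-DaclAce is a hypothetical helper name, not a Microsoft cmdlet.
function Add-DaclAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Ace = '(A;;CCLCSWLOCRRC;;;SU)'   # ACE given in Microsoft KB 3209092
    )
    # Group 'dacl': optional O:/G: prefix, "D:", DACL flags, then zero or more ACEs.
    # Group 'sacl': an optional trailing "S:..." audit section.
    $m = [regex]::Match($Sddl.Trim(),
        '^(?<dacl>.*?D:[A-Z_]*(?:\([^()]*\))*)(?<sacl>S:.*)?$')
    if (-not $m.Success) { throw "Cannot locate the DACL in: $Sddl" }

    $dacl = $m.Groups['dacl'].Value
    $sacl = $m.Groups['sacl'].Value          # empty string when there is no SACL

    # Idempotent: do not add the same ACE twice on a repeated run.
    if ($dacl.Contains($Ace)) { return $dacl + $sacl }

    # Insert at the end of the DACL, which is before "S:" when a SACL exists.
    return $dacl + $Ace + $sacl
}

# Constructed sample descriptors (not taken from a real server).
$noSacl   = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
$withSacl = $noSacl + 'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Add-DaclAce -Sddl $noSacl     # ACE lands at the end of the string
Add-DaclAce -Sddl $withSacl   # ACE lands before "S:", not after the audit ACE
Add-DaclAce -Sddl (Add-DaclAce -Sddl $withSacl)   # second pass changes nothing

# On the affected server (elevated PowerShell; use sc.exe, because "sc" alone is
# an alias for Set-Content in Windows PowerShell):
#   $current = (& sc.exe sdshow mslldp | Where-Object { $_ }) -join ''
#   $updated = Add-DaclAce -Sddl $current
#   $current; $updated        # compare, and keep $current for rollback
#   & sc.exe sdset mslldp $updated
```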
This problem occurs because VSS System Writer does not have permission to read the NT AUTHORITY\SERVICE (service account). When System Writer runs as a cryptographic service and tries to read the Mslldp.sys information from a Microsoft Link-Layer Discovery Protocol driver, the "access denied" error is generated. Consequently, the Microsoft System Writer fails because permissions to files in the %windir%\winsxs\filemaps\ or %windir%\winsxs\temp\PendingRenames directories are incorrect.
You can verify the issue by performing the following:
- Download the Microsoft Sysinternals file called accesschk.exe.
- Open an elevated (Administrative) Windows Command Prompt (not PowerShell).
- Type the following command: accesschk.exe -c mslldp
The output should look like the following, with NT Authority\System listed. If it does not, follow the instructions under the Cause and Resolution.
RW NT AUTHORITY\SYSTEM
R NT SERVICE\NlaSvc
R NT Authority\Service
Microsoft Knowledge Base Articles on this topic: