
Thread: Huge folder - Application data\microsoft\crypto\rsa\machine keys

  1. #1
    fox1977 Guest

    Huge folder - Application data\microsoft\crypto\rsa\machine keys

    Hi there,

    I am running a number of windows 2003 sp1 web servers. I am running
    low on disk space on the system disc on one of them. Down to about 195 mb
    today from 250mb yesterday.

    After exploring the different folders I have come across a rather large
    folder that is 1 gb in size and contains over 300,000 files. The
    folder is here:

    C:\Documents and Settings\All Users\Application
    Data\Microsoft\Crypto\rsa\machine keys

    Does anyone know what this folder contains or why it is so big. On
    another similar server the same folder is only 116k and contains 29
    files.

    I am running IIS with a large number of sites and some of them have SSL
    certificates attached to them. I have recently added two new certificates to
    the server in the past few days and I think this is why it has dropped a bit
    in the past few days.

    As I am drastically running out of room is it ok just to compress this
    folder? Can anyone offer any tips on how to reduce the size of this folder?
    I don't want to delete the folder as I'm sure the machine will grind to a
    halt!

    Any tips much appreciated. Getting a bit urgent now. Got to start
    compressing the folder about 19:00 gmt.

    Cheers

  2. #2
    mtstream Guest

    RE: Huge folder - Application data\microsoft\crypto\rsa\machine keys

    I don't know the specific impact of compressing this folder, but would be
    very concerned with changes to it on an IIS production box. You need to know
    more about how/why IIS is creating so many keys.

    When I need space I go after the NTuninstall directories in the %systemroot%
    these aren't huge (a few mb each on average) but you may have 100+. I'll
    keep the last month or two and remove the rest. It's not a long term fix but
    may buy you some time to figure something else out.

    If you're eating up 50mb a day you need a far more dramatic change than
    compressing some folders.

  3. #3
    fox1977 Guest

    RE: Huge folder - Application data\microsoft\crypto\rsa\machine ke

    Just compressed the folder and it is still the same size! Damn

    I have noticed in the event log the time is out of sync with the domain
    controller by about 11 mins and the machine is reporting a problem applying
    the group policy.

    There was also an error in the system log about the server time being too far
    out of sync with the domain controller. Here are a few of the error messages:

    - Windows cannot determine the user or computer name. (Access is denied. ).
    Group Policy processing aborted.

    - Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this. (the previous message is the one about the
    time being too far out of sync with the domain controller)

    - Windows cannot access the file gpt.ini for GPO
    CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nmspace,DC=net.
    The file must be present at the location
    <\\mydomain.net\sysvol\mydomain.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
    (Configuration information could not be read from the domain controller,
    either because the machine is unavailable, or access has been denied. ).
    Group Policy processing aborted.

    Do you think these issues are related or am I barking up the wrong tree?

    Thanks,

  4. #4
    mtstream Guest

    RE: Huge folder - Application data\microsoft\crypto\rsa\machine ke

    You definitely need to fix the time sync. That should make the GPO issues go
    away. If not check the security settings on the sysvol. Here's an article
    on how to manually sync the time
    http://support.microsoft.com/default...b/555225/en-us

    Will the time issue cause the additional creation of machine keys? I don't
    know. I think you've got an IIS issue - issue may be the wrong word it may
    not be malfunctioning but doing what is required by a particular web page.

    You may want to try the IIS group for some additional ideas. Including
    moving sites to another box or virtual directories somewhere else.

  5. #5
    Brian Delaney [MSFT] Guest

    RE: Huge folder - Application data\microsoft\crypto\rsa\machine ke

    Hi,

    Time Sync as mentioned is a must to fix. It could potentially be a
    contributing factor in the problem.

    I haven't seen this happen before but I did a quick test and have a theory
    on something that could cause this (assuming of course you don't have
    300000 certificates installed on that machine :))

    The Crypto\RSA\MachineKeys folder stores the private key of each
    certificate on the machine. Whenever a certificate request is generated
    for the machine, a new file is created in this location. This is true even
    if the certificate request fails.

    My test included creating a certificate template that I knew my computers
    would fail when requesting and publishing it to one of my enterprise
    issuing CAs, granting my computers Read, Enroll and Autoenroll permissions.
    I then repeatedly forced autoenrollment on a few of the machines and found
    that every time this was done a new private key was created in the
    MachineKeys folder and the CA logged a failed certificate request. Given
    enough time the number of private keys in this store could potentially be
    in the 100000+

    What I would recommend doing is checking all Enterprise CAs you have in the
    environment and looking for failed certificate requests. If you can find a
    significant amount, investigate the certificate template listed in the
    error and correct it or unpublish it from all the CAs. Once
    corrected/unpublished wait 24 hours to see if the buildup in the
    MachineKeys folder stops.

    Of course there are other ways that this could build up, the most likely
    culprit however is autoenrollment. If autoenrollment is not the issue at
    hand here, check for any batch jobs on the machines that may cause a manual
    enrollment using certreq for example.


    Hope this helps,

    Brian Delaney
    Microsoft Canada
    --
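
A way to measure the buildup described in the reply above before touching templates or the folder itself, added here as an example and not part of any post in this thread: it buckets the key files by day so the start date and daily rate can be lined up with failed requests logged on the CA. The function names, the 20-files-per-day threshold and the use of last-write time as the creation time are assumptions of this example.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

def daily_counts(folder):
    """Count files per UTC day of last write; key files are written once."""
    days = Counter()
    with os.scandir(folder) as entries:  # scandir copes with 300,000+ entries
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                ts = entry.stat(follow_symlinks=False).st_mtime
                days[datetime.fromtimestamp(ts, tz=timezone.utc).date()] += 1
    return days

def onset(days, threshold=20):
    """First day on which at least `threshold` files appeared, or None."""
    hits = [d for d, n in days.items() if n >= threshold]
    return min(hits) if hits else None

def recent_rate(days, window=7):
    """Mean files per day over the `window` calendar days ending at the newest file."""
    if not days:
        return 0.0
    last = max(days)
    return sum(n for d, n in days.items() if (last - d).days < window) / window

def make_sample(folder, plan):
    """Constructed data for trying the functions: `n` empty files stamped noon UTC."""
    for day, n in plan.items():
        ts = datetime(day.year, day.month, day.day, 12, tzinfo=timezone.utc).timestamp()
        for i in range(n):
            path = os.path.join(folder, f"{day.isoformat()}_{i}.key")
            open(path, "wb").close()
            os.utime(path, (ts, ts))

if __name__ == "__main__":
    # Usage: python keycount.py "<path to the MachineKeys folder>"
    counts = daily_counts(sys.argv[1])
    print("total files:", sum(counts.values()))
    print("buildup began:", onset(counts))
    print("files/day, last 7 days:", round(recent_rate(counts), 1))
    for day in sorted(counts)[-14:]:
        print(day, counts[day])
```

It only reads directory metadata, so it can run on the live server; a steady per-day count that starts on one date points at a scheduled trigger such as autoenrollment or a batch job.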

  6. #6
    cixlar Guest

    C:\Documents and Settings\All Users\ApplicationData\Microsoft\Crypto\RSA\Machine Keys

    Amazing, I could open some keys to view in hexeditor, but there are some I cannot even see them. Could some files be deleted? If one dares, how to delete these files? My question is how one can delete during pre-boot session under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Thanks for suggestions and help.


  7. #7
    Join Date
    Aug 2007
    Posts
    1
    How to delete large number of files in MachineKeys
    Problem:
    Large number of files in the folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA eating up Disk Storage.
    Warning: If you have application that runs on IIS, it would need to be re-installed/configured after this process.
    1. Stop IIS (iisreset /stop)
    2. Go to Windows Add/Remove and uninstall IIS (If it asks you to uninstall ASP say yes)
    3. Go to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA and rename the folder “MachineKeys” to “OLDMachineKeys”
    4. Install IIS from Windows Add/Remove (and asp if that was installed earlier)
    5. Delete the folder “OLDMachineKeys” by using the following command line: RD /S /Q OLDMachineKeys. Depending on the number of files this may take long.
    6. From the folder: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727, run aspnet_regiis.exe -i
    Tip: If you disable the anti-virus during this process it will speed things up. But don’t do it without your system admin’s approval.

  8. #8
    Join Date
    Jul 2009
    Posts
    1

    Re: Huge folder - Application data\microsoft\crypto\rsa\machine keys

    This is a very old post but the problem of drive space is most likely fixed by trimming the web logs.
