MachineKeys folder is growing too large
Article ID: 212574

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer reported a large number of files under the MachineKeys directory (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys): 2.4 million files in total. While trying to clean up this folder he broke our application pools, which started failing with: The worker process for application pool 'Symantec Agent AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist'. He restored a copy of the MachineKeys folder and the system is up and running again, but he is concerned about the number of keys created under it.

Question:

Does SMP create machinekeys (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) as part of its procedures? 

Environment

ITMS 8.1, 8.5, 8.6

Resolution

Answer:

Yes. SMP creates files under the MachineKeys folder; they are created during CEM (Cloud-enabled Management) certificate generation.

A new tool called "CryptoCleaner.exe" has been developed and is attached to this article. It also ships with the product as of the ITMS 8.6 RU1 release.

This utility enumerates the key files in the MachineKeys folder and collects statistics on potential duplicates that can be safely removed. It can be used with SMP 8.5 and later.

  • Start it with /? for usage details.
  • Reads the known certificates from the NS
  • Builds a public key map
  • Reads key information from MachineKeys
  • Detects which key files belong to our certificates
  • Collects statistics
  • Backs up keys that are counted as "trash" into the backup folder (archived in zips)
  • Performs the cleanup (with or without backup).

Tool usage:

  • Started from the command line without any parameters, the tool examines the local system and collects trash machine key statistics. Nothing is deleted.
  • Started with the /? parameter, the tool shows the possible usage scenarios with the corresponding command line description.
  • Backup: -backup -bkppath <folder>. The tool detects all files that would be deleted and backs them up to the specified folder, compressed in zips. By default it places 10000 files in each zip file; this number can be changed from the command line. Nothing is deleted in this mode.
  • Clean: -clean. The tool detects all files that will be deleted and backs them up to the specified folder, then deletes the files from the MachineKeys folder. The backup can be disabled from the command line. It is recommended to perform a backup first, and then execute the clean operation with the backup option suppressed (-nb).
  • Restore: -r -bkppath <folder>. The tool restores from the backup folder by extracting the zip contents into the MachineKeys folder.
  • The tool asks the user to confirm execution of the selected operation. The prompt can be suppressed with the -q switch (useful if you want to route the output to a file).

Note: It is recommended to restart the "Altiris Services" service after running the tool with -clean.

You can output the results from the command prompt to a text file:

CryptoCleaner.exe > c:\results.txt
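The following PowerShell script is an added example, not part of this article or of the CryptoCleaner tool. It runs the recommended sequence (statistics, backup, clean with -nb, service restart) and refuses to clean unless the backup pass actually produced zip archives. It assumes CryptoCleaner.exe sits next to the script, that a non-zero exit code means the tool failed, and that the backup and log paths below are yours to choose; the switches used are the ones listed above.

```powershell
# Added example (not the article's or the tool's own code): stats -> backup ->
# clean without a second backup (-nb) -> service restart, with a safety check.
$ErrorActionPreference = 'Stop'

$Tool      = Join-Path $PSScriptRoot 'CryptoCleaner.exe'   # assumed location
$KeyDir    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$BackupDir = 'D:\MachineKeysBackup'                        # assumed, needs free space
$LogDir    = 'C:\Temp'                                     # assumed
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Cleaner {
    param([string[]]$Arguments, [string]$Step)
    $log = Join-Path $LogDir "CryptoCleaner-$Step-$Stamp.txt"
    # -q suppresses the confirmation prompt so all output can go to the log file
    & $Tool @Arguments -q *> $log
    # Exit-code semantics are an assumption; the article does not document them
    if ($LASTEXITCODE -ne 0) { throw "CryptoCleaner '$Step' step failed, see $log" }
    return $log
}

# 1. Baseline count before anything is touched
$before = (Get-ChildItem -LiteralPath $KeyDir -File -Force).Count
Write-Host "MachineKeys files before cleanup: $before"

# 2. Statistics only: no parameters means examine and report, nothing deleted
$statsLog = Invoke-Cleaner -Arguments @() -Step 'stats'
Write-Host "Statistics written to $statsLog"

# 3. Backup pass: trash keys are zipped into $BackupDir, nothing deleted
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Invoke-Cleaner -Arguments @('-backup', '-bkppath', $BackupDir) -Step 'backup' | Out-Null

# 4. Safety check: do not clean unless the backup produced at least one archive
$zips = @(Get-ChildItem -LiteralPath $BackupDir -Filter '*.zip' -File)
if ($zips.Count -eq 0) { throw "No backup zips found in $BackupDir; not cleaning." }
Write-Host "Backup verified: $($zips.Count) zip archive(s) in $BackupDir"

# 5. Clean pass, suppressing the tool's own backup (-nb) since step 3 made one
Invoke-Cleaner -Arguments @('-clean', '-nb') -Step 'clean' | Out-Null

$after = (Get-ChildItem -LiteralPath $KeyDir -File -Force).Count
Write-Host "MachineKeys files after cleanup: $after (removed $($before - $after))"

# 6. Restart the service the article names after a -clean run
Restart-Service -DisplayName 'Altiris Services'
```

Keep the backup folder until the application pools and agents have been confirmed working; the restore mode (-r -bkppath) described above can put the archived keys back if anything fails to decrypt.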

Attachments

CryptoCleaner_1618428478174.zip