MachineKeys folder is growing too large

Article ID: 212574

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

A customer reported a very large number of files in the MachineKeys directory (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys): 2.4 million files. While trying to clean up this folder, he caused an issue with our AppPools: "The worker process for application pool 'Symantec Agent AppPool' encountered an error 'Failed to decrypt attribute 'password' because the keyset does not exist'". He restored a copy of the MachineKeys folder and the system is up and running again, but he remained concerned about the number of keys created under it.

Question:
Does SMP create machine keys (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) as part of its procedures?
 

Environment

ITMS 8.1, 8.5, 8.6

Resolution

Answer:

Yes. SMP does create files under the MachineKeys folder; these files are created during CEM certificate generation.

 

A new tool called "CryptoCleaner.exe" has been developed and is attached to this article. It will be released as part of our product with the ITMS 8.6 RU1 release.

This utility enumerates key files in the MachineKeys folder and collects statistics on potential duplicates that can be safely removed. It can be used in SMP 8.5 and later.

  • Start it with the /? parameter for usage details.
  • Reads known certificates from NS
  • Builds a public key map
  • Reads key information from MachineKeys
  • Detects which key files belong to our certificates
  • Collects statistics
  • Backs up keys that are counted as "trash" to a backup folder (archived in zips)
  • Performs cleanup (with or without backup)
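
A read-only way to size the problem before running the tool, as an added example that is not part of CryptoCleaner or of this article's attachment. It assumes Windows PowerShell 5.1 run elevated, and it matches MachineKeys files to certificates in the LocalMachine stores by key container file name. That is a substitute for the tool's NS public key map, so an unmatched file is not proof that it is safe to delete.

```powershell
# Added example: read-only inventory, nothing is deleted or modified.
# Run elevated in Windows PowerShell 5.1 on the server.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Key container file names used by certificates in the LocalMachine stores.
#    (Assumption: this stands in for the tool's NS certificate / public key map.)
$referenced = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$unreadable = 0
$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is $certType -and $_.HasPrivateKey } |
    ForEach-Object {
        $rsa = $null
        try {
            $rsa = $ext::GetRSAPrivateKey($_)   # null for non-RSA keys
            $name = $null
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $name = $rsa.Key.UniqueName
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            }
            if ($name) { [void]$referenced.Add($name) }
        } catch {
            $unreadable++   # key file missing, or access denied
        } finally {
            if ($rsa) { $rsa.Dispose() }
        }
    }

# 2. Stream the folder (it may hold millions of files) and bucket unmatched files by month.
$total = 0; $unmatched = 0; $byMonth = @{}
foreach ($f in ([System.IO.DirectoryInfo]$keyDir).EnumerateFiles()) {
    $total++
    if (-not $referenced.Contains($f.Name)) {
        $unmatched++
        $month = $f.CreationTime.ToString('yyyy-MM')
        $byMonth[$month] = 1 + [int]$byMonth[$month]
    }
}

# 3. Report only. An unmatched file may still be a key that something depends on.
"Total key files          : $total"
"Matched to a local cert  : $($total - $unmatched)"
"Not matched to any cert  : $unmatched"
"Certs with unreadable key: $unreadable"
$byMonth.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0}  {1,10}' -f $_.Name, $_.Value }
```

The per-month counts show whether the folder is still growing, and a non-zero "unreadable key" count points at certificates whose key file is already missing or inaccessible.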

 

Tool usage:

  • Started from the command line without any parameters, the tool examines the local system and collects statistics on trash machine keys.
  • Started with the /? parameter, the tool shows the possible usage scenarios with the corresponding command-line description.
  • Backup: -backup -bkppath parameters. The tool detects all files that would be deleted and backs them up to the specified folder, compressed in zips. By default it places 10000 files in each zip file; this number can be specified on the command line. Nothing is deleted in this mode.
  • Clean: -clean. The tool detects all files that will be deleted and backs them up to the specified folder. The files are then deleted from the MachineKeys folder. Backup can be disabled from the command line. It is recommended to perform a backup first and then execute the clean operation with the backup suppressed (-nb).
  • Restore: -r -bkppath. The tool restores from the backup folder by extracting the zips' content into the MachineKeys folder.
  • The tool asks the user to confirm execution of the selected operation. This prompt can be suppressed with the -q switch (useful if you want to route output to a file).

Note: It is recommended to restart the "Altiris Services" service after running the tool with the -clean parameter.

 

You can output the results from the command prompt to a text file:
CryptoCleaner.exe > c:\results.txt

Attachments

CryptoCleaner_1618428478174.zip