Slow Windows OS performance after Cryptographic Services catalog corrupted by Windows Update

Article ID: 285937


Products

  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • System slowness
  • Excessive CPU resource utilization by repmgr.exe, svchost.exe and/or Cryptographic Services
  • System utilities (such as Task Manager, Explorer, etc.) take minutes to open
  • Placing the sensor in "BYPASS" mode fixes the slowness

Environment

  • Carbon Black Cloud sensor: 3.7.0.1253 and Higher
    • Endpoint Standard
    • Audit and Remediation
  • Microsoft Windows Endpoint OS: Win10 x64 Professional and Higher
  • Microsoft Windows Server OS: Windows Server 2012 R2 and Higher

Cause

The delays are caused by corruption in the native Microsoft Cryptographic Services database.

Resolution

  1. Stop the Windows Update service
  2. Stop the Cryptographic Services service
  3. Move the contents of "C:\Windows\System32\catroot2" to another location, keeping the files as a backup until the contents have rebuilt properly
  4. Restart the Cryptographic Services service
  5. Restart the Windows Update service

Additional Information

  1. These steps can be scripted for command-line execution:
    net stop wuauserv
    net stop cryptsvc
    rem Rename the folder so the old contents are kept as a backup
    ren %systemroot%\system32\catroot2 catroot2.bak
    net start cryptsvc
    net start wuauserv
  2. If the problem persists, try the following steps:
    1. Rebuild the search index on the device and purge old Windows 10 update files
      1. To rebuild the search index:
        1. Open the Indexing Options screen in Windows
        2. Hit “Advanced” at the bottom
        3. Select the “Rebuild” option in troubleshooting
      2. To flush the older Windows Updates:
        1. Open the Disk Cleanup Utility
        2. Select the option in the bottom left to “Clean up System Files”
        3. Wait for the information to populate
        4. Select all options, then hit “OK”
        5. Confirm the deletion of the files
        6. Reboot the device once completed
      3. Apply Microsoft February 2021 patches – KB4598291 and KB4598299 (related to ESENT 642 event log warnings)
  3. If none of the above resolves the issue, collect a full memory dump, Process Monitor capture and WPR trace while reproducing the issue and open a case with Support
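
The scripted steps from item 1, written as a PowerShell variant that refuses to rename while Cryptographic Services is still running, restarts both services even if the rename fails, and checks that catroot2 was recreated. This is an added example, not the vendor's or Microsoft's script; the timestamped backup name, the 60-second wait and the variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: catroot2 reset with a timestamped backup and a post-check.
# Backup naming and the 60-second wait are assumptions, not from the article.
$ErrorActionPreference = 'Stop'

$catroot2 = Join-Path $env:SystemRoot 'System32\catroot2'
$backup   = 'catroot2.bak-{0:yyyyMMdd-HHmmss}' -f (Get-Date)

if (-not (Test-Path -LiteralPath $catroot2)) {
    throw "Not found: $catroot2"
}

try {
    # Same stop order as the article: Windows Update, then Cryptographic Services.
    foreach ($name in 'wuauserv', 'cryptsvc') {
        Stop-Service -Name $name -Force
    }
    # The rename fails or leaves a half-used database if the service came back.
    if ((Get-Service -Name 'cryptsvc').Status -ne 'Stopped') {
        throw 'cryptsvc did not stay stopped; catroot2 left untouched.'
    }
    # Rename rather than delete so the old contents can be restored.
    Rename-Item -LiteralPath $catroot2 -NewName $backup
    Write-Host "Old catalog database kept as $backup"
}
finally {
    # Restart in the article's order even if the rename failed.
    foreach ($name in 'cryptsvc', 'wuauserv') {
        Start-Service -Name $name
    }
}

# catroot2 is expected to be recreated once Cryptographic Services is running.
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Path -LiteralPath $catroot2) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
}

if (Test-Path -LiteralPath $catroot2) {
    Write-Host 'catroot2 recreated. Keep the backup until the contents have rebuilt properly.'
}
else {
    Write-Warning "catroot2 not recreated within 60 seconds; backup is $backup"
}
```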