Slow Windows OS performance after Cryptographic Services catalog corrupted by Windows Update
Article ID: 285937
Products
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
System slowness
Excessive CPU resource utilization by repmgr.exe, svchost.exe and/or Cryptographic Services
System utilities (such as Task Manager, Explorer, etc.) take minutes to open
Placing the sensor in "BYPASS" mode fixes the slowness.
Environment
Carbon Black Cloud sensor: 3.7.0.1253 and Higher
Endpoint Standard
Audit and Remediation
Microsoft Windows Endpoint OS: Win10 x64 Professional and Higher
Microsoft Windows Server OS: Windows Server 2012 R2 and Higher
Cause
Delays were caused by corruption in the native Microsoft Cryptographic Services database
Resolution
Stop the Windows Update service
Stop the Cryptographic Services service
Move the contents of "C:\Windows\System32\catroot2" to another location, keeping the files as a backup until the contents have rebuilt properly
Restart the Cryptographic Services service
Restart the Windows Update service
Additional Information
These steps can be scripted for cmdline execution:
net stop wuauserv
net stop cryptsvc
ren %systemroot%\system32\catroot2 catroot2.bak
net start cryptsvc
net start wuauserv
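An added PowerShell version of the same five steps (not from the original article or the vendor): it waits for each service to reach the expected state, uses a timestamped backup name so an existing catroot2.bak does not block the rename, and restarts the services even if the rename fails. The backup naming convention and the Wait-ServiceState helper are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: the Resolution steps with state checks and a safe restart path.
$ErrorActionPreference = 'Stop'

$catroot = Join-Path $env:SystemRoot 'System32\catroot2'
# Timestamped backup name (constructed convention) so an earlier
# catroot2.bak left by a previous run does not make the rename fail.
$backup  = '{0}.bak-{1}' -f $catroot, (Get-Date -Format 'yyyyMMdd-HHmmss')

# Hypothetical helper: block until the service reports the wanted state,
# throwing a timeout exception if it does not get there in time.
function Wait-ServiceState {
    param([string]$Name, [string]$State, [int]$TimeoutSec = 60)
    (Get-Service -Name $Name).WaitForStatus($State, [TimeSpan]::FromSeconds($TimeoutSec))
}

try {
    # Stop order from the Resolution steps: Windows Update, then Cryptographic Services.
    foreach ($name in 'wuauserv', 'cryptsvc') {
        Stop-Service -Name $name -Force
        Wait-ServiceState -Name $name -State 'Stopped'
    }

    if (Test-Path -LiteralPath $catroot) {
        Rename-Item -LiteralPath $catroot -NewName (Split-Path $backup -Leaf)
        Write-Host "Catalog database moved to $backup"
    }
}
finally {
    # Restart in reverse order even when the rename failed, so the host
    # is not left with either service stopped.
    foreach ($name in 'cryptsvc', 'wuauserv') {
        Start-Service -Name $name
        Wait-ServiceState -Name $name -State 'Running'
    }
}

# Keep the backup until the folder has been rebuilt, as the Resolution advises.
if (Test-Path -LiteralPath $catroot) {
    Write-Host "$catroot exists again; keep $backup until the slowness is confirmed gone."
} else {
    Write-Warning "$catroot has not been recreated yet; keep $backup and check again."
}
```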
If the problem persists, try the following steps:
Rebuild the search index on the device and purge old Windows 10 update files
To rebuild the search index:
Open the Indexing Options screen in Windows
Hit “Advanced” at the bottom
Select the “Rebuild” option in troubleshooting
To flush the older Windows Updates:
Open the Disk Cleanup Utility
Select the option in the bottom left to “Clean up System Files”
Wait for the information to populate
Select all options, then hit “OK”
Confirm the deletion of the files
Reboot the device once completed
Apply Microsoft February 2021 patches – KB4598291 and KB4598299 (related to ESENT 642 event log warnings)
If none of the above resolves the issue, collect a full memory dump, a Process Monitor capture and a WPR trace while reproducing the issue, and open a case with Support