C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space [Answered]

4 replies

Last post Apr 17, 2015 07:02 AM by XaviN

  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

    Apr 16, 2015 03:25 AM | XaviN

    Hello,

    Our web application sends and receives information from remote web services. Each time our application makes a connection to a remote web service (https) to obtain some information, one or more files are created in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

    We detected that this directory has a size of 1 GB and has more than 900,000 files, but we don't understand the reason for the creation of these files.

    These files have names like...

    00a0f6194244925d4efbd8bf34102cf6_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
    00b742b793de0705c893602dd8ab4689_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
    00b906c620a140eec67558e8fd7dac2a_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
    ...

    There is a problem with the IIS service if I try to empty this directory, because IIS stores some encryption keys there for iisConfigurationKey, NetFrameworkConfigurationKey and iisWasKey.

    Is anyone else experiencing the same situation?

    Thanks!

    Xavi

  • Re: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

    Apr 16, 2015 10:34 PM | Ken Schaefer

    Do you have any security software installed on the machine? There are various reports on the internet that software like ESET performs "MITM" SSL inspection, and thus can end up issuing vast amounts of fake SSL certs to perform this.

  • Re: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

    Apr 16, 2015 10:36 PM | Pengzhen Song - MSFT

    Hi,

    The MachineKeys folder stores certificate key pairs for both the computer and users. Whenever a certificate request is generated for the machine, a new file is created in this location. This is true even if the certificate request fails.

    What I would recommend doing is checking all Enterprise CAs you have in the environment and looking for failed certificate requests. If you can find a significant amount, investigate the certificate template listed in the error and correct it or unpublish it from all the CAs. Once corrected/unpublished, wait 24 hours to see if the buildup in the MachineKeys folder stops.

    For more information, please refer to the discussion:

    http://forums.techarena.in/windows-server-help/633085.htm

    To delete the files in the folder, we can find the useless files and delete them. Please refer to the discussions:

    http://forums.whirlpool.net.au/archive/1683713

    http://serverfault.com/questions/39768/can-i-clear-down-the-machine-keys-folder

    Hope it can help you.

  • Re: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

    Apr 17, 2015 05:12 AM | XaviN

    Hi,

    Thank you for your comments. We are now investigating your suggestions. When I find the source of the issue, I will write back.

    Best regards,

    Xavi

  • Re: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

    Apr 17, 2015 07:02 AM | XaviN

    Hello,

    We found the problem. It happens when we sign the SAML ticket with the certificate (X509Certificate class) before sending it to the remote web service (SSL).

    At the end of the SAML signing process, there was no call to the Reset method, which frees all resources related to the certificate used.

    After this change, we have seen that the keys in the MachineKeys directory appear when we sign the SAML ticket and then disappear when I perform X509Certificate.Reset().

    On the other hand, we focused on removing all unused keys from this directory. First, we identified the main keys related to encryption for Windows components. Our list is as follows:

     - Microsoft Internet Information Server -> c2319c42033a5ca7f44e731bfd3fa2b5 ...
     - NetFrameworkConfigurationKey          -> d6d986f09a1ee04e24c949879fdb506c ...
     - iisWasKey                             -> 76944fb33636aeddb9590521c2e8815a ...
     - WMSvc Certificate Key Container       -> bedbf0b4da5f8061b6444baedf4c00b1 ...
     - iisConfigurationKey                   -> 6de9cb26d2b98c01ec4e9e8b34824aa2 ...
     - MS IIS DCOM Server                    -> 7a436fe806e483969f48a894af2fe9a1 ...
     - TSSecKeySet1                          -> f686aace6942fb7f7ceb231212eef4a4 ...

    Now, we are working on building a script to remove all keys except those that start with the key names listed above.

    Thank you for your help.

    See you soon

    Xavi
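
A sketch of the cleanup script described in the last post, as an added example (not XaviN's script). The protected prefixes are copied from the list in that post; the function name, the `-MinAgeDays` parameter and the extra check against certificates in the LocalMachine stores are assumptions added here, and Windows PowerShell run elevated is assumed.

```powershell
# Added example. Prefixes are copied from the list in the post above; the function
# name and -MinAgeDays are hypothetical. Run elevated; -WhatIf makes it a dry run.
function Remove-OrphanedMachineKey {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        [int]$MinAgeDays = 7   # leave recent files alone (a signing call may be in flight)
    )

    # File-name prefixes of the Windows/IIS keys identified in the post.
    $protected = @(
        'c2319c42033a5ca7f44e731bfd3fa2b5', # Microsoft Internet Information Server
        'd6d986f09a1ee04e24c949879fdb506c', # NetFrameworkConfigurationKey
        '76944fb33636aeddb9590521c2e8815a', # iisWasKey
        'bedbf0b4da5f8061b6444baedf4c00b1', # WMSvc Certificate Key Container
        '6de9cb26d2b98c01ec4e9e8b34824aa2', # iisConfigurationKey
        '7a436fe806e483969f48a894af2fe9a1', # MS IIS DCOM Server
        'f686aace6942fb7f7ceb231212eef4a4'  # TSSecKeySet1
    )

    # Assumption beyond the post: also keep key files that back certificates
    # installed in the LocalMachine stores (CAPI keys expose their file name here).
    $inUse = @{}
    Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            try { $inUse[$_.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName] = $true }
            catch { }   # key not readable through CAPI; nothing to record
        }

    $cutoff = (Get-Date).AddDays(-$MinAgeDays)
    $kept = 0; $removed = 0
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Force) {
        $prefix = ($file.Name -split '_', 2)[0]   # part before the machine GUID suffix
        $keep = ($protected -contains $prefix) -or $inUse.ContainsKey($file.Name) -or
                ($file.LastWriteTime -gt $cutoff)
        if ($keep) { $kept++; continue }
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete orphaned key file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            $removed++
        }
    }
    [pscustomobject]@{ Path = $Path; Kept = $kept; Removed = $removed }
}

Remove-OrphanedMachineKey -WhatIf   # report only; nothing is deleted
```

Review the `-WhatIf` output and back up the folder before running it for real; with 900,000 files the per-file confirmation prompt has to be suppressed with `-Confirm:$false`.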