none
Event 5061 Audit Failures every reboot - Cryptography - Win 10 Pro 64-bit RRS feed

All replies

  • Update your display device driver from manufacturer website, update system to the latest build. The latest build for 1803 is 17134.753, and on my 1809 machine, I don’t see this 5061 5061(S, F): Cryptographic operation.

    From my experience, also delete the expired certificate in the path: Certificates > Trusted Root Certification Authorities > Certificates

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 29, 2019 6:28 AM
    Moderator
  •  

    Teemo -Your second point might be helpful, and I think we're making progress, but we need a bit more detail.  Please advise re following:

    First, I assume you mean to go to Device Manager and update the driver in "Display adaptors".  (In other words, not "Monitors".)

    But my PC doesn't have any video card - not Nvidia and not anything else.  In "Display adaptors", I have only "Intel(R) HD Graphics".  I think someone called this "CPU-GPU".  I just tried an "Update driver", and I already have the most recent one.  So is there anything else to do?

    Second, if I run mmc and add "Certificates (Local Computer)" as a snap-in, and then go to "Trusted Root Certification Authorities - Certificates", there are five from various companies that have expired and two from my own computer that have also expired.  (Those are the only two from my own computer.)   
    Should I delete all seven? 
    -  What happens then? 
    Is it possible to make a back-up first that I can put back in if I have a problem?

    Third, in mmc, I seem to get the same list of "Trusted Root Certification Authorities - Certificates" if I add a slightly different snap-in called
    "Certificates - Service (Cryptographic Services) on Local Computer"
    and then go to "CryptSvc\Trusted Root Certification Authorities - Certificates".
    Should I make the deletions only there, and not in the first place above?

    Fourth, in mmc, the same thing happens a third time if I add the third possible snap-in, which is called "Certificates - Current User".  So I would much appreciate your describing from which one of these three snap-ins I should delete the expired certificates.

    Thanks - please be detailed.  I hope we're on the right path!

     


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003



    • Edited by glnzglnz Monday, April 29, 2019 12:51 PM
    Monday, April 29, 2019 12:37 PM
  •  

    Teemo - your post two above might be the only chance of fixing, as other suggestions elsewhere have not worked.

    But please read my post directly above and advise.

    Thanks.

     


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    Wednesday, May 1, 2019 12:26 PM
  • I did some more digging.

    On reboot just now, there were three Audit Failures, Event 5061, for Cryptographic operation, all noting Process ID 888, which is lsass.exe, Local Security Authority Process

    So I right-clicked on lsass.exe and looked at its related services, and they are:

    Keylso - CNG Key Isolation - running

    SamSs - Security Account Manager - running

    VaultSvc - Credential Manager - running

    Any ideas what this is, or how to fix?


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    Thursday, May 2, 2019 12:30 PM
  • Sorry for delay, I am on May Day holiday.

    Your steps are correct, certification authority backup is important, go ahead before your delete the expired certificate, the two CA of your computer, ignore, others delete.

    Keylso - CNG Key Isolation:

    The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. Leave this service alone and let Windows determine if it should run or not.

    SamSs - Security Account Manager

    The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept

    requests.  Disabling this service will prevent other services in the system from being notified when the SAM is

    ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

    VaultSvc - Credential Manager

    The credential manager service saves user names and passwords to other computers on your network or websites so that when you access them later your computer will automatically log in to them.

    Your computer doesn’t need the VaultSvc service to run.

    All of above three services’ state are ok, you don’t need to care them.

    If delete expired CA doesn’t help, I am afraid that you need to in-place upgrade.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 3, 2019 2:47 AM
    Moderator
  • Update – in the detailed copies of the Audit Failure messages in the post in my link at the start here, the [Hex number] is associated with my One Drive, as I discovered in the registry.

    Is that a clue to the reason for the Audit Failures?


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003


    • Edited by glnzglnz Saturday, May 4, 2019 3:44 AM
    Saturday, May 4, 2019 3:43 AM
  •  

     Teemo - I just deleted the five expired keys that appear in certmgr and rebooted, but this did NOT fix the problem.

    Before I do an "in place upgrade", I would like to understand why these Audit Failures occur.

    Also, I have a dual-booting machine:  Win 7 Pro 64-bit and this Win 10 Pro 64-bit (version 1803).  Will an "in-place upgrade" preserve my Win 7 and all the needed partitions, or will everything be wrecked?

    Thanks.

     


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    Saturday, May 4, 2019 5:26 PM
  •  
    IMPORTANT NEW INFO:

    By checking my logs carefully, I can see that the Audit Failures start on the same day that I upgraded from Win 10 Version 1709 to Version 1803 - this past March 17.

    So is this problem baked into 1803?

    But why haven't more people been complaining about it?

    Still need to know how to fix. Thanks.
     

    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    Saturday, May 4, 2019 6:47 PM
  • Hello,

    Here is a link describing the event 5061 with some details about the data, this may be useful in tracking down the underlying issue.

    5061(S, F): Cryptographic operation


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, May 4, 2019 7:08 PM
  •  

    Darrell - Your link absolutely IS 100% relevant - very nice!

    Problem is that I'm not a tech and don't know how to apply that info to the data I have.  Might I ask you to look at my more detailed post on these forums at

    https://social.technet.microsoft.com/Forums/en-US/48425e2a-54c2-480d-8957-383415be2381/audit-failures-every-reboot-event-5061-cryptographic-operation-win-10-pro-64bit?forum=win10itprosetup

    -- which starts with a paste of all the info from five of my Audit Failures -- and suggest what I might do next?

    Or maybe you'll see something that applies to your link above?

    Thanks.


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    Saturday, May 4, 2019 9:18 PM
  • Hello,

    This is outside of my area of expertise, I suspect the ACLS are not correct on some of the keys.

    So your user account does not have the correct access to one of the crypto keys.

    Ideally check with a working system.

    From an elevated CMD prompt run

    cd\ to get to the root directory

    Try checking these first. Use >crypto.txt to dump the data into a text file.

    Icacls c:\Programdata\Microsoft\Crypto >Crypto.txt


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, May 4, 2019 9:55 PM
  • Darrell - this is what it looks like on my Win 10 machine with the Audit FaIlure problem:

    c:\Programdata\Microsoft\Crypto
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    Everyone:(I)(OI)(CI)(RX)
    Successfully processed 1 files; Failed processing 0 files

    Do you see anything that would help with my AUDIT FAILURE problem?

    Thanks.


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003

    • Edited by glnzglnz Tuesday, May 21, 2019 1:44 PM
    Tuesday, May 21, 2019 1:43 PM
  • Hello,

    Sorry I missed a switch in the commandline, need to add the /T to parse all the subdirectories and file below c:\programdata\microsoft\Crypto.

    The line I used only shows the ACLS on the folder c:\programdata\microsoft\Crypto.

    So this should be the commandline

    Icacls c:\Programdata\Microsoft\Crypto /T >Crypto.txt 

    Should look like this:

    c:\Programdata\Microsoft\Crypto NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                    BUILTIN\Users:(I)(OI)(CI)(RX)
                                    Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\DSS NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(F)
                                        BUILTIN\Users:(I)(OI)(CI)(RX)
                                        Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\Keys NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         Everyone:(OI)(CI)(R)
    c:\Programdata\Microsoft\Crypto\PCPKSP NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                           BUILTIN\Administrators:(I)(OI)(CI)(F)
                                           BUILTIN\Users:(I)(OI)(CI)(RX)
                                           Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\RSA NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(F)
                                        BUILTIN\Users:(I)(OI)(CI)(RX)
                                        Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\SystemKeys NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                               BUILTIN\Users:(I)(OI)(CI)(RX)
                                               Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\DSS\MachineKeys NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                    BUILTIN\Users:(I)(OI)(CI)(RX)
                                                    Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\PCPKSP\WindowsAIK NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                      BUILTIN\Administrators:(OI)(CI)(F)
                                                      NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
    c:\Programdata\Microsoft\Crypto\PCPKSP\WindowsAIK\fcef55dc2c9785a041bd1d41397c5cf593a94d91 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                                               NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(F)
    c:\Programdata\Microsoft\Crypto\PCPKSP\WindowsAIK\fcef55dc2c9785a041bd1d41397c5cf593a94d91\fb795632abfa22e9fad1700565d5c4527e380379.PCPKEY NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                                               BUILTIN\Administrators:(I)(F)
                                                                                                                                               NT AUTHORITY\LOCAL SERVICE:(I)(F)
    c:\Programdata\Microsoft\Crypto\RSA\MachineKeys NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                    BUILTIN\Users:(I)(OI)(CI)(RX)
                                                    Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\RSA\S-1-5-18 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                                 Everyone:(I)(OI)(CI)(RX)
    c:\Programdata\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_4d08862b-04ca-40a2-8778-983c299f1f8a NT AUTHORITY\NETWORK SERVICE:(R)
                                                                                                                          NT AUTHORITY\SYSTEM:(F)
                                                                                                                          BUILTIN\Administrators:(R)
                                                                                                                          BUILTIN\Administrators:(F)
                                                                                                                          BUILTIN\Users:(RX)
                                                                                                                          Everyone:(RX)
                                                                                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                          BUILTIN\Administrators:(I)(F)
                                                                                                                          BUILTIN\Users:(I)(RX)
                                                                                                                          Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\RSA\S-1-5-18\47fc86db1fb7aac2bd7965130dbaf78b_199d231f-bb60-41f6-a3bb-106e413abed5 NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                       BUILTIN\Administrators:(I)(F)
                                                                                                                       BUILTIN\Users:(I)(RX)
                                                                                                                       Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\RSA\S-1-5-18\4a291f798cde9e44ee41e161f0a62140_199d231f-bb60-41f6-a3bb-106e413abed5 NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                       BUILTIN\Administrators:(I)(F)
                                                                                                                       BUILTIN\Users:(I)(RX)
                                                                                                                       Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\RSA\S-1-5-18\9411eeadffa896fcb3d9b25457933d68_e83cfe4d-9c26-481b-88ac-7725ba95b972 NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                       BUILTIN\Administrators:(I)(F)
                                                                                                                       BUILTIN\Users:(I)(RX)
                                                                                                                       Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\SystemKeys\08fc720c0ee27916086f3e4c6ba4c04e_199d231f-bb60-41f6-a3bb-106e413abed5 NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                     BUILTIN\Administrators:(I)(F)
                                                                                                                     BUILTIN\Users:(I)(RX)
                                                                                                                     Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\SystemKeys\2f77d6f2119147ad4fa5bf86b944128d_199d231f-bb60-41f6-a3bb-106e413abed5 NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                     BUILTIN\Administrators:(I)(F)
                                                                                                                     BUILTIN\Users:(I)(RX)
                                                                                                                     Everyone:(I)(RX)
    c:\Programdata\Microsoft\Crypto\SystemKeys\c6172cfca79fd0279cc9135f518cc540_4d08862b-04ca-40a2-8778-983c299f1f8a NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                                     BUILTIN\Administrators:(I)(F)
                                                                                                                     BUILTIN\Users:(I)(RX)
                                                                                                                     Everyone:(I)(RX)


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, May 29, 2019 11:23 PM
  • Darrell - Your new Icacls command generated over 100 pages of results.

    Also, there are many many 69-digit sub-subfolder names in subfolders like "RSA keys", and they seem to be confidential strings, so I don't want to post them here.

    I'm thinking of looking in those results for the 69-digit numbers that I described in my other Technet thread (link at top of this thread).  What do you think?

    Thanks.


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003


    • Edited by glnzglnz Thursday, May 30, 2019 12:44 AM
    Thursday, May 30, 2019 12:44 AM
  • Hello,

    I think that is a good idea, I would not want you to post all 100 pages of information.

    this is just a suspicion on my part, that this could be the cause of your issue.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, May 31, 2019 10:16 PM
  • Updating to 1903 has solved this problem. Too bad MS won't fix it for 1803 or 1809.

     


    glnzglnz
    ☺ In the office, Dell Optiplex 7040 with 8GB RAM, Win 7 Pro 64-bit and Office 2010
    ☻ At home, Dell Optiplex 7010 with 16GB RAM dual-booting Win 7 Pro 64-bit (now with Office 365 Home) and Win 10 Pro 64-bit
    ♥ Also still have Dell Optiplex 755 with 4GB RAM with Win XP Pro SP3 (which still gets updates with the POS hack) and Office 2003


    • Edited by glnzglnz Monday, June 17, 2019 5:35 PM
    Monday, June 17, 2019 5:34 PM