CryptAcquireContext returns NTE_BAD_KEY_STATE?

Skip to first unread message

Michael Pflug

Feb 11, 2004, 6:58:25 PM2/11/04
I have one certain Win2003-Server (so far), where a call to


will always result in NTE_BAD_KEY_STATE / 0x8009000B (note: _not_
would be a common result).

The MSDN-Help doesn't even mention the possibility of this result for

To make sure, I made a small program, that does nothing else but:


which results in NTE_BAD_KEY_STATE

and another


which results in NTE_EXISTS.

On several other PCs with varying Windows-versions, it works (it's a
that is supposed to create a new server certificate with a private key).

How - and when - can this happen?



John Banes [MS]

Feb 12, 2004, 1:10:16 AM2/12/04
The Microsoft software CSPs encrypt the private keys using DPAPI
(CryptProtectData), which encrypts this using a master key. The master key
is encrypted with the user password.

Things get a little tricky when the user's password is changed. The
NTE_BAD_KEY_STATE error code is returned when the master key can't be
decrypted. Typically, this is because the user's password has changed and
DPAPI wasn't able to deal with it. Have you changed you password recently?

The most common issue in this area occurs when a local (non-domain) user's
password is administratively reset. On WinXP, this causes all data protected
by DPAPI (including user private keys) to be lost; at least until the
password is set back. This is by design, and in fact is an important
security feature.


John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

"Michael Pflug" <> wrote in message

Michael Pflug

Feb 12, 2004, 3:40:24 PM2/12/04
Thank you, that sounds reasonable.
I can't tell whether the password has changed - it's a customer having this
I'll ask him.

So if I understand you right - the procedure should work, when another user
logs on (no workaround for the
problem, but a way to check if it is really a user-related problem)?
And: in case the original password of the failing user's account (it's the
local Admin!) can't be reset,
maybe because it's nont known anymore - is there a way to remove the old
keyset (there's nothing to be lost)
and regenerate a new?
Or in short: how do we get this PC back to work?

There is another symptom, I'd just like to know, if it is related:
There is also a routine to check whether there is a certificate in the
MY-store, that matches
certain criteria: usage: "Server Auth" and private key available.

This is actually the original problem - the server already had a working
certificate, but at once
the application started crashing, when trying to open the required

It goes
CertOpenStore(Prov: NULL, Store: "MY")
which crashes. This only happens on the trouble-causing machine.

Also: what definitively was changed: the user added the "Internet
authentication service" and
"Certification service" before problems started (I hope I translated
correctly, I only know the
German localized terms).
Can these have any effect?



"John Banes [MS]" <> schrieb im Newsbeitrag

Michael Pflug

Feb 12, 2004, 6:54:56 PM2/12/04
I just got a reply from the customer, he says the Admins password was never
And the whole thing worked before, so something happened in between -
the suspects are, as mentioned, the two services "network auth svc" and
"cert service", but removing them didn't solve it.

So now all I need is a way to somehow reset the whole thing to zero... (?)

"John Banes [MS]" <> schrieb im Newsbeitrag

Reply all
Reply to author
0 new messages