C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder

4,520 views
Skip to first unread message

Mayo, Bill

unread,
Feb 14, 2022, 1:52:36 PM2/14/22
to ntsys...@googlegroups.com

I have discovered that files are accumulating in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder at the rate of about one a minute. Googling shows this as an issue for many people, with the primary culprit identified as a bug in ESET and lots of suggestions to fix permissions. We do not have ESET. I did find a permissions problem and corrected it to match documentation (https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/default-permissions-machinekeys-folders). The files keep building. I tried monitoring the directory with ProcMon, but I am not getting any hits from that (possible I am doing something wrong there, but I don’t think so). Tried looking in Event Logs, but don’t see anything obvious there. This server is Windows Server 2016 and is running SQL Server.

 

Anybody have any ideas/pointers on what is going on, how I can pinpoint the source, or otherwise correct the issue?

 

Bill Mayo

 

Kurt Buff

unread,
Feb 14, 2022, 2:10:26 PM2/14/22
to ntsys...@googlegroups.com
This is very familiar sounding, so I searched on "machinekeys files accumulating".

I saw articles dating back to at least 2015 on this symptom:

And several others as well.

Possible things to check:
CA not responding to requests for certs
SSL Scanner dumping keys (unlikely, but possible)
An AV product other than ESET misfiring

Kurt

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/8a8bd219664b46daa5d68f9d7261235e%40pittcountync.gov.

Michael B. Smith

unread,
Feb 14, 2022, 2:15:57 PM2/14/22
to ntsys...@googlegroups.com

ManageEngine, SolarWinds, VMWare,  many others have had this issue. It happens when a .NET certificate object isn’t properly disposed.

 

I think this may be a helpful article (the first comment, not the post itself): https://techcommunity.microsoft.com/t5/iis-support-blog/machinekeys-folder-fills-up-quickly/bc-p/2076851/highlight/true#M531

Mayo, Bill

unread,
Feb 14, 2022, 2:36:16 PM2/14/22
to ntsys...@googlegroups.com

Kurt/Michael – thanks for the responses. I had seen the articles linked. AV involved here is Defender and I stopped it for a while, but files kept accumulating. I am not able to find any failed certificate requests. Based on Michael’s comment, I suspect something happening with the vendor application that hits this server. Is there any specific resource that would further explain the .NET issue that Michael indicates?

 

My main issue at the moment is that the directory continues to build, and trying to address that before cleanup.

Michael B. Smith

unread,
Feb 14, 2022, 3:04:41 PM2/14/22
to ntsys...@googlegroups.com

Mayo, Bill

unread,
Feb 14, 2022, 3:20:32 PM2/14/22
to ntsys...@googlegroups.com

Thanks, guys. I am going to check with the vendor to see if maybe it is their application.

Robert ECEO Townley

unread,
Feb 14, 2022, 3:37:09 PM2/14/22
to ntsys...@googlegroups.com
OpenSSH service is off, I presume.

--
Two Rules to remember:
Do not blame older Windows versions when Win10 networking can be blamed. 
Do not blame IPv4 when you can blame IPv6.

Mayo, Bill

unread,
Feb 14, 2022, 3:52:52 PM2/14/22
to ntsys...@googlegroups.com

No SSH running.

Reply all
Reply to author
Forward
0 new messages