C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is filling my disk space

Question
User-812513505 posted
Hello,
Our web application sends and receives information from remote web services. Each time our application makes a connection to a remote web service (https) to obtain some information, one or more files are created in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
We detected that this directory has a size of 1Gb and has more than 900.000 files, but we don't understand the reason for the creation of these files. The files have names like...
00a0f6194244925d4efbd8bf34102cf6_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
00b742b793de0705c893602dd8ab4689_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
00b906c620a140eec67558e8fd7dac2a_d9c7d19b-1530-402c-ae67-0ded0f59bb2c
...
There is a problem with the IIS service if I try to empty this directory, because IIS stores some encryption keys for iisConfigurationKey, NetFrameworkConfigurationKey and iisWasKey.
Is anyone else experiencing the same situation?
Thanks!
Xavi
Thursday, April 16, 2015 3:25 AM
Answers
User-812513505 posted
Hello,
We found the problem. It happens when we sign the SAML ticket with the certificate (X509Certificate class) before sending it to the remote web service (SSL).
At the end of the SAML signing process there was no call to the Reset method, which frees all resources related to the certificate used.
After this change, we have seen that the keys in the MachineKeys directory appear when we sign the SAML ticket and then disappear when I call X509Certificate.Reset().
On the other hand, we focused on removing all unused keys from this directory. First, we identified the main keys related to Windows encryption components. Our list is the following:
- Microsoft Internet Information Server -> c2319c42033a5ca7f44e731bfd3fa2b5 ...
- NetFrameworkConfigurationKey -> d6d986f09a1ee04e24c949879fdb506c ...
- iisWasKey -> 76944fb33636aeddb9590521c2e8815a ...
- WMSvc Certificate Key Container -> bedbf0b4da5f8061b6444baedf4c00b1 ...
- iisConfigurationKey -> 6de9cb26d2b98c01ec4e9e8b34824aa2 ...
- MS IIS DCOM Server -> 7a436fe806e483969f48a894af2fe9a1 ...
- TSSecKeySet1 -> f686aace6942fb7f7ceb231212eef4a4 ...
Now we are working on a script to remove all keys except those whose names start with the key names above.
Thank you for your help.
See you soon
Xavi
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Friday, April 17, 2015 7:02 AM
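A dry-run sketch of the cleanup script described in the answer above, added here as an example and not the poster's own script. It keeps files whose names start with the container hashes listed in the post; the parameter names, the age threshold and the extra check against certificates in the LocalMachine stores are assumptions.

```powershell
# Added example, not the poster's script. Run elevated; dry run unless -Delete is given.
param(
    [string]$KeyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [int]$MinAgeDays = 7,   # assumption: leave recent files alone, they may be in use
    [switch]$Delete
)

# File-name prefixes of the system key containers listed in the answer above.
$keepPrefixes = @(
    'c2319c42033a5ca7f44e731bfd3fa2b5',  # Microsoft Internet Information Server
    'd6d986f09a1ee04e24c949879fdb506c',  # NetFrameworkConfigurationKey
    '76944fb33636aeddb9590521c2e8815a',  # iisWasKey
    'bedbf0b4da5f8061b6444baedf4c00b1',  # WMSvc Certificate Key Container
    '6de9cb26d2b98c01ec4e9e8b34824aa2',  # iisConfigurationKey
    '7a436fe806e483969f48a894af2fe9a1',  # MS IIS DCOM Server
    'f686aace6942fb7f7ceb231212eef4a4'   # TSSecKeySet1
)

# Extra safety check (assumption): also keep key files that back a certificate
# in the LocalMachine stores. Review any warnings before running with -Delete.
$inUse = @{}
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        try {
            $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if ($name) { $inUse[$name] = $true }
        } catch {
            Write-Warning "Could not inspect private key of certificate $($cert.Thumbprint)"
        }
    }

# Candidates: old enough, not backing a certificate, not a protected system key.
$cutoff = (Get-Date).AddDays(-$MinAgeDays)
$candidates = @(Get-ChildItem -LiteralPath $KeyDir -File -Force | Where-Object {
    $file = $_
    $file.LastWriteTime -lt $cutoff -and
    -not $inUse.ContainsKey($file.Name) -and
    -not ($keepPrefixes | Where-Object { $file.Name.StartsWith($_) })
})

$mb = ($candidates | Measure-Object -Property Length -Sum).Sum / 1MB
'{0} removable files ({1:N1} MB)' -f $candidates.Count, $mb
if ($Delete) { $candidates | Remove-Item -Force }
```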
All replies
User-1122936508 posted
Do you have any security software installed on the machine? There are various reports on the internet that software like ESET performs "MITM" SSL inspection, and thus can end up issuing vast amounts of fake SSL certs to perform this.
Thursday, April 16, 2015 10:34 PM -
User1183424175 posted
Hi,
The MachineKeys folder stores certificate pair keys for both the computer and users. Whenever a certificate request is generated for the machine, a new file is created in this location. This is true even if the certificate request fails.
What I would recommend doing is checking all Enterprise CAs you have in the environment and looking for failed certificate requests. If you can find a significant amount, investigate the certificate template listed in the error and correct it or unpublish it from all the CAs. Once corrected/unpublished, wait 24 hours to see if the buildup in the MachineKeys folder stops.
For more information, please refer to the discussion:
http://forums.techarena.in/windows-server-help/633085.htm
To delete the files in the folder, we can find the useless files and delete them. Please refer to the discussions:
http://forums.whirlpool.net.au/archive/1683713
http://serverfault.com/questions/39768/can-i-clear-down-the-machine-keys-folder
Hope it can help you.
Thursday, April 16, 2015 10:36 PM -
User-812513505 posted
Hi,
Thank you for your comments. We are now investigating your approaches. When I find the origin of the issue, I will write back.
Best regards,
Xavi
Friday, April 17, 2015 5:12 AM -