Windows 2008 R2 – cryptosvc – the service name is invalid – windows backup fails – sfc fails – windows updates fail

Posted on July 11, 2011

The title of this article sounds ... well just terrifying. If you run into a system with this many issues, its likely easier to just rebuild it from scratch, right? WRONG! I'm stubborn and figure some things are worth the challenge. Ultimately, this was a fairly critical exchange server that would take a lot of work to rebuild.

To approach a problem like this, we follow the trail of issues.

First noticed issues: Windows Backups are failing and Windows Updates will not install.
The system is Windows 2008 R2 64bit Enterprise Edition with Exchange 2010 SP1.

1) Verify the system filesystem integrity using SFC

C:\>sfc /scannow
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example

From this you would normally interpret corruption and seek out the affected files by using the following command:

C:\Windows\system32>findstr/C:"[SR] Cannot repair member file" %windir%\Logs\CBS\CBS.log

The interesting thing in our case was the "findstr" command returned nothing. So we skipped this step and moved onto the next one for the time being. Who wants to dig through tens of  thousands of lines? not me!

2) Diagnose and attempt to repair the Windows Backup issues

The Windows Backup utility was failing with "The operation was stopped. Detailed Error: The System Writer is not found in the backup". System State Backup Failed. 

First thing to check is THAT exactly.

c:\> vssadmin list writers

You're looking for this:

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {05407ce0-b537-4973-a731-e7ed614a9a9e}
   State: [1] Stable
   Last error: No error

If your list does not include the "System Writer", that's a problem. A fairly common one at that. The windows backup utility requires this tool.

If you dig around online you'll find an arsenal of articles outlining permission errors on a specific set of windows folders that cause the System Writer to fail. We've done the research for you. The following script will reset permissions on those folders back to default.

Create a batch file called "fixPermissions.bat" and copy/paste the following:

Takeown /f %windir%\winsxs\filemaps /a

icacls %windir%\winsxs\filemaps  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps  /grant "Administratoren:(RX)"
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.*  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.*  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames\*.* /a
icacls %windir%\winsxs\temp\PendingRenames\*.*  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "BUILTIN\Users:(RX)"

net stop cryptsvc && net start cryptsvc

Run it from an elevated command prompt to ensure you have adequate permissions. As the impressive matrix like text runs down your screen, take notice to the very last command when it all finishes.

"net stop cryptsvc && net start cryptsvc"

You should see this:

The Cryptographic service is stopping..
The Cryptographic service was stopped successfully.
The Cryptographic service is starting.
The Cryptographic service was started successfully.

At this point reboot your system and run "vssadmin list writers" to verify if the "System Writer" is now listed. If so, you can test your backup again and it's likely to be working. If the VSS Writer is NOT Listed, but the "Net start cryptsvc && net start cryptsvc" was successful, you are experiencing a different issue and the following steps are not applicable (Please contact our support team if you require assistance).

In our case, the "cryptsvc" doesn't appear to be registered correctly. Instead or returning the successful stop/start on the Cryptographic service, we received:

The service name is invalid.
More help is available by typing NET HELPMSG 2185.

3) Verify the Cryptographic service is enabled and operating correctly

Start -> services.msc

Wait! "The service name is invalid" actually means it's not registered and you'll likely realize that when you can't find the service in the services list.

At this point you'll likely start wondering how the? where did it go? We honestly couldn't tell you, but it's really easy to fix. Using another Windows 2008 R2 System, export the missing registry values .


If you load regedit and browse to this location, you'll notice the CryptSvc is missing. On your secondary system, right click the CryptSvc and export it to a file. You can then double click this file on your problematic system to import the missing values.

If you do not have access to another system, copy the content below into a registry file and double click to load.

File Name: cryptsvc.reg (use whatever you want as long as it ends in .reg)

Windows Registry Editor Version 5.00

"ObjectName"="NT Authority\\NetworkService"




Once you've loaded the registry file and repaired the missing data, reboot your system. You should now see the "Cryptographic Services" running in the "services.msc" list, "sfc /scannow" will return no errors, the "System Writer" will show up in the "vssadmin list writers" list, and your Windows Backup and Windows Updates will complete successfully.

Hopefully this helps you avoid a complete re-installation!


The session setup from the computer %% failed to authenticate. The following error occurred: Access is denied.

Posted on May 7, 2011

Event ID: 5805
The session setup from the computer %computername% failed to authenticate. The following error occurred:
Access is denied.

We ran into a client with PCs that would not authenticate to his domain controllers.
After further investigations, the client had configured an RODC for a remote office and had not yet added the specific user or computer groups to the trusted list.

Just for those how are not aware, EVERY COMPUTER in a domain has an account (just like a user account, except it ends with $).

Add User & Computer Security Groups to the RODC Cache:
Active Directory Users & Computers ->  Right Click -> Properties of the RODC ->  Password Replication Policy -> Add
Choose the Computers individually or add the entire "Domain Computers" security group, or even better, create a new security group for the specific computers you would like this RODC to authenticate.

Once you've added them to the "allow" status in this window, reboot the PC and allow 15+ minutes for replication to the RODC to complete.


Win XP RDP client fails to print Calibri font correct when connected to Win 2008 Server

Posted on April 11, 2011

Windows XP users using RDP to a Windows 2008 server may experience issues printing documents that contain Calibri. Locations that are not formatted with Calibri will print normally. This issue persists when using the Easy Print feature with XPS.

This is a known issue and Microsoft has released a hotfix for it.
Sadly, as you read the attached hotfix info you will notice that you have to call them to get the file.

We located it here:

(although we recommend calling microsoft to get it, you can likely find it online somewhere)

After installation, the RDP clients were printing Calibri correctly.

Deploying Adobe Acrobat Reader MSI by GPO (Group Policy)

Posted on January 2, 2011

Adobe recently released version 10.0.0 of their Acrobat Reader package. Versions prior to this release did have an MSI available, it took extra steps to extract and acquire it. With 10.0, they finally came to their senses and released a native msi available for download directly from their site.

Download it here:

You can now deploy this package using the standard active directory software deployment methods available on all 2008/2008R2 servers. We can confirm that when Acrobat X is installed, it does upgrade previous versions of reader so that you only have the latest instance. In the past, we noticed the installation files did not remove/upgrade existing versions.

To deploy this package by group policy object, complete the following:

1) Download the adobe MSI package and save it to a shared network location accessible to all client stations. (example: \\server\software\adobe\)
2) Load the "Group Policy Management" console
3) Create a new Group Policy Object (call it "Software Deployment - Adobe Acrobat Reader")
4) Edit this GPO and navigate to ( Computer Configuration -> Policies -> Software Settings -> Software Installation)
5) Right click and add new "Package"
6) Browse to the UNC path to the downloaded package ( "\\server\software\adobe\AdbeRdr1000_en_US.msi")
7) Choose "Assigned" and save.
8 ) Browse through your OUs (organizational units) and find the container where your PCs reside. Link this new GPO to this container. If you currently have your computer objects located under the default "Computers" container, you need to create a new OU, move the computers to this location, and link the newly create GPO to it. Storing your computer objects under the default "Computers" location is not recommended and will not work with a lot of active directory features.

Your PCs will now install this package on start-up.
You can also apply updates using this same method and assigning the updates to the original package within the same GPO.

Have fun!

Windows 2008 R2 and the Active Directory Recycle Bin

Posted on October 13, 2010

How many of you have deleted the wrong user, group or computer and realized it was the wrong one. Although its rare, the one time you do tends to be such a pain in the butt. Enter Windows 2008 R2 and the AD recycling bin. Most people are still un-aware of this feature as its not integrated into any AD GUI tools, it must be setup and used from the AD power shell.

There are a few requirements before setting it up:

  • Your domain must be set to a Windows 2008 R2 functional level
  • Your forest must be set to a Windows 2008 R2 functional level
  • You must use ADSIedit to identity the active directory distinguished name to your recycling bin

Upgrading to the Windows 2008 R2 domain functional level:

Start -> Administrative Tools -> Active Directory Domains & Trusts-> Right Click "" -> Raise Domain Functional Level

READ THE WARNINGS and do your research to ensure you can upgrade to this level without causing issues in your domain.
Allow any updates to propagate for at least 15 minutes.

Upgrading to the Windows 2008 R2 forest functional level:

Start -> Administrative Tools -> Active Directory Domains & Trusts-> Right Click "Active Directory Domains and Trusts" -> Raise Forest Functional Level

READ THE WARNINGS and do your research to ensure you can upgrade to this level without causing issues in your forest.
Allow any updates to propagate for at least 15 minutes.

Identifying your recycling bin distinguished name:

Start -> ADSIEDIT -> Connect To -> Select a well known naming context -> Configuration -> Configuration [] -> Configuration -> Services -> Windows NT -> Directory Service -> Optional Features -> Double Click Recycle Bin Feature in right window -> double click DistinguishedName -> Copy the Value:

Turning the Recycling Bin On:

Start -> Administrative Tools -> Active Directory Power Shell

Enable-ADOptionalFeature -identity '<distinguishedName>' -scope ForestOrConfigurationSet -Target '<domain>'


Enable-ADOptionalFeature -identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -scope ForestOrConfigurationSet -Target ''

Once this completes your recycling bin is now enabled.

Tape Alternative Backup Solutions – Seagate GO w/ Shuttle

Posted on August 23, 2010

I personally cannot stand tape technology. It’s dated, unreliable and horribly expensive. What surprises me is that with all of the drive technology out today people are still using tapes!

I suggest you checkout the Seagate GO solution with the bonus of a Seagate GO USB 2.0 dock. The drives are small, high-capacity and can easily be swapped just like tapes. What about software? If you’re running Windows 2008 server you’re all set. The native backup solution has been drastically upgraded since the days of Server 2003. Block-level efficiency, bare-metal recovery and support for multiple backup destinations are now included, you can deploy a serious backup solution for just the cost of a few external drives.

To give you an example of how efficient a single backup drive is with 2008 server:

Our client “MisterA” has a dedicated file server running W2K8R2. His drive capacity is 1TB and presently 150GB is used. His single external 750GB FreeAgent GO drive is housing over 250 backup copies. How? You need to read up on the block-level backup technology. Only blocks that have changed since the previous backup are copied. I could literally travel back 250 days and restore a single file, or restore the entire system image with the bare metal recovery. That’s just slick.

I strongly recommend the Seagate FreeAgent GO drives with a Seagate USB shuttle. We can ship them directly to your door. Give us a call if you have any questions!

Sizes:                    250gb – 1TB
Weight:                0.35 lb (160g)
Speeds:                USB 2.0

Windows Server 2008 Backup – “The filename, directory name, or volume label syntax is incorrect”

Posted on August 23, 2010

Microsoft explanation:

When you try to add an additional disk to a scheduled backup by using the Windows Server Backup Schedule Wizard, you may receive the following error message: "The filename, directory name, or volume label syntax is incorrect". This problem may occur if a previously-added destination disk is not currently attached to the server. When the wizard completes, the currently-listed destination disks are verified. If any of these disks are missing, you receive the error message that is described in the "Symptoms" section.

SIRKit explanation:

You've setup a scheduled backup with one disk, and want to add more. You are short on USB cables or you're using a shuttle system on the same USB cable. You swap the new drive in place and begin adding it to the backup schedule when "The filename, directory name, or volume label syntax is incorrect" is displayed. The windows backup suite requires that all drives are accessible when it stores the changes. What!?

To resolve the issue complete the following:

Note To configure or modify a daily backup schedule, you must be a member of the Administrators group. In addition, you must run the wbadmin command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Add a new disk to the backup schedule by running the wbadmin command from an elevated command prompt.

  1. Run the following command from an elevated command prompt to determine the Disk Identifier of the new disk:
    wbadmin get disks
  2. Based on the output, locate the disk that will be added to the scheduled backup. Make a note of the Disk Identifier. The output will resemble the following:
    Disk name: xxxxxxxxxxx
    Disk number: x
    Disk identifier: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    Total space: xxx.xx GB
    Used space : xxx.xx GB
  3. Run the following command to add the new disk to the Scheduled backup.  Use the Disk Identifier from the previous step as the "AddTarget" parameter.
    WBADMIN ENABLE BACKUP -addtarget:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  4. When you receive the following prompt, type Y for Yes.

"Do you want to enable scheduled backups with the above settings?"

This particular application of swapping hard drives is a huge bonus of Windows 2008 server. We highly recommend you deploy at least 2 external drives for a server, this way one of the drives can be taken offsite.

File locking issues on DFSR (Windows 2003/2008)

Posted on August 22, 2010

Are users complaining that shared documents are being overwritten by other users?
Are user not being prompted that a file is Read-Only when opened by another user?
Are you running a distributed file system with replication?

You’ve enter the world of inherited file locking drama!

The issue is Windows Server 2003 and 2008 presently have no centralized file-locking management. When a user is referred to a server within a DFS with replication, the local server locks the locally requested file. The remaining member services are not sent the same notice to lock the same file and as a result, if another user is referred to a different member server, the most recent save wins. There is presently no concrete method in-place to tackle the issue.

By default a DFS configuration uses the "lowest-cost" or "random" referral methods. If you use these types of referrals you will be subject to the file-locking issues.

The good news is depending on your company’s size and requirements you may have a few workarounds.

1) Ask users to inform one another when documents will be in use (painful!!!)
2) Utilize the built-in conflict resolution folders managed by Windows 2003/2008 DFS
3) Override the lowest-cost and random referral orders with static referral order.

I recommend the 3rd option. It allow for fault-tolerance and let’s face it, your time is valuable! Do you really want to dig through conflict folders? Using this method will force users to share the same DFS server for specific folders. Generally depending on the size of your business this isn’t a huge concern. If the primary DFS server is offline the clients will be redirected to the next server in sequence.

If your goal is to also introduce a load-balancing strategy you will have to manually segregate and deploy your DFS carefully. Target major folders or departments to a reserved DFS server.

For example:

If you have 3 departments (Accounting, Sales and Support). The DFSR structure should encompass all of these departments across all servers. The manual load-balancing would be as follows:

-> \\\Accounting (1st static referral order "first among all targets" on serverA)
-> \\\Sales (1st static referral order "first among all targets" on serverB)
-> \\\Support (1st static referral order "first among all targets" on serverC)

All accounting users will be accessing serverA by default, sales serverB and support serverC. All of these folders are replicated throughout the DFS and as a result, if ServerA went down, the next server you statically assign would take over the responsibility.

To access to Override options in your namespace folders:

DFS Management Console -> Namespaces -> default root namespace -> links (right click) -> properties -> advanced tab