Troubleshooting windows access issues

Just now I needed to troubleshoot a very specific problem:

Having just removed my domain controller from a domain, and subsequently re-adding it into a child domain, I was unable to install the certificate authority service successfully.

During the install process, the installer would always fail at the stage where it generates the cryptographic keys. The installer would throw out a complicated looking error ending with “Object already exists” or “access denied”. The latter was surprising because I logged in as both Enterprise Admin and Local Domain Admin, both of which should have universal access rights.

As always when facing such access issues, I turned to Sysinternal’s nifty “Process Monitor”, or procmon for short, which is available here:

This program monitors all calls to the network, files, registry and so on.. it’s like wireshark for OS activities. Once procmon starts, it begins to capture all OS activities. It’s extremely verbose, so try to start the capture as close to the event as possible, and stop the capture immediately after to reduce the output. The trick is filtering the output to show only processes of interest. Of course, use discretion here because filtering too much means you’ll loose data.

In my case above I performed the capture, then needed to check what was the process name of the installer. I used procmon’s menu : Tools > Process Tree and isolated the process that I wanted. In this case it was “sysocmgr.exe”. From there, I defined a filter to view only events generated by this process. You find an instance of the process, right click on the process name and select “Include” to filter only on this process. Alternatively, go to the filter menu > filter, and change the top dialogue boxes to match the conditions, eg. in my case “Process Name” “contains” “sysocmgr” then “Include”. That provided me with the clue needed to resolve the issue:


Which basically said that access is denied for the folder “C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys”, which is where RSA keys are stored

After navigating to this folder and granting permissions to this folder, it all worked

Procmon is extremely useful in these sort of situations where you suspect access is being denied, or simply to see at what stage a process is failing.