Troubleshooting Windows access issues

Just now I needed to troubleshoot a very specific problem:

After removing my domain controller from a domain and subsequently re-adding it into a child domain, I was unable to install the certificate authority service successfully.

During the install process, the installer would always fail at the stage where it generates the cryptographic keys. The installer would throw a complicated-looking error ending with “Object already exists” or “access denied”. The latter was surprising because I logged in as both Enterprise Admin and Local Domain Admin, both of which should have universal access rights.

As always when facing such access issues, I turned to Sysinternals’ nifty “Process Monitor”, or procmon for short, which is available here:

This program monitors all calls to the network, files, registry and so on; it’s like Wireshark for OS activities. Once procmon starts, it begins to capture all OS activities. It’s extremely verbose, so try to start the capture as close to the event as possible, and stop the capture immediately afterwards to reduce the output. The trick is filtering the output to show only processes of interest. Of course, use discretion here, because filtering too much means you’ll lose data.

In my case above I performed the capture, then needed to find the process name of the installer. I used procmon’s menu Tools > Process Tree and isolated the process that I wanted. In this case it was “sysocmgr.exe”. From there, I defined a filter to view only events generated by this process. You find an instance of the process, right-click on the process name and select “Include” to filter only on this process. Alternatively, go to the Filter menu > Filter, and change the top dialogue boxes to match the conditions, e.g. in my case “Process Name” “contains” “sysocmgr” then “Include”. That provided me with the clue needed to resolve the issue:


The filtered output basically said that access is denied for the folder “C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys”, which is where RSA keys are stored.

After navigating to this folder and granting permissions on it, it all worked.

Procmon is extremely useful in these sorts of situations where you suspect access is being denied, or simply to see at what stage a process is failing.
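The same “Process Name contains sysocmgr” filter can be applied offline to a capture saved as CSV (File > Save in procmon), which helps when the capture is large. This is an added example, not part of the original post: the sample rows are constructed, the function name `denied_paths` is hypothetical, and the column names assume procmon's default column set.

```python
import csv
import io
from collections import Counter

# Constructed sample rows using Process Monitor's default CSV export columns.
# Illustrative only; these are not events from the original capture.
MACHINEKEYS = (r"C:\Documents and Settings\All Users\Application Data"
               r"\Microsoft\Crypto\RSA\MachineKeys")
SAMPLE_CSV = "\ufeff" + "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"10:01:02.10","sysocmgr.exe","1234","RegOpenKey","HKLM\Software\Example","SUCCESS",""',
    f'"10:01:02.20","sysocmgr.exe","1234","CreateFile","{MACHINEKEYS}","ACCESS DENIED",""',
    f'"10:01:02.30","sysocmgr.exe","1234","CreateFile","{MACHINEKEYS}","ACCESS DENIED",""',
    r'"10:01:02.40","explorer.exe","888","CreateFile","C:\Temp\other.txt","ACCESS DENIED",""',
])


def denied_paths(csv_text, process_contains, results=("ACCESS DENIED",)):
    """Apply 'Process Name contains X' plus a Result filter to a CSV export.

    Returns [(path, operation, count), ...], most frequent first, so the
    resource the process keeps failing on is at the top of the list.
    """
    # Exports may start with a UTF-8 byte order mark; drop it before parsing.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    needle = process_contains.lower()          # match case-insensitively
    wanted = {r.upper() for r in results}
    hits = Counter()
    for row in reader:
        if needle not in row["Process Name"].lower():
            continue                           # other processes are noise
        if row["Result"].strip().upper() in wanted:
            hits[(row["Path"], row["Operation"])] += 1
    return [(path, op, n) for (path, op), n in hits.most_common()]


if __name__ == "__main__":
    for path, op, n in denied_paths(SAMPLE_CSV, "sysocmgr"):
        print(f"{n:>4}  {op:<12} {path}")
```

For a real export, read the file with `open(path, encoding="utf-8-sig")` and pass its contents as `csv_text`.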

