Audit failures every reboot - Event 5061 - Cryptographic operation.

EyeInTheSky · 05 Jun 2019

glnz said:

Eye - nothing yet. What version of 10 do you have? I'm still 1803.
In another forum, another fellow afflicted with this problem saw it go away when he upgraded his 1803 to 1903 (the most recent). I haven't done that yet but might do it this weekend.

Version 1903.

That reminds me; if the Audit Failures are not showing up in Version 1903, I would be inclined to know the exact build number that they quit showing up on because mine didn't start until I installed 1903 on the laptop

.

The laptops build number is different than my desktops build number but they are both Version 1903.

The desktops build number (18362.145) ends with 145 and I think the laptops build number ends in the 345 range.

I'll have to take a closer look to re-verify the laptops build number later when I have access to it.

bo elam · 05 Jun 2019

glnz said:

Bo - I think I'd rather have a Warning than these Audit Failures about Cryptography, which imply a possible security breach. Until they go away, I cannot trust my Win 10 machine with banking or similar.
Over in MS's Technet forum, nobody from MS seems to care.

glnz, if this audit event was caused by a security issue in W10, there would be a lot of noise about it in the internet. And regardless of what you or I think of MS, they would have fixed it by now. I think you are worrying too much about it.

Regardless of what you do to keep your computer safe, when you do banking/sensitive activities, always do it in a fresh browsing session. You open the browser, go to your banking site, do banking, and close the browser immediately after you finish. Dont mix sensitive browsing with regular browsing. After you done banking and closed the browser, you can reopen it and continue with your regular browsing.

Stay away from installing many extensions. The more extensions you install, the less safer you are. Extensions have same right as the browser and they can see and read everything the browser has access to. They have access to your entire computer. If you install a malicious extension, it can hijack the browser, steal your data, and phone home. I see you are worried about doing banking, so, I am just trowing some ideas at you for you to think about, this routine and ideas will make your sensitive activities safer.

If you are the type of user that uses 20 or 30 (I use 1) extensions, you can create a separate profile (like in Firefox) and use it only for sensitive activities, with no extensions. Or perhaps, one or two. Something like NoScript, helps your security.

Be safe

Bo

glnz · 05 Jun 2019

Bo - your advice is of course very good. I have long been doing exactly what you say - fresh single-use browser session for banking, and close it immediately afterwards.

I use only Firefox, and my extensions are only these:

NoScript
DisconnectMe
AdBlock Plus
HTTPS Everywhere
Clear Flash Cookies

The latest Firefox has newer cookie controls as well, and I am rejecting all "Cookies from unvisited websites" although I much miss "Ask Me Every Time".

Miss anything?

bo elam · 05 Jun 2019

I guess you are using Clear Flash Cookies because you have Flash installed, right? Plugins are like Extensions, I should have said Addons instead of Extensions. Plugins can do harm also, same as Extensions. Personally, I haven't had Flash (or any plugin) installed in my real system for at least 8 years. I still use it sometimes, but what I do when I require it is I install it in a sandbox, and when I finish using it, I close the browser and delete the sandbox. Any cookies, or changes done by Flash, are gone when the sandbox gets deleted.

Flash for Firefox saves cookies here, below, for your case use, you can delete them manually. IMO, you dont need an extension for that:

C:\Users\glnz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

NoScript is a javascript blocker, but you can use it to block trackers as well, same as ad servers, etc. Myself, I used to use ABP but stopped using it long time ago because NoScript blocks most ads anyway. So, I figure to be minimalist, I decided not to use it. Personally, I get a high amount of satisfaction doing the blocking myself, I doing the choosing on what content to block and what not, instead of having filters list do it. But I think, ABP is great and is fine to use it along NoScript. IMO, if you know what you are doing with NoScript, and you use it to block trackers, you can be without DisconnectMe. This is just my opinion.

Bo

EyeInTheSky · 06 Jun 2019

For me, it has become somewhat of a challenge to work on now.

Both the laptop and the desktop are on the exact same build number which is 18362.145 (Version 1903) - yet the laptop is the only one displaying the 5061 Audit Failure on shutdown/boot-up.

I have read numerous suggestions that it was caused by Internet Explorer settings to something as simple as having a password for a local account.

I have not been able to determine if it is system configuration related or not. However, all the evidence suggests that it has to be system configuration related.

There is no other explanation as to why one computer would display the Audit Failure and the other would not when both computers are running the exact same Version and build number for an Operating System.

I have further read that it could also be registry related, but I cannot simply transplant my entire registry from my desktop to my laptop to test the theory.

I mean to say, I could do it because I know how using the Advanced Recovery Environment; but the fact is I know that it wouldn't work transplanting a foreign registry into another computer.

Simply put, I have no doubt it is registry related, pointing ultimately to system configuration; however, exactly which entry in the registry is wrong in the laptop - I have no way of pinpointing at this time with the vague information provided by the Event Viewer Log.

I'm going to compare alphanumeric GUID values between the two computers registries and see if that points to anything relevant to the cause.

EyeInTheSky · 06 Jun 2019

I have looked into this further and discovered something that is not quite right. The laptop that throws the Audit Failures has two alphanumeric Keys listed in the Event Viewer that do not exist in its own damn Registry. They don't exist in the desktop Registry either.

Here are the two culprits I have isolated:

{D530ECA9-FF5A-4A6A-AAB3-6EC1870F2CC3}

{1c5c8091-1c6c-0003-f580-5c1c6c1cd501}

Now how in the hell can the Event Viewer throw out two alphanumeric values that do not exist in its own Registry?

Like you said @glnz: "What's really going on?"

I thought maybe the path key had to be created in the registry as a solution..........so........

At first I was thinking I will just go to my desktop and punch the alphanumeric codes into the registry search function and get the path for the keys that were missing in the laptop. They didn't exist in the desktop either??????

At this point, I am thinking the two Keys are created at the exact moment of a shutdown command and are deleted immediately upon boot-up causing an Audit Failure!

I now know how it is happening; but why it's happening is another thing entirely.

EyeInTheSky · 06 Jun 2019

I just figured it out.

1- Navigate to this folder: C:\ProgramData\Microsoft\Crypto\RSA
2- Copy and paste all the system files I have attached to the S-1-5-18 folder.

Just copy and replace and if it says a file already exists with the same name, just copy and replace it anyways.

I transplanted them to my laptop's S-1-5-18 folder from my desktop and the Audit Failures went bye-bye.

Somehow the certificates didn't get transferred during the the upgrade to 1903 on the laptop.

If you look in the S-1-5-18 folder before you copy and paste the files provided, you might notice that you only have a couple of files in it. I only had two on the laptop, and apparently there are suppose to be a ton of them.

Oh, and ALWAYS make a back-up/system image of your machine before doing something.

I'm glad I did before I tried this, because honestly I didn't know if it would boot with another computers system files. I guess they are different than the registry keys because it worked!

I have shutdown and restarted the laptop several times now and no Audit Failures are rearing their ugly heads.

humbird · 07 Jun 2019

Had these event 5061on my laptop but when I upgraded to 1903 they are gone now. Mine were introduced in 1809. Hi glnz, good to see you on Ten Forums.ConiGL on other forum.

glnz · 09 Jun 2019

Eye - OK - with many hiccups today, I set myself up with a good backup of my dual-booting machine and am ready to try to do what you suggest directly above (Audit failures every reboot - Event 5061 - Cryptographic operation.).

HOWEVER, before I do anything, my starting situation is different from yours.

In my existing Win 10 (which shows as "E:/" for the moment), the folder E:\ProgramData\Microsoft\Crypto\RSA has two subfolders - S-1-5-18, which has 439 items (!!) - and MachineKeys, which has 33 items (!).

So my starting situation is different from yours.

Now, it gets worse. I have a Macrium Reflect image of my Win 10 from two years ago - what was the version before 1709? That version is explorable (and now appears as "P:/"), It's folder P:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 has only three items (!!). I have just copied those three items into the current E:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 - they replaced three existing items with the same name.

I am NOT doing anything with the MachineKeys folder.

I will now reboot, come back here and let you know.

EDIT - NO LUCK. On reboot, I get the same three Audit Failures.

Given that you have a different situation and started with almost nothing in the current folder (where I started with 439 entries), I don't feel comfortable injecting your files into my arteries.

But still looking for a "fix".

Thanks for your interesting suggestion.

Humbird/ConiGL - still good with 1903?

EyeInTheSky · 09 Jun 2019

glnz said:

Given that you have a different situation and started with almost nothing in the current folder (where I started with 439 entries), I don't feel comfortable injecting your files into my arteries.

That is understandable; but you're missing the fact that they are not my files, they are system files found on any good working system that doesn't have the audit failures you are experiencing.

SFC scan can't replace or fix them because they are encrypted certificate files.

591 of them to be precise - you are missing the crucial 152 system files that prevent the audit failures.

I tested this working solution on a third machine with positive results as well.

You just have to accept the fact that they are not my personal files and are part of a healthy system that displays no audit failures. Scan the zip with any AV you want and you'll find no viruses.

You wanted the solution and I'm confident that this is it. I compared system specs of two OS's for three days to find the solution; so believe me when I say that I didn't just do it for the forum, I had to find an answer as well and was kind enough to share it.

Now as far as why you have a sub-folder of the main folder you want to deal with; I can only surmise that is because two Operating Systems are sharing the same system and you'll have to find which one pertains to the OS that is having audit failures; although it would do no harm to inject both folders with the system files I provided.

You can't lose, because you have a backup and I felt the same way you do about it even though the files are realistically not mine in a sense.

On a side note, my Machine Keys folder was empty as well as the other folders in the RSA; except for the S-1-5-18 folder which had the 500+ items on the healthy machine that displayed no audit failures.