Audit failures every reboot - Event 5061 - Cryptographic operation.

glnz · 28 Apr 2019

Audit failures every reboot - Event 5061 - Cryptographic operation. Win 10 Pro 64-bit version 1803. ‎4/‎28/‎2019

Immediately after every reboot of Win 10 Pro 64-bit version 1803, in Event Viewer, there are between two and four Audit Failures for something related to Cryptography. So my Win 10 machine is insecure? I have run sfc /scannow and Dism /Online /Cleanup-Image /RestoreHealth many times, with no luck. And I hardly even use my Win 10 machine - there are almost no apps on it yet. My actual Win 10 build is 17134.706

Here are the latest five Cryptography-related Audit Failures, from two reboots:

LATEST OF FIVE:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2019 12:27:52 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DESKTOP-3#####N
Description:
Cryptographic operation.

Subject:
Security ID: DESKTOP-3#####N\[My user name]
Account Name: [My user name]
Account Domain: DESKTOP-3#####N
Logon ID: 0x3EC24

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-28T16:27:52.339705400Z" />
<EventRecordID>19582</EventRecordID>
<Correlation />
<Execution ProcessID="880" ThreadID="948" />
<Channel>Security</Channel>
<Computer>DESKTOP-3#####N</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3591163430-416291016-3566129944-1001</Data>
<Data Name="SubjectUserName">[My user name]</Data>
<Data Name="SubjectDomainName">DESKTOP-3#####N</Data>
<Data Name="SubjectLogonId">0x3ec24</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">UNKNOWN</Data>
<Data Name="KeyName">Microsoft Connected Devices Platform device certificate</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>

FOURTH OF FIVE:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2019 12:26:51 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DESKTOP-3#####N
Description:
Cryptographic operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: [Hex number]
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-28T16:26:51.704606400Z" />
<EventRecordID>19552</EventRecordID>
<Correlation />
<Execution ProcessID="880" ThreadID="1004" />
<Channel>Security</Channel>
<Computer>DESKTOP-3#####N</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-19</Data>
<Data Name="SubjectUserName">LOCAL SERVICE</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e5</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">UNKNOWN</Data>
<Data Name="KeyName">[Hex number]</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>

THIRD OF FIVE:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2019 11:29:28 AM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DESKTOP-3#####N
Description:
Cryptographic operation.

Subject:
Security ID: DESKTOP-3#####N\[My user name]
Account Name: [My user name]
Account Domain: DESKTOP-3#####N
Logon ID: 0x3EF94

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-28T15:29:28.196237300Z" />
<EventRecordID>19387</EventRecordID>
<Correlation />
<Execution ProcessID="884" ThreadID="928" />
<Channel>Security</Channel>
<Computer>DESKTOP-3#####N</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3591163430-416291016-3566129944-1001</Data>
<Data Name="SubjectUserName">[My user name]</Data>
<Data Name="SubjectDomainName">DESKTOP-3#####N</Data>
<Data Name="SubjectLogonId">0x3ef94</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">UNKNOWN</Data>
<Data Name="KeyName">Microsoft Connected Devices Platform device certificate</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>

SECOND OF FIVE:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2019 11:28:27 AM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DESKTOP-3#####N
Description:
Cryptographic operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: [Hex number]
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-28T15:28:27.709849300Z" />
<EventRecordID>19363</EventRecordID>
<Correlation />
<Execution ProcessID="884" ThreadID="992" />
<Channel>Security</Channel>
<Computer>DESKTOP-3#####N</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-19</Data>
<Data Name="SubjectUserName">LOCAL SERVICE</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e5</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">UNKNOWN</Data>
<Data Name="KeyName">[Hex number]</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>

FIRST OF FIVE:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2019 11:28:27 AM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DESKTOP-3#####N
Description:
Cryptographic operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: [Hex number]
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-28T15:28:27.709849300Z" />
<EventRecordID>19363</EventRecordID>
<Correlation />
<Execution ProcessID="884" ThreadID="992" />
<Channel>Security</Channel>
<Computer>DESKTOP-3#####N</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-19</Data>
<Data Name="SubjectUserName">LOCAL SERVICE</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e5</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">UNKNOWN</Data>
<Data Name="KeyName">[Hex number]</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x80090016</Data>
</EventData>
</Event>

So, what the *** are these, and how do we fix? No guesses - just the real fix.

Thanks.

glnz · 01 May 2019

Bump.

glnz · 02 May 2019

I did some more digging.

On reboot just now, there were three Audit Failures, Event 5061, for Cryptographic operation, all noting Process ID 888, which is lsass.exe, Local Security Authority Process
So I right-clicked on lsass.exe and looked at its related services, and they are:
Keylso - CNG Key Isolation - running
SamSs - Security Account Manager - running
VaultSvc - Credential Manager - running
Any ideas what this is, or how to fix?

glnz · 03 May 2019

Update – in the detailed copies of the Audit Failure messages at the start here, the [Hex number] is associated with my One Drive, as I discovered in the registry.

Is that a clue to the reason for the Audit Failures?

UPDATE - I tried rebooting without OneDrive starting, but that did not help. Still got the AUDIT FAILURES.

glnz · 04 May 2019

IMPORTANT NEW INFO:

By checking my logs carefully, I can see that the Audit Failures start on the same day that I upgraded from Win 10 Version 1709 to Version 1803 - this past March 17.

So is this problem baked into 1803?

But why haven't more people been complaining about it?

Still need to know how to fix. Thanks.

fdegrove · 05 May 2019

Hi,

Does this help you in any way?

https://docs.microsoft.com/en-us/win...ing/event-5061

Cheers,

glnz · 05 May 2019

fdegrove - thanks for looking. You were fast to suggest that MS "doc", which is certainly a good source of info.
Problem is that I don't know what to do with it - not clear to me what to do to fix the Audit Failures.
Buy the way, when I run “certutil -store -user my” in Power Shell, I don't get the info you see in the doc. I just get "Certutil: -store command completed successfully."
Well, that's nice, but ... ?
Any suggestions?

fdegrove · 05 May 2019

Hi,

Are you running any or both of these ?

Microsoft Software Key Storage Provider

Microsoft Smart Card Key Storage Provider

If you do not then I really do not know why your system is generating those errors.

Cheers,

glnz · 05 May 2019

fdegrove -

In my Task Manager, nothing like them in Details (processes).
In my Task Manager, nothing like them in Services, except for the following five:
1. SCardSvr - Smart Card - status "Stopped"
2. ScDeviceEnum - Smart Card Device Enumeration Service - status "Stopped"
3. SCPolicySvc - Smart Card Removal Policy - status "Stopped"
4. StorSvc - Storage Service - status "Running"
5. TieringEngineService - Storage Tiers Management - status "Stopped"
Don't see anything relevant in "Programs and Features" or "Turn Windows features on or off".

By the way, the [Hex number] I noted in my first post has something to do with OneDrive, which IS running. However, when I rebooted one time yesterday WITHOUT OneDrive starting on startup, I still got the Audit Failures.

Where else should I look?

glnz · 05 May 2019

Is it because I'm missing a Certificate? If I go to certmgr.msc, I don't see any Certificates that mention Microsoft Software Key Storage Provider or Smart Card. But should I?
Also, certmgr.msc gives me a folder list on the left. The last one is Smart Card Trusted Roots, but it's empty.