Fix Event 513 CAPI2 Errors During Windows Backup

by Ed Sparks

Update: March 2016.
Commenters have noted that this same fix also works on Windows 10.


A semi-common error seen on Windows 8.1 and Server 2012/R2 systems is the following, logged at the start of any system backup that uses VSS (i.e. most backups).  It often causes the backup to hang for a long period of time, or to fail outright.

Application Event Log:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Much digging through forums turned up what appears to be the cause.

During the backup, a VSS process running under the NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all of the driver records in the Service Control Manager database and tries to open each one.  The open fails on the MSLLDP record with an "Access Denied" error.

It turns out it fails because the MSLLDP driver's security descriptor does not grant NETWORK_SERVICE access to the driver's service record.

What causes the permissions to be wrong in the first place is unclear, but a fairly simple fix exists.  We've tested this on several systems without issue, but your mileage may vary.

It can be fixed by correcting the security descriptor on the MSLLDP service with the built-in command line utility SC.exe.

Open an Administrative Command Prompt (NOT PowerShell: it will try to parse the parentheses and semicolons in the descriptor as script, and sc there is an alias for Set-Content) and execute the following.  It must all be one long command with no line breaks.

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

You should receive a successful result of

[SC] SetServiceObjectSecurity SUCCESS

If so, the problem is resolved, and no reboot is required; sc sdshow MSLLDP will display the new descriptor, and the next backup should complete successfully.
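If you would rather do this from PowerShell, and keep a copy of the old descriptor and verify the result, the following is an added example that is not part of the original post.  It assumes an elevated PowerShell session on the affected machine.  sc.exe sdshow and sdset are the in-box commands the post uses; the function names, the backup location, and the rights it checks for (SERVICE_QUERY_CONFIG and READ_CONTROL for the SERVICE SID S-1-5-6, which is present in every NETWORK_SERVICE service token) are this example's own assumptions, since the post only reports the Access Denied.

```powershell
# Added example (not from the original post): apply the MSLLDP fix from an elevated
# PowerShell session, keeping a copy of the old descriptor and checking the result.
# sc.exe sdshow/sdset are real in-box commands; the function names, the backup
# path and the rights mask tested below are this example's own assumptions.

$ServiceName = 'MSLLDP'
$BackupPath  = Join-Path $env:TEMP "$ServiceName-sddl-backup.txt"

# The descriptor from the post. It must be quoted in PowerShell (otherwise the
# parentheses and semicolons are parsed as script), and it must be sc.exe, since
# plain 'sc' is the PowerShell alias for Set-Content.
$NewSddl = 'D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

function Get-ServiceSddl([string]$Name) {
    # 'sc sdshow' prints a blank line followed by the SDDL string.
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    (($out | Where-Object { $_ -match '^\s*[ODGS]:' }) -join '').Trim()
}

function Test-ServiceQueryAccess([string]$Sddl, [string]$Sid = 'S-1-5-6') {
    # S-1-5-6 is SERVICE ("SU" in SDDL), present in the token of every process the
    # SCM starts, including those running as NETWORK SERVICE. Assumption: the System
    # Writer needs SERVICE_QUERY_CONFIG (0x1, "CC") and READ_CONTROL (0x20000, "RC")
    # to read the driver's image path; the post only reports the Access Denied.
    $needed = 0x1 -bor 0x20000
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        switch ($ace.AceType.ToString()) {
            'AccessAllowed' { $allowed = $allowed -bor $ace.AccessMask }
            'AccessDenied'  { $denied  = $denied  -bor $ace.AccessMask }
        }
    }
    # A deny ACE for the same SID overrides the allow; other group SIDs in the
    # token (e.g. Guests, BG) are deliberately not evaluated here.
    (($allowed -band (-bnot $denied)) -band $needed) -eq $needed
}

# 1. Save the existing descriptor so the change can be rolled back.
$before = Get-ServiceSddl $ServiceName
Set-Content -Path $BackupPath -Value $before
Write-Host "Saved current descriptor to $BackupPath"
Write-Host "SERVICE can query $ServiceName before fix: $(Test-ServiceQueryAccess $before)"

# 2. Apply the fix; sc prints "[SC] SetServiceObjectSecurity SUCCESS" on success.
$result = & sc.exe sdset $ServiceName $NewSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed: $result" }

# 3. Read it back and confirm the SERVICE ACE now grants the needed rights.
$after = Get-ServiceSddl $ServiceName
Write-Host "SERVICE can query $ServiceName after fix:  $(Test-ServiceQueryAccess $after)"

# Roll back if needed:  sc.exe sdset MSLLDP (Get-Content $BackupPath)
```

If the "before fix" line already reads True, the MSLLDP descriptor is not what is denying the open, and the descriptor change above is unlikely to help; check the event details for a different driver name instead.  The backup file is the only record of the original descriptor, so keep it until the next backup has completed.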

Connecting or Ending another RDP session in Windows 2012

by Ed Sparks

As part of the complete re-architecture of the Remote Desktop Services Roles in Windows Server 2012, Microsoft moved the cheese in a serious way.

While there is much that is great about the new design, and we applaud their decision to more holistically approach all of the disparate remote connectivity and VDI options provided by the OS, the UI is an incomplete, slow and confusing mess.

One of the biggest problems was that they severely hampered the built-in Administrative RDP connections that have existed since Windows 2003, and got rid of all of the old TS/RDP Management Tools.  Even more painfully, they turfed everyone's old friend RDP Session Shadowing.  Thankfully this has made a return in Windows Server 2012 R2, but the management and UI haven't improved much.

Going, going, gone!

As a result of all of this, it became difficult to do the simplest of tasks.  One of the most common tasks admins used the Remote Desktop Services Manager utility for was connecting to another session, or ending a hung or disconnected one.  Alas, no RDS Manager for you, dear 2012 user.  Too simple!

What to do?  Task Manager.  Seriously.

While this functionality has existed for quite some time, it is (by my quick survey of admins) unknown and rarely used.  It is, however, surprisingly functional.

Simply bring up Task Manager, click More Details to switch to the "Actually Useful" mode, and then click the Users tab.  All current sessions are displayed, along with their processes.  Right click any session to connect to it or end it.

Simple, but non-obvious.
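For scripting, or when there is no GUI to hand, the same operations are available from the in-box command line tools.  The following is an added example, not part of the original post: it assumes an elevated prompt on the server (or in a session on it), and quser, tscon, tsdiscon, logoff and mstsc are the standard tools; the function names and the output parsing are this example's own.

```powershell
# Added example, not from the original post: command-line equivalents of the
# Task Manager "Users" tab on Server 2012 / 2012 R2. quser, tscon, tsdiscon,
# logoff and mstsc are in-box tools; the function names are this example's own.

function Get-RdpSession {
    # quser lists the same interactive sessions Task Manager shows. Its output is
    # column-aligned text and the SESSIONNAME column is empty for disconnected
    # sessions, so the regex makes that column optional. The current session's
    # line is prefixed with '>'.
    $pattern = '^\s*(?<current>>?)\s*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    $lines = quser 2>$null
    if (-not $lines) { return }
    $lines | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Id      = [int]$Matches.id
                User    = $Matches.user
                Session = $Matches.session
                State   = $Matches.state      # Active or Disc
                Current = ($Matches.current -eq '>')
            }
        }
    }
}

function Connect-RdpSession([int]$Id) {
    # Task Manager "Connect": attaches the target session to the one you are in,
    # disconnecting your current one. tscon asks for that user's password unless
    # you hold Full Control on the session.
    tscon $Id
}

function Disconnect-RdpSession([int]$Id) {
    # Task Manager "Disconnect": leaves the session running but detached.
    tsdiscon $Id
}

function Stop-RdpSession([int]$Id) {
    # Task Manager "Sign off": ends the session, which clears hung or orphaned ones.
    logoff $Id
}

function Watch-RdpSession([int]$Id) {
    # Shadowing, back in Server 2012 R2 (not 2012): view and control the session.
    mstsc.exe "/shadow:$Id" /control
}

# Usage: list the sessions, then act on one by its ID (review the list first;
# Stop-RdpSession ends the user's session without further prompting).
Get-RdpSession | Format-Table -AutoSize
$stale = Get-RdpSession | Where-Object { $_.State -eq 'Disc' -and -not $_.Current }
foreach ($s in $stale) {
    Write-Host "Disconnected session $($s.Id) belongs to $($s.User)"
    # Stop-RdpSession $s.Id
}
```

The logoff call is left commented out in the loop so that running the block as-is only reports disconnected sessions; uncomment it to end them, which is the same thing as choosing "Sign off" in the Users tab.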

Two-Factor Authentication Comes of Age

by Ed Sparks

Two-factor Authentication - "something you know, and something you have" - is the number one thing you can do to protect yourself online.  While this used to be a complex and difficult process to set up and use, it has now become a relatively common and simple affair thanks to the ubiquity of smartphones and "authenticator apps".

Lifehacker has just updated their excellent article titled "Here's Everywhere You Should Enable Two-Factor Authentication Right Now"

Check it out, then immediately go and turn on two-factor everywhere you can!  You'll be thankful when the next huge security breach of a major website happens.

Changing your Windows Password over RDP

by Ed Sparks

Windows Server 2003/2008:
Click Start  - Windows Security - Change Password.  Update password.  
Continue on with your day, safe and secure.

Windows Server 2012:
Click Star...oh wait, there's no start menu.
Hmm, attempt to hit the edge of the screen to find the 'charms' and click Settings, then Change PC Setti.  Oh wait, that doesn't exist on 2012, even though it's on Windows 8.
Go to the vast empty void that is the 2012 Start Screen and click, umm,  hmm.
Back to the Desktop, Right Click on the "empty spot that should be the start menu" for the secret "Power Users" menu.  Nope.  Apparently Power Users don't change their passwords.
Bang head against wall.
Google "remote desktop keyboard shortcuts"
Press CTRL-ALT-END, then Change Password. Update password.
Continue on with your day frustrated and annoyed that Microsoft glued this ridiculous interface onto Windows Server.  Really guys, do you actually USE this thing?

 </rant>

Compelling!

Blackberry 10 and Windows Phone 8 Password Prompts

by Ed Sparks

Now that more BB10 and WP8 devices are out in the wild, there are a few issues coming to light in regards to the connection to Exchange ActiveSync.

The most common is that users are periodically prompted for their password after having synced successfully with the server for some time.  In many cases (particularly BB10) this results in an account lockout if the user simply cancels the prompt or mistypes the password.

The same issue does not appear with iOS, Android or Windows Phone 7.x devices against the same servers.  It is not yet clear why the implementation differs on these platforms.

The solution: adjust the timeout settings on your Exchange server, or on your ISA/TMG or ASA gateways, so that connections are held open longer than the heartbeat interval of the ActiveSync device.

Exchange
Follow the steps in this article to ensure the correct configuration is in place for both Exchange (2003/2007/2010) and your ISA/TMG.

ISA/TMG
Under the Web Listener for the EAS/OWA rule, uncheck the "Apply session timeout to non-browser clients" setting, as per this article.

​Cisco ASA
Ensure any NAT rules that pass traffic to Exchange on HTTP/HTTPS have no timeouts, or very long timeout values.

Curious how all this fits together? Here's a great backgrounder on how EAS Direct Push works, heartbeat intervals, firewalls and more.  
http://technet.microsoft.com/en-us/library/cc182270.aspx

Not charmed? Restart Windows 8 or Server 2012 Quickly!

by Ed Sparks

Another gem from Jeff over at the EXPTA blog!

Microsoft and their crazy need to make previously simple tasks complicated in Windows 8...all in the name of ease, or something.

Here's a quick tip on how to sign out, shut down or restart Windows 8 or Windows Server 2012 from the desktop the easy way.  Simply click the Windows taskbar to give focus to the desktop and press Alt-F4.
Source: http://www.expta.com/2013/01/how-to-shut-d...