• We recently (I think about a month ago) started receiving notifications for low disk space on our server. In investigating the source of the usage, we found a very large number of files (millions) being generated in the following folder, quickly consuming all of the free space on the disk:
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-20

    Although this link is for a different application, this appears to be the same issue (https://github.com/Pro/dkim-exchange/issues/91).

    We've run a script (https://github.com/sntcz/Clear-MachineKeys) to clean this up (initially removing files older than 30 days, but eventually decreasing it to 10 days). Unfortunately, it takes a while to get the folder cleaned up. With web services still running, we actually reached 0 free space on the system, so we disabled the IIS/World Wide Web Publishing Service. After getting the folder cleaned up to a reasonable level yesterday (we had about 30 files remaining), we restarted services, and it looked like it was staying stable around 100 files. However, the number of files in the folder has grown to ~1.5 million since yesterday, consuming around 3 GB.

    Following the restart, I had to increase the system's processor to get it to even be reasonably responsive. I'm not sure if this is a consequence of cleaning up the files or the system being slow/unstable, but we now have several clients in a PendingConfirmation status (some of these were new clients that we were just now able to approve; at least one is a client that I had to reset), and I'm unable to get clients to manually run inventory, check in, or run instant modules.

    I'm not sure how to proceed now, but I think verifying how/why so many files are being generated and resolving that would allow us to verify if the performance and client check-in was also resolved. For the record, the system has been in place for approximately three years without issue. No other services or web instances run on this system.


  • Uninstalling the 2025-03 Cumulative Update (KB5053596) (and 2025-04 [KB505519] to be able to remove the 2025-03 update) seems to have allowed the server to resume operating. Clients are checking in, the clients with PendingConfirmation status now show Provisioned, and manual inventory/check-in and instant modules are working.
    Obviously, leaving these updates off long-term is not good for security, but this does confirm that the Windows update caused the issue.

    Server is running Windows Server 2019 in a VM instance. Outside of these two updates, it's fully patched and has only Theopenem (and supporting software, e.g., MariaDB) installed.

    The Crypto\RSA folder does still have 780k files in it. We will be watching to make sure that number is not growing.


  • Thanks, I was trying to replicate this and was unable to. I'll update to the latest security updates and try again.
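
One way to watch whether the key folder discussed in this thread is still growing, as an added example that is not part of the original posts or of any project mentioned in them. The folder path is the one given in the thread; the sampling interval, sample count and "recent" window are assumptions, and the script is meant to be run from an elevated prompt.

```powershell
# Added example: samples the NetworkService RSA key folder and reports growth.
# Interval, sample count and the "recent" window are assumed defaults.
param(
    [string]$KeyDir = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-20',
    [int]$IntervalSeconds = 300,
    [int]$Samples = 12,
    [int]$RecentMinutes = 60
)

function Get-KeyDirSnapshot {
    param([string]$Path, [int]$RecentMinutes)
    $cutoff = [DateTime]::UtcNow.AddMinutes(-$RecentMinutes)
    $count = 0; $bytes = [long]0; $recent = 0
    # EnumerateFiles streams entries, so millions of files are never held in memory at once
    $dir = New-Object System.IO.DirectoryInfo $Path
    foreach ($f in $dir.EnumerateFiles()) {
        $count++
        $bytes += $f.Length
        if ($f.CreationTimeUtc -ge $cutoff) { $recent++ }
    }
    [pscustomobject]@{
        TimeUtc         = [DateTime]::UtcNow
        Files           = $count
        MB              = [math]::Round($bytes / 1MB, 1)
        CreatedRecently = $recent   # files created inside the recent window
        FilesPerHour    = $null     # filled in from the previous sample
    }
}

$prev = $null
for ($i = 0; $i -lt $Samples; $i++) {
    $snap = Get-KeyDirSnapshot -Path $KeyDir -RecentMinutes $RecentMinutes
    if ($prev) {
        $hours = ($snap.TimeUtc - $prev.TimeUtc).TotalHours
        if ($hours -gt 0) {
            # Net change between samples; negative while a cleanup script is winning
            $snap.FilesPerHour = [math]::Round(($snap.Files - $prev.Files) / $hours)
        }
    }
    $snap   # emit the sample to the pipeline (table, CSV, log file, ...)
    $prev = $snap
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}
```

A `CreatedRecently` value that stays near zero while `Files` holds steady indicates the remaining files are leftovers rather than new key containers being generated.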