IIS Support Blog
MachineKeys folder fills up quickly

Nedim (Microsoft)
Aug 24, 2020

The MachineKeys folder stores certificate keys that are used by IIS. This folder may fill up with thousands of files in a short time because of a permission issue or an application code issue.

The permanent solution is to correct the permissions or fix the code so that the keys in this folder are removed automatically. However, if the permanent fix is taking a long time, you may need a practical way of removing old files in the meantime.

Open Command Prompt as Administrator and run the following command to remove files older than 90 days from the MachineKeys folder:

 

 

ForFiles /p "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /s /d -90 /c "cmd /c del @file /F /A:S"

Why is this folder filling up? There are four common reasons:

 

  • There is a permission issue that is preventing the OS from removing files from that folder. Check this document for the permissions required
  • There is a code-related issue. The application is not removing X.509 certificates after they are used
  • Security software is performing an SSL check and preventing these files from being removed
  • The Enterprise CA might be failing to respond to the request
Updated Aug 25, 2020
Version 2.0
  • Hi,

     

    To whoever reads the above article:

    DO NOT remove key containers with the names below (from here https://forums.iis.net/t/1224708.aspx?C+ProgramData+Microsoft+Crypto+RSA+MachineKeys+is+filling+my+disk+space)

     

     - Microsoft Internet Information Server -> c2319c42033a5ca7f44e731bfd3fa2b5 ...
     - NetFrameworkConfigurationKey          -> d6d986f09a1ee04e24c949879fdb506c ...
     - iisWasKey                             -> 76944fb33636aeddb9590521c2e8815a ...
     - WMSvc Certificate Key Container       -> bedbf0b4da5f8061b6444baedf4c00b1 ...
     - iisConfigurationKey                   -> 6de9cb26d2b98c01ec4e9e8b34824aa2 ...
     - MS IIS DCOM Server                    -> 7a436fe806e483969f48a894af2fe9a1 ...
     - TSSecKeySet1                          -> f686aace6942fb7f7ceb231212eef4a4 ...

     

    I suggest doing the cleanup in the following steps:

    1) Report container (file) names for all certs with private keys

    2) Amend pre-defined exclusion list of key container names (see above) with current machine guid

    3) Use resulting file list to mark exclusions as readonly

    4) Based on current date and read-only attribute absence select key files with LastAccessTime older than 90 days

    5) Report on selected into xlsx (name, date of creation etc)
    6) Archive selected to separate folder
    7) Remove attribute "system" on each selected and delete it from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

     

    Cheers,

    Greg
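
Steps 1 to 5 of the cleanup suggested in the comment above, as an added PowerShell example (not code from the article or from the commenter). It only reports candidates and deletes nothing. Assumptions: the well-known key files are matched by the prefixes quoted in the comment instead of appending the machine GUID, the report is CSV rather than xlsx, and the output path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: report only. Nothing is deleted, moved or re-attributed.
$keyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$cutoff = (Get-Date).AddDays(-90)
$report = Join-Path $env:TEMP 'MachineKeys-candidates.csv'   # placeholder output path

# Well-known key container file-name prefixes quoted in the comment (never candidates).
$wellKnown = @(
    'c2319c42033a5ca7f44e731bfd3fa2b5'  # Microsoft Internet Information Server
    'd6d986f09a1ee04e24c949879fdb506c'  # NetFrameworkConfigurationKey
    '76944fb33636aeddb9590521c2e8815a'  # iisWasKey
    'bedbf0b4da5f8061b6444baedf4c00b1'  # WMSvc Certificate Key Container
    '6de9cb26d2b98c01ec4e9e8b34824aa2'  # iisConfigurationKey
    '7a436fe806e483969f48a894af2fe9a1'  # MS IIS DCOM Server
    'f686aace6942fb7f7ceb231212eef4a4'  # TSSecKeySet1
)

# Step 1: key file names behind every LocalMachine certificate that has a private key.
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$inUse = @(Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_   # keep the certificate; inside catch, $_ is the error record
        try {
            $rsa = $ext::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            }
        } catch {
            Write-Warning "Key for certificate $($cert.Thumbprint) could not be opened: $($_.Exception.Message)"
        }
    })

# Steps 2-4: skip well-known and in-use keys, keep files not accessed since the cutoff.
$candidates = @(Get-ChildItem -LiteralPath $keyDir -File -Force | Where-Object {
    $name = $_.Name
    $_.LastAccessTime -lt $cutoff -and
        $inUse -notcontains $name -and
        -not ($wellKnown | Where-Object { $name -like "$_*" })
})

# Step 5: write the report; archiving and deletion (steps 6-7) stay a reviewed, manual action.
$candidates | Select-Object Name, Length, CreationTime, LastWriteTime, LastAccessTime |
    Export-Csv -Path $report -NoTypeInformation
Write-Output "$($candidates.Count) candidate key files listed in $report"
```

LastAccessTime is only meaningful when NTFS last-access updates are enabled; `fsutil behavior query disablelastaccess` shows the current setting. Review any warning about a key that could not be opened before treating its file as unused.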