MachineKeys folder fills up quickly

By
Published 08-24-2020 06:38 AM 4,518 Views
Microsoft

MachineKeys folder stores certificate keys that are used by IIS. This folder may fill up with thousands of files in a short time due to a permission or application code related issue.

 

The permanent solution would be correcting permissions or fixing the code so that the keys in this folder are automatically removed. However, if the permanent fix is taking long time, you may need a practical way of removing old files in the meantime.

 

Open Command Prompt as Administrator and run the following command to remove files older than 90 days in the MachineKeys folder

 

 

ForFiles /p "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /s /d -90 /c "cmd /c del @file /F /A:S"

 

 

Nedim_0-1598276289100.jpeg

 

 

Why is this folder filling up? There are four common reasons:

 

  • There is a permission issue that is preventing OS to remove files from that folder. Check this document for the permissions required
  • There is a code related issue. The application is not removing X.509 certificates after they are used
  • A security software is performing SSL check and preventing these files to be removed
  • Enterprise CA might be failing to respond the request
1 Comment

Hi,

 

To whoever read above article:

Under no circumstances do not remove key containers with below names (from here https://forums.iis.net/t/1224708.aspx?C+ProgramData+Microsoft+Crypto+RSA+MachineKeys+is+filling+my+d...)

 

 - Microsoft Internet Information Server -> c2319c42033a5ca7f44e731bfd3fa2b5 ...
 - NetFrameworkConfigurationKey          -> d6d986f09a1ee04e24c949879fdb506c ...
 - iisWasKey                             -> 76944fb33636aeddb9590521c2e8815a ...
 - WMSvc Certificate Key Container       -> bedbf0b4da5f8061b6444baedf4c00b1 ...
 - iisConfigurationKey                   -> 6de9cb26d2b98c01ec4e9e8b34824aa2 ...
 - MS IIS DCOM Server                    -> 7a436fe806e483969f48a894af2fe9a1 ...
 - TSSecKeySet1                          -> f686aace6942fb7f7ceb231212eef4a4 ...

 

Suggest to do cleanup in following steps:

1) Report container (file) names for all certs with private keys

2) Amend pre-defined exclusion list of key container names (see above) with current machine guid

3) Use resulting file list to mark exclusions as readonly

4) Based on current date and read-only attribute absence select key files with LastAccessTime older than 90 days

5) Report on selected into xlsx (name, date of creation etc)
6) Archive selected to separate folder
7) Remove attribute "system" on each selected and delete it from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

 

Cheers,

Greg

%3CLINGO-SUB%20id%3D%22lingo-sub-1608008%22%20slang%3D%22en-US%22%3EMachineKeys%20folder%20fills%20up%20quickly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1608008%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EMachineKeys%26nbsp%3B%3C%2FSTRONG%3Efolder%20stores%20certificate%20keys%20that%20are%20used%20by%20IIS.%20This%20folder%20may%20fill%20up%20with%20thousands%20of%20files%20in%20a%20short%20time%20due%20to%20a%20permission%20or%20application%20code%20related%20issue.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20permanent%20solution%20would%20be%20correcting%20permissions%20or%20fixing%20the%20code%20so%20that%20the%20keys%20in%20this%20folder%20are%20automatically%20removed.%20However%2C%20if%20the%20permanent%20fix%20is%20taking%20long%20time%2C%20you%20may%20need%20a%20practical%20way%20of%20removing%20old%20files%20in%20the%20meantime.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOpen%20Command%20Prompt%20as%20Administrator%20and%20run%20the%20following%20command%20to%26nbsp%3B%3CSTRONG%3Eremove%20files%20older%20than%2090%20days%20in%20the%20MachineKeys%20folder%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-html%22%3E%3CCODE%3EForFiles%20%2Fp%20%22C%3A%5CProgramData%5CMicrosoft%5CCrypto%5CRSA%5CMachineKeys%22%20%2Fs%20%2Fd%20-90%20%2Fc%20%22cmd%20%2Fc%20del%20%40file%20%2FF%20%2FA%3AS%22%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Nedim_0-1598276289100.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214321i71D6EB8725A89494%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Nedim_0-1598276289100.jpeg%22%20alt%3D%22Nedim_0-1598276289100.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhy%20is%20this%20folder%20filling%20up%3F%20There%20are%20four%20common%20reasons%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThere%20is%20a%20permission%20issue%20that%20is%20preventing%20OS%20to%20remove%20files%20from%20that%20folder.%20Check%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%3A%252F%252Fsupport.microsoft.com%252Fen-us%252Fhelp%252F278381%252Fdefault-permissions-for-the-machinekeys-folders%2523%3A~%3Atext%253DSummary%252CInternet%252520Explorer%252520use%252520this%252520folder.%26amp%3Bdata%3D02%257C01%257CNedim.Sahin%2540microsoft.com%257Cc6969801c773415b008c08d848310358%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637338722629836048%26amp%3Bsdata%3Dhea%252F9GGFwGT6%252FdIvWuqT3%252BTQ1X%252FQP2LMYgjBrzJJrzo%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ethis%20document%3C%2FA%3E%20for%20the%20permissions%20required%3C%2FLI%3E%0A%3CLI%3EThere%20is%20a%20code%20related%20issue.%20The%20application%20is%20not%20removing%20X.509%20certificates%20after%20they%20are%20used%3C%2FLI%3E%0A%3CLI%3EA%20security%20software%20is%20performing%20SSL%20check%20and%20preventing%20these%20files%20to%20be%20removed%3C%2FLI%3E%0A%3CLI%3EEnterprise%20CA%20might%20be%20failing%20to%20respond%20the%20request%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1608008%22%20slang%3D%22en-US%22%3E%3CP%3EMachineKeys%26nbsp%3Bfolder%20stores%20certificate%20keys%20that%20are%20used%20by%20IIS.%20This%20folder%20my%20fill%20up%20with%20thousands%20of%20files%20in%20a%20short%20time%20due%20to%20a%20permission%20or%20application%20code%20related%20issue.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2076851%22%20slang%3D%22en-US%22%3ERe%3A%20MachineKeys%20folder%20fills%20up%20quickly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2076851%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20whoever%20read%20above%20article%3A%3C%2FP%3E%3CP%3EUnder%20no%20circumstances%20do%20not%20remove%20key%20containers%20with%20below%20names%20(from%20here%20%3CA%20href%3D%22https%3A%2F%2Fforums.iis.net%2Ft%2F1224708.aspx%3FC%2BProgramData%2BMicrosoft%2BCrypto%2BRSA%2BMachineKeys%2Bis%2Bfilling%2Bmy%2Bdisk%2Bspace%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fforums.iis.net%2Ft%2F1224708.aspx%3FC%2BProgramData%2BMicrosoft%2BCrypto%2BRSA%2BMachineKeys%2Bis%2Bfilling%2Bmy%2Bdisk%2Bspace%3C%2FA%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B-%26nbsp%3BMicrosoft%20Internet%20Information%20Server%20-%26gt%3B%20c2319c42033a5ca7f44e731bfd3fa2b5%26nbsp%3B...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20NetFrameworkConfigurationKey%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%26gt%3B%20d6d986f09a1ee04e24c949879fdb506c%26nbsp%3B...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20iisWasKey%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%26gt%3B%2076944fb33636aeddb9590521c2e8815a%20...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20WMSvc%20Certificate%20Key%20Container%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%26gt%3B%20bedbf0b4da5f8061b6444baedf4c00b1%20...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20iisConfigurationKey%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%26gt%3B%206de9cb26d2b98c01ec4e9e8b34824aa2%20...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20MS%20IIS%20DCOM%20Server%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26gt%3B%207a436fe806e483969f48a894af2fe9a1%20...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%26nbsp%3B-%20TSSecKeySet1%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26gt%3B%20f686aace6942fb7f7ceb231212eef4a4%20...%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESuggest%20to%20do%20cleanup%20in%20following%20steps%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E1)%20Report%20container%20(file)%20names%20for%20all%20certs%20with%20private%20keys%3C%2FP%3E%3CP%3E2)%20Amend%20pre-defined%20exclusion%20list%20of%20key%20container%20names%20(see%20above)%20with%20current%20machine%20guid%3C%2FP%3E%3CP%3E3)%20Use%20resulting%20file%20list%20to%20mark%20exclusions%20as%20readonly%3C%2FP%3E%3CP%3E4)%20Based%20on%20current%20date%20and%20read-only%20attribute%20absence%20select%20key%20files%20with%20LastAccessTime%20older%20than%2090%20days%3C%2FP%3E%3CP%3E5)%20Report%20on%20selected%20into%20xlsx%20(name%2C%20date%20of%20creation%20etc)%3CBR%20%2F%3E6)%20Archive%20selected%20to%20separate%20folder%3CBR%20%2F%3E7)%20Remove%20attribute%20%22system%22%20on%20each%20selected%20and%20delete%20it%20from%20C%3A%5CProgramData%5CMicrosoft%5CCrypto%5CRSA%5CMachineKeys%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3EGreg%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 25 2020 07:33 AM
Updated by: