Endpoint Protection Small Business Edition

It seems that our Windows 2008 R2 Standard server started throwing CAPI2 event 513 errors every time the backup software runs a snapshot.

Formerly it was running SEP 12.1 RU1 and on 09/13/2012 it was upgraded to MP1 release - errors started appearing the same day.

The same event id errors were happening in the past, but they were rather related to MS broken revocation list of certificate store/cache, it was fixed eventually.

The System Writer is listed when I issue the command "vssadmin list writers", so that's not the case. All Windows updates are installed on the machine.

this is a copy of example error event, it mentions a file belonging to Symantec, however when I try looking for it manually I cannot find it, not Computer Search does...

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          9/21/2012 2:18:40 PM
Event ID:      513
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary EraserUtilRebootDrv.

System Error:
The system cannot find the file specified.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-09-21T18:18:40.381717300Z" />
    <EventRecordID>7371036</EventRecordID>
    <Correlation />
    <Execution ProcessID="1104" ThreadID="13288" />
    <Channel>Application</Channel>
    <Computer>server</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Details:
AddLegacyDriverFiles: Unable to back up image of binary EraserUtilRebootDrv.

System Error:
The system cannot find the file specified.
</Data>
  </EventData>
</Event>

Our backup software (HP DataProtector Express 5.0) triggers this error event to show up. what is going on?

SEPM is installed on this Windows 2008 R2 server.

The other servers in our domain (Windows 2008 32-bit Standard) were upgraded the same day via SEPM and they don't show this error.

 Hi,

Check this thread

http://www.symantec.com/connect/forums/capi2-513-cryptographic-services-failed-while-processing-onidentity-call-system-writer-object

http://technet.microsoft.com/en-us/library/cc734021(v=ws.10).aspx

Modify the access control list on the registration folder

Component Object Model (COM) applications must be able to access the COM+ catalog files that are stored in the COM catalog folder. If the default access control list is changed on the COM catalog folder within the Windows folder, the Shadow Copy System Writer may not work properly.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To modify the access control list on the COM catalog folder:

1. Click Start, and then click Computer.
2. Navigate to %systemdrive%\Windows.

   By default, %systemdrive% is located at C:\.

3. Right-click Registration, click Properties, and then click the Security tab.
4. Click Advanced, and then click Edit.
5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
6. Click Edit to view the special permissions assigned to this folder.
7. Ensure that the access control list matches the following criteria:
   • The local Administrators group has Full Control permissions applied to This folder and files.
   • The Everyone group has List folder/read data, Read attributes, Read extended attributes, and Read permissions applied to This folder and files.
   • The local SYSTEM account has Full Control permissions applied to This folder and files.
8. If the permissions on this folder do not match what is listed in this procedure, make the appropriate changes, and then click OK.

You shoul see this:

http://support.microsoft.com/kb/2009272

thansk, but I've seen those articles and everything checks out and is set correctly. only problem is related to Symantec tool executable which cannot be found during backup. the System Writer service functions correctly otherwise and permissions on folders are set correctly as decribed in the article.

any other ideas?

I would suggest a call to support

thanks, I probably will open case with Symantec in a few days if I can't figure it out. it's nothing critical, but annoying to see those errors in server logs whenever the scheduled System State backup or scheduled tape backup runs ...

HI,

What happend if you have disable SEP service ?

good question, I don't know. will see about that in a few days, having lots of other trouble to take care of at same time and got swamped with work ...

well for now I disabled the System State Backup task schedule and deleted the Windows Backup files from the folder on hard drive and the event didn't re-appear again.

Obviously it had nothing to do with tapedrive backup (this one is scheduled every night still)... wondering why the System State backup was failing, because of some file belonging to SEP ...

Ok,

Now you can Try to Reenable back up and stop SEP Client service ?

just did, will know by tomorrow morning if problem returns.

Windows Backup / System State went through without issues with SEP disabled. However in morning I found that SEP re-enabled itself at some point and I don't know when. either way, it seems the issue is cleared ... so it seems like there was some corrupt file in the folder where SS backup were being saved to?

weird.

Hi,

Your issue resolved or not ?

will see after weekend if the problem is gone. for now it seems resolved.

Hi 6ft_Under..

Did you receive solution ?

yes, problem is gone, the mentioned errors have never come back again. case closed I guess.

HI,

Please don't forgot mark as solution if any comments help you.