Lemonde
  • Lemonde
  • 100% (Exalted)
  • Advanced Member Topic Starter
4 years ago
We haVe been seeing this in our RDS server at user logon:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 29/05/2020 19:03:41
Event ID: 513
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: %computername%.domain.local
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.
Event Xml:



513
0
2
0
0
0x8080000000000000

94582


Application
%computername%.domain.local




Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.



Sponsor

Want to thank us? Use: Patreon or PayPal or Bitcoins: bc1q4whppe29dw77rm4kv4pln0gqae4yjnxly0dny0hky6yhnafukzjsyrsqhk

All opinions expressed within these pages are sent in by members of the public or by our staff in their spare time, and as such do not represent any opinion held by sircles.net Ltd or their partners.


sirclesadmin
4 years ago
From szz743 user on Microsoft Answers:

"Microsoft Link-Layer Discovery Protocol" binary is located in \Windows\system32\DRIVERS\mslldp.sys

The registry key is here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp



During a VSS backup process running as NETWORK_SERVICE, the account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the drivers records in Service Control Manager database and tries to open each of them, one at a time. The function fails on MSLLDP record with an Access is Denied error.

It fails because the MSLLDP driver security permissions don't allow the NETWORK_SERVICE access to the driver record.

The binary security descriptor for the record is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security

Use SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it:

The original security descriptor looked like this:

>accesschk.exe -c mslldp

mslldp
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW S-1-5-32-549 <- these are server operators
R NT SERVICE\NlaSvc

No service account is allowed to access MSLLDP driver

The security descriptor for the drivers that were processed successfully looked this way:

>accesschk.exe -c mup

mup
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
R NT AUTHORITY\INTERACTIVE
R NT AUTHORITY\SERVICE <- this gives access to services


How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service:

1. Run: SC sdshow MSLLDP

You'll get something like below (SDDL language is documented on MSDN):

D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

2. Run: SC sdshow MUP

You'll get:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

3. Take NT AUTHORITY\ SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group.

4. Apply the new security descriptor to MSLLDP service :

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

5. Check the result:

>accesschk.exe -c mslldp

mslldp
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW S-1-5-32-549
R NT SERVICE\NlaSvc
R NT AUTHORITY\SERVICE