board logo
Posted by: Lemonde - 12 June 2020 15:03:33
We haVe been seeing this in our RDS server at user logon: Log Name: Application Source: Microsoft-Windows-CAPI2 Date: 29/05/2020 19:03:41 Event ID: 513 Task Category: None Level: Error Keywords: Classic User: N/A Computer: %computername%.domain.local Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied. . Event Xml: 513 0 2 0 0 0x8080000000000000 94582 Application %computername%.domain.local Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied.

Posted by: sirclesadmin - 18 November 2020 17:45:42
From [b]szz743 [/b]user on Microsoft Answers: "Microsoft Link-Layer Discovery Protocol" binary is located in \Windows\system32\DRIVERS\mslldp.sys The registry key is here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp During a VSS backup process running as NETWORK_SERVICE, the account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the drivers records in Service Control Manager database and tries to open each of them, one at a time. The function fails on MSLLDP record with an [i]Access is Denied[/i] error. It fails because the MSLLDP driver security permissions don't allow the NETWORK_SERVICE access to the driver record. The binary security descriptor for the record is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security Use SC.EXE and Sysinternals' ACCESSCHK.EXE to fix it: The original security descriptor looked like this: >accesschk.exe -c mslldp mslldp RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW S-1-5-32-549 <- these are server operators R NT SERVICE\NlaSvc No service account is allowed to access MSLLDP driver The security descriptor for the drivers that were processed successfully looked this way: >accesschk.exe -c mup mup RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators R NT AUTHORITY\INTERACTIVE R NT AUTHORITY\SERVICE <- this gives access to services How to add access rights for NT AUTHORITY\SERVICE to MSLLDP service: 1. Run: SC sdshow MSLLDP You'll get something like below (SDDL language is documented on MSDN): D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 2. Run: SC sdshow MUP You'll get: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 3. Take NT AUTHORITY\ SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU) and add it to the original MSLLDP security descriptor properly, right before the last S:(AU... group. 4. Apply the new security descriptor to MSLLDP service : sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 5. Check the result: >accesschk.exe -c mslldp mslldp RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW S-1-5-32-549 R NT SERVICE\NlaSvc R NT AUTHORITY\SERVICE