CryptoAPI Monitor (CAPIMON)
Introduction
CryptoAPI, also known as CAPI, was created to help application developers to make simpler and
more effective use of the cryptography and key management features that are provided by the
Microsoft® Windows® operating system. The generic CryptoAPI calls allow Windows to manage
cryptographic and X.509 version 3 certificate functions in a well-constructed and tested
environment. This environment helps prevent attacks against the sensitive cryptographic data and
functions.
Because CryptoAPI provides generic cryptographic services, programmers can use the
CryptoAPI functions in a variety of ways to accomplish different tasks. Although this provides a
benefit to the programmer who is thoroughly familiar with CryptoAPI and cryptography, there
are often implementation problems in how the applications use these application program
interfaces (APIs). In addition, not all applications can report accurate and detailed errors when
CryptoAPI returns anything other than a successful completion result. As a result, applications
that use CryptoAPI are often difficult to troubleshoot.
CryptoAPI Monitor (CAPIMON) is designed to specifically address this issue by allowing the
administrator to monitor an application’s CryptoAPI calls and the results. CAPIMON can be
used to troubleshoot errors in X.509 version 3 certificate chain building and revocation. It cannot
be used to troubleshoot cryptographic service providers (CSP), cryptographic routines, and
digital signature operations which are also part of CryptoAPI.
The supported operating systems for CAPIMON are:
A member of the Windows 2000 family with Service Pack 3 or later
Windows XP
A member of the Windows Server 2003 family
information about how an application works without interfering with its operations. Because of
this, CAPIMON does not have to change the application in order to determine what issues it is
encountering.
CAPIMON has two main components: a shim and a viewer. The shim captures and logs data,
and the viewer displays the logged data in a usable format.
CAPIMON Shim
A shim is a software component that is installed between two other components. The CAPIMON
shim monitors an application's calls to the APIs in the Crypt32.dll and Cryptnet.dll files, which
together provide most of the CryptoAPI functionality that CryptoAPI-aware applications use. The
shim then logs the application's context-specific information and the parameters that are passed
with each API call. The shim logs this information in an XML log file. You can configure logging
by using a filter file, which is discussed later in this document.
The following APIs are shimmed in Crypt32.dll:
CertFindChainInStore
CertFreeCertificateChain API is shimmed but not logged. This is done so that CAPIMON
can determine when chain contexts go out of scope.
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertVerifyRevocation
The following API is shimmed in Cryptnet.dll:
CertDllVerifyRevocation
For more information about the CryptoAPI calls listed and how they work, see “Cryptography
Functions” on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18885.
On startup, the shim checks the registry or the location that is specified in the command-line
syntax for the .inf configuration file. It then reads the filter settings from the .inf file and applies
them when shimmed APIs are captured. In addition, the shim monitors hard drive and log file
space to ensure that the configured log file size settings are applied.
The CAPIMON shim also creates events in the application event log. These events are created on
the computer running the CAPIMON shim and are not stored in the CAPIMON log file. They
indicate when CAPIMON begins and ends logging, as well as when thresholds are reached, such
as reaching the maximum disk space usage for a log file. Most errors encountered by CAPIMON
are also reported in the event log.
CAPIMON Viewer
The CAPIMON log files are XML documents. Although any XML-capable application can be
used to display the contents of the file, there is a great deal of information that might not display
correctly. For example, Base64 encoded certificate BLOBs, CRLs, and so on cannot be natively
decoded in an XML format. A specialized viewer must be used to properly parse the XML data
and display it with appropriate formatting and labels. The CAPIMON viewer is provided as the
specialized viewer for such data.
The CAPIMON viewer has two lists: a list of captured CryptoAPI function calls at the top and a
details list below it. Clicking any CryptoAPI call in the list of function calls displays the details
of that call in the details list. This allows you to scroll through all the calls that are captured and
only display the details of the calls that might be relevant to the current problem.
Installation
You can install the CAPIMON tool by running the installation package and providing responses
to the installation wizard.
Before you install CAPIMON on a computer running a Windows 2000 operating system, you
must ensure that the Application Compatibility Toolkit version 2.6 is installed on that computer.
For more information about installing the toolkit, see the Windows Application Compatibility
Toolkit on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18670. You must
also have Service Pack 3 or later installed.
In addition, computers running Windows 2000 must install the Microsoft XML Parser
(MSXML) 3.0 Service Pack 4 before using the CAPIMON viewer. This software is available
from the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=19870.
To install CAPIMON, perform the following steps:
1. Log on to the computer as a member of the local administrators group.
2. Double-click the CAPIMON10_Setup.msi file.
3. On the Welcome to the Microsoft CAPIMON 1.0 Setup Wizard page, click Next.
4. Review the End User License Agreement, click I Agree if you agree, and then click Next.
5. Select the location to install CAPIMON and whether to make this tool available to all users
or just the logged in user, and then click Next.
The default path is C:\Program Files\Microsoft CAPIMON 1.0.
6. Click Next to install CAPIMON.
7. When CAPIMON is finished installing, click Close to exit the installation program.
When installation is finished, the folder that you specified in the installation process is created.
This is where most of the CAPIMON program and configuration files are stored. Although the
program files are installed, CAPIMON is not activated and cannot capture data until it is
configured. This configuration is covered in the next section.
Capture Configuration
CAPIMON uses the Capimon_filter.inf filter file to determine which API calls are monitored and
which are logged, as well as other log file configuration settings. The default settings in the
Capimon_filter.inf file will capture function calls that result in errors from the default list of API
calls mentioned earlier. To change these settings, you must use a text editor, such as Notepad, to
edit Capimon_filter.inf or create a new filter file with the necessary entries. The following is a
commented copy of the Capimon_filter.inf file that is provided during the installation of
CAPIMON.
[Version]
LayoutFile = layout.inf

[Collect]
; The names of the APIs to be logged are listed here. If an API is listed in this
; section, then a corresponding section must exist. The name of that corresponding
; section must be the API name.
API = CertFindChainInStore
API = CertGetCertificateChain
API = CertVerifyCertificateChainPolicy
API = CertVerifyRevocation
API = CertDllVerifyRevocation

; MaxLogFileSize sets the maximum log file size (in megabytes). When the log file
; reaches this size, logging is stopped. Valid values are 1 through 50, with a
; default value of 50. If this value is missing, the default value is used.
MaxLogFileSize = 50

[CertFindChainInStore]
; Each API section must specify one of the values to configure logging.
;
; LogAll: log all CryptoAPI calls, both successes and failures. When LogAll is
; present, it overrides ErrorAll and Error settings. Setting LogAll = 1 configures
; this setting.
; ErrorAll: log only the calls that return an error. This is the installed default.
ErrorAll = 1
; Maximum number of API calls to log. Valid values are 0 through 500, with a
; default value of 500. If this value is missing, the default value is used.
MaxTransactions = 500

[CertGetCertificateChain]
ErrorAll = 1
MaxTransactions = 500

[CertVerifyCertificateChainPolicy]
ErrorAll = 1
MaxTransactions = 500

[CertVerifyRevocation]
ErrorAll = 1
MaxTransactions = 500

[CertDllVerifyRevocation]
ErrorAll = 1
MaxTransactions = 500
To change any of the settings in this file, simply edit the file with a text editor and save the file.
Then start or restart CAPIMON, as described in the next section of this document.
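The following Python script is an added example, not part of CAPIMON, that applies the rules stated in the filter file's own comments to a filter before you start a capture: every API listed in [Collect] must have a section of the same name, every API section must set LogAll, ErrorAll or Error, MaxLogFileSize must be 1 through 50, and MaxTransactions 0 through 500. The filter text embedded in it is a constructed, trimmed copy of the default file shown above. The parser is hand-written because [Collect] repeats the API key, which Python's configparser would collapse to a single value.

```python
"""Check a CAPIMON filter file before starting a capture.

Added example; it is not part of CAPIMON. It applies the rules stated in the
comments of Capimon_filter.inf: every API named in [Collect] needs a section
of the same name, every API section sets LogAll, ErrorAll or Error,
MaxLogFileSize is 1..50 MB (default 50) and MaxTransactions is 0..500
(default 500).
"""

# Constructed sample: the shipped default filter, trimmed to two API sections.
DEFAULT_FILTER = """\
[Version]
LayoutFile = layout.inf
[Collect]
; APIs to log; each needs a section of its own below
API = CertGetCertificateChain
API = CertDllVerifyRevocation
MaxLogFileSize = 50
[CertGetCertificateChain]
ErrorAll = 1
MaxTransactions = 500
[CertDllVerifyRevocation]
ErrorAll = 1
MaxTransactions = 500
"""

LOG_MODES = ("LogAll", "ErrorAll", "Error")


def parse_inf(text):
    """Parse .inf text into {section: [(key, value), ...]}.

    Hand-rolled because [Collect] repeats the API key and configparser
    would silently keep only the last API = line.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' opens an .inf comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])  # keep empty sections too
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def lookup(pairs, key):
    """Value of the first matching key (keys are case-insensitive), or None."""
    return next((v for k, v in pairs if k.lower() == key.lower()), None)


def check_range(pairs, key, lo, hi, section, problems):
    """Flag an integer setting that is present but outside lo..hi."""
    value = lookup(pairs, key)
    if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
        problems.append(f"[{section}] {key} = {value} is outside {lo}..{hi}")


def validate_filter(text):
    """Return a list of problems; an empty list means CAPIMON can use the file."""
    sections = parse_inf(text)
    collect = sections.get("Collect")
    if collect is None:
        return ["missing [Collect] section: nothing would be logged"]
    problems = []
    apis = [v for k, v in collect if k.lower() == "api"]
    if not apis:
        problems.append("[Collect] has no API = entries")
    check_range(collect, "MaxLogFileSize", 1, 50, "Collect", problems)
    for api in apis:
        pairs = sections.get(api)
        if pairs is None:
            problems.append(f"{api} is listed in [Collect] but has no [{api}] section")
            continue
        if not any(lookup(pairs, mode) is not None for mode in LOG_MODES):
            problems.append(f"[{api}] sets none of {', '.join(LOG_MODES)}")
        check_range(pairs, "MaxTransactions", 0, 500, api, problems)
    return problems


def effective_limits(text):
    """Limits after the documented defaults are applied, per logged API."""
    sections = parse_inf(text)
    collect = sections.get("Collect", [])
    size = lookup(collect, "MaxLogFileSize")
    limits = {"MaxLogFileSize": int(size) if size and size.isdigit() else 50,
              "apis": {}}
    for key, api in collect:
        if key.lower() != "api":
            continue
        pairs = sections.get(api, [])
        tx = lookup(pairs, "MaxTransactions")
        limits["apis"][api] = {
            "MaxTransactions": int(tx) if tx and tx.isdigit() else 500,
            # LogAll = 1 overrides ErrorAll/Error and logs successes as well
            "logs_successes": lookup(pairs, "LogAll") == "1",
        }
    return limits


if __name__ == "__main__":
    print(validate_filter(DEFAULT_FILTER) or "filter OK")
    print(effective_limits(DEFAULT_FILTER))
```

Run it against your own file with validate_filter(open(path).read()) before Capimon.exe -start; effective_limits() tells you, per API, the point at which CAPIMON will stop logging once the documented defaults are applied, which matters when a capture has to stay running long enough to catch an intermittent failure.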
Capturing data
CAPIMON can capture data as either raw unfiltered data or as filtered data that conforms to
defined rules. This section describes both ways to configure CAPIMON capture. It will also
explain how to stop data capture and how to verify CAPIMON configuration with a separate
tool.
Note
Applications may run in one of several different user contexts. This
depends on several variables, including how the application is started, its
security context, the use of Runas.exe, and the type of application being
monitored. Many applications run in the SYSTEM context, while others
may use LOCAL SERVICE or NETWORK SERVICE. Still others could
use specific service accounts for their security context. This is normal
behavior, and CAPIMON records the user context when it begins
monitoring an application.
Each time you configure CAPIMON to monitor a different application as shown in step 2 of the
above procedure, you must reboot the computer. If you want to monitor multiple applications and
minimize rebooting, you can specify more than one -appname: Application_Path parameter in
the same command. This will allow you to reboot once for several application shims.
The default file name for CAPIMON log files is
CAPIMON_ApplicationName_ProcessID_DATE-Date-TIME-Time.xml. Here are the variables
in the file name:
ApplicationName is the name of the application being monitored. This application name was
provided when you specified an application to be monitored using Capimon.exe -setup.
ProcessID is the process identification number of the application being monitored. Windows
assigns this number each time the application starts, so it usually differs between runs.
Date is the date that the log file was created. CAPIMON obtains this value when the
application is started.
Time is the time that the log file was created. CAPIMON obtains this value when the
application is started.
To change the default log location and the filter name, use the Capimon.exe -setup command,
which is documented in “Configuration,” earlier in this paper. However, the file is always
created with the file name that is described here.
Caution
Unfiltered CAPIMON captures of computers with a large amount of
CryptoAPI activity can cause the log files to become very large very
quickly. By default, CAPIMON stops logging events if the drive that is
used for log files has less than 5% free disk space. Log files are also
configured to have a default size limit of 50 megabytes (MB) or
500 logged transactions. This check is made whenever a logged event is
written. You can configure these settings in the Capimon_filter.inf file, which is described in
“Capture Configuration,” earlier in this document.
6. Click Start, click Run, type cmd, and then press ENTER.
7. Type Capimon.exe -start -filter: FilterName and then press ENTER, where FilterName is
the name of the CAPIMON filter that you created.
CAPIMON creates the log file and begins recording the CryptoAPI calls that you defined in the
filter file. Note that the shim still intercepts every call to the shimmed APIs in the monitored
process; the filter only controls which of those calls are written to the log.
Because CAPIMON can only use one filter file at a time, you should ensure that the capture filter
you use is capturing enough information for all applications that you are monitoring. This might
cause some unwanted data capture from some processes. However, the one log file created per
process should help you to easily focus on the necessary calls for each process.
Examples of CryptoAPI Applications That Can Be Monitored
Although any application can be monitored by CAPIMON, there are some applications that are
more likely to provide useful data. These applications are known to make CryptoAPI calls and
might rely on these calls for their core functionality.
Some common applications that can be monitored by CAPIMON include, but are not restricted
to, the applications listed in the following table.
Common applications that can be monitored by CAPIMON
Application    File name to shim    Common use of CryptoAPI in application
The CAPIMON log files for these applications will likely contain extraneous calls from other
applications that you will need to filter or ignore.
Although CAPIMON stores the user context of each logged application in the log file, it may
sometimes show an unexpected user name. There are three Windows processes that are known as
host processes. They host one or more services that run within the context of the host. This can
present problems when trying to identify what service is hosted by a host. To help identify these
services running within hosts, refer to the following table to see some commonly hosted services
and their host process.
Host processes and examples of services within those processes
Host process Services
To identify services within hosts, on Windows XP or a member of the Windows Server 2003
family, at a command prompt, type Tasklist.exe /svc. This lists every process and the services
hosted in it. Once you identify the service of interest, you can then determine which host
process should be monitored with CAPIMON.
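As an added example (not part of CAPIMON or of Windows), the following Python code parses the text that tasklist /svc prints and answers the question this paragraph raises: which host process, and which process ID, to point CAPIMON at for a given service. The sample output embedded in it is constructed in the tool's column layout; the PIDs and the service mix are invented, not taken from a real computer.

```python
"""Find the host process (and PID) to shim for a given Windows service.

Added example, not part of CAPIMON or Windows. Parses the text printed by
`tasklist /svc`, whose rows are "Image Name", "PID" and a comma-separated
"Services" column that wraps onto indented continuation lines.
"""
import re

# Constructed sample in the layout of `tasklist /svc`: PIDs and the service
# mix are invented, not taken from a real computer.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    892 RpcSs
svchost.exe                   1040 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Schedule, winmgmt
lsass.exe                      640 PolicyAgent, ProtectedStorage, SamSs
services.exe                   628 Eventlog, PlugPlay
"""

# image name (may contain spaces), then the PID, then the services column
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    """'A, B, C,' -> ['A', 'B', 'C']; the N/A placeholder yields no services."""
    names = [s.strip() for s in field.split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist_svc(text):
    """Return [(image, pid, [service, ...]), ...] for every process row."""
    processes = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and processes:
            # continuation of the previous row's Services column
            processes[-1][2].extend(_split_services(line))
            continue
        m = ROW.match(line.rstrip())
        if m:
            processes.append((m.group("image"), int(m.group("pid")),
                              _split_services(m.group("services"))))
    return processes


def host_of(service, text):
    """(image, pid) of the process hosting `service`, or None if not running."""
    wanted = service.lower()
    for image, pid, services in parse_tasklist_svc(text):
        if wanted in (s.lower() for s in services):
            return image, pid
    return None


def services_in(image, text):
    """{pid: [services]} for every instance of an image such as svchost.exe,
    so you can tell which of several svchost.exe processes to shim."""
    return {pid: services for img, pid, services in parse_tasklist_svc(text)
            if img.lower() == image.lower()}


if __name__ == "__main__":
    print(host_of("CryptSvc", SAMPLE_TASKLIST))   # which svchost.exe hosts CryptSvc
    print(services_in("svchost.exe", SAMPLE_TASKLIST))
```

Pipe real output in with `tasklist /svc > svc.txt` and call host_of("PolicyAgent", open("svc.txt").read()); the returned image name is the value to pass to Capimon.exe -setup, and the PID is what will appear in the log file name and in the Process ID field of every captured call.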
Caution
Do not allow CAPIMON to continue to monitor applications, because it
will reduce the computer’s performance. It should only be enabled when
you are actively capturing data for analysis. As a best practice, you
should disable and uninstall CAPIMON when you resolve the issue.
1. Click Start, click Run, type cmd, and then press ENTER.
2. Type Capimon.exe -stop and then press ENTER.
This procedure stops all CAPIMON logging. It does not stop the CAPIMON shim from
functioning or uninstall the program. For instructions on removing the shim and uninstalling
CAPIMON, see “Removal,” later in this document.
Note
You must stop logging to the file before it can be viewed in the
CAPIMON viewer. Open log files cannot be displayed.
View Certificate. (In current context.) Displays the certificate that was used for the
CryptoAPI call. It might not display a certificate chain. If a chain is displayed, it is evaluated
on the current computer and not the computer where the capture occurred.
View CRL. (Determined at the time of capture.) This link displays the certificate revocation
list (CRL) that the computer running CAPIMON used at the time the data was captured.
View CTL. (Determined at the time of capture.) This link displays the certificate trust list
(CTL) that the computer running CAPIMON used at the time the data was captured.
Note that the View Certificate option displays the information about the individual certificate
used in the CryptoAPI call. It might be displayed with a corresponding certificate chain, but that
chain is not the same as the chain that was evaluated during the CAPIMON capture. To view the
certificate chain as it was captured during the CAPIMON session, you should click View
Certificate Chain. This displays the exact certificate chain that was captured during the trace.
CryptoAPI verified the certificate on Line 2. It then began building and verifying the chain and
revocation information in Lines 3, 4, and 5. Finally, a success was passed back to IPSec in
Line 5. In Details, Line 2 CAPIMON displays the following:
CertFindChainInStore
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 20121
User Name: SYSTEM
CertFindChainInStore Parameters
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
Find Para:
None
This certificate shows the following data in the Trust Status section of the Cert Info tab, which
shows that the certificate validated without error:
Error Status:
(0x00000000)
No Error
Info Status:
(0x00000102)
CERT_TRUST_HAS_KEY_MATCH_ISSUER
CERT_TRUST_HAS_PREFERRED_ISSUER
Viewing each certificate in the chain shows similar results, with the exception of the Root CA
certificate which has the following information in the Info Status field:
(0x0000010c)
CERT_TRUST_HAS_NAME_MATCH_ISSUER
CERT_TRUST_IS_SELF_SIGNED
CERT_TRUST_HAS_PREFERRED_ISSUER
CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 161043
User Name: SYSTEM
CertDllVerifyRevocation Parameters:
Flags: 0x00000005
CERT_VERIFY_REV_CHAIN_FLAG (0x00000001)
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)
Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Time to Use: 11/25/1634 13:20:02 519
Url Retrieval Timeout: 10000 (ms)
Time since CRL was published: None
Current Time: 11/25/1634 13:20:02 519
Revocation Status:
None
Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: None
The error 0x80092012 (CRYPT_E_NO_REVOCATION_CHECK) maps to “The revocation function was
unable to check revocation for the certificate.” The CertDllVerifyRevocation function actually
failed twice, in Lines 3 and 4, before it found a valid CRL in Line 5; this happens frequently
when multiple CDPs are specified and the first ones cannot be retrieved:
CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 20131
User Name: SYSTEM
CertDllVerifyRevocation Parameters:
Flags: 0x00000005
CERT_VERIFY_REV_CHAIN_FLAG (0x00000001)
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Revocation Status:
None
Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 016 ms
All four lines have the same output: “Cannot find object or property” (CRYPT_E_NOT_FOUND,
0x80092004). The certificate does not chain: no issuer certificate could be found.
CertFindChainInStore
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 143452
User Name: SYSTEM
CertFindChainInStore Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
CERT_CHAIN_FIND_BY_ISSUER (0x00000001)
Find Para:
None
In the Details portion of Line 1, you see that CertDllVerifyRevocation fails immediately.
CertDllVerifyRevocation
Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 2488
User Name: mikedan
CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
Flags: 0x00000004
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Revocation Status:
None
Revocation Status:
Index: 0
Error: 0
Reason: 0
In the Details portion of Lines 2-4, you can see that CertDllVerifyRevocation successfully
checks the revocation of the certificate.
CertDllVerifyRevocation
Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 159305
User Name: mikedan
CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
Flags: 0x00000004
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Revocation Status:
Base CRL: View CRL... (determined at the time of capture)
Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 018 ms
In the Details portion of Line 5, you can see that CertGetCertificateChain determined that the
certificate had expired.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 310
User Name: mikedan
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)
Additional Store:
Certificates:
1. View Certificate... (in current context)
CRLs:
None
CTLs:
None
Flags: 0x28000001
CERT_CHAIN_CACHE_END_CERT (0x00000001)
CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT (0x08000000)
CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
Chain Para:
Requested Usages (Type: AND):
Secure Email (1.3.6.1.5.5.7.3.4)
The following is displayed on the Cert Info tab of View Certificate Chain.
Error Status:
0x00000001
CERT_TRUST_IS_NOT_TIME_VALID (0x00000001)
Info Status:
0x00000102
CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x00000002)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)
On the Details tab of the certificate, in Validity Period, you find that the certificate expired
5 months before the e-mail was read:
Valid to: Wednesday, April 23, 2003 10:38:33 PM
“The security certificate was issued by a company you have not chosen to trust. View the
certificate to determine whether you want to trust the certifying authority.”
On the General tab, there is another error message:
The certificate cannot be verified up to a trusted certification authority.
Function Calls displays the following table.
Index    Time    API    End Entity Certificate    Root Certificate    Status    User    Thread Id
In the Status column, the status is listed as Partial Chain. In Line 1, CertGetCertificateChain
fails.
Details for Line 1 display the following information.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)
Additional Store:
Certificates:
1. View Certificate... (in current context)
CRLs:
None
CTLs:
None
Flags: 0x00000000
None
Chain Para:
Requested Usages (Type: OR):
Server Authentication (1.3.6.1.5.5.7.3.1)
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1
On the Cert Info tab of View Certificate Properties, the only Info Status bit set is
CERT_TRUST_HAS_NAME_MATCH_ISSUER: the issuer was matched by name only, with no key match and
without the certificate being self-signed. By name it looks like a self-signed certificate, but
it is not one, so chain building cannot continue past it.
Info Status:
0x00000004
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)
CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan
CertVerifyCertificateChainPolicy Parameters:
Policy OID: 4
CERT_CHAIN_POLICY_SSL (4)
Policy Para:
Flags: 0x00000000
None
Policy Status:
Error: CERT_E_UNTRUSTEDROOT (0x800b0109)
Chain Index: 0
Element Index: -1
In Line 2, the error is displayed: the user or computer does not trust the issuer of the SSL
certificate.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)
Additional Store:
Certificates:
1. View Certificate... (in current context)
CRLs:
None
CTLs:
None
Flags: 0x00000000
None
Chain Para:
Requested Usages (Type: OR):
Server Authentication (1.3.6.1.5.5.7.3.1)
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1
CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan
CertVerifyCertificateChainPolicy Parameters:
Policy OID: 4
CERT_CHAIN_POLICY_SSL (4)
Policy Para:
Flags: 0x00000000
None
Policy Status:
Error: ERROR_SUCCESS (0x00000000)
Chain Index: -1
Element Index: -1
In Lines 3 and 4, even though the certificate is not trusted, it is still usable for SSL, if the user
chooses to move forward or trust the issuing certification authority.
The first two lines suggest that there is not a problem with the revocation of the certificate that
the smart card user is using.
CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 64503
User Name: SYSTEM
CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
Flags: 0x00000000
None
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Revocation Status:
Base CRL: View CRL... (determined at the time of capture)
Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 010 ms
In Function Calls, Lines 3 and 4 show the server attempting to build the certificate chain. In
Line 4, the Certification Path tab shows a full chain.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 64502
User Name: SYSTEM
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)
Additional Store:
None
Flags: 0x40000000
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
Chain Para:
Requested Usages (Type: AND):
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)
Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 1007
User Name: SYSTEM
CertVerifyCertificateChainPolicy Parameters:
Policy OID: 6
Policy Para:
Flags: 0x00000000
None
Policy Status:
Error: Unknown Error (0x800b0112)
Chain Index: 0
Element Index: 1
In Function Calls, on Line 4, the Policy Status column shows Unknown Error (0x800b0112). The
viewer does not name this code; it is CERT_E_UNTRUSTEDCA, and Policy OID 6 is
CERT_CHAIN_POLICY_NT_AUTH, the policy applied to smart card logon, which requires the issuing
CA to be present in the enterprise NTAuth store. The Certutil.exe tool displays the following
error message for this error code.
The chain was built successfully, but the server did not trust a certification authority in the chain.
The following section displays output from Certutil.exe, with the corresponding CAPIMON
information:
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 5 Weeks, 14 Hours, 43 Minutes, 22 Seconds
Computer: COMPUTER01
Process ID: 3072
Process Name: CERTUTIL
Thread ID: 3160
Transaction ID: 172314
User Name: mikedan
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)
Additional Store:
None
Flags: 0x40000000
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
Chain Para:
Requested Usages (Type: AND):
None
Later in the Certutil.exe output, you can see the verification of the Root CA certificate that
corresponds to Line 37 in Function Calls.
--------------------------------
CRL 0:
Issuer: CN=Sample Root CA, OU= PKIGroup, O=Wingtiptoys, L=Redmond, S=WA,
C=US, E=someone@wingtiptoys.com
63 68 07 2c 83 d0 ef 0a b8 c3 4e 86 c7 6b 8e a7 48 42 aa 0a
Issuance[0] = 1.3.6.1.4.1.311.42.1.1
In the View Certificate Chain details for Line 37, note the Info Status field: This corresponds
with the final results of the Certutil.exe command.
0x0000010c
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)
CERT_TRUST_IS_SELF_SIGNED (0x00000008)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)
This example shows how CAPIMON gives a hierarchical flow-based representation of data that
might otherwise be difficult to understand.
Note that, in CAPIMON, the Error Status and Info Status shown in the certificate view for
Line 1 are very similar to the Certutil.exe result.
Error Status:
0x00000020
CERT_TRUST_IS_UNTRUSTED_ROOT (0x00000020)
Info Status:
0x0000010c
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)
CERT_TRUST_IS_SELF_SIGNED (0x00000008)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)
The following is the corresponding output from the Certutil.exe command.
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved
0x80072ee7 (WIN32: 12007)
http://rootca/CertEnroll/Root%20CA.crl
--------------------------------
Full chain:
3b 46 47 88 42 f4 78 dd 4f 21 ce ae ac 3b 7d 93 5a 66 89 d5
Issuer: CN=Sample Root CA,OU=Information Technology,
O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Subject: CN=Sample Root CA,OU=Information Technology,
O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Serial: 2a268d370c0e228443e718248b15adbe
3b 46 47 88 42 f4 78 dd 4f 21 ce ae ac 3b 7d 93 5a 66 89 d5
A certificate chain processed, but terminated in a root certificate which is not
trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
Cert is a CA certificate
Lines 4 and 5 of the CAPIMON capture are listed below. They show the status of the revocation
check that Certutil.exe performs.
Line 4:
CertDllVerifyRevocation
Computer: COMPUTER01
Process ID: 3524
Process Name: CERTUTIL
Thread ID: 3520
Transaction ID: 31
User Name: mikedan
CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
Flags: 0x00000000
None
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
None
Stores:
None
Revocation Status:
None
Revocation Status:
Index: 0
Error: 0
Reason: 0
Line 5:
CertVerifyRevocation
Computer: COMPUTER01
Process ID: 3524
Process Name: CERTUTIL
Thread ID: 3520
Transaction ID: 31
User Name: mikedan
CertVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)
CERT_CONTEXT_REVOCATION_TYPE (0x00000001)
Flags: 0x00000000
None
Certificates:
1. View Certificate... (in current context)
Revocation Para:
Issuer's Certificate:
None
Stores:
None
Revocation Status:
None
Revocation Status:
Index: 0
Error: 0
Reason: 0
Notice that Certutil.exe and CAPIMON both report the same condition for the certificate: the
revocation function was unable to check revocation because the revocation server was offline,
result code 0x80092013 (CRYPT_E_REVOCATION_OFFLINE). The Certutil.exe output above shows the
cause: the CDP URL http://rootca/CertEnroll/Root%20CA.crl could not be resolved (0x80072ee7).
Not only is CAPIMON a very valuable troubleshooting tool, you can also use it to see how tools
like Certutil.exe work as well.
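The viewer prints several of the fields in the examples above as raw hex (an Info Status of 0x0000010c, Flags of 0x28000001, “Unknown Error (0x800b0112)”). The following Python module is an added example, not code from CAPIMON or Certutil.exe, that decodes them with the constant values from wincrypt.h and winerror.h and applies the reasoning used in the cases above: expired end-entity certificate, partial chain, untrusted root, and a CA missing from NTAuth. The verdict wording is this example's own; the numeric values are the Windows SDK constants.

```python
"""Decode the status words that the CAPIMON viewer shows as raw hex.

Added example, not code from CAPIMON or Certutil.exe. The tables are the
CERT_TRUST_STATUS bits, CertGetCertificateChain flags, chain-policy numbers
and HRESULTs from wincrypt.h / winerror.h; triage_chain() applies the
reasoning used in the cases worked through above.
"""

ERROR_STATUS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
INFO_STATUS = {
    0x00000001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x00000002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x00000004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x00000008: "CERT_TRUST_IS_SELF_SIGNED",
    0x00000100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}
CHAIN_FLAGS = {
    0x00000001: "CERT_CHAIN_CACHE_END_CERT",
    0x08000000: "CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT",
    0x10000000: "CERT_CHAIN_REVOCATION_CHECK_END_CERT",
    0x20000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN",
    0x40000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT",
    0x80000000: "CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY",
}
REVOCATION_CHECK_MASK = 0x70000000  # any of the three CHECK_* flags
POLICY = {1: "CERT_CHAIN_POLICY_BASE", 2: "CERT_CHAIN_POLICY_AUTHENTICODE",
          3: "CERT_CHAIN_POLICY_AUTHENTICODE_TS", 4: "CERT_CHAIN_POLICY_SSL",
          5: "CERT_CHAIN_POLICY_BASIC_CONSTRAINTS", 6: "CERT_CHAIN_POLICY_NT_AUTH",
          7: "CERT_CHAIN_POLICY_MICROSOFT_ROOT"}
HRESULTS = {
    0x80092004: "CRYPT_E_NOT_FOUND: cannot find object or property",
    0x80092010: "CRYPT_E_REVOKED: the certificate is revoked",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK: revocation could not be checked",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE: the revocation server was offline",
    0x800B0101: "CERT_E_EXPIRED: a required certificate is outside its validity period",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: the chain ends in a root that is not trusted",
    0x800B010A: "CERT_E_CHAINING: no chain could be built to a trusted root",
    0x800B0112: "CERT_E_UNTRUSTEDCA: chain built, but a CA in it is not trusted by the policy",
}


def decode_bits(value, table):
    """Names of the bits set in value, lowest bit first; leftovers shown as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"unknown 0x{leftover:08x}")
    return names


def triage_chain(error_status, info_status):
    """Map one chain element's Error Status / Info Status pair to the first
    thing to check, in the order the cases above were worked through."""
    if error_status == 0:
        verdict = "trusted: no error bits set"
    elif error_status & 0x00010000:
        verdict = "partial chain: no issuer certificate was found for this element"
    elif error_status & 0x00000020:
        verdict = "untrusted root: the self-signed root is not in the Trusted Root store"
    elif error_status & 0x00000001:
        verdict = "not time valid: the certificate is expired or not yet valid"
    elif error_status & 0x00000004:
        verdict = "revoked"
    elif error_status & 0x01000040:
        verdict = "revocation unknown: CRL not retrievable or no revocation information"
    else:
        verdict = "other: read the error bits"
    # A name match without a key match on a certificate that is not
    # self-signed means the issuer was found by subject name only; check that
    # the issuer certificate installed is really the one that signed it.
    if info_status & 0x4 and not info_status & 0xA:
        verdict += "; issuer matched by name only, not by key"
    return {"verdict": verdict,
            "errors": decode_bits(error_status, ERROR_STATUS),
            "info": decode_bits(info_status, INFO_STATUS)}


def revocation_requested(chain_flags):
    """True if the caller asked CertGetCertificateChain to check revocation.
    Flags of 0x00000000, as in the IEXPLORE capture above, mean it did not."""
    return bool(chain_flags & REVOCATION_CHECK_MASK)


def hresult_name(code):
    """Name an HRESULT given as unsigned hex or as the signed value certutil prints."""
    code &= 0xFFFFFFFF
    return HRESULTS.get(code, f"0x{code:08X}: not in table; run certutil -error 0x{code:08X}")
```

Feed triage_chain() the two words from a chain element's Cert Info tab, and revocation_requested() the Flags word from CertGetCertificateChain Parameters. A capture in which no CERT_CHAIN_REVOCATION_CHECK_* bit is set tells you the application never asked CryptoAPI to check revocation during chain building, which is a finding in itself; hresult_name() also accepts the signed decimal form that Certutil.exe prints next to its messages.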
CAPIMON Removal
Once you have completed your troubleshooting work with CAPIMON, you should stop it from
monitoring the CryptoAPI calls. This will help ensure that there is no ongoing performance
degradation due to the tool’s installation. In most cases, you might want to entirely remove
CAPIMON from the computer. While stopping CAPIMON monitoring will ensure that
performance is not affected by the tool, you might prefer complete removal to ensure that the
monitoring is not unintentionally restarted.
CAPIMON must be removed by following two procedures. The first procedure stops CAPIMON
from monitoring the CryptoAPI calls that it has been configured to monitor. The second
procedure removes the CAPIMON program files that were created during installation.
To stop CAPIMON from monitoring the CryptoAPI calls, perform the following procedure:
1. Log on to the computer as a member of the local administrators group.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type Capimon.exe -cleanup and then press ENTER.
4. Reboot the computer when prompted.
To remove the CAPIMON program files that were created during installation, perform the
following steps:
1. Log on to the computer as a member of the local computer’s Administrators group.
2. Click Start, and then click Control Panel.
3. Double-click Add or Remove Program, click Microsoft CAPIMON 1.0, and then click
Remove.
4. Click Yes to confirm removal.
Although the files can be left on the computer, the best practice is to remove them when they
are not in use. This reduces the number of applications on the computer and removes a shim that
sits in the certificate-validation path of privileged processes such as LSASS. The log files
contain the captured certificates, CRLs and call parameters, so delete them as well once the
investigation is finished. CAPIMON can easily be reinstalled at a later date if more monitoring
is required.
Contact Information
Microsoft welcomes your comments regarding this privacy statement. If you believe that
Microsoft has not adhered to this privacy statement, please contact us by e-mail or via postal mail
at the addresses provided below, and we will use commercially reasonable efforts to promptly
determine and remedy the problem.
Microsoft Licensing, GP
6100 Neil Rd. suite 210
Reno, NV 89511
USA
Summary
CAPIMON is an effective tool for troubleshooting an application’s use of CryptoAPI. It can help
you identify exactly what applications are making CryptoAPI calls and what the results of those
calls are. Although many of the CryptoAPI applications are detailed in this document, the
CAPIMON tool can be used with any application that makes CryptoAPI calls.
Contacts
For questions about the CAPIMON tool or its usage, contact the CAPIMON team at
CAPIMON@microsoft.com. This alias does not provide assistance with troubleshooting issues
or resolving problems discovered by CAPIMON. For assistance in resolving issues, contact
Microsoft Product Support Services.