
CryptoAPI Monitor

(CAPIMON)

Introduction
CryptoAPI, also known as CAPI, was created to help application developers to make simpler and
more effective use of the cryptography and key management features that are provided by the
Microsoft® Windows® operating system. The generic CryptoAPI calls allow Windows to manage
cryptographic and X.509 version 3 certificate functions in a well-constructed and tested
environment. This environment helps prevent attacks against the sensitive cryptographic data and
functions.
Because CryptoAPI provides generic cryptographic services, programmers can use the
CryptoAPI functions in a variety of ways to accomplish different tasks. Although this provides a
benefit to the programmer who is thoroughly familiar with CryptoAPI and cryptography, there
are often implementation problems in how the applications use these application program
interfaces (APIs). In addition, not all applications can report accurate and detailed errors when
CryptoAPI returns anything other than a successful completion result. As a result, applications
that use CryptoAPI are often difficult to troubleshoot.
CryptoAPI Monitor (CAPIMON) is designed to specifically address this issue by allowing the
administrator to monitor an application’s CryptoAPI calls and the results. CAPIMON can be
used to troubleshoot errors in X.509 version 3 certificate chain building and revocation. It cannot
be used to troubleshoot cryptographic service providers (CSP), cryptographic routines, and
digital signature operations which are also part of CryptoAPI.
The supported operating systems for CAPIMON are:
• A member of the Windows 2000 family with Service Pack 3 or later
• Windows XP
• A member of the Windows Server 2003 family

How CAPIMON Works


CAPIMON monitors application calls to CryptoAPI-specific dynamic linked libraries (DLL) and
the responses to those calls. Monitoring the DLLs allows CAPIMON to capture and display
2 CryptoAPI Monitor (CAPIMON)

information about how an application works without interfering with its operations. Because of
this, CAPIMON does not have to change the application in order to determine what issues it is
encountering.
CAPIMON has two main components: a shim and a viewer. The shim captures and logs data,
and the viewer displays the logged data in a usable format.

CAPIMON Shim
A shim is a software component that is installed between two other components. The CAPIMON
shim monitors an application’s calls to the APIs in the Crypt32.dll and Cryptnet.dll files, which
provide the majority of CryptoAPI functionality for CryptoAPI-aware applications. The shim then
logs the application’s context-specific information and the
parameters that are passed with each API call. The shim logs this information in an XML log file.
You can configure logging by using a filter file, which is discussed later in this document.
The following APIs are shimmed in Crypt32.dll:
• CertFindChainInStore
• CertFreeCertificateChain (shimmed but not logged). This is done so that CAPIMON can
determine when chain contexts go out of scope.
• CertGetCertificateChain
• CertVerifyCertificateChainPolicy
• CertVerifyRevocation
The following API is shimmed in Cryptnet.dll:
• CertDllVerifyRevocation
For more information about the CryptoAPI calls listed and how they work, see “Cryptography
Functions” on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18885.
On startup, the shim checks the registry or the location that is specified in the command-line
syntax for the .inf configuration file. It then reads the filter settings from the .inf file and applies
them when shimmed APIs are captured. In addition, the shim monitors hard drive and log file
space to ensure that the configured log file size settings are applied.
The CAPIMON shim also creates events in the application event log. These events are created on
the computer running the CAPIMON shim and are not stored in the CAPIMON log file. They
indicate when CAPIMON begins and ends logging, as well as when thresholds are reached, such
as reaching the maximum disk space usage for a log file. Most errors encountered by CAPIMON
are also reported in the event log.

CAPIMON Viewer
The CAPIMON log files are XML documents. Although any XML-capable application can be
used to display the contents of the file, there is a great deal of information that might not display
correctly. For example, Base64 encoded certificate BLOBs, CRLs, and so on cannot be natively
How to Use CAPIMON 3

decoded in an XML format. A specialized viewer must be used to properly parse the XML data
and display it with appropriate formatting and labels. The CAPIMON viewer is provided as the
specialized viewer for such data.
The CAPIMON viewer has two lists: a list of captured CryptoAPI function calls at the top and a
details list below it. Clicking any CryptoAPI call in the list of function calls displays the details
of that call in the details list. This allows you to scroll through all the calls that are captured and
only display the details of the calls that might be relevant to the current problem.

How to Use CAPIMON


CAPIMON is available as a Windows Installer (.msi) package. It must be installed and
configured properly before it will capture and display data. The following section explains how
to perform these tasks.

Installation
You can install the CAPIMON tool by running the installation package and providing responses
to the installation wizard.
Before you install CAPIMON on a computer running a Windows 2000 operating system, you
must ensure that the Application Compatibility Toolkit version 2.6 is installed on that computer.
For more information about installing the toolkit, see the Windows Application Compatibility
Toolkit on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18670. You must
also have Service Pack 3 or later installed.
In addition, computers running Windows 2000 must install the Microsoft XML Parser
(MSXML) 3.0 Service Pack 4 before using the CAPIMON viewer. This software is available
from the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=19870.
To install CAPIMON, perform the following steps:
1. Log on to the computer as a member of the local administrators group.
2. Double-click the CAPIMON10_Setup.msi file.
3. On the Welcome to the Microsoft CAPIMON 1.0 Setup Wizard page, click Next.
4. Review the End User License Agreement, click I Agree if you agree, and then click Next.
5. Select the location to install CAPIMON and whether to make this tool available to all users
or just the logged in user, and then click Next.
The default path is C:\Program Files\Microsoft CAPIMON 1.0.
6. Click Next to install CAPIMON.
7. When CAPIMON is finished installing, click Close to exit the installation program.
When installation is finished, the folder that you specified in the installation process is created.
This is where most of the CAPIMON program and configuration files are stored. Although the
program files are installed, CAPIMON is not activated and cannot capture data until it is
configured. This configuration is covered in the next section.

Capture Configuration
CAPIMON uses the Capimon_filter.inf filter file to determine which API calls are monitored and
which are logged, as well as other log file configuration settings. The default settings in the
Capimon_filter.inf file will capture function calls that result in errors from the default list of API
calls mentioned earlier. To change these settings, you must use a text editor, such as Notepad, to
edit Capimon_filter.inf or create a new filter file with the necessary entries. The following is a
commented copy of the Capimon_filter.inf file that is provided during the installation of
CAPIMON.
[Version]
Signature = "$Windows NT$"
LayoutFile = layout.inf

[Collect]
; The names of the APIs to be logged are listed here. If an API is listed in this
; section, then a corresponding section must exist. The name of that corresponding
; section must be the API name.
API = CertFindChainInStore
API = CertGetCertificateChain
API = CertVerifyCertificateChainPolicy
API = CertVerifyRevocation
API = CertDllVerifyRevocation

; MaxLogFileSize sets the maximum log file size (in megabytes). When the log file
; reaches this size, logging is stopped. Valid values are 1 through 50, with a
; default value of 50. If this value is missing, the default value is used.
MaxLogFileSize = 50

[CertFindChainInStore]
; Each API section must specify one of the following values to configure logging:
;
; LogAll: log all CryptoAPI calls, both successes and failures. When LogAll is
; present, it overrides the ErrorAll and Error settings. Setting LogAll = 1
; configures this setting.
;
; ErrorAll: log all CryptoAPI errors. When ErrorAll is present, it overrides the
; Error setting. Setting ErrorAll = 1 configures this setting.
;
; Error (applicable only to the CertGetCertificateChain API): log specific
; errors for this API. The errors are specified as OR-ed hexadecimal flags for
; dwErrorStatus in the returned chain context. The wincrypt.h file provides more
; details on the error values to use for this value.
;
; For example, Error = 0xFFFFFFFF will log all errors.
ErrorAll = 1

; Maximum number of API calls to log. Valid values are 0 through 500, with a
; default value of 500. If this value is missing, the default value is used.
MaxTransactions = 500

[CertGetCertificateChain]
ErrorAll = 1
MaxTransactions = 500

[CertVerifyCertificateChainPolicy]
ErrorAll = 1
MaxTransactions = 500

[CertVerifyRevocation]
ErrorAll = 1
MaxTransactions = 500

[CertDllVerifyRevocation]
ErrorAll = 1
MaxTransactions = 500

To change any of the settings in this file, simply edit the file with a text editor and save the file.
Then start or restart CAPIMON, as described in the next section of this document.
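The rules stated in the comments of Capimon_filter.inf can be checked mechanically before a capture is started, which avoids a reboot cycle spent on a filter that CAPIMON will reject or silently default. The following Python script is an added example and is not part of CAPIMON; it parses the .inf layout shown above (";" comments, [Section] headers, repeated "API =" keys) and applies the constraints the file documents: every API listed under [Collect] needs a section of the same name, each API section needs LogAll, ErrorAll or Error, MaxLogFileSize must be 1 through 50, MaxTransactions 0 through 500, and Error applies only to CertGetCertificateChain. The filter text embedded in it is constructed and deliberately contains mistakes.

```python
"""Parser and validator for the Capimon_filter.inf format.

Added example, not part of the CAPIMON tool. It implements only the rules the
file's own comments state; SAMPLE_FILTER is constructed for demonstration.
"""
import re

# Per the filter comments, only this API section may use the Error setting.
API_SECTIONS_CAN_USE_ERROR = {"CertGetCertificateChain"}


def parse_inf(text):
    """Return {section: [(key, value), ...]} in file order.

    Keys are kept as a list of pairs because [Collect] repeats 'API =' for
    every monitored API; a plain dict would collapse those to the last one.
    Anything after ';' is a comment, as in the file shown above.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def _int_in_range(value, lo, hi, name, problems):
    """Parse a decimal or 0x-prefixed value and record a problem if it is out of range."""
    try:
        n = int(value, 0)
    except ValueError:
        problems.append(f"{name}: not a number: {value!r}")
        return None
    if not lo <= n <= hi:
        problems.append(f"{name}: {n} outside {lo}..{hi}")
    return n


def validate_filter(text):
    """Return (settings, problems).

    settings maps each API listed under [Collect] to its effective logging mode
    (LogAll overrides ErrorAll, which overrides Error) and MaxTransactions;
    problems lists every rule violation found, so the caller sees all of them.
    """
    sections = parse_inf(text)
    problems, settings = [], {}
    collect = sections.get("Collect")
    if collect is None:
        return settings, ["missing [Collect] section"]
    single_valued = dict(collect)
    _int_in_range(single_valued.get("MaxLogFileSize", "50"), 1, 50,
                  "MaxLogFileSize", problems)
    for api in [v for k, v in collect if k == "API"]:
        section = sections.get(api)
        if section is None:
            problems.append(f"[Collect] lists {api} but no [{api}] section exists")
            continue
        opts = dict(section)
        mode = None
        if opts.get("LogAll") == "1":
            mode = "LogAll"
        elif opts.get("ErrorAll") == "1":
            mode = "ErrorAll"
        elif "Error" in opts:
            mode = "Error"
            if api not in API_SECTIONS_CAN_USE_ERROR:
                problems.append(f"[{api}]: Error applies only to CertGetCertificateChain")
            _int_in_range(opts["Error"], 0, 0xFFFFFFFF, f"[{api}] Error", problems)
        else:
            problems.append(f"[{api}]: needs LogAll, ErrorAll or Error")
        max_tx = _int_in_range(opts.get("MaxTransactions", "500"), 0, 500,
                               f"[{api}] MaxTransactions", problems)
        settings[api] = {"mode": mode, "max_transactions": max_tx}
    return settings, problems


# Constructed sample: the second API section is missing a logging mode and
# sets MaxTransactions above the documented maximum of 500.
SAMPLE_FILTER = """
[Version]
Signature = "$Windows NT$"
LayoutFile = layout.inf

[Collect]
API = CertGetCertificateChain
API = CertVerifyRevocation
MaxLogFileSize = 50

[CertGetCertificateChain]
; log only not-time-valid and untrusted-root chains (OR-ed dwErrorStatus bits)
Error = 0x00000021
MaxTransactions = 200

[CertVerifyRevocation]
MaxTransactions = 9999   ; constructed mistake
"""

if __name__ == "__main__":
    found_settings, found_problems = validate_filter(SAMPLE_FILTER)
    for api, conf in found_settings.items():
        print(f"{api}: mode={conf['mode']} max_transactions={conf['max_transactions']}")
    for problem in found_problems:
        print("problem:", problem)
```

Run it against a real filter by reading the file into validate_filter(); an empty problems list means every listed API has a usable section and all limits are within the documented ranges.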

Capturing Data
CAPIMON can capture data as either raw unfiltered data or as filtered data that conforms to
defined rules. This section describes both ways to configure CAPIMON capture. It will also
explain how to stop data capture and how to verify CAPIMON configuration with a separate
tool.

Capturing Error Data with CAPIMON


To configure CAPIMON to capture CryptoAPI calls from an application that return an error, you
can use the following procedure:
1. Log on to the computer as a member of the local administrators group.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type Capimon.exe -setup -appname: Application_Path and then press ENTER; where
Application_Path is the full path and file name of the application you want to monitor.
4. Reboot the computer when prompted. If you are not prompted to reboot the computer,
proceed to the next step.
5. Log on to the computer as a member of the local computer’s Administrators group.
6. Click Start, click Run, type cmd, and then press ENTER.
7. Type Capimon.exe -start and then press ENTER.
When you complete this procedure, all monitored CryptoAPI calls from the specified application
that return an error are saved in a log file. The location of the log file is the
CAPIMONInstallation\Logs\User Name folder, where CAPIMONInstallation is the path that you
specified when you installed CAPIMON (the default is C:\Program Files\Microsoft
CAPIMON 1.0) and User Name is the name of the user context that the monitored application is
using. Because the user context for applications can vary, you should examine the CAPIMON
events in Event Viewer to determine the user context and exact path to new log files.

Note
Applications may run in one of several different user contexts. This
depends on several variables, including how the application is started, its
security context, the use of Runas.exe, and the type of application being
monitored. Many applications run in the SYSTEM context, while others
may use LOCAL SERVICE or NETWORK SERVICE. Still others could
use specific service accounts for their security context. This is normal
behavior, and CAPIMON records the user context when it begins
monitoring an application.

Each time you configure CAPIMON to monitor a different application as shown in step 2 of the
above procedure, you must reboot the computer. If you want to monitor multiple applications and
minimize rebooting, you can specify more than one -appname: Application_Path parameter in
the same command. This will allow you to reboot once for several application shims.
The default file name for CAPIMON log files is
CAPIMON_ApplicationName_ProcessID_DATE-Date-TIME-Time.xml. Here are the variables
in the file name:
• ApplicationName is the name of the application being monitored. This application name was
provided when you specified an application to be monitored using Capimon.exe -setup.
• ProcessID is the process identification number of the application being monitored. This
number might be different each time the application starts because of the application
management scheme Windows uses.
• Date is the date that the log file was created. CAPIMON obtains this value when the
application is started.
• Time is the time that the log file was created. CAPIMON obtains this value when the
application is started.
To change the default location and filter name, you can use the Capimon.exe -setup command,
which is documented in “Configuration,” earlier in this paper. However, the file is always
created with the file name that is described here.

Caution
Unfiltered CAPIMON captures of computers with a large amount of
CryptoAPI activity can cause the log files to become very large very
quickly. By default, CAPIMON stops logging events if the drive that is
used for log files has less than 5% free disk space. Log files are also
configured to have a default size limit of 50 megabytes (MB) or
500 logged transactions. This check is made whenever a logged event is
written. You can configure these settings in the Capimon_filter.inf file,
which is described later in this document.

Using a Capture Filter


You can use CAPIMON to filter captured CryptoAPI calls in order to ensure that you do not
capture any unnecessary data. Before capturing with a filter, you must create a CAPIMON filter,
as described in “Configuration,” earlier in this document. To begin a capture with a filter,
perform the following procedure:
1. Log on to the computer as a member of the local administrators group.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type Capimon.exe -setup -appname: Application_Path and then press ENTER; where
Application_Path is the full path and file name of the application you want to monitor.
4. Reboot the computer when prompted.
5. Log on to the computer as a member of the local computer’s Administrators group.
6. Click Start, click Run, type cmd, and then press ENTER.
7. Type Capimon.exe -start -filter: FilterName and then press ENTER, where FilterName is
the name of the CAPIMON filter that you created.
CAPIMON creates the log file and begins recording the CryptoAPI calls that you defined in the
filter file. Note that CAPIMON will still process all API calls as its shims are still applied to the
entire file. However, it will only log the calls that you configured with the filter file.
Because CAPIMON can only use one filter file at a time, you should ensure that the capture filter
you use is capturing enough information for all applications that you are monitoring. This might
cause some unwanted data capture from some processes. However, the one log file created per
process should help you to easily focus on the necessary calls for each process.

Examples of CryptoAPI Applications That Can Be Monitored
Although any application can be monitored by CAPIMON, there are some applications that are
more likely to provide useful data. These applications are known to make CryptoAPI calls and
might rely on these calls for their core functionality.
Some common applications that can be monitored by CAPIMON include, but are not restricted
to, the applications listed in the following table.
Common applications that can be monitored by CAPIMON

Application | Common use of CryptoAPI | File name to shim in application
Microsoft Outlook | Secure e-mail | Outlook.exe
IP Security (IPSec) | Session establishment (IKE), Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) connections, Internet Authentication Service (IAS) communication | Lsass.exe
Internet Explorer | Secure Sockets Layer (SSL) communications - client-side | Iexplore.exe
Internet Information Services (IIS) | SSL communications - server-side | Lsass.exe
Kerberos | Smart card logon authentication | Lsass.exe
Internet Authentication Server (IAS) | Smart card logon authentication | Lsass.exe
Secure wireless networking, Extensible Authentication Protocol-Transport Layer Security (EAP TLS) | Encrypted wireless communication | Services.exe
Protected storage, Data Protection API (DPAPI) | Private key access | Lsass.exe
Certification authority (CA) | Certificate issuance and storage | Certsrv.exe

The CAPIMON log files for these applications will likely contain extraneous calls from other
applications that you will need to filter or ignore.
Although CAPIMON stores the user context of each logged application in the log file, it may
sometimes show an unexpected user name. There are three Windows processes that are known as
host processes. They host one or more services that run within the context of the host. This can
present problems when trying to identify what service is hosted by a host. To help identify these
services running within hosts, refer to the following table to see some commonly hosted services
and their host process.
Host processes and examples of services within those processes

Host process | Services
Lsass.exe | HTTPFilter, KDC, PolicyAgent, ProtectedStore
Svchost.exe | BITS, Cryptsvc, Termservice
Services.exe | None by default

To identify services within hosts, on Windows XP or a member of the Windows Server 2003
family, at a command prompt, type Tasklist.exe -svc. This lists all processes and any services or
threads running within them. Once you identify the service of interest, you can then determine
which host process should be monitored with CAPIMON.

Verifying CAPIMON Configuration


To verify that a process is shimmed, you can use the CompatAdmin.exe tool. CompatAdmin.exe
is provided in the Application Compatibility Toolkit, which is available from the Microsoft Web
site at http://go.microsoft.com/fwlink/?linkid=9513. Some of the tools in the Application
Compatibility Toolkit can directly affect CAPIMON, such as stopping a shim of a process. As a
best practice, you should always use CAPIMON to configure itself. CompatAdmin.exe should
only be used as a configuration viewer.

Caution
Do not allow CAPIMON to continue to monitor applications, because it
will reduce the computer’s performance. It should only be enabled when
you are actively capturing data for analysis. As a best practice, you
should disable and uninstall CAPIMON when you resolve the issue.

Stopping Data Capture


Once a sample of data that probably contains the desired error has been obtained, you should stop
the logging. This will allow the log file to remain as small as possible while still containing the
desired information. It will also minimize the amount of performance degradation caused by
CAPIMON. To stop the CAPIMON logging, complete the following procedure:
1. Click Start, click Run, type cmd, and then press ENTER.
2. Type Capimon.exe -stop and then press ENTER.
This procedure stops all CAPIMON logging. It does not stop the CAPIMON shim from
functioning or uninstall the program. For instructions on removing the shim and uninstalling
CAPIMON, see “Removal,” later in this document.

Reading Captured Data with the CAPIMON Viewer
CAPIMON supplies a viewer, CapimonUI.exe, to display the details of the captured information.
This viewer is important, as there is a great deal of information stored in the CAPIMON captures
that cannot be easily interpreted on its own. CAPIMON interprets and formats that data to help
you read and understand the operations in the log file.
To view captured CAPIMON data, complete the following procedure:
1. Click Start, click Run, type cmd, and then press ENTER.
2. Type CapimonUI.exe CAPIMON_FileName and then press ENTER, where
CAPIMON_FileName is the path and file name of the captured data.
This procedure opens a CAPIMON viewer window with the specified CAPIMON data capture
displayed. As an alternative to this procedure, you can start Windows Explorer and then drag a
CAPIMON log file onto the CapimonUI.exe application file. This starts the CAPIMON viewer
and displays the log file.

Note
You must stop logging to the file before it can be viewed in the
CAPIMON viewer. Open log files cannot be displayed.

Using the CAPIMON Viewer


The CAPIMON viewer, also called CAPIMONUI, has two lists: a list of captured CryptoAPI
function calls at the top and a detail list below it. Click any CryptoAPI call in the list of function
calls to display the details of that call in the detail list. This allows you to scroll through all calls
that are captured and only display the details of the calls that might be relevant to the current
problem.
Many CryptoAPI calls have hyperlink details provided in the CAPIMON viewer to provide
additional information and help with troubleshooting tasks. These hyperlinks will be one of the
following:
• View Certificate Chain. (Determined at the time of capture.) Displays the certificate chain
that the computer running CAPIMON built at the time the data was captured.
• View Certificate. (In current context.) Displays the certificate that was used for the
CryptoAPI call. It might not display a certificate chain. If a chain is displayed, it is evaluated
on the current computer and not the computer where the capture occurred.
• View CRL. (Determined at the time of capture.) This link displays the certificate revocation
list (CRL) that the computer running CAPIMON used at the time the data was captured.
• View CTL. (Determined at the time of capture.) This link displays the certificate trust list
(CTL) that the computer running CAPIMON used at the time the data was captured.
Note that the View Certificate option displays the information about the individual certificate
used in the CryptoAPI call. It might be displayed with a corresponding certificate chain, but that
chain is not the same as the chain that was evaluated during the CAPIMON capture. To view the
certificate chain as it was captured during the CAPIMON session, you should click View
Certificate Chain. This displays the exact certificate chain that was captured during the trace.

Considerations When Using the CAPIMON Viewer


CAPIMON displays the certificate chain, certificate revocation list (CRL), and certificate trust
list (CTL) status as it was evaluated on the computer running CAPIMON at the time of the
capture and within the security context of the application being monitored. Although the captured
information can be displayed on a different computer, it does not affect the display of that
captured data. For example, suppose that a certificate has an invalid chain on the computer
running CAPIMON, but the computer viewing the data can successfully build a certificate chain
for that certificate. In that case, CAPIMON will display the broken certificate chain of the
original computer.
Although you cannot directly export data from the CAPIMON Viewer, you can select the data in
the details window and press CTRL+C to copy data to the clipboard. You can then use CTRL+V
to paste the data into other applications for later review, for printing, and so forth.
When you click View Certificate Chain in CAPIMONUI, the details of the certificate chain are
displayed in the same way as if you double-clicked the certificate object in Windows Explorer.
However, there is an important difference. When this information is displayed from CAPIMON
Viewer, a Cert Info tab is added to the properties of the certificate chain. This tab displays
detailed information about the end certificate in the certificate chain. This includes trust and
revocation status information that was evaluated and any errors that were encountered when
building the certificate chain. You can view this type of information for each certificate in the
chain by double-clicking each certificate on the Certification Path tab, and then clicking the
Cert Info tab.
The CAPIMON viewer displays the raw data that is provided to the monitored application by
CryptoAPI. The raw data can sometimes be difficult to interpret, especially in the case of error
codes. When CAPIMON displays error codes for CryptoAPI calls, they are shown as provided to
the application and not interpreted in any way. As a result, you might need to review more than
one error value to determine the actual error code of an unsuccessful CryptoAPI call. When you
review calls that return an error, you should always review the Return Value, Last Error, and
Error Status values. The combination of these values provides a more complete picture of the
actual errors and their causes.

Interpreting Data with CAPIMON


Once you have installed CryptoAPI Monitor (CAPIMON) and used it to capture data, you must
then interpret this data to determine the cause of the problem. This section focuses on
troubleshooting the most common uses of CryptoAPI by Microsoft products. Each common use
scenario is presented with a sample capture and a detailed explanation of that captured data.
Although your CAPIMON data will be different, these scenarios should help you identify the
cause of the problem.

Authentication by IPSec for a Certificate Chain


You can configure Internet Protocol security (IPSec) to use certificates to verify the subjects that
establish a secure network connection. During secure session establishment, IPSec obtains the
certificate for the other party. It then verifies the authenticity of the certificate and ensures that
the certificate chains to a trusted root.
In Function Calls, IPSec successfully verifies a certificate and its chain during session
establishment:
Index | Time | API | End Entity Certificate | Root Certificate | Status | User | Thread Id
1 | 8/1/2003 19:47 | CertFindChainInStore | Not Found | Not Found | Not Found | System | 2060
2 | 8/1/2003 19:47 | CertFindChainInStore | | Sample Root CA | OK | System | 2060
3 | 8/1/2003 19:47 | CertDllVerifyRevocation | N/A | N/A | Error | System | 2060
4 | 8/1/2003 19:47 | CertDllVerifyRevocation | N/A | N/A | Error | System | 2060
5 | 8/1/2003 19:47 | CertDllVerifyRevocation | N/A | N/A | OK | System | 2060

CryptoAPI verified the certificate on Line 2. It then began building and verifying the chain and
revocation information in Lines 3, 4, and 5. Finally, a success was passed back to IPSec in
Line 5. In Details for Line 2, CAPIMON displays the following:
CertFindChainInStore
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 20121
User Name: SYSTEM

Return Value: Success (1)

Last Error: Cannot find object or property. (0x80092004)

CertFindChainInStore Parameters
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Find Flags: 0x0000400d


CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG (0x00000001)
CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG (0x00000004)
CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG (0x00000008)
CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG (0x00004000)

Find Type: 0x00000001


CERT_CHAIN_FIND_BY_ISSUER (0x00000001)

Previous Chain Context:


None

Find Para:
None

This certificate shows the following data in the Trust Status section of the Cert Info tab, which
proves the validity of the certificate:
Error Status:
(0x00000000)
No Error

Info Status:
(0x00000102)
CERT_TRUST_HAS_KEY_MATCH_ISSUER
CERT_TRUST_HAS_PREFERRED_ISSUER

Viewing each certificate in the chain shows similar results, with the exception of the Root CA
certificate which has the following information in the Info Status field:
(0x0000010c)
CERT_TRUST_HAS_NAME_MATCH_ISSUER
CERT_TRUST_IS_SELF_SIGNED
CERT_TRUST_HAS_PREFERRED_ISSUER
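
The Trust Status values just shown, and the advice in “Considerations When Using the CAPIMON Viewer” to read Return Value, Last Error, and Error Status together, can be turned into a small decoder. The following Python script is an added example and is not part of CAPIMON: its flag tables hold the CERT_TRUST_* and CERT_CHAIN_FIND_BY_ISSUER_* constants from wincrypt.h (only the subset needed here), the two non-zero HRESULTs are the ones that appear in the captures in this document, and summarize() is a hypothetical triage helper whose wording is the example's own. It also generalizes beyond the values on this page: any dwErrorStatus, dwInfoStatus or dwFindFlags word is expanded, and bits the tables do not know are reported rather than dropped.

```python
"""Decode the Return Value, Last Error, Error Status and Info Status fields
that the CAPIMON viewer shows for a CryptoAPI call.

Added example, not part of CAPIMON. Flag values are from wincrypt.h; the
HRESULT texts are the ones shown in this document's captures; summarize() is a
hypothetical triage helper.
"""

# dwErrorStatus bits of CERT_TRUST_STATUS (wincrypt.h). 0 means "No Error".
ERROR_STATUS_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
# dwInfoStatus bits of CERT_TRUST_STATUS.
INFO_STATUS_FLAGS = {
    0x00000001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x00000002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x00000004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x00000008: "CERT_TRUST_IS_SELF_SIGNED",
    0x00000100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
    0x00010000: "CERT_TRUST_IS_COMPLEX_CHAIN",
}
# dwFindFlags of CertFindChainInStore, as listed in the captures above.
FIND_FLAGS = {
    0x00000001: "CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG",
    0x00000004: "CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG",
    0x00000008: "CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG",
    0x00004000: "CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG",
}
# Last Error HRESULTs seen in this document's captures.
CRYPT_E_NOT_FOUND = 0x80092004
CRYPT_E_NO_REVOCATION_CHECK = 0x80092012
LAST_ERROR_TEXT = {
    0x00000000: "The operation completed successfully.",
    CRYPT_E_NOT_FOUND: "Cannot find object or property.",
    CRYPT_E_NO_REVOCATION_CHECK: "The revocation function was unable to check "
                                 "revocation for the certificate.",
}


def decode_flags(value, table):
    """Expand an OR-ed 32-bit flag word into names, lowest bit first, the way
    the viewer lists them. Unknown bits are kept as UNKNOWN_0x... so that a
    status the table does not cover is never silently reported as clean."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = (value & ~known) & 0xFFFFFFFF
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:08x}")
    return names


def describe_last_error(code):
    """Render a Last Error value in the viewer's 'message (0x........)' form."""
    text = LAST_ERROR_TEXT.get(code, "Unrecognized HRESULT; look it up in winerror.h.")
    return f"{text} (0x{code:08x})"


def summarize(return_value, last_error, error_status):
    """Triage one call from the three values the text says to read together.
    Return Value and dwErrorStatus take precedence: a stale Last Error such as
    0x80092004 can still be set on a call that actually succeeded (Line 2 above)."""
    if return_value and error_status == 0:
        return "success"
    if last_error == CRYPT_E_NOT_FOUND:
        return "no chain found in store: issuer or root certificate not present"
    if last_error == CRYPT_E_NO_REVOCATION_CHECK:
        return "revocation could not be checked: CRL unavailable for this certificate"
    flags = decode_flags(error_status, ERROR_STATUS_FLAGS)
    if flags:
        return "chain built with errors: " + ", ".join(flags)
    return f"failure: {describe_last_error(last_error)}"


if __name__ == "__main__":
    # (Return Value, Last Error, dwErrorStatus) triples taken from the captures in
    # this document; the Outlook triple is constructed from its "Not Time Valid" status.
    cases = {
        "IPSec, CertFindChainInStore Line 2": (1, CRYPT_E_NOT_FOUND, 0x00000000),
        "IPSec, CertDllVerifyRevocation Line 3": (0, CRYPT_E_NO_REVOCATION_CHECK, 0x00000000),
        "IPSec, root missing from Trusted Root store": (0, CRYPT_E_NOT_FOUND, 0x00000000),
        "Outlook, expired signer certificate": (1, 0x00000000, 0x00000001),
    }
    for label, triple in cases.items():
        print(f"{label}: {summarize(*triple)}")
    print("Info Status 0x0000010c:", ", ".join(decode_flags(0x10C, INFO_STATUS_FLAGS)))
    print("Find Flags 0x0000400d:", ", ".join(decode_flags(0x400D, FIND_FLAGS)))
```

The ordering inside summarize() is the point: Line 2 of the IPSec capture reports Success (1) with a Last Error of 0x80092004 left over from the earlier failed lookup, so a triage that keyed on Last Error alone would misread a working chain as a failure.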

In Function Calls, Lines 2-5 show three steps in checking revocation. The extended data in two of
the lines shows the following information:

CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 161043
User Name: SYSTEM

Return Value: Failure (0)


Last Error: The revocation function was unable to check revocation for the
certificate. (0x80092012)

CertDllVerifyRevocation Parameters:

Encoding Type: 0x00000001


X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000005
CERT_VERIFY_REV_CHAIN_FLAG (0x00000001)
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)

Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)
Stores:
None
Time to Use: 11/25/1634 13:20:02 519
Url Retrieval Timeout: 10000 (ms)
Time since CRL was published: None
Current Time: 11/25/1634 13:20:02 519
Revocation Status:
None

Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: None

The error 0x80092012 maps to “The revocation function was unable to check revocation for the
certificate.” The CertDllVerifyRevocation function actually failed twice in Lines 3 and 4 before
it was able to find a valid CRL in Line 5, which happens frequently when multiple CDPs are
specified:

CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 20131
User Name: SYSTEM

Return Value: Success (1)


Last Error: The operation completed successfully. (0x00000000)

CertDllVerifyRevocation Parameters:

Encoding Type: 0x00000001


X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000005
CERT_VERIFY_REV_CHAIN_FLAG (0x00000001)
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)

Stores:
None

Time to Use: 11/25/1634 13:20:02 519

Url Retrieval Timeout: 9984 (ms)

Time since CRL was published: None

Current Time: 11/25/1634 13:20:02 519

Revocation Status:
None

Revocation Status:
Index: 0
Error: 0
Reason: 0
Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 016 ms

Authentication by IP Security Fails Because of a Bad Certificate Chain
This is a very simple capture, because the CryptoAPI function CertFindChainInStore does not
see the rest of the certificate chain because the Root CA certificate is not in the Trusted Root
store for the local computer.
In Function Calls, CAPIMON displays the following information.
Index | Time | API | End Entity Certificate | Root Certificate | Status | User | Thread Id
1 | 8/1/2003 19:41 | CertFindChainInStore | Not Found | Not Found | Not Found | System | 2060
2 | 8/1/2003 19:41 | CertFindChainInStore | Not Found | Not Found | Not Found | System | 2060
3 | 8/1/2003 19:41 | CertFindChainInStore | Not Found | Not Found | Not Found | System | 2060
4 | 8/1/2003 19:41 | CertFindChainInStore | Not Found | Not Found | Not Found | System | 2060

All four lines have the same output: “Cannot find object or property.” The certificate does not
chain.

CertFindChainInStore

Computer: COMPUTER
Process ID: 640
Process Name: LSASS
Thread ID: 2060
Transaction ID: 143452
User Name: SYSTEM

Return Value: Failure (0)


Last Error: Cannot find object or property. (0x80092004)

CertFindChainInStore Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Find Flags: 0x0000400d


CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG (0x00000001)
CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG (0x00000004)
CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG (0x00000008)
CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG (0x00004000)

Find Type: 0x00000001



CERT_CHAIN_FIND_BY_ISSUER (0x00000001)

Previous Chain Context:


None

Find Para:
None

Authentication by Microsoft Outlook 2003 Fails When Opening a Signed E-mail
When opening a signed e-mail in Microsoft Outlook 2003, an error message appears below the
Subject line.
Signed by: There are problems with the signature. Click the signature button for details.
If you click Signature, the following message appears:
The digital signature on this message is Invalid or Not Trusted.
The Security tab of the message’s properties contains the following errors:
Error: There was an error in the “Digital Signature Layer”. Signed message.
Error: There was an error in the “Signer: subject@microsoft.com” layer. Signed.
Error: The certificate used to create this signature is no longer valid.
Signed by subject@microsoft.com using RSA/SHA1 at 04:09:54 PM 3/20/2003.
When you examine the certificate in Outlook, these errors are displayed:
Error: There were problems validating the certificate used to create this signature.
Error: The certificate used to create this signature is no longer valid.
Function Calls displays the following table:
Index  Time             API                      End Entity Certificate  Root Certificate  Status          User     Thread Id
1      8/27/2003 02:59  CertDllVerifyRevocation  N/A                     N/A               Error           mikedan  804
2      8/27/2003 02:59  CertDllVerifyRevocation  N/A                     N/A               OK              mikedan  804
3      8/27/2003 02:59  CertDllVerifyRevocation  N/A                     N/A               OK              mikedan  804
4      8/27/2003 02:59  CertDllVerifyRevocation  N/A                     N/A               OK              mikedan  804
5      8/27/2003 02:59  CertGetCertificateChain  Subject                 Sample Root CA    Not Time Valid  mikedan  804

In the Details portion of Line 1, you see that CertDllVerifyRevocation fails immediately.

CertDllVerifyRevocation
Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 2488
User Name: mikedan

Return Value: Failure (0)


Last Error: The revocation function was unable to check revocation for the
certificate. (0x80092012)

CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000004
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)

Stores:
None

Time to Use: 08/27/2003 02:59:36 162

Url Retrieval Timeout: 20000 (ms)

Time since CRL was published: None

Current Time: 08/27/2003 02:59:36 162

Revocation Status:
None

Revocation Status:
Index: 0

Error: 0

Reason: 0

Time since CRL was published: None

In the Details portion of Lines 2-4, you can see that CertDllVerifyRevocation successfully
checks the revocation of the certificate.
CertDllVerifyRevocation
Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 159305
User Name: mikedan

Return Value: Success (1)


Last Error: The operation completed successfully. (0x00000000)

CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000004
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG (0x00000004)

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)

Stores:
None

Time to Use: 08/27/2003 02:59:36 162

Url Retrieval Timeout: 20000 (ms)

Time since CRL was published: None

Current Time: 08/27/2003 02:59:36 162

Revocation Status:
Base CRL: View CRL... (determined at the time of capture)

Revocation Status:
Index: 0

Error: 0

Reason: 0

Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 018 ms

In the Details portion of Line 5, you can see that CertGetCertificateChain determined that the
certificate had expired.

CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 4052
Process Name: OUTLOOK
Thread ID: 804
Transaction ID: 310
User Name: mikedan

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

CertGetCertificateChain Parameters:

Chain Engine: 0
HCCE_CURRENT_USER (0)

View Certificate... (in current context)

Time for Chain Verification: 08/27/2003 02:59:36 162

Additional Store:
Certificates:
1. View Certificate... (in current context)

2. View Certificate... (in current context)

3. View Certificate... (in current context)

4. View Certificate... (in current context)

5. View Certificate... (in current context)

CRLs:
None

CTLs:

None

Flags: 0x28000001
CERT_CHAIN_CACHE_END_CERT (0x00000001)
CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT (0x08000000)
CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)

Chain Para:
Requested Usages (Type: AND):
Secure Email (1.3.6.1.5.5.7.3.4)

Issuance Usages (Type: AND):


None

Time since CRL was published: None

Url Retrieval Timeout: 0 (ms)

The following is displayed on the Cert Info tab of View Certificate Chain.
Error Status:
0x00000001
CERT_TRUST_IS_NOT_TIME_VALID (0x00000001)

Info Status:
0x00000102
CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x00000002)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)

On the Details tab of the certificate, in Validity Period, you find that the certificate expired
5 months before the e-mail was read:
Valid to: Wednesday, April 23, 2003 10:38:33 PM

Authentication Fails When Using Outlook Web Access to Establish an HTTP Session Over SSL (HTTPS) with an Untrusted Root Certificate
In this scenario, the user uses Internet Explorer 6.0 to connect to an Outlook Web Access server.
The issuer of the Secure Sockets Layer (SSL) certificate is not in the computer’s Trusted Root
store.
When you access the Web site, an error message appears:
Information you exchange with this site cannot be viewed or changed by others. However,
there is a problem with the site’s security certificate.
The security certificate was issued by a company you have not chosen to trust. View the
certificate to determine whether you want to trust the certifying authority.
On the General tab, there is another error message:
The certificate cannot be verified up to a trusted certification authority.
Function Calls displays the following table.

Index  Time             API                               End Entity Certificate  Root Certificate       Status         User     Thread Id
1      8/27/2003 04:11  CertGetCertificateChain           mail.tailspintoys.com   mail.tailspintoys.com  Partial Chain  mikedan  1400
2      8/27/2003 04:11  CertVerifyCertificateChainPolicy  mail.tailspintoys.com   mail.tailspintoys.com  Partial Chain  mikedan  1400
3      8/27/2003 04:11  CertGetCertificateChain           mail.tailspintoys.com   mail.tailspintoys.com  Partial Chain  mikedan  1400
4      8/27/2003 04:11  CertVerifyCertificateChainPolicy  mail.tailspintoys.com   mail.tailspintoys.com  Partial Chain  mikedan  1400

In the Status column, the status is listed as Partial Chain. In Line 1, CertGetCertificateChain
fails.
Details for Line 1 display the following information.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

CertGetCertificateChain Parameters:

Chain Engine: 0
HCCE_CURRENT_USER (0)

View Certificate... (in current context)

Time for Chain Verification: 08/27/2003 04:11:24 932

Additional Store:
Certificates:
1. View Certificate... (in current context)

CRLs:
None

CTLs:
None

Flags: 0x00000000
None

Chain Para:
Requested Usages (Type: OR):
Server Authentication (1.3.6.1.5.5.7.3.1)
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1

Issuance Usages (Type: AND):


None

Time since CRL was published: None

Url Retrieval Timeout: 0 (ms)

On the Cert Info tab of View Certificate Properties, the certificate status shows that it is acting
as if it is self-signed, when it is not.
Info Status:
0x00000004
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)

CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

CertVerifyCertificateChainPolicy Parameters:
Policy OID: 4
CERT_CHAIN_POLICY_SSL (4)

Policy Para:
Flags: 0x00000000
None

Policy Status:
Error: CERT_E_UNTRUSTEDROOT (0x800b0109)

Chain Index: 0

Element Index: -1

In Line 2, the error is displayed. The user or computer does not trust the issuer of the SSL
certificate.
CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)

View Certificate... (in current context)

Time for Chain Verification: 08/27/2003 04:11:25 119

Additional Store:
Certificates:
1. View Certificate... (in current context)

CRLs:
None

CTLs:
None

Flags: 0x00000000
None

Chain Para:
Requested Usages (Type: OR):
Server Authentication (1.3.6.1.5.5.7.3.1)
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1

Issuance Usages (Type: AND):


None

Time since CRL was published: None

Url Retrieval Timeout: 0 (ms)

CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 1204
Process Name: IEXPLORE
Thread ID: 1400
Transaction ID: 3
User Name: mikedan

Return Value: Success (1)


Last Error: The operation completed successfully. (0x00000000)

CertVerifyCertificateChainPolicy Parameters:
Policy OID: 4
CERT_CHAIN_POLICY_SSL (4)

Policy Para:
Flags: 0x00000000
None

Policy Status:
Error: ERROR_SUCCESS (0x00000000)

Chain Index: -1

Element Index: -1

In Lines 3 and 4, even though the certificate is not trusted, it is still usable for SSL, if the user
chooses to move forward or trust the issuing certification authority.

Authentication Fails When a Domain Controller Denies a Smart Card Logon Request
Sometimes, you can use CAPIMON to troubleshoot a server-side problem when it is difficult to
determine a client-side problem. When a user is logging on to a workstation that requires smart
card authentication, it is difficult to use CAPIMON to capture data on the client; instead, look at
the server-side behavior to determine the problem.
In Function Calls, CAPIMON displays the following table.

Index  Time             API                               End Entity Certificate  Root Certificate  Status  User    Thread Id
1      8/02/2003 00:09  CertDllVerifyRevocation           N/A                     N/A               OK      SYSTEM  1012
2      8/27/2003 00:09  CertDllVerifyRevocation           N/A                     N/A               OK      SYSTEM  1012
3      8/27/2003 00:09  CertGetCertificateChain           User                    Sample Root CA    OK      SYSTEM  1012
4      8/27/2003 00:09  CertVerifyCertificateChainPolicy  User                    Sample Root CA    OK      SYSTEM  1012

The first two lines suggest that there is not a problem with the revocation of the certificate that
the smart card user is using.

CertDllVerifyRevocation
Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 64503
User Name: SYSTEM

Return Value: Success (1)


Last Error: The operation completed successfully. (0x00000000)

CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000000
None

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
View Certificate... (in current context)

Stores:
None

Time to Use: 08/02/2003 00:09:57 057

Url Retrieval Timeout: 15000 (ms)

Time since CRL was published: None

Current Time: 08/02/2003 00:09:57 057

Revocation Status:
Base CRL: View CRL... (determined at the time of capture)

Delta CRL: View CRL... (determined at the time of capture)

Revocation Status:
Index: 0

Error: 0

Reason: 0

Time since CRL was published: 00 days 00 hours 00 minutes 00 seconds 010 ms

CertGetCertificateChain
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 64502
User Name: SYSTEM

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

In Function Calls, Lines 3 and 4 show the server attempting to build the certificate chain. In
Line 4, the Certification Path tab shows a full chain.
CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)

View Certificate... (in current context)

Time for Chain Verification: 00/00/0000 00:00:00 000

Additional Store:
None

Flags: 0x40000000
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

Chain Para:
Requested Usages (Type: AND):
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Issuance Usages (Type: AND):


None

Time since CRL was published: None

Url Retrieval Timeout: 0 (ms)



CertVerifyCertificateChainPolicy
View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER
Process ID: 440
Process Name: LSASS
Thread ID: 1012
Transaction ID: 1007
User Name: SYSTEM

Return Value: Success (1)


Last Error: Cannot find object or property. (0x80092004)

CertVerifyCertificateChainPolicy Parameters:
Policy OID: 6

Policy Para:
Flags: 0x00000000
None

Policy Status:
Error: Unknown Error (0x800b0112)

Chain Index: 0

Element Index: 1

In Function Calls, on Line 4, there is an Unknown Error (0x800b0112) in the Policy Status
column. The Certutil.exe tool displays the following error message for this error code.

0x800b0112 (-2146762478) -- 2148204818 (-2146762478)
Error message text: A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

The chain was built successfully, but the server did not trust a certification authority in the chain.
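When CAPIMON reports only "Unknown Error (0x800b0112)", the code itself can be decoded without Certutil.exe. The following is an added Python example, not part of CAPIMON or Certutil.exe: it splits an HRESULT into its severity, facility and code fields, converts between the signed and unsigned forms that Certutil.exe prints side by side (-2146762478 and 2148204818), and names the codes that appear in the captures in this document. The symbolic names (CRYPT_E_*, CERT_E_*) are the public Windows SDK names for these values; the message strings are the ones quoted in the captures.

```python
"""Decode the HRESULT values that CAPIMON and Certutil.exe print.

Added example, not part of the CAPIMON documentation or the tools themselves.
"""

# Codes seen in the captures (CAPIMON "Last Error", CertVerifyCertificateChainPolicy
# "Policy Status", and Certutil.exe output). Names are the Windows SDK names.
KNOWN_HRESULTS = {
    0x00000000: ("ERROR_SUCCESS", "The operation completed successfully."),
    0x80092004: ("CRYPT_E_NOT_FOUND", "Cannot find object or property."),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK",
                 "The revocation function was unable to check revocation for the certificate."),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE",
                 "The revocation function was unable to check revocation because the "
                 "revocation server was offline."),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT",
                 "A certificate chain processed, but terminated in a root certificate "
                 "which is not trusted by the trust provider."),
    0x800B0112: ("CERT_E_UNTRUSTEDCA",
                 "A certification chain processed correctly, but one of the CA "
                 "certificates is not trusted by the policy provider."),
}

# Facility numbers from the HRESULT layout (winerror.h).
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SECURITY", 11: "FACILITY_CERT"}


def to_unsigned(value):
    """Certutil prints both forms: -2146762478 and 2148204818 are one HRESULT."""
    return value & 0xFFFFFFFF


def to_signed(value):
    v = value & 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def decode_hresult(value):
    """Split an HRESULT (signed or unsigned) into its fields and name known codes."""
    hr = to_unsigned(value)
    severity = (hr >> 31) & 1        # 1 = failure, which is why these start with 0x8
    facility = (hr >> 16) & 0x7FF    # 9 = CRYPT_E_*, 11 = CERT_E_*, 7 = wrapped Win32
    code = hr & 0xFFFF
    name, text = KNOWN_HRESULTS.get(hr, ("Unknown Error", None))
    result = {
        "hresult": hr,
        "signed": to_signed(hr),
        "failed": severity == 1,
        "facility": FACILITIES.get(facility, facility),
        "code": code,
        "name": name,
        "text": text,
    }
    # For FACILITY_WIN32 the low 16 bits are a plain Win32 error number,
    # which is what Certutil prints as "(WIN32: 12007)" or "(WIN32: 53)".
    if facility == 7:
        result["win32"] = code
    return result


def parse_last_error(line):
    """Pull the hex code out of a CAPIMON 'Last Error: ... (0x80092004)' line."""
    start = line.rfind("(0x")
    end = line.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no hex code in line: %r" % line)
    return decode_hresult(int(line[start + 1:end], 16))


if __name__ == "__main__":
    for v in (-2146762478, 2148204818, 0x80092013, 0x80072EE7):
        d = decode_hresult(v)
        print("0x%08x (%d) %s facility=%s code=%d"
              % (d["hresult"], d["signed"], d["name"], d["facility"], d["code"]))
```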

Using Certutil.exe to Verify the Validity of a Certificate


One of the most useful troubleshooting tools for problems in a Microsoft public key
infrastructure (PKI) is the Certutil.exe command-line tool. In this case, at a command prompt,
type certutil -verify -urlfetch to display revocation and trust information, which you can use to
ensure proper configuration. In CAPIMON, Function Calls displays the following. (Lines which
are not important to this illustration are not shown.)

Index  Time             API                               End Entity Certificate  Root Certificate  Status  User     Thread Id
4      8/26/2003 12:40  CertGetCertificateChain           Mike Danseglio          Sample Root CA    OK      mikedan  3160
5      8/26/2003 12:40  CertVerifyCertificateChainPolicy  Mike Danseglio          Sample Root CA    OK      mikedan  3160
6      8/26/2003 12:40  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
7      8/26/2003 12:40  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
8      8/26/2003 12:40  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
9      8/26/2003 12:40  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
10     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     Not Found         OK      mikedan  3160
11     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
12     8/26/2003 12:41  CertGetCertificateChain           Mike Danseglio          Sample Root CA    OK      mikedan  3160
13     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
14     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
15     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
16     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
17     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
18     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
19     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
20     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160
37     8/26/2003 12:41  CertGetCertificateChain           Sample Root CA          Sample Root CA    OK      mikedan  3160
38     8/26/2003 12:41  CertDllVerifyRevocation           N/A                     N/A               OK      mikedan  3160
39     8/26/2003 12:41  CertVerifyRevocation              N/A                     N/A               OK      mikedan  3160

The following section displays output from Certutil.exe, with the corresponding CAPIMON
information:
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 5 Weeks, 14 Hours, 43 Minutes, 22 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)


SimpleChain.dwRevocationFreshnessTime: 5 Weeks, 14 Hours, 43 Minutes, 22 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0


Issuer: CN=Microsoft Intranet Level 2 User CA 2, DC=wingtiptoys, DC=com
Subject: E=mikedan@microsoft.com, CN=Mike Danseglio, CN=Users, DC=wingtiptoys,
DC=com
Serial: 4d9f41fe000000000b37
Template: MS Smartcard User
b1 de e1 82 8f 4b e7 0d 39 6a 04 76 ab 10 a9 af 72 d2 09 60
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

The following is the CAPIMON Details view of Line 4.

CertGetCertificateChain

View Certificate Chain... (determined at the time of capture)

Lower Quality Chains:


None

Computer: COMPUTER01
Process ID: 3072
Process Name: CERTUTIL
Thread ID: 3160
Transaction ID: 172314
User Name: mikedan

Return Value: Success (1)


Last Error: The command completed successfully. (0x00000000)

CertGetCertificateChain Parameters:
Chain Engine: 0
HCCE_CURRENT_USER (0)

View Certificate... (in current context)



Time for Chain Verification: 00/00/0000 00:00:00 000

Additional Store:
None

Flags: 0x40000000
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

Chain Para:
Requested Usages (Type: AND):
None

Issuance Usages (Type: AND):


None

Time since CRL was published: None

Url Retrieval Timeout: 0 (ms)


On the Cert Info tab of View Certificate Chain, the following data is displayed in the Info
Status field. This information matches the Certutil.exe output:
0x00000102
CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x00000002)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)
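The Info Status and Error Status words in these views (here, and in the Outlook and Outlook Web Access walkthroughs above) are bit masks, as are the CertGetCertificateChain Flags. The following is an added Python example, not part of CAPIMON or Certutil.exe, that expands such words into their CERT_TRUST_* and CERT_CHAIN_* names using the public wincrypt.h values, parses the CertContext[i][j] lines from Certutil.exe output into the same view CAPIMON shows, and derives a Status-column label; the label mapping is an approximation made for this example, since the tool's exact rule is not documented here.

```python
"""Expand CAPIMON Info Status / Error Status words and CertGetCertificateChain
Flags into CERT_TRUST_* / CERT_CHAIN_* names, and read the matching
CertContext[i][j] lines from Certutil.exe output.

Added example; it is not part of CAPIMON or Certutil.exe. Bit values are the
public constants from wincrypt.h (a subset; unknown bits are reported as such).
"""
import re

# dwErrorStatus bits (wincrypt.h, subset).
ERROR_STATUS_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

# dwInfoStatus bits (wincrypt.h, subset).
INFO_STATUS_FLAGS = {
    0x00000001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x00000002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x00000004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x00000008: "CERT_TRUST_IS_SELF_SIGNED",
    0x00000100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
    0x00010000: "CERT_TRUST_IS_COMPLEX_CHAIN",
}

# CertGetCertificateChain dwFlags bits (wincrypt.h, subset).
CHAIN_FLAGS = {
    0x00000001: "CERT_CHAIN_CACHE_END_CERT",
    0x08000000: "CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT",
    0x10000000: "CERT_CHAIN_REVOCATION_CHECK_END_CERT",
    0x20000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN",
    0x40000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT",
    0x80000000: "CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY",
}


def decode_flags(value, table):
    """Names of the set bits, lowest bit first (the order CAPIMON prints them),
    plus one UNKNOWN(...) entry for any bits the table does not cover."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append("UNKNOWN(0x%08x)" % leftover)
    return names


# Labels the Status column shows in the walkthroughs, keyed by the error bit
# that explains them. Approximation made for this example, not CAPIMON's rule.
STATUS_LABELS = [
    (0x00000020, "Untrusted Root"),
    (0x00000001, "Not Time Valid"),
    (0x00010000, "Partial Chain"),
]


def status_label(error_status):
    for bit, label in STATUS_LABELS:
        if error_status & bit:
            return label
    return "OK" if error_status == 0 else "Error"


# Certutil.exe prints one line per chain element, hex without a 0x prefix:
#   CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
CERTCONTEXT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]:\s*dwInfoStatus=([0-9a-fA-F]+)\s+dwErrorStatus=([0-9a-fA-F]+)")


def parse_certutil_element(line):
    """Decode a CertContext line into the view CAPIMON shows on the Cert Info tab."""
    m = CERTCONTEXT_RE.search(line)
    if m is None:
        raise ValueError("not a CertContext line: %r" % line)
    chain, element, info_hex, err_hex = m.groups()
    info, err = int(info_hex, 16), int(err_hex, 16)
    return {
        "chain": int(chain),
        "element": int(element),
        "info": decode_flags(info, INFO_STATUS_FLAGS),
        "errors": decode_flags(err, ERROR_STATUS_FLAGS),
        "status": status_label(err),
    }


if __name__ == "__main__":
    # Sample lines taken from the Certutil.exe output quoted in this document.
    for line in ("CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0",
                 "CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0",
                 "CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20"):
        print(parse_certutil_element(line))
    print(decode_flags(0x28000001, CHAIN_FLAGS))  # the Outlook capture's Flags word
```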

Revocation Checking (CertVerifyRevocation, CertDllVerifyRevocation)
In the CAPIMON Viewer, in Function Calls, Lines 6-20 correspond to this Certutil.exe output:
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0]
ldap:///CN=Microsoft%20Intranet%20Level%202%20User%20CA%202,CN=AIA,CN=Public%20Ke
y%20Services,CN=Services,CN=Configuration,DC=wingtiptoys,
DC=com?cACertificate?base?objectClass=certificationAuthority

Verified "Certificate (0)" Time: 1


[1.0]
http://caserver01.wingtiptoys.com/CertEnroll/caserver01.wingtiptoys.com_Microsoft
%20Intranet%20Level%202%20User%20CA%202.crt

Verified "Certificate (0)" Time: 3


[2.0] http://caserver01.wingtiptoys.com/ca1.crt

---------------- Certificate CDP ----------------


Verified "Base CRL (189)" Time: 0
[0.0]
ldap:///CN=Microsoft%20Intranet%20Level%202%20User%20CA%202,CN=reditgcac09,CN=CDP
,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=wingtiptoys,
DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Verified "Base CRL (189)" Time: 1


[1.0]
ldap://caserver01.wingtiptoys.com/CN=Microsoft%20Intranet%20Level%202%20User%20CA
%202,CN=caserver01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration
,DC=wingtiptoys,DC=com?certificateRevocationList?base?objectClass=cRLDistribution
Point

Verified "Base CRL (189)" Time: 0


[2.0]
http://caserver01.wingtiptoys.com/CertEnroll/Microsoft%20Intranet%20Level%202%20U
ser%20CA%202.crl

Verified "Base CRL (189)" Time: 3


[3.0] http://caserver01.wingtiptoys.com/crl01.crl

---------------- Base CRL CDP ----------------


No URLs "None" Time: 0
--------------------------------

Later in the Certutil.exe output, you can see the verification of the Root CA certificate that
corresponds to Line 37 in Function Calls.
--------------------------------

CRL 0:
Issuer: CN=Sample Root CA, OU= PKIGroup, O=Wingtiptoys, L=Redmond, S=WA,
C=US, E=someone@wingtiptoys.com
63 68 07 2c 83 d0 ef 0a b8 c3 4e 86 c7 6b 8e a7 48 42 aa 0a
Issuance[0] = 1.3.6.1.4.1.311.42.1.1

CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0


Issuer: CN=Sample Root CA, OU=PKIGroup, O=Wingtiptoys, L=Redmond, S=WA, C=US,
E=admin@wingtiptoys.com
Subject: CN=Sample Root CA, OU= PKIGroup, O=Wingtiptoys, L=Redmond, S=WA, C=US,
E= admin@wingtiptoys.com
Serial: 6d0e6ec095a4c1b4488031531c588b31
8c 5f 31 42 80 a2 b0 e1 b1 0e b4 5a 53 86 ec 1d 89 ab ff 5a
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

In the View Certificate Chain details for Line 37, note the Info Status field; it corresponds to
the final results of the Certutil.exe command.
0x0000010c
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)
CERT_TRUST_IS_SELF_SIGNED (0x00000008)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)

This example shows how CAPIMON gives a hierarchical flow-based representation of data that
might otherwise be difficult to understand.

Using Certutil.exe to Verify the Validity of a Certificate That Is Not Trusted
In this instance, the user wants to verify a certificate that is from a completely different
enterprise. There is no way to verify the internal CRL distribution points (CDP) and the
certificate is not trusted. At a command prompt, the user types certutil -verify -urlfetch while
CAPIMON is running.
Index  Time             API                               End Entity Certificate  Root Certificate  Status          User     Thread Id
1      8/26/2003 12:34  CertGetCertificateChain           Root CA                 Root CA           Untrusted Root  mikedan  3520
2      8/26/2003 12:34  CertVerifyCertificateChainPolicy  Root CA                 Root CA           Untrusted Root  mikedan  3520
3      8/26/2003 12:34  CertGetCertificateChain           Root CA                 Root CA           Untrusted Root  mikedan  3520
4      8/26/2003 12:34  CertDllVerifyRevocation           N/A                     N/A               Error           mikedan  3520
5      8/26/2003 12:34  CertVerifyRevocation              N/A                     N/A               Error           mikedan  3520

The following is output from the specified Certutil.exe command.


Issuer:
CN=Sample Root CA
OU=Information Technology
O=Wingtiptoys
L=Bellevue
S=Washington
C=US
E=admin@wingtiptoys.com
Subject:
CN=Sample Root CA
OU=Information Technology
O=Wingtiptoys
L=Bellevue
S=Washington
C=US
E=admin@wingtiptoys.com
Cert Serial Number: 2a268d370c0e228443e718248b15adbe

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)



ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)


HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)


SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20


Issuer: CN=Sample Root CA,OU=Information
Technology,O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Subject: CN=Sample Root CA,OU=Information Technology,
O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Serial: 2a268d370c0e228443e718248b15adbe
3b 46 47 88 42 f4 78 dd 4f 21 ce ae ac 3b 7d 93 5a 66 89 d5
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Note that, in CAPIMON, the Error Status and Info Status shown in the certificate view for
Line 1 are very similar.
Error Status:
0x00000020
CERT_TRUST_IS_UNTRUSTED_ROOT (0x00000020)

Info Status:
0x0000010c
CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x00000004)
CERT_TRUST_IS_SELF_SIGNED (0x00000008)
CERT_TRUST_HAS_PREFERRED_ISSUER (0x00000100)
The following is the corresponding output from the Certutil.exe command.
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved
0x80072ee7 (WIN32: 12007)
http://rootca/CertEnroll/Root%20CA.crl

Failed "CDP" Time: 0


Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\caserver01\CertEnroll\Root%20CA.crl

--------------------------------

Exclude leaf cert:


da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09

Full chain:
3b 46 47 88 42 f4 78 dd 4f 21 ce ae ac 3b 7d 93 5a 66 89 d5
Issuer: CN=Sample Root CA,OU=Information Technology,
O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Subject: CN=Sample Root CA,OU=Information Technology,
O=Wingtiptoys,L=Bellevue,S=Washington,C=US,E=admin@wingtiptoys.com
Serial: 2a268d370c0e228443e718248b15adbe
3b 46 47 88 42 f4 78 dd 4f 21 ce ae ac 3b 7d 93 5a 66 89 d5
A certificate chain processed, but terminated in a root certificate which is not
trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation


function was unable to check revocation because the revocation server was
offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the
revocation server was offline.

CertUtil: -verify command completed successfully.

Lines 4 and 5 of the CAPIMON capture are listed below. They show the status of the revocation
check that Certutil.exe performs.
Line 4:
CertDllVerifyRevocation

Computer: COMPUTER01
Process ID: 3524
Process Name: CERTUTIL
Thread ID: 3520
Transaction ID: 31
User Name: mikedan

Return Value: Failure (0)


Last Error: The revocation function was unable to check revocation for the
certificate. (0x80092012)

CertDllVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001


CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000000
None

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
None

Stores:
None

Time to Use: 11/25/1634 13:20:02 519

Url Retrieval Timeout: 0 (ms)

Time since CRL was published: None

Current Time: 11/25/1634 13:20:02 519

Revocation Status:
None

Revocation Status:
Index: 0

Error: 0

Reason: 0

Time since CRL was published: None

Line 5:
CertVerifyRevocation
Computer: COMPUTER01
Process ID: 3524
Process Name: CERTUTIL
Thread ID: 3520
Transaction ID: 31
User Name: mikedan

Return Value: Failure (0)


Last Error: The revocation function was unable to check revocation because the
revocation server was offline. (0x80092013)

CertVerifyRevocation Parameters:
Encoding Type: 0x00000001
X509_ASN_ENCODING (0x00000001)

Revocation Type: 0x00000001



CERT_CONTEXT_REVOCATION_TYPE (0x00000001)

Flags: 0x00000000
None

Certificates:
1. View Certificate... (in current context)

Revocation Para:
Issuer's Certificate:
None

Stores:
None

Time to Use: 11/25/1634 13:20:02 519

Url Retrieval Timeout: 0 (ms)

Time since CRL was published: None

Current Time: 11/25/1634 13:20:02 519

Revocation Status:
None

Revocation Status:
Index: 0

Error: 0

Reason: 0

Time since CRL was published: None

Notice that Certutil.exe and CAPIMON both show the same error for the certificate. The
revocation function was unable to check revocation because the revocation server was offline,
which is confirmed by the result code 0x80092013.
CAPIMON is not only a very valuable troubleshooting tool; you can also use it to see how tools
like Certutil.exe work.

CAPIMON Removal
Once you have completed your troubleshooting work with CAPIMON, you should stop it from
monitoring the CryptoAPI calls. This will help ensure that there is no ongoing performance
degradation due to the tool’s installation. In most cases, you might want to entirely remove
CAPIMON from the computer. While stopping CAPIMON monitoring will ensure that
performance is not affected by the tool, you might prefer complete removal to ensure that the
monitoring is not unintentionally restarted.
CAPIMON must be removed by following two procedures. The first procedure stops CAPIMON
from monitoring the CryptoAPI calls that it has been configured to monitor. The second
procedure removes the CAPIMON program files that were created during installation.
To stop CAPIMON from monitoring the CryptoAPI calls, perform the following procedure:
1. Log on to the computer as a member of the local administrators group.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type Capimon.exe -cleanup and then press ENTER.
4. Reboot the computer when prompted.
To remove the CAPIMON program files that were created during installation, perform the
following steps:
1. Log on to the computer as a member of the local computer’s Administrators group.
2. Click Start, and then click Control Panel.
3. Double-click Add or Remove Programs, click Microsoft CAPIMON 1.0, and then click
Remove.
4. Click Yes to confirm removal.
Although the files can be left on the computer, the best practice is to remove the files when they
are not in use. This helps reduce the number of applications on the computer. CAPIMON can
easily be reinstalled at a later date if more monitoring is required.

CAPIMON Privacy Statement


Microsoft is committed to protecting your privacy. This privacy statement explains data
collection and use practices of the CAPIMON tool; it does not apply to other online or offline
Microsoft sites, products or services. By using the CAPIMON tool, you are consenting to the
information collection and use practices described in this privacy statement.

Collecting Your Personal Information


The CAPIMON tool will collect personal information if you choose to install and shim a process
with CAPIMON. The personal information that may be collected includes, but is not limited to
your user name, SID, machine name, process name(s), certificates, CRLs, CTLs as well as
subject and subject alternative name forms in certificates.
When the CAPIMON tool shims an application, any information passed in from an application to
the CryptoAPI API(s) or returned to the application will be captured and stored in the log file(s).
The log files are not transmitted from the local machine to any remote machine or service.
However, any local administrator on the local machine may have access to the log file(s) and
subsequently the information contained within them.

Use of Your Personal Information


The personal information CAPIMON collects may be used to provide troubleshooting and
diagnostic services when the log files are provided to Microsoft Product Support Services.
Except as otherwise described in this statement, the personal information you provide on this site
will not be shared outside of Microsoft and its controlled subsidiaries and affiliates without your
permission.
Microsoft may disclose personal information if required to do so by law or in the good faith
belief that such action is necessary to (a) conform to the edicts of the law or comply with legal
process served on Microsoft or the Site; (b) protect and defend the rights or property of Microsoft
and our family of Web sites; or (c) act in urgent circumstances to protect the personal safety of
Microsoft employees or agents, users of Microsoft products or services, or members of the
public.
Personal information collected with the CAPIMON tool and provided to Microsoft voluntarily
may be stored and processed in the United States or any other country in which Microsoft or its
affiliates, subsidiaries or agents maintain facilities, and by using the CAPIMON tool, you
consent to any such transfer of information outside of your country. Microsoft abides by the safe
harbor framework as set forth by the U.S. Department of Commerce regarding the collection,
use, and retention of data from the European Union.

Control of Your Personal Information


Except as otherwise described in this statement, personal information you provide via a
CAPIMON log will not be shared outside of Microsoft and its controlled subsidiaries and
affiliates without your permission.
Please be aware that this privacy statement and any choices you make with the CAPIMON tool
will not necessarily apply to personal information you may have provided to Microsoft in the
context of other, separately operated, Microsoft products or services.

Security of Your Personal Information


Microsoft is committed to protecting the security of your personal information. We use a variety
of security technologies and procedures to help protect your personal information from
unauthorized access, use, or disclosure. For example, we store the personal information you
provide on computer servers with limited access that are located in controlled facilities.
Additionally, when we transmit sensitive personal information (such as a credit card number)
over the Internet, we protect it through the use of encryption, such as the Secure Sockets Layer
(SSL) protocol.

Changes to This Privacy Statement


We may occasionally update this privacy statement. When we do, we will also revise the “last
updated” date at the top of the privacy statement. We encourage you to periodically review this
privacy statement to stay informed about how we are protecting the personal information we
collect. Your continued use of the CAPIMON tool constitutes your agreement to this privacy
statement and any updates.

Contact Information
Microsoft welcomes your comments regarding this privacy statement. If you believe that
Microsoft has not adhered to this privacy statement, please contact us by e-mail or via postal mail
at the addresses provided below, and we will use commercially reasonable efforts to promptly
determine and remedy the problem.
Microsoft Licensing, GP
6100 Neil Rd. suite 210
Reno, NV 89511
USA

Summary
CAPIMON is an effective tool for troubleshooting an application’s use of CryptoAPI. It can help
you identify exactly what applications are making CryptoAPI calls and what the results of those
calls are. Although many of the CryptoAPI applications are detailed in this document, the
CAPIMON tool can be used with any application that makes CryptoAPI calls.

Contacts
For questions about the CAPIMON tool or its usage, contact the CAPIMON team at
CAPIMON@microsoft.com. This alias does not provide assistance with troubleshooting issues
or resolving problems discovered by CAPIMON. For assistance in resolving issues, contact
Microsoft Product Support Services.