| Event Id | 95 |
| Source | Microsoft-Windows-CertificationAuthority |
| Description | Security permissions are corrupted or missing. Active Directory Certificate Services needs to be reinstalled. |
| Event Information | According to Microsoft : Cause This event is logged when Security permissions are corrupted or missing. Resolution Fix certification authority security permissions Information about essential security permissions is stored in the registry and is needed for a certification authority (CA) to function properly. To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority. To resolve security permission problems: Confirm that security descriptors have been corrupted. If you have a backup of the registry, restore registry settings from the backup. If you have a backup of the CA, you can restore the CA from the backup. If the restore procedure fails, create a CA debug log and contact Microsoft Customer Service and Support. For more information, see http://go.microsoft.com/fwlink/?LinkId=89446. Confirm security descriptor corruption To confirm that CA security descriptors have been corrupted: 1.Open a command prompt window. 2.Type certutil -getreg ca\security and press ENTER. Restore CA registry settings Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data. To restore registry settings from a hive file: 1.On the computer hosting the CA, click Start, type 2.Select the keys in which you want to restore the hive. 3.On the File menu, click Import, and then select the drive, folder, or network computer and folder in which the hive is located. 4.In Files of type, click Registry Hive Files, and select the correct file name for the hive. 5.Click Open. When a message appears indicating that the hive has been successfully imported, click OK. Restore a CA from a backup Note: To complete this procedure, you need to have created a backup of your CA prior to the failure, including registry settings, private key and CA certificate, certificate database, and database log. To restore a CA: 1.If you had to reinstall Windows, apply all current service packs and security updates before restoring the CA, and reinstall Active Directory Certificate Services (AD CS). 3.Right-click the name of the CA, and click Stop. 4.Import the registry hive for the CA by using the previous procedure. 5.In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA. 6.When the Certification Authority Restore Wizard starts, click Next, and then click Private keyand CA certificate. 7.Click Certificate database and certificate database log. 8.Type the backup folder location, and then click Next. 9.Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. 10.Click Finish, and then click Yes to restart AD CS. Create a debug log To create a debug log: 1.On the computer hosting the CA, click Start, type cmd and press ENTER. 2.Type certutil -setreg ca\debug 0xffffffe3 and press ENTER. 3.Click Start, point to Administrative Tools, and click B>Services. 4.Select the Active Directory Certificate Services service, and click Start. 5.When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory. 6.When you have finished generating the diagnostics, disable debugging by opening a command prompt window. 7.Type certutil -delreg ca\debug and press ENTER. Enable CryptoAPI 2.0 Diagnostics To enable CryptoAPI 2.0 Diagnostics: 1.On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer. 2.In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2. 3.Right-click Operational, and click Enable Log. 4.Click Start, point to Administrative Tools, and click Services. 5.Right-click Active Directory Certificate Services, and click Restart. Verify To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority. To confirm that the CA service is available: 1.On the computer hosting the CA, click Start, type cmd and press ENTER. 2.Type certutil -config |
| Reference Links | Event ID 95 from Source Microsoft-Windows-CertificationAuthority |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.