Recently, a new type of error I haven’t seen showed up on one of the servers I maintain and manage.
Event ID: 513
Source: CAPI2
Event:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary EraserUtilRebootDrv.
System Error:
The system cannot find the file specified.
.
After further investigation, I also noticed that when Windows Server Backup was running, sometimes snapshots on the C: volume wouldn’t “grow in time” and so were being automatically deleted.
It was difficult to find anything on the internet regarding this as in my case it was reporting “The system cannot find the file specified”, whereas all other cases were due to security permissions. On the bright side, I was able to identify the software that this file belonged to: Symantec Endpoint Protection.
Ultimately I found a fix. PLEASE ONLY attempt this if you are receiving the “The system cannot find the file specified” error. If you are seeing any “Access Denied” messages under System Error, your issue is related to something else.
To fix:
1) Uninstall Symantec Endpoint Protection.
2) Restart Server
3) Disable VSS snapshots for C: volume (NOTE: This will delete all existing snapshots for the drive.).
4) Re-install Symantec Endpoint Protection.
5) Re-enable VSS snapshots for C: volume.
When this issue occurred, I was seeing the event many times every hour. It’s been 4 days since I applied this fix and it has completely disappeared, back to a 100% clean event log!
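The rule above (apply the fix only when System Error reads “The system cannot find the file specified”, not “Access Denied”) can be checked across many events at once. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later and that the events are in the Application log. The function name Get-Capi2Event513Summary and the ExampleDrv sample message are made up for illustration.

```powershell
# Classify CAPI2 event 513 messages by the System Error they report.
function Get-Capi2Event513Summary {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $binary = $null
        $sysErr = $null
        # "AddLegacyDriverFiles: Unable to back up image of binary <name>."
        if ($Message -match 'Unable to back up image of binary\s+(\S+?)\.?\s*(\r?\n|$)') {
            $binary = $Matches[1]
        }
        # The line after "System Error:" carries the underlying error text.
        if ($Message -match 'System Error:\s*\r?\n\s*(.+?)\s*(\r?\n|$)') {
            $sysErr = $Matches[1]
        }
        if ($sysErr -match 'cannot find the file') { $kind = 'FileNotFound' }
        elseif ($sysErr -match 'Access (is )?denied') { $kind = 'AccessDenied' }
        else { $kind = 'Other' }
        [pscustomobject]@{ Binary = $binary; SystemError = $sysErr; Kind = $kind }
    }
}

# Constructed samples: the first is the message quoted in this post, the
# second is a made-up "access denied" variant with a placeholder driver name.
$samples = @(
@'
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary EraserUtilRebootDrv.
System Error:
The system cannot find the file specified.
.
'@,
@'
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary ExampleDrv.
System Error:
Access is denied.
.
'@
)
$samples | Get-Capi2Event513Summary | Format-Table -AutoSize

# On a live server (assumption: provider name contains "CAPI2"):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 513 } |
#   Where-Object { $_.ProviderName -like '*CAPI2*' } |
#   ForEach-Object { $_.Message } | Get-Capi2Event513Summary |
#   Group-Object Binary, Kind | Select-Object Count, Name
```

Only rows with Kind = FileNotFound match the case this post covers; the Binary column shows which driver name to trace back to its installed software.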
Just to inform other readers…
I received such an error yesterday too. The event log doesn’t report earlier instances of this error, but yesterday I had 5. The machine is a private PC running W7 Enterprise edition and was being backed up using Windows Backup (so not Symantec Backup).
The event log shows:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary MpKsl6b6cf20f.
System Error:
The system cannot find the file specified.
.
I cannot find a file with that name, but I find the string in the registry.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPKSL6B6CF20F000]
"Service"="MpKsl6b6cf20f"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="MpKsl6b6cf20f"
"Capabilities"=dword:00000000
I have no idea what caused the error, but I may have messed up some access rights last week trying to change the backup for other PCs at home to use the external USB drive of this machine.
Furthermore, Backup reports failing to back up 2 files:
Backup encountered a problem while backing up file C:\Users\Linde\Contacts. Error:(The system cannot find the file specified. (0x80070002))
Backup encountered a problem while backing up file C:\Users\Linde\Searches. Error:(The system cannot find the file specified. (0x80070002))
Both files belong to the profile of a new user that has never logged in to this machine yet. So this may be a logical failure that has nothing to do with the event 513.
Symantec needs to reimburse every one of their customers for having to fix problems with their whack software…sick of this!
Hi Stephen,
Thanks for your post. Solution is too hard to apply on Production Environments. I don’t think clients would agree to Uninstall and Re-install SEP. I am dealing with the same problem now 🙂 Will get back to you with my results.
Hi Ali,
It’s actually a fairly simple and straightforward fix. Keep in mind, I’m referring to the re-installation of the Endpoint client, not the actual Endpoint Protection Management server software.
Cheers,
Stephen
We are facing the same issue. We are trying to apply this solution. Could you please let us know the steps to disable & enable VSS snapshots for C: volume?
Hi Prince,
If you haven’t done this before and/or aren’t familiar, I may recommend doing more research to become familiar with VSS snapshots (what they are, how to enable/disable, etc…).
If my memory serves me correctly, on your server you’ll go into “My Computer” or “Computer”, right-click on the drive, and select “Configure Volume Shadow Copy”.
Inside of the window that pops up, you can view, delete, enable/disable, or even configure schedules.
Keep in mind that when you disable VSS snapshots, it will delete all previous snapshots. Please make sure you fully understand what this means before attempting.
Cheers,
Stephen