Solved

Windows 7 ' \AppData\Roaming\Microsoft\Crypto\RSA\ ' folder is huge!.. How do I fix?

Posted on 2016-09-23
5
1,168 Views
Last Modified: 2016-10-12
My Windows 7 Home Premium ' c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\userSID ' folder contains a huge number of files and is over 2gb in size. What is causing this and how do I fix it?

To the best of my knowledge, I do not have any encryption turned on. As to applications, I basically, just run email (Windows Live), MsOffice10, and Adobe CS5.

Help!
0
Comment
Question by:wsh2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41812222
0
 
LVL 14

Author Comment

by:wsh2
ID: 41812228
Thank you 'learnctx' for posting.. {smile}

This computer is NOT on a domain; it is a standalone.

Contained within the ' ..\crypto\rsa\usersid ' folder are ~69,000 files consuming 2.3gb of space.

Will deleting the folder hurt anything?

Is this due to a virus/malware? If it is, can you recommend any software to clean it up.

Thank you in advance.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 41812660
Windows by default has Crypto Service provider (CSP) built into the OS. These are used for Data Protection (or they refers it as "Protected Storage") services which also exposed API functions for for application developers to use and interface within their appls. Those path is the Microsoft legacy CryptoAPI CSPs where these services store private keys. User specific private keys are in (1) %APPDATA%\Microsoft\Crypto\RSA\User SID\ or  (2) %APPDATA%\Microsoft\Crypto\DSS\User SID\

https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx

In your case, it is machine with roaming profile and it is alright to expect such huge files if it is a common shared machine which facilitate user to shift and use those common machines. Use key login will have their file redirected to the roaming folders.  Overall, I do not suspect any malware infection or foul play instead - you can scan your machine with alt AV such as Malwarebyte Anti-malware and Hitmanpro.Alert.

I know of the past in which this is experienced but in another folder e.g. under the ProgramData\Microsoft\Crypto\RSA\MachineKeys folder which is containing huge files that is caused due to AV doing man-in-the-middle to decrypt and inspect all contain in the SSL traffic to ensure the user browser is free from malicious codes. But to do this MitM, the AV must generate a fake key for each SSL website that user visits and this create huge key file to be stored in the machine - it is not clean up and being accumulated.

I do see similar happening for your case whereby many roaming user sharing the same machine and have their redirected folder that required their private key files too for whatever purpose to safeguard its crypto key by default generated ....
0
 
LVL 14

Accepted Solution

by:
wsh2 earned 0 total points
ID: 41834432
Thanks to everyone for commenting.. {smile}

IMPORTANT: This worked for me - HOWEVER, it may or may NOT work for you. Please use your own discretion.

Environment: Windows 7 Home Premium x64
The file count of "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" has grown to over 640,000 (1-2kb) files (normally, you will find maybe a dozen or so files there). The Computer passes all anti-virus/anti-malware/combofix scans. This many files in a system area imposes a huge performance drain whenever a file scan of any kind is run, to include Windows Update.

What worked for me:
1. After doing a system backup, I virtualized the computer on to an external USB drive using VmWare Vcenter.
2. I then opened the virtualized machine on another computer using VmPlayer.
3. After booting the virtualized machine, I deleted the "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder. (CAUTION: It took over 6 hours for all of the deletions to complete, Please be patient.)
4. After the deletions, I rebooted the computer. The "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder was recreated along a couple of files which is typical of any Windows installation.  
5. Everything seems to be working fine and file scanning performance has returned to what it once was.

Again, this worked for me. It may or may not work for you. Good luck!

 



So here is what I did.
0
 
LVL 14

Author Closing Comment

by:wsh2
ID: 41839767
While I appreciate everyone for providing referential scholarship, it was up to me to come up with a solution and put it into action. The solution I came up with is pure brute force and ignorance, and technically unsubstantiated in ANY scholarship I could find, either here or in Google World.

So, cheers to everyone. I lucked out. I only wish the very best to you the reader in your endeavors.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question