Windows 7 ' \AppData\Roaming\Microsoft\Crypto\RSA\ ' folder is huge!.. How do I fix?

My Windows 7 Home Premium ' c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\userSID ' folder contains a huge number of files and is over 2gb in size. What is causing this and how do I fix it?

To the best of my knowledge, I do not have any encryption turned on. As to applications, I basically just run email (Windows Live), MsOffice10, and Adobe CS5.

Help!
wsh2 Asked:

wsh2 (Author) Commented:
Thank you 'learnctx' for posting.. {smile}

This computer is NOT on a domain; it is a standalone.

Contained within the ' ..\crypto\rsa\usersid ' folder are ~69,000 files consuming 2.3gb of space.

Will deleting the folder hurt anything?

Is this due to a virus/malware? If it is, can you recommend any software to clean it up?

Thank you in advance.

btan (Exec Consultant) Commented:
Windows by default has Crypto Service Providers (CSPs) built into the OS. These are used for Data Protection (or, as they refer to it, "Protected Storage") services, which also expose API functions for application developers to use and interface with within their applications. That path belongs to the Microsoft legacy CryptoAPI CSPs, where these services store private keys. User-specific private keys are in (1) %APPDATA%\Microsoft\Crypto\RSA\User SID\ or (2) %APPDATA%\Microsoft\Crypto\DSS\User SID\

https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx

In your case, it is a machine with a roaming profile, and it is alright to expect such huge files if it is a common shared machine which lets users shift between and use those common machines. User key login will have their files redirected to the roaming folders. Overall, I do not suspect any malware infection or foul play; instead, you can scan your machine with an alternative AV such as Malwarebytes Anti-Malware and HitmanPro.Alert.

I know of past cases in which this was experienced, but in another folder, e.g. under the ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, which contained huge files. That was caused by the AV doing man-in-the-middle to decrypt and inspect all content in the SSL traffic to ensure the user's browser is free from malicious code. But to do this MitM, the AV must generate a fake key for each SSL website that the user visits, and this creates huge key files to be stored on the machine - they are not cleaned up and keep accumulating.

I do see something similar happening in your case, whereby many roaming users share the same machine and have their redirected folders, which require their private key files too, for whatever purpose, to safeguard the crypto key generated by default ....

wsh2 (Author) Commented:
Thanks to everyone for commenting.. {smile}

IMPORTANT: This worked for me - HOWEVER, it may or may NOT work for you. Please use your own discretion.

Environment: Windows 7 Home Premium x64
The file count of "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" has grown to over 640,000 (1-2kb) files (normally, you will find maybe a dozen or so files there). The Computer passes all anti-virus/anti-malware/combofix scans. This many files in a system area imposes a huge performance drain whenever a file scan of any kind is run, to include Windows Update.

What worked for me:
1. After doing a system backup, I virtualized the computer on to an external USB drive using VmWare Vcenter.
2. I then opened the virtualized machine on another computer using VmPlayer.
3. After booting the virtualized machine, I deleted the "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder. (CAUTION: It took over 6 hours for all of the deletions to complete. Please be patient.)
4. After the deletions, I rebooted the computer. The "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder was recreated along with a couple of files, which is typical of any Windows installation.
5. Everything seems to be working fine and file scanning performance has returned to what it once was.

Again, this worked for me. It may or may not work for you. Good luck!

 



So here is what I did.

wsh2 (Author) Commented:
While I appreciate everyone for providing referential scholarship, it was up to me to come up with a solution and put it into action. The solution I came up with is pure brute force and ignorance, and technically unsubstantiated in ANY scholarship I could find, either here or in Google World.

So, cheers to everyone. I lucked out. I only wish the very best to you the reader in your endeavors.
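
Added example, not part of any post in this thread: a read-only PowerShell inventory of the folder discussed above. It reports the file count, total size and the days on which the most key files were created, which helps tie the growth to a particular application's activity before anything is deleted. The function name `Get-RsaKeyFolderReport` and its parameters are made up for this example; it is written for PowerShell 2.0, the version shipped with Windows 7.

```powershell
# Added example: read-only inventory of a user's legacy CryptoAPI RSA key folder.
# Nothing is modified or deleted. Function and parameter names are hypothetical.
function Get-RsaKeyFolderReport {
    param(
        # Defaults to the current user's folder; pass a path to inspect a backup copy.
        [string]$Path = (Join-Path $env:APPDATA ('Microsoft\Crypto\RSA\' +
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)),
        # How many of the busiest creation days to report.
        [int]$TopDays = 10
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Key folder not found: $Path"
    }

    $count  = 0
    $bytes  = [long]0
    $perDay = @{}   # 'yyyy-MM-dd' -> number of key files created that day

    # Stream the listing instead of collecting it: the thread reports 640,000+ files.
    # -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Path -Force | ForEach-Object {
        if (-not $_.PSIsContainer) {
            $count++
            $bytes += $_.Length
            $day = $_.CreationTime.ToString('yyyy-MM-dd')
            $perDay[$day] = 1 + [int]$perDay[$day]   # a missing key casts to 0
        }
    }

    # Bursts on particular days point at whatever was running at the time.
    $busiest = $perDay.GetEnumerator() |
        Sort-Object -Property Value -Descending |
        Select-Object -First $TopDays -Property `
            @{ Name = 'Day';          Expression = { $_.Key } },
            @{ Name = 'FilesCreated'; Expression = { $_.Value } }

    New-Object PSObject -Property @{
        Path        = $Path
        FileCount   = $count
        TotalMB     = [math]::Round($bytes / 1MB, 1)
        BusiestDays = $busiest
    }
}

$report = Get-RsaKeyFolderReport
$report | Select-Object Path, FileCount, TotalMB | Format-List
$report.BusiestDays | Format-Table -AutoSize
```

Comparing the busiest days against software install dates and application usage narrows down what is generating the key containers.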