Windows 7 ' \AppData\Roaming\Microsoft\Crypto\RSA\ ' folder is huge!.. How do I fix?

Posted on 2016-09-23
Medium Priority
Last Modified: 2016-10-12
My Windows 7 Home Premium ' c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\userSID ' folder contains a huge number of files and is over 2gb in size. What is causing this and how do I fix it?

To the best of my knowledge, I do not have any encryption turned on. As to applications, I basically just run email (Windows Live), MsOffice10, and Adobe CS5.

Question by:wsh2
LVL 17

Assisted Solution

Learnctx earned 1000 total points
ID: 41812222
LVL 14

Author Comment

ID: 41812228
Thank you 'learnctx' for posting.. {smile}

This computer is NOT on a domain; it is a standalone.

Contained within the ' ..\crypto\rsa\usersid ' folder are ~69,000 files consuming 2.3gb of space.

Will deleting the folder hurt anything?

Is this due to a virus/malware? If it is, can you recommend any software to clean it up?

Thank you in advance.
LVL 64

Assisted Solution

btan earned 1000 total points
ID: 41812660
Windows by default has a Crypto Service Provider (CSP) built into the OS. These are used for Data Protection (or what they refer to as "Protected Storage") services, which also expose API functions for application developers to use and interface with in their applications. That path belongs to the Microsoft legacy CryptoAPI CSPs, where these services store private keys. User-specific private keys are in (1) %APPDATA%\Microsoft\Crypto\RSA\User SID\ or (2) %APPDATA%\Microsoft\Crypto\DSS\User SID\

In your case, it is a machine with a roaming profile, and it is alright to expect such huge files if it is a common shared machine which facilitates users shifting to and using those common machines. Use key login will have their file redirected to the roaming folders. Overall, I do not suspect any malware infection or foul play; instead, you can scan your machine with an alternative AV such as Malwarebytes Anti-Malware and HitmanPro.Alert.

I know of past cases in which this was experienced, but in another folder, e.g. under the ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, which contained huge files caused by the AV doing man-in-the-middle to decrypt and inspect all content in the SSL traffic to ensure the user's browser is free from malicious code. But to do this MitM, the AV must generate a fake key for each SSL website that the user visits, and this creates a huge key file to be stored on the machine - it is not cleaned up and keeps accumulating.

I do see something similar happening in your case, whereby many roaming users share the same machine and have their redirected folders, which require their private key files too, for whatever purpose, to safeguard the crypto keys generated by default ....
LVL 14

Accepted Solution

wsh2 earned 0 total points
ID: 41834432
Thanks to everyone for commenting.. {smile}

IMPORTANT: This worked for me - HOWEVER, it may or may NOT work for you. Please use your own discretion.

Environment: Windows 7 Home Premium x64
The file count of "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" has grown to over 640,000 (1-2kb) files (normally, you will find maybe a dozen or so files there). The Computer passes all anti-virus/anti-malware/combofix scans. This many files in a system area imposes a huge performance drain whenever a file scan of any kind is run, to include Windows Update.

What worked for me:
1. After doing a system backup, I virtualized the computer onto an external USB drive using VMware vCenter.
2. I then opened the virtualized machine on another computer using VmPlayer.
3. After booting the virtualized machine, I deleted the "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder. (CAUTION: It took over 6 hours for all of the deletions to complete. Please be patient.)
4. After the deletions, I rebooted the computer. The "c:\users\profile\AppData\Roaming\Microsoft\Crypto\RSA\[userSID]" folder was recreated along with a couple of files, which is typical of any Windows installation.
5. Everything seems to be working fine and file scanning performance has returned to what it once was.

Again, this worked for me. It may or may not work for you. Good luck!


So here is what I did.
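
For readers facing the same folder growth: measuring the key store and seeing when its files were created helps narrow down which software is generating the keys before anything is deleted. The following read-only PowerShell is an added example, not code from any poster in this thread; the function name `Get-KeyStoreSummary` and its parameters are made up for illustration, and it assumes PowerShell 2.0 or later (2.0 ships with Windows 7).

```powershell
# Added example: read-only triage of the per-user CryptoAPI key store
# (%APPDATA%\Microsoft\Crypto\RSA\<user SID>). It deletes nothing.
# Get-KeyStoreSummary and its parameters are illustrative names.
# Uses only PowerShell 2.0 features (the version shipped with Windows 7).
function Get-KeyStoreSummary {
    param(
        [string]$Root = (Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'),
        [int]$TopDays = 10
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Key store folder not found: $Root"
    }
    # One subfolder per user SID; -Force includes hidden and system entries.
    # @() keeps PowerShell 2.0 from looping once over $null when nothing matches.
    $sidDirs = @(Get-ChildItem -LiteralPath $Root -Force |
                 Where-Object { $_.PSIsContainer })
    foreach ($dir in $sidDirs) {
        $files = @(Get-ChildItem -LiteralPath $dir.FullName -Force |
                   Where-Object { -not $_.PSIsContainer })
        if ($files.Count -eq 0) { continue }

        $byAge  = @($files | Sort-Object CreationTime)
        $sum    = ($files | Measure-Object -Property Length -Sum).Sum
        $cutoff = (Get-Date).AddDays(-1)
        # Files created in the last 24 hours show whether growth is ongoing.
        $recent = @($files | Where-Object { $_.CreationTime -gt $cutoff }).Count

        # Days on which the most key files appeared; a burst can be matched
        # against software install or update dates.
        $busiest = $files |
            Group-Object { $_.CreationTime.ToString('yyyy-MM-dd') } |
            Sort-Object Count -Descending |
            Select-Object -First $TopDays |
            ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }

        New-Object PSObject -Property @{
            Sid            = $dir.Name
            FileCount      = $files.Count
            SizeMB         = [math]::Round($sum / 1MB, 1)
            OldestFile     = $byAge[0].CreationTime
            NewestFile     = $byAge[-1].CreationTime
            CreatedLast24h = $recent
            BusiestDays    = $busiest
        }
    }
}

Get-KeyStoreSummary |
    Format-List Sid, FileCount, SizeMB, OldestFile, NewestFile, CreatedLast24h, BusiestDays
```

With hundreds of thousands of files the enumeration itself can take several minutes. Passing `-Root` with the `ProgramData\Microsoft\Crypto\RSA` path gives the same summary for the machine key folder mentioned in btan's answer.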
LVL 14

Author Closing Comment

ID: 41839767
While I appreciate everyone for providing referential scholarship, it was up to me to come up with a solution and put it into action. The solution I came up with is pure brute force and ignorance, and technically unsubstantiated in ANY scholarship I could find, either here or in Google World.

So, cheers to everyone. I lucked out. I only wish the very best to you the reader in your endeavors.


Question has a verified solution.
