Today I thought of playing around with IIS MachineKeys. We have seen few issues with IIS Admin Service not starting and few events in System Event log like one below:

Source: Service Control Manager
Event ID: 7024
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
The IIS Admin Service service terminated with service-specific error 2148073478 (0x80090006).

By default when you install IIS 7 in Vista, Windows Server 2008 or IIS 7.5 in Win 7, Windows Server 2008 R2 the IIS Admin Service will not appear as described in my previous post Where is IISADMIN service?

IIS Admin Service is for IIS 6 and IIS 6 Management Compatibility and it PLAYS NO PART IN IIS 7 functionality.

Here is what I did..

  • Installed IIS with IIS 6 Management Compatibility
  • Checked C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and found the keys
c2319c42033a5ca7f44e731bfd3fa2b5_9790b371-96e4-4554-8f72-c2e0b12e99d2
7a436fe806e483969f48a894af2fe9a1_9790b371-96e4-4554-8f72-c2e0b12e99d2
  • Everything is good..
  • Open Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  • You will find a key MachineGuid, this has the value 9790b371-96e4-4554-8f72-c2e0b12e99d2
  • Now, used GUID Generator and got a new GUID (Registry Format)
  • Replaced 9790b371-96e4-4554-8f72-c2e0b12e99d2 with the new GUID
  • Open IIS 6 MMC and I see a blank window

clip_image001

  • Did IISRESET and it failed

clip_image001[4]

  • Checked the MachineKey folder and now I see the c23 key created with the new GUID but 7a4 is still with the old GUID

So what happened, lets dig in deep

I used Process Monitor, to understand what happened when I installed IIS.

I filtered Procmon for the Process Inetinfo.exe to get better understanding.

At first a file is created inetinfo.exe.mui in IIS 7 and inetinfo.exe.local in IIS 6

Date & Time: 13-02-2009 06:59:12 PM
Event Class: File System
Operation: CreateFile
Result: SUCCESS
Path: C:\Windows\System32\inetsrv\en-US\inetinfo.exe.mui
TID: 4832
Duration: 0.0000553
Desired Access: Read Attributes
Disposition: Open
Options: Complete If Oplocked
Attributes: N
ShareMode: Read, Write, Delete
AllocationSize: n/a
OpenResult: Opened

Then it creates all IIS specific files (as seen in C:\Windows\System32\inetsrv folder).

At one stage, there is a Query on the Registry key HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and get the value

Date & Time: 13-02-2009 06:59:15 PM
Event Class: Registry
Operation: RegQueryValue
Result: SUCCESS
Path: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
TID: 4844
Duration: 0.0000042
Type: REG_SZ
Length: 74

Data: 9790b371-96e4-4554-8f72-c2e0b12e99d2

Then Inetinfo.exe creates the file

Date & Time: 13-02-2009 06:59:15 PM
Event Class: File System
Operation: WriteFile
Result: SUCCESS
Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_9790b371-96e4-4554-8f72-c2e0b12e99d2
TID: 4844
Duration: 0.0002495
Offset: 0
Length: 59
Priority: Normal

Moving further down in Procmon, I found a similar query and then Inetinfo creates the file

Date & Time: 13-02-2009 06:59:16 PM
Event Class: File System
Operation: WriteFile
Result: SUCCESS
Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c2319c42033a5ca7f44e731bfd3fa2b5_9790b371-96e4-4554-8f72-c2e0b12e99d2
TID: 4844
Duration: 0.0002375
Offset: 0
Length: 78
Priority: Normal

So, inetinfo.exe process creates MachineKeys as it should and everything is good.

But when I changed the MachineGUID and did IISRESET, Inetinfo.exe reads the inetinfo.exe.mui and starts querying for all the files in Inetsrv folder.

Reads the Metabase.xml and MBSchema.xml and moves further till the point when it loads Crypto, it finds the MachineGUID and since c23 does not exists it creates the file but with the new GUID.

Date & Time: 13-02-2009 08:49:14 PM
Event Class: File System
Operation: CreateFile
Result: SUCCESS
Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c2319c42033a5ca7f44e731bfd3fa2b5_3E08FB7E-9B1D-4422-9215-C3ECA2A68BFE
TID: 2940
Duration: 0.0000503
Desired Access: Generic Read
Disposition: Open
Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File
Attributes: n/a
ShareMode: Read
AllocationSize: n/a
OpenResult: Opened

But now there is a conflict in it's record and hence it kills the thread and then exits the process.

As seen in Procmon:

image

As seen using DebugView:

image 

Well what I did to resolve the issue, changed the MachineGUID back to its original and did IISRESET and everything is good again.

If you ever happen to face MachineKey related issue, what you can do is follow my blog backwards :).

Check MachineGUID in the Registry, check the MachineKeys c23 and 7a4. If the GUID does not match, the best is restore a good backup when IIS was working fine or just reinstall IIS.

Key here is always BACKUP YOUR SERVER.

HTH.

Till next time take care.