Today I thought of playing around with IIS MachineKeys. We have seen a few issues with the IIS Admin Service not starting, and a few events in the System Event log like the one below:
By default, when you install IIS 7 on Vista or Windows Server 2008, or IIS 7.5 on Windows 7 or Windows Server 2008 R2, the IIS Admin Service will not appear, as described in my previous post "Where is IISADMIN service?"
IIS Admin Service is for IIS 6 and IIS 6 Management Compatibility and it PLAYS NO PART IN IIS 7 functionality.
Here is what I did:
So what happened? Let's dig in deep.
I used Process Monitor, to understand what happened when I installed IIS.
I filtered Procmon for the Process Inetinfo.exe to get better understanding.
At first, a file is created: inetinfo.exe.mui in IIS 7 and inetinfo.exe.local in IIS 6.
    Date & Time: 13-02-2009 06:59:12 PM
    Event Class: File System
    Operation: CreateFile
    Result: SUCCESS
    Path: C:\Windows\System32\inetsrv\en-US\inetinfo.exe.mui
    TID: 4832
    Duration: 0.0000553
    Desired Access: Read Attributes
    Disposition: Open
    Options: Complete If Oplocked
    Attributes: N
    ShareMode: Read, Write, Delete
    AllocationSize: n/a
    OpenResult: Opened
Then it creates all IIS specific files (as seen in C:\Windows\System32\inetsrv folder).
At one stage, there is a query on the registry value HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid to get its data:
    Date & Time: 13-02-2009 06:59:15 PM
    Event Class: Registry
    Operation: RegQueryValue
    Result: SUCCESS
    Path: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
    TID: 4844
    Duration: 0.0000042
    Type: REG_SZ
    Length: 74
    Data: 9790b371-96e4-4554-8f72-c2e0b12e99d2
Then Inetinfo.exe creates the file
    Date & Time: 13-02-2009 06:59:15 PM
    Event Class: File System
    Operation: WriteFile
    Result: SUCCESS
    Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_9790b371-96e4-4554-8f72-c2e0b12e99d2
    TID: 4844
    Duration: 0.0002495
    Offset: 0
    Length: 59
    Priority: Normal
Moving further down in Procmon, I found a similar query and then Inetinfo creates the file
    Date & Time: 13-02-2009 06:59:16 PM
    Event Class: File System
    Operation: WriteFile
    Result: SUCCESS
    Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c2319c42033a5ca7f44e731bfd3fa2b5_9790b371-96e4-4554-8f72-c2e0b12e99d2
    TID: 4844
    Duration: 0.0002375
    Offset: 0
    Length: 78
    Priority: Normal
So, the inetinfo.exe process creates the MachineKeys as it should, and everything is good.
But when I changed the MachineGUID and did an IISRESET, Inetinfo.exe read inetinfo.exe.mui and started querying for all the files in the Inetsrv folder.
It read Metabase.xml and MBSchema.xml and moved on until the point where it loads Crypto. There it found the MachineGUID, and since the c23 file does not exist, it created the file, but with the new GUID.
    Date & Time: 13-02-2009 08:49:14 PM
    Event Class: File System
    Operation: CreateFile
    Result: SUCCESS
    Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c2319c42033a5ca7f44e731bfd3fa2b5_3E08FB7E-9B1D-4422-9215-C3ECA2A68BFE
    TID: 2940
    Duration: 0.0000503
    Desired Access: Generic Read
    Disposition: Open
    Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File
    Attributes: n/a
    ShareMode: Read
    AllocationSize: n/a
    OpenResult: Opened
But now there is a conflict in its record, and hence it kills the thread and then exits the process.
As seen in Procmon:
As seen using DebugView:
To resolve the issue, I changed the MachineGUID back to its original value and did an IISRESET, and everything is good again.
If you ever happen to face a MachineKey-related issue, what you can do is follow my blog backwards :).
Check the MachineGUID in the registry, then check the MachineKeys files starting with c23 and 7a4. If the GUID does not match, the best option is to restore a good backup from when IIS was working fine, or just reinstall IIS.
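The check described above, as an added PowerShell example (not part of the original post): it compares the GUID suffix of the c23 and 7a4 key files with the MachineGuid registry value. The function name Test-IisMachineKeyGuid is hypothetical, the MachineKeys path is assumed to be under %ProgramData% as in the IIS 7 traces, and the sample input is constructed from the values shown in those traces.

```powershell
# Added example: verify that the IIS key files carry the current MachineGuid.
# Prefixes are the two file-name prefixes seen in the Procmon traces above.
$IisKeyPrefixes = 'c2319c42033a5ca7f44e731bfd3fa2b5',
                  '7a436fe806e483969f48a894af2fe9a1'

function Test-IisMachineKeyGuid {   # hypothetical helper name
    param(
        # Defaults read the live system (run elevated); pass both values
        # explicitly to check data collected from another machine.
        [string]$MachineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid,
        [string[]]$KeyFileNames = (Get-ChildItem (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') -Force |
                                   Select-Object -ExpandProperty Name)
    )
    foreach ($prefix in $IisKeyPrefixes) {
        $short = $prefix.Substring(0, 3)
        # Key files are named <prefix>_<MachineGuid>
        $found = @($KeyFileNames | Where-Object { $_ -like "${prefix}_*" })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Key = $short; FileGuid = $null; Status = 'Missing' }
            continue
        }
        foreach ($name in $found) {
            $fileGuid = $name.Substring($prefix.Length + 1)
            # GUID comparison is case-insensitive: the registry value may differ in case.
            $status = if ($fileGuid -ieq $MachineGuid) { 'Match' } else { 'GuidMismatch' }
            [pscustomobject]@{ Key = $short; FileGuid = $fileGuid; Status = $status }
        }
    }
}

# Constructed sample reproducing the state in the post: the registry GUID was
# changed, the 7a4 file still carries the original GUID, c23 carries the new one.
$sampleFiles = '7a436fe806e483969f48a894af2fe9a1_9790b371-96e4-4554-8f72-c2e0b12e99d2',
               'c2319c42033a5ca7f44e731bfd3fa2b5_3E08FB7E-9B1D-4422-9215-C3ECA2A68BFE'
Test-IisMachineKeyGuid -MachineGuid '3E08FB7E-9B1D-4422-9215-C3ECA2A68BFE' -KeyFileNames $sampleFiles |
    Format-Table -AutoSize

# Live check on the local server (uncomment to run):
# Test-IisMachineKeyGuid | Format-Table -AutoSize
```

Any row with a Status other than Match points at the condition described in this post; the script only reads the registry value and file names and changes nothing.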
Key here is always BACKUP YOUR SERVER.
Till next time take care.