Event ID 256 — System Catalog Database Integrity

Applies To: Windows Server 2008

The system catalog database is used with the cryptographic services provided by the operating system to ensure that the Windows system files have not been changed. This is done by comparing the digital signature of a system file to the digital signature stored in the system catalog database. If the signatures do not match, the file is replaced with a copy of the file located on this computer with the correct signature.

Event Details

Product: Windows Operating System
ID: 256
Source: Microsoft-Windows-CAPI2
Version: 6.0
Symbolic Name: MSG_CATDB_INIT_ERROR
Message: The Cryptographic Services service failed to initialize the Catalog Database. The error was: %1 : %2.

Resolve

Repair the system catalog database

The system catalog database is stored in the %windir%\system32\catroot2 folder, where %windir% is the folder in which Windows was installed. If the system catalog database is corrupt, you can repair it by using the Esentutl command-line tool. The steps for using the Esentutl command-line tool are included in the "Repair the catalog database by using Esentutl" section.  If Esentutl cannot repair the catalog database, you can create a new one by following the procedure in the "Create a new catroot2 folder" section or the "Create a new catroot2 folder by using the command prompt" section.

Caution: When you remove the catroot2 folder by using the "Create a new catroot2 folder" section, Windows will automatically recreate it. However, Windows will not recreate the catroot folder if it has been modified. Modifying the contents of the catroot folder can cause your computer to be unusable.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Repair the catalog database by using Esentutl

To repair the catalog database by using Esentutl:

  1. Click Start, point to All Programs, and then click Accessories.

  2. Right-click Command Prompt, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the command prompt window, type net stop cryptsvc to stop Cryptographic Services, and then press ENTER.

  5. Type esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb, and then press ENTER.

    By default, %systemroot% is located at C:\Windows.

  6. Click OK to confirm that you should run this tool only on databases that are corrupt.

  7. If Esentutl reports that the catalog database is still corrupt, you should use one of the following procedures to create a new catroot2 folder.

  8. Type net start cryptsvc to start Cryptographic Services, and then press ENTER.

Create a new catroot2 folder

To create a new catroot2 folder:

  1. Click Start, point to Administrative Tools, and then click Services.

  2. Right-click Cryptographic Services, and then click Stop.

  3. Click Start, and then click Computer.

  4. Navigate to %systemroot%\System32.

    By default, %systemroot% is located at C:\Windows.

  5. Rename the catroot2 folder to catroot2.old.

  6. In the Services snap-in console, right-click Cryptographic Services, and then click Start.

Create a new catroot2 folder by using the command prompt

To create a new catroot2 folder by using the command prompt:

  1. Click Start, point to All Programs, and then click Accessories.

  2. Right-click Command Prompt, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the command prompt window, type net stop cryptsvc, and then press ENTER.

  5. Type ren <%systemroot%>\System32\catroot2 catroot2.old, and then press ENTER.

    By default, %systemroot% is located at C:\Windows.

  6. Type net start cryptsvc, and then press ENTER.

  7. Type exit, and then press ENTER to close the command prompt window.

Verify

You can verify the integrity of the security catalog database by using the Esentutl command-line tool.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify the integrity of the security catalog database:

  1. Click Start, point to All Programs, and then click Accessories.

  2. Right-click Command Prompt, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue

  4. In the command prompt window, type net stop cryptsvc to stop Cryptographic Services, and then press ENTER.

  5. Type esentutl /g <%systemroot%>\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb, and then press ENTER.

    By default, %systemroot% is located at C:\Windows.

  6. If the integrity check on the security catalog database is successful, Integrity check successful will be displayed in the command prompt window.

  7. Type net start cryptsvc to start Cryptographic Services, and then press ENTER.

System Catalog Database Integrity

Core Security