Smart Cards Debugging and Developer Information
Updated: February 18, 2010
Applies To: Windows 7, Windows Server 2008 R2
Developers can use the following tools and services in Windows 7 and Windows Vista to help identify certificate problems.
Certutil
Listing certificates available on the smart card
To list certificates that are available on the smart card, type certutil –scinfo.
Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
Deleting certificates on the smart card
Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
To discover the container value, type certutil –scinfo.
To delete a container, type certutil –delkey –csp "Microsoft Base Smart Card Crypto Provider" "<ContainerValue>".
WPP_Tracing debugging and tracing
Enabling the trace
Use one of the following commands to enable tracing:
tracelog.exe –kd –rt –start <FriendlyName> -guid #<GUID> -f .\<LogFileName>.etl –flags <flags> -ft 1
logman start <FriendlyName> -ets –p {<GUID>} -<Flags> -ft 1 –rt –o .\<LogFileName>.etl –mode 0x00080000
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|---|---|---|
scardsvr |
13038e47-ffec-425d-bc69-5707708075fe |
0xffff |
winscard |
3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 |
0xffff |
basecsp |
133a980d-035d-4e2d-b250-94577ad8fced |
0x7 |
scksp |
133a980d-035d-4e2d-b250-94577ad8fced |
0x7 |
msclmd |
fb36caf4-582b-4604-8841-9263574c4f2c |
0x7 |
credprov |
dba0e0e0-505a-4ab6-aa3f-22f6f743b480 |
0xffff |
certprop |
30eae751-411f-414c-988b-a8bfa8913f49 |
0xffff |
scfilter |
eed7f3c9-62ba-400e-a001-658869df9a91 |
0xffff |
wudfusbccid |
a3c09ba3-2f62-4be5-a50f-8278a646ac9d |
0xffff |
Examples
To enable tracing for the SCardSvr service:
tracelog.exe –kd –rt –start scardsvr –guid #13038e47-ffec-425d-bc69-5707708075fe –f .\scardsvr.etl –flags 0xffff –ft 1
logman start scardsvr –ets –p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff –ft 1 –rt –o .\scardsvr.etl –mode 0x00080000
To enable tracing for scfilter.sys:
tracelog.exe –kd –rt –start scfilter –guid #eed7f3c9-62ba-400e-a001-658869df9a91 –f .\scfilter.etl –flags 0xffff –ft 1
Stopping the trace
Use one of the following commands to stop the tracing:
tracelog.exe –stop <FriendlyName>
logman –stop <FriendlyName> -ets
Examples
To stop a trace:
tracelog.exe -stop scardsvr
logman -stop scardsvr -ets
Kerberos debugging and tracing
You can use the following resources to begin troubleshooting Kerberos:
Troubleshooting Kerberos Errors (https://go.microsoft.com/fwlink/?LinkId=93730)
Troubleshooting Kerberos Delegation (https://go.microsoft.com/fwlink/?LinkId=93731)
The Trace Log tool in the Windows Software Development Kit (SDK) Update for Windows Vista (https://go.microsoft.com/fwlink/?LinkId=81029) is a utility that you can use to debug Kerberos authentication failures
To begin tracing, you can use Tracelog.exe. Different components use different control GUIDs.
NTLM
To enable tracing for NTLM authentication, run the following at the command line:
tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1
To stop tracing for NTLM authentication, run the following at the command line:
tracelog -stop ntlm
Kerberos
To enable tracing for Kerberos authentication, run the following at the command line:
tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1
To stop tracing for Kerberos authentication, run the following at the command line:
tracelog.exe -stop kerb
KDC
To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1
To stop tracing for the KDC, run the following at the command line:
tracelog.exe -stop kdc
Note
To stop tracing remotely, run the following at the command line: logman.exe -s <ComputerName>.
The default location for logman.exe is %systemroot%system32. Use the -s option to supply a computer name.
Configure tracing with the registry
You can also configure tracing by editing the Kerberos registry values shown in the following table.
| Method | Registry key setting |
|---|---|
NTLM |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
|
Kerberos |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
|
KDC |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
|
If you used Tracelog.exe, look for the log file kerb.etl/kdc.etl/ntlm.etl in your current directory. Otherwise, if you used the registry files shown in the Kerberos tracing registry settings table, look for the generated trace log files at the following locations:
NTLM: %systemroot%\tracing\msv1_0
Kerberos: %systemroot%\tracing\kerberos
KDC: %systemroot%\tracing\kdcsvc
To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information about Tracefmt, see Tracefmt (https://go.microsoft.com/fwlink/?LinkId=93734).
Smart Card service
To check if the Smart Card service is running
Press CTRL+ALT+DEL, and then click Start Task Manager.
In the Windows Task Manager dialog box, click the Services tab.
Click the Name column to sort the list alphabetically, and then type s.
In the Name column, look for SCardSvr, and then look under the Status column to see if the service is running or stopped.
To restart the Smart Card service
Click Start, type cmd, right-click cmd.exe, and then click Run as administrator.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
At the command prompt, type net stop SCardSvr.
At the command prompt, type net start SCardSvr.
You can use the following command at the command prompt to check whether the service is running: sc queryex scardsvr.
The following is example output from running this command:
SERVICE_NAME: scardsvr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1320
FLAGS :
C:\>
Smart card readers
To check whether the smart card reader is connected and working properly
Click Start, right-click Computer, and then click Properties.
Under Tasks, click Device Manager.
In Device Manager, expand Smart card readers, select the smart card reader, and then click Properties.
Note
If the smart card reader is not listed in Device Manager, in the Action menu, click Scan for hardware changes.
CryptoAPI 2.0 Diagnostics
CryptoAPI 2.0 Diagnostics is a feature that is available beginning in Windows Vista and Windows Server 2008 that helps administrators in troubleshooting public key infrastructure (PKI) problems. CryptoAPI 2.0 Diagnostics logs events in the Windows event log that contains detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of problems and reduces the time required for diagnosis.
For more information about CryptoAPI 2.0 Diagnostics, see Troubleshooting PKI Problems on Windows Vista (https://go.microsoft.com/fwlink/?LinkId=89570).