Export (0) Print
Expand All

Smart Cards Debugging and Developer Information

Published: February 18, 2010

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Developers can use the following tools and services in Windows 7 and Windows Vista to help identify certificate problems.

To list certificates that are available on the smart card, type certutil –scinfo.

Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.

Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.

To discover the container value, type certutil –scinfo.

To delete a container, type certutil –delkey –csp "Microsoft Base Smart Card Crypto Provider" "<ContainerValue>".

Use one of the following commands to enable tracing:

  • tracelog.exe –kd –rt –start <FriendlyName> -guid # <GUID> -f .\ <LogFileName> .etl –flags <flags> -ft 1

  • logman start <FriendlyName> -ets –p { <GUID> } - <Flags> -ft 1 –rt –o .\ <LogFileName> .etl –mode 0x00080000

You can use the parameters in the following table.

 

Friendly name GUID Flags

scardsvr

13038e47-ffec-425d-bc69-5707708075fe

0xffff

winscard

3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01

0xffff

basecsp

133a980d-035d-4e2d-b250-94577ad8fced

0x7

scksp

133a980d-035d-4e2d-b250-94577ad8fced

0x7

msclmd

fb36caf4-582b-4604-8841-9263574c4f2c

0x7

credprov

dba0e0e0-505a-4ab6-aa3f-22f6f743b480

0xffff

certprop

30eae751-411f-414c-988b-a8bfa8913f49

0xffff

scfilter

eed7f3c9-62ba-400e-a001-658869df9a91

0xffff

wudfusbccid

a3c09ba3-2f62-4be5-a50f-8278a646ac9d

0xffff

Examples

To enable tracing for the SCardSvr service:

  • tracelog.exe –kd –rt –start scardsvr –guid #13038e47-ffec-425d-bc69-5707708075fe –f .\scardsvr.etl –flags 0xffff –ft 1

  • logman start scardsvr –ets –p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff –ft 1 –rt –o .\scardsvr.etl –mode 0x00080000

To enable tracing for scfilter.sys:

tracelog.exe –kd –rt –start scfilter –guid #eed7f3c9-62ba-400e-a001-658869df9a91 –f .\scfilter.etl –flags 0xffff –ft 1

Use one of the following commands to stop the tracing:

  • tracelog.exe –stop <FriendlyName>

  • logman –stop <FriendlyName> -ets

Examples

To stop a trace:

  • tracelog.exe -stop scardsvr

  • logman -stop scardsvr -ets

You can use the following resources to begin troubleshooting Kerberos:

To begin tracing, you can use Tracelog.exe. Different components use different control GUIDs.

To enable tracing for NTLM authentication, run the following at the command line:

tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1

To stop tracing for NTLM authentication, run the following at the command line:

tracelog -stop ntlm

To enable tracing for Kerberos authentication, run the following at the command line:

tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1

To stop tracing for Kerberos authentication, run the following at the command line:

tracelog.exe -stop kerb

To enable tracing for the Key Distribution Center (KDC), run the following at the command line:

tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1

To stop tracing for the KDC, run the following at the command line:

tracelog.exe -stop kdc

noteNote
To stop tracing remotely, run the following at the command line: logman.exe -s <ComputerName>.

The default location for logman.exe is %systemroot%system32\. Use the -s option to supply a computer name.

You can also configure tracing by editing the Kerberos registry values shown in the following table.

 

Method Registry key setting

NTLM

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  • Value name: NtLmInfoLevel

  • Value type: DWORD

  • Value data: c0015003

Kerberos

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

  • Value name: LogToFile

  • Value type: DWORD

  • Value data: 00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  • Value name: KerbDebugLevel

  • Value type: DWORD

  • Value data: c0000043

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  • Value name: LogToFile

  • Value type: DWORD

  • Value data: 00000001

KDC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

  • Value name: KdcDebugLevel

  • Value type: DWORD

  • Value data: c0000803

If you used Tracelog.exe, look for the log file kerb.etl/kdc.etl/ntlm.etl in your current directory. Otherwise, if you used the registry files shown in the Kerberos tracing registry settings table, look for the generated trace log files at the following locations:

  • NTLM: %systemroot%\tracing\msv1_0

  • Kerberos: %systemroot%\tracing\kerberos 

  • KDC: %systemroot%\tracing\kdcsvc 

To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information about Tracefmt, see Tracefmt (http://go.microsoft.com/fwlink/?LinkId=93734).

  1. Press CTRL+ALT+DEL, and then click Start Task Manager.

  2. In the Windows Task Manager dialog box, click the Services tab.

  3. Click the Name column to sort the list alphabetically, and then type s.

  4. In the Name column, look for SCardSvr, and then look under the Status column to see if the service is running or stopped.

  1. Click Start, type cmd, right-click cmd.exe, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. At the command prompt, type net stop SCardSvr.

  4. At the command prompt, type net start SCardSvr.

You can use the following command at the command prompt to check whether the service is running: sc queryex scardsvr.

The following is example output from running this command:

SERVICE_NAME: scardsvr
    TYPE        : 20 WIN32_SHARE_PROCESS
    STATE       : 4 RUNNING
                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE  : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT     : 0x0
    WAIT_HINT     : 0x0
    PID        : 1320
    FLAGS       :
C:\>

  1. Click Start, right-click Computer, and then click Properties.

  2. Under Tasks, click Device Manager.

  3. In Device Manager, expand Smart card readers, select the smart card reader, and then click Properties.

    noteNote
    If the smart card reader is not listed in Device Manager, in the Action menu, click Scan for hardware changes.

CryptoAPI 2.0 Diagnostics is a feature that is available beginning in Windows Vista and Windows Server 2008 that helps administrators in troubleshooting public key infrastructure (PKI) problems. CryptoAPI 2.0 Diagnostics logs events in the Windows event log that contains detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of problems and reduces the time required for diagnosis.

For more information about CryptoAPI 2.0 Diagnostics, see Troubleshooting PKI Problems on Windows Vista (http://go.microsoft.com/fwlink/?LinkId=89570).

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft