Cryptographic Services

The Cryptographic Services (CryptSvc) service provides key-management services for the computer. Cryptographic Services is composed of the following management services:

  • Catalog Database Service. This service adds, removes, and looks up catalog files, which are used to sign all the files in the operating system. Windows File Protection (WFP), Driver Signing, and setup use this service to verify signed files. You cannot stop this service during setup. If the service stops after setup, it restarts when it is requested by an application.
  • Protected Root Service. This service adds and removes Trusted Root Certification Authority certificates. The service displays a service message box with the certificate's name and thumbprint. If you click OK, the certificate is added to or removed from your current list of trusted root authorities. Only Local System accounts have write access to the list. If this service stops, the current user cannot add or remove Trusted Root Certification Authority certificates.
  • Automatic Root Certificate Update Service. This service retrieves root certificates as needed from Windows Update. This service can be used to support Secure Sockets Layer (SSL) sessions by helping to ensure that server certificates are kept up to date. If this service stops, root certificates must be updated manually.
  • Key Service. This service allows administrators to enroll for certificates on behalf of the local computer account. The service provides several functions that are required for enrollment, such as enumeration of available certification authorities, enumeration of available computer templates, and the ability to create and submit a certificate request in the local computer context. Only administrators can enroll on behalf of the local computer account. The Key Service also allows administrators to remotely install Personal Information Exchange (PFX) files on the computer. If this service stops, autoenrollment cannot automatically acquire the default set of computer certificates.

The Cryptographic Services service is installed by default and its startup type is Automatic. When the Cryptographic Services service is started in its default configuration, it logs on by using the Network Service account. If it stops, the management services that are referenced in the preceding paragraphs do not function properly.

The Cryptographic Services service is dependent on the following system components:

  • Remote Procedure Call (RPC)
  • DCOM Server Process Launcher
  • RPC Endpoint Mapper

The following system component is dependent upon the Cryptographic Services service:

  • Application Identity service
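
The following PowerShell check is an added example, not code from this documentation: it compares the local CryptSvc configuration with the defaults described above (startup type, logon account, and service relationships). The short service names RpcSs, DcomLaunch, RpcEptMapper and AppIDSvc, the account string, and the helper name Get-ServiceClosure are assumptions made for this example.

```powershell
# Added example. Expected values are the defaults documented above; the short
# service names are assumptions mapped from the display names on the page.
$expected = @{
    StartMode  = 'Auto'                          # startup type Automatic
    StartName  = 'NT AUTHORITY\NetworkService'   # Network Service account
    Requires   = @('RpcSs', 'DcomLaunch', 'RpcEptMapper')
    Dependents = @('AppIDSvc')                   # Application Identity
}

# Hypothetical helper: follow a Get-Service relationship property
# (ServicesDependedOn or DependentServices) until no new services appear,
# so indirect relationships are included as well as direct ones.
function Get-ServiceClosure {
    param([string]$Name, [string]$Property)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        $current = Get-Service -Name $queue.Dequeue()
        foreach ($related in $current.$Property) {
            if ($seen.Add($related.Name)) { $queue.Enqueue($related.Name) }
        }
    }
    @($seen)
}

$svc        = Get-CimInstance -ClassName Win32_Service -Filter "Name='CryptSvc'"
$requires   = @(Get-ServiceClosure -Name 'CryptSvc' -Property 'ServicesDependedOn')
$dependents = @(Get-ServiceClosure -Name 'CryptSvc' -Property 'DependentServices')

$findings = @()
if ($svc.StartMode -ne $expected.StartMode) {
    $findings += "Startup type is '$($svc.StartMode)'; documented default is Automatic"
}
if ($svc.StartName -ne $expected.StartName) {
    $findings += "Logs on as '$($svc.StartName)'; documented default is Network Service"
}
# Report differences in both directions so additions and removals both show up.
foreach ($n in $expected.Requires)   { if ($requires -notcontains $n)            { $findings += "Documented dependency not found: $n" } }
foreach ($n in $requires)            { if ($expected.Requires -notcontains $n)   { $findings += "Dependency not in documentation: $n" } }
foreach ($n in $expected.Dependents) { if ($dependents -notcontains $n)          { $findings += "Documented dependent not found: $n" } }
foreach ($n in $dependents)          { if ($expected.Dependents -notcontains $n) { $findings += "Dependent not in documentation: $n" } }

[pscustomobject]@{ State = $svc.State; Findings = $findings }
```

An empty Findings list means the service matches the documented defaults; any entry is a difference to review against the system's change history.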
