2019年3月13日
Stuck in Establishing securing connection - CryptSvc loop after fresh Windows install
I've tried the usual install triage but nothing has worked. I checked proxy settings (none), disabled Windows Defender, no other AV, turned off the firewall completely, played with TLS settings in Internet Options. I've reset Chrome, uninstalled, cleaned my registry, and reinstalled Chrome. I've also disabled Chrome hardware acceleration Malware bytes didn't find anything but that is not a surprise as Windows is a fresh install.
I looked in Task Manager, when Chrome is stuck there is a small (~3%) CPU hit for Cryptographic Services (CryptSvc).
Help!
情報の通知.
この質問はロックされているため、返信は無効になりました。
コミュニティのコンテンツは、確認されていない場合や最新ではない場合があります。詳細
最終編集: 2019年3月13日
2019年3月13日
The simplest solution is to disable personal user root certificates which few users need.
The .reg file for turning off this feature can be found in bug report CR838707 comment #213
(CA HKLM_Pol_PR-DisableCA.reg).
Instructions for manually repairing the registry are posted below.
A scripted version of the repair is also available (below).
These are reposts of my (5/21/18, 9/19/18) comments from an earlier Chrome Product Forum topic. The Product Forum was rehosted under Community Help the beginning of March 2019. After the port to Community Help, the posts have been difficult to access and are reposted here for convenience.
Will follow up later. If you down-vote this fix, please leave a note. I've been trolling the web for over a year on this, and this is the best I've found.
最終編集: 2019年6月8日
Breeze Through さん(元の投稿者)が、これを回答としてマークしました
すべての返信(28 件)
2019年5月10日
This text fails: Violates community standards:
Still working on CryptSvc - Microsoft Community thread mentioned One-Drive and AMD HW recently
-add 2 periods, then OK
最終編集: 2019年5月10日
2019年5月20日
CryptSvc Registry Fix (repost from my 5/21/18 instructions
on the Product Forum Mike Ward 5/3/18 thread.)
on the Product Forum Mike Ward 5/3/18 thread.)
First verify you have the CryptSvc problem
- Before opening Chrome, open Edge
If Chrome works OK, but only if Edge is also running
this is very likely a CryptSvc issue
If not, you may have another problem.
this is very likely a CryptSvc issue
If not, you may have another problem.
- To verify the CryptSvc loop explicitly
start Chrome without Edge
while Chrome is stalled (and CryptSvc is looping),
verify CryptSvc high CPU usage - it's normally quiet
verify CryptSvc high CPU usage - it's normally quiet
in Task Manager> Services, select CryptSvc, then right click for Details,
(CryptSvc runs as an svchost task with matching PID)
(CryptSvc runs as an svchost task with matching PID)
check the svchost CPU column,
if > 2%, proceed with the registry repair.
Registry Repair - Options & Alternatives
A) Scripted Registry repair, available as a PowerShell script here (with instructions).
Runs as admin, needs the SetACL.exe admin tool - see instructions.
B) CryptSvc Manual Registry fix instructions, preened from Bug 838707:
The instructions look long, but will probably take longer to read them than to do.
You need to delete a user certificates Root level, but it takes a few steps to get there and be safe along the way.
The instructions boil down to:
1. Open Run, type in regedit
2. Go here: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
2. Go here: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
3. Right-click ProtectedRoots > Permissions and pick your account .
Tick Allow Full Control
4. Open Task Manager > stop Cryptographic Service
5. In regedit, delete Root (HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\)
5. In regedit, delete Root (HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\)
6. Restart Windows
For detail instructions, see B.1 belowC) Alternatives
There are some trivial changes that on some occasions help as well as more aggressive cleanups but with drawbacks. See Other Things to Try (below).
B.1) CryptSvc Manual Registry fix instructions, preened from Bug 838707:
The piece of the registry tree we're working with looks like this:HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\
Root\ - delete this to rebuild. AKA HKCU...Root
Certificates\ - may need to save these
CRLs\ - empty ignore
CTLs\ - empty, ignore
ProtectedRoots\ - the culprit, may need to delete this first
AKA: HKCU...ProtectedRoots
Begin here:
-exit Chrome,
-stop CryptSvc from Task Manager> Services
-in regedit, go HKCU...Root - see full path above
The Root steps are mostly optional and for documentation only.
export Root: do: right click Root, Export, choose file name...
expand Certificates, stretch the left panel to the right to expose the cert IDs somewhat.
-note the number of Certificates. None is common and OK.
take a screenshot, like this
-right click ProtectedRoots, go Permissions, then Advanced
if you get errors, take screenshots. if you get: error: incorrectly ordered, do Reorder, then go Advanced
and note the reordering for later. save a screenshot of Advanced, like this
-if ProtectedRoots is NOT owned by you or Admin
-
if it's owned by System (see screenshot above),
then change owner to you with:
from Advanced, select Change, then Advanced (in Change), then Find
Now
select your name. It should look like this:
then OK out of Advanced Change, and OK out of Change
in Advanced Permissions, enable Inheritance
verify User (you) now have Full Control \
take a snapshot of Advanced Permissions with the new owner and Inheritance on
OK out of Advanced Permissions and Permissions
-right click ProtectedRoots and delete - this will rebuild automatically later
(This step is optional and only used to pretest the Root Delete)
if you get: Error deleting keys,
a) go back to Permissions> Advanced and verify owner is you with full control
If not, redo the steps above to change owner and redo delete
b) try: select: Replace all child object permission with inheritable...
Apply, redo delete
c) If it still fails, take a snapshot of the error and
go to End & Send Feedback
-at ...SystemCertificates\Root - up one level
If there are Certificates, check that you did the Root Export above
right click Root, then Delete - this will rebuild automatically later
End & Send Feedback
-start CryptSvc from task manager> Services - this rebuilds the deleted items (keys)
-restart regedit, go HKCU...ProtectedRoots,
verify ProtectedRoots [and Root] have been rebuilt
verify ProtectedRoots Permissions> Advanced: Inheritance is off &
you have Read, CryptSvc has Full Control
take a screenshot of the rebuilt Permissions Advanced
-if there were certificates initially, restore with the earlier Root export
stop CryptSvc, click on the Root export file to import;
stop CryptSvc, click on the Root export file to import;
ignore errors related to open keys or no permission
The import restarts CryptSvc, so no action needed.
Done!
-start Chrome - sites should open OK now.
If not, try restarting Windows, check the registry ProtectedRoots again
Let us know how it went: add a reply with notes and the screenshots.
Please indicate if the problem occured after your first 1803 Feature update or after a monthly cumulative Windows update.
We need the feedback. Many users have confirmed the registry fix, but we need ongoing notes to monitor patterns.The screenshots are optional and for your own use in case of problems.
==Other Things to Try
Trivial changes, occasionally mentioned, easy to do but only work sometimes.
If any of these work for you, please let us know:
- With Chrome closed, in the Application folder C:\Program Files (x86)\Google\Chrome\Applicationrename chrome.exe to chrome..exe - just add an extra dotlaunch chrome from your usual toolbar or shortcutIf the toolbar or shortcut doesn't work,
launch by clicking on chrome..exe
If Chrome starts. check
if other apps or data types that use Chrome still work
If chrome..exe doesn't work, rename it back to chrome.exe - From Chrome Settings> Advanced> System> Proxy
disable auto-detect - Set Chrome as your default browser
- Create and use an alternate Windows login account, that didn't install the Windows 1803 feature update. This generally works, but means you have to migrate to the new account. See Fulvio 7/28 below. Ask and I'll post tips on how share Windows User folders (Documents, Pictures, Downloads, etc) across the two accounts.
More aggressive cleanups or changes:
- Run a generic repair or registry cleaner
Windows All-in-one repair tool (instructions on how to use)
AVS Registry Cleaner (unconfirmed)
ccleaner wipedisk - beware removes Windows restore points! (Angelo 9/6 unconfirmed) - (Not recommended) Change the Services CryptSvc logon account to Local system
!Beware: This will break future software updates, including Windows updates, some software installs etc., but cures the immediate CryptSvc problem. Look here - 7/14 below and search for Globo comments.
==For history and details see
- main forum Chrome Crashes topic
- bug 838707
11/26/18 Reorg alternatives, add A)B)C)
12/06/18 Last update before repost here
05/20/19 Repost from my 5/21/18 instructions (with minor edits)
from the Product Forum Mike Ward 5/3/18 thread old stale Mike Ward thread:*0kMc msg: *DAAJ
]
最終編集: 2019年5月21日
2019年5月20日
To recap, after a Windows update or fresh install, on isolated machines, the registry permissions for an authentication service (CryptSvc), can cause 'Establishing secure connection' to stall when opening sites in Chrome. Manual repair instructions are available here, but are tedious. This script implements the same approach, but takes only a few clicks to run. A somewhat outdated YouTube video for running the script is here. The problems in the video have have been fixed. For details follow the instructions here (this post).
The problem began with the Windows April 2018 1803 feature update and continues through the October 1809 update. There are other generic registry repair tools that may fix this problem, but they are not transparent and are hard to verify.
See DimmV2's 9/6 post for the tweaking.com tool example.
The All-In-One utility is mentioned on the main thread here 9/8.
There are other workarounds, but they generally have downsides (see the list here, at the bottom). The attached script targets the CryptSvc problem specifically and is safe to use.
The script does need a third party admin tool, SetACL.exe, which you can download here. This is a well established tool and seems to be safe. As always, use your own judgement. Get the EXE version. The download is a .zip file, unzip, drag & drop (64bit) SetACL.exe to a work directory.
The work directory needs to be owned by you. Somewhere under Downloads or Documents is a good location.
Download the linked powerShell script file to the same work directory.
Open Windows PowerShell (as Admin, from the Start Menu)
If you haven't used PowerShell before, you will need to allow scripts with
PS> set-ExecutionPolicy Unrestricted -or-
PS> set-ExecutionPolicy -scope CurrentUser Unrestricted
(Prompts: set with Y, reply R when run)
When finished restore the protected policy with
PS> set-ExecutionPolicy Undefined
To view the policy settings use
PS> get-ExecutionPolicy -list
Change to your directory with
PS> cd YourDirectoryPath
You need to run the script from the same directory where SetACL.exe is located.
The directory is also used for logs and registry snapshots.
Close Chrome, then invoke the script with
PS> .\CryptSvcAdminSetAclFix.ps1
from the PowerShell admin console.
It will display a page of progress info, which is logged as
CryptSvcAdminSetAclFix.ps1.log in the work directory
Done. Restore your policy settings with [safer, but optional]
PS> set-ExecutionPolicy Undefined
An example log file is linked below, so you can preview what the script does.
If you have problems, provide the session log (...ps1.log) and the ProtRoots.log.
The log files may contain some minimally private information (machine and account names).
Feel free to sanitize the logs first.
Let me know how it goes..
Later, Larry
Files:
[Updated 10/27/18 with better script and log, slight update to instructions.
Look here for latest details and (AD) limitations.
Look here for latest details and (AD) limitations.
Replaced ProtRootsFix-SetACL.ps1 with CryptSvcAdminSetAclFix.ps1
10/29/18 for Windows users without admin privileges
11/03/18: Usage refs folder dir, log rev ID, no functional changes
11/12/18: dir owner: BA uses HKCU, rename xmpl log file, reorg instructions
11/18/18: hide cert import nativeCommandErrors which can be ignored
12/09/18: add -or- set ExecutionPolicy -scope CurrentUser Unrestricted
01/01/19: add close Chrome before run script ]
最終編集: 2019年5月20日