Recently somebody requested me help with the following error: CryptAcquireContext failed, Last Error: 2148073487, which is in hex: 0x8009000F.

The error code is documented in MSDN as follows:

  • 0x8009000FL: The key container already exists.
    After trying a new flag the following error was raised.
  • 0x80090016L: The key container could not be opened. A common cause of this error is that the key container does not exist. This error code can also indicate that access to an existing key container is denied.

 

The second error gives us some clues related with permissions, the problem is that some APIs they hide the underlying resource that they’re trying to access. After some researching, I found out that applications using encryption access the files under the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

 

So I went happily to provide full access to the user account in those files to try again but I got the same error. Thankfully, for Windows environments we have a great tool called Process Monitor. Process Monitor can listen for all the system calls performed by a program. So I started capturing events generated by my application and then filtered by result ACCESS_DENIED or NAME_NOT_FOUND as seen in the (sanitized) image below.

process_monitor.png

After doing that I confirmed that the file failing to open was C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\FILE_GUID and similarly the existing file blocking the creation of a new one was C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\FILE_GUID. From there you can grant permissions to the required user account or delete the second file.

I hope this helps,

Javier Andrés Cáceres Alvis

Microsoft Most Valuable Professional – MVP

Intel Black Belt Software Developer