How to clear the CryptNet cache in Windows 7

OK, so this is going to be geeky and I wouldn’t normally post stuff like this to my Facebook page but for various reasons I can’t post to my blog right now and I want to capture this somewhere.

So in Windows there are several services related to cryptography, certificates and smart cards; services can perform actions for the user and the system in the background, which lets application developers do things in a least-privileged way.

One of the core services in these scenarios is the “Cryptographic Services” service (CryptSvc); among other things it performs the wire retrievals for CryptoAPI.

Specifically, it is the worker for CryptRetrieveObjectByUrl, which Windows and other applications use to gather the evidence needed to validate certificates: intermediate certificates, CRLs, OCSP responses and the file commonly referred to as the Windows Certificate Trust List.

This API (at least in Windows 7) keeps an on-disk cache of the objects it has downloaded. The cache lives under the profile of the account doing the retrieval: objects fetched on behalf of services land under the service and system profiles listed below, while those fetched by an interactive process land in that user’s own profile.

The files are kept in a hidden system folder called CryptnetUrlCache, with a Content and a MetaData subfolder. If you want to test a scenario without relying on the cache you have to flush it. The easiest way to do that is to open an administrative command prompt and run the following for each cache location:

cd %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache
attrib -s -h .\Content\*.*
del .\Content\*.*
attrib -s -h .\MetaData\*.*
del .\MetaData\*.*

cd %WINDIR%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache
attrib -s -h .\Content\*.*
del .\Content\*.*
attrib -s -h .\MetaData\*.*
del .\MetaData\*.*

cd %WINDIR%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
attrib -s -h .\Content\*.*
del .\Content\*.*
attrib -s -h .\MetaData\*.*
del .\MetaData\*.*

cd %WINDIR%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
attrib -s -h .\Content\*.*
del .\Content\*.*
attrib -s -h .\MetaData\*.*
del .\MetaData\*.*


Alternatively you can call this command:

certutil -URLcache * delete

Note that certutil operates on the cache of the account it is running as; from an elevated prompt that is the administrator’s own per-user cache, so afterwards check that the service-profile directories above are actually empty and fall back to the manual deletes if they are not.


No reboot is necessary. The next time a component calls CryptRetrieveObjectByUrl it will not be able to satisfy the request from the cached data and will be forced to go on the wire.
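The same clearing procedure as a PowerShell function, added here as an example and not part of the original post. It walks the four cache locations listed above plus the calling user’s own cache (an assumed location under the user profile that the post does not mention), strips the attributes the way the attrib step does, and deletes the Content and MetaData entries. It is written for the PowerShell 2.0 that ships with Windows 7, so it avoids the newer -File switch on Get-ChildItem.

```powershell
# Added example, not from the original post. Clears the CryptnetUrlCache
# directories the post lists (plus the calling user's own cache, an assumed
# location) from an elevated PowerShell prompt. PowerShell 2.0 compatible.

function Get-CryptnetUrlCachePath {
    $tail  = 'AppData\LocalLow\Microsoft\CryptnetUrlCache'
    $roots = @(
        "$env:windir\ServiceProfiles\LocalService",
        "$env:windir\ServiceProfiles\NetworkService",
        "$env:windir\System32\config\systemprofile",
        "$env:windir\SysWOW64\config\systemprofile",
        $env:USERPROFILE   # per-user cache; assumed location, not listed in the post
    )
    foreach ($root in $roots) {
        $path = Join-Path $root $tail
        if (Test-Path -LiteralPath $path) { $path }
    }
}

function Clear-CryptnetUrlCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Path = @(Get-CryptnetUrlCachePath)
    )
    # The service-profile directories are only writable when elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    $removed = 0
    foreach ($cache in $Path) {
        foreach ($sub in 'Content', 'MetaData') {
            $dir = Join-Path $cache $sub
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            # -Force is required to see the hidden/system entries at all.
            $files = Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer }
            foreach ($file in $files) {
                if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete cache entry')) {
                    # Same effect as the post's "attrib -s": strip the system, hidden
                    # and read-only bits so the delete is not refused.
                    $file.Attributes = [IO.FileAttributes]::Normal
                    Remove-Item -LiteralPath $file.FullName -Force
                    $removed++
                }
            }
        }
    }
    Write-Verbose "Removed $removed cache entries"
    $removed   # returned so a calling script can check the result
}
```

Run `Clear-CryptnetUrlCache -WhatIf` first to see exactly which files would go, then `Clear-CryptnetUrlCache -Verbose` to do it; pass `-Path` to limit the sweep to one profile.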

One of the functions the service offers is the automatic update of the root store; a way to validate that the cache is not being used is to:

  1. Remove all “Third-Party Root Certification Authorities” from the Computer account’s store using the Certificates management console.
  2. Clear the cache as described above.
  3. Visit https://www.godaddy.com in IE.
  4. Open Event Viewer and select the Application log.
  5. Sort on “Event ID” and find the 4097 entries.

Every time a root is added a new event log entry is created, so you will see an entry that says “Successful auto update of third-party root certificate” in the event log, and you will also see a few new files in the directories you previously cleared.

This all tells you that new wire retrieval took place and that the cache was not used.
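The two checks in that procedure, the 4097 event and the reappearing cache files, as a PowerShell function added here as an example (not part of the original post). Take a timestamp before clearing the cache, do the browsing step in IE, then call the function with that timestamp; it returns the matching event count, the cache files written since, and a single yes/no. The event message filter is an assumption based on the text quoted above; the default directories are the four the post lists. Written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original post. Run it after clearing the cache and
# visiting an HTTPS site in IE: it reports the Application-log event 4097 entries
# ("Successful auto update of third-party root certificate") and the cache files
# written since the test began, which together show that a fresh wire retrieval
# took place. PowerShell 2.0 compatible.

function Test-CryptnetCacheBypass {
    [CmdletBinding()]
    param(
        # Timestamp taken right before the cache was cleared.
        [Parameter(Mandatory = $true)][datetime]$Since,
        # Cache directories to inspect; the defaults are the four the post lists.
        [string[]]$CachePath = @(
            "$env:windir\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache",
            "$env:windir\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache",
            "$env:windir\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache",
            "$env:windir\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache"
        )
    )

    # Event ID 4097 in the Application log, as the post says; the message match
    # (assumed wording, taken from the post) keeps only the root auto-update entries.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4097; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*auto update of third-party root certificate*' })

    # Anything written into Content or MetaData after $Since came from a new retrieval.
    $newFiles = @(foreach ($cache in $CachePath) {
        foreach ($sub in 'Content', 'MetaData') {
            $dir = Join-Path $cache $sub
            if (Test-Path -LiteralPath $dir) {
                Get-ChildItem -LiteralPath $dir -Force |
                    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since }
            }
        }
    })

    New-Object PSObject -Property @{
        RootUpdateEvents = $events.Count
        NewCacheFiles    = $newFiles.Count
        WentOnTheWire    = ($events.Count -gt 0 -or $newFiles.Count -gt 0)
        Files            = @($newFiles | ForEach-Object { $_.FullName })
    }
}
```

Typical use from an elevated prompt (the service-profile directories are not readable otherwise): `$t0 = Get-Date`, clear the cache, browse to the site in IE, then `Test-CryptnetCacheBypass -Since $t0`. A result with `WentOnTheWire` false after the browse means the retrieval was satisfied some other way and the test setup needs checking.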

You can of course also use tools like RegMon/FileMon (or their successor, Process Monitor) and a network monitor to infer much of the same.

 

Hope this helps someone someday,

Ryan

8 thoughts on “How to clear the CryptNet cache in Windows 7”

  1. Dan

    Thanks for your detailed info!

    I was able to delete all files in subfolders Content & Metadata directly, too, after changing all file attributes to standard (non-system, non-hidden, non-archived, non-indexed, uncompressed, no write protection – there are numerous little tools out there to do this).

    Win7, standard administrator rights (afaik).

  2. Chris

    There is more… C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
    C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache

    Safe to delete?

  3. Joe

    Had an issue where Outlook would hang every time an S/MIME signed message was read. Used the certutil command to clear the cache and BAM! Fixed. Thanks for this post.

  4. John Lawrence

    A related question: why are there two identical sets of files generated when one should suffice? (Content = MetaData)

    I have an old Win98 program called Window Washer by Webroot Software, and when I add all the temp files and CryptNetUrlCache files to the cleaning list, all these files are stripped out at Windows start and Windows close (part of Washer’s cleaning options). Although it is DOS based, it works fine on all Windows versions, including Windows 10 Anniversary. See if you can find it on one of the abandonware sites. I’ve been using version 4.7 successfully since I purchased it some 30 years ago. It strips files without changing their attributes; just remember to change Folder Options/View to “show all hidden folders, files, and disks” so Washer can find your AppData folder.

    1. rmhrisk Post author

      They are not identical sets, there is data scoped to the user and data scoped to the machine. I do not recommend using “cleaners” such as Window Washer; my experience has been these classes of tools often do more harm than good.

