Key Containers: Basics

Hi, welcome back,

Let’s talk today a bit about Key Containers in CryptoAPI.

Key containers can be created in the user’s profile or the machine’s. User-level key containers can only be used by the user in whose profile they were created, while machine-level key containers can be used by anyone with access to them. Keys are usually stored in files, so NTFS permissions can be used to restrict which users can access them. Read this article for more info: Understanding Machine-Level and User-Level RSA Key Containers.

Key containers can be found here by default:

+ User containers:

– Vista:


– Previous Windows:

C:\Documents and Settings\<user_name>\Application Data\Microsoft\Crypto\RSA

+ Machine containers:

– Vista:

C:\Users\All Users\Application Data\Microsoft\Crypto\RSA

– Previous Windows:

C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA


The following tool can be used to create containers, export/import keys, modify permissions on them, etc.: ASP.NET IIS Registration Tool (Aspnet_regiis.exe).

We could also use Process Monitor to monitor which key containers (files) our app uses to store our keys. We can also use Notepad.exe (or any other text editor) to open those files in Microsoft\Crypto\RSA to see the name of the key container: the first clear text string in that file is the container name.
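The Notepad check described above can be scripted across a whole container directory, which also shows which key files the current account cannot read. This Python script is an added example, not code from the original post; the function names, the 4-character minimum and the 4096-byte read limit are assumptions, and the "first printable run" heuristic follows the post's description rather than a documented file layout.

```python
import os
import re
import sys

# Assumption: a run of at least MIN_LEN printable ASCII bytes is "clear text".
MIN_LEN = 4
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def first_cleartext_string(data):
    """Return the first printable-ASCII run in data, or None if there is none."""
    match = _PRINTABLE_RUN.search(data)
    return match.group().decode("ascii") if match else None


def inventory(root, head_bytes=4096):
    """Walk root and return (path, container_name, status) for every key file.

    status is "ok", "no-name" (no clear-text run in the first head_bytes),
    "denied" (this account lacks NTFS read permission) or "error".
    """
    rows = []

    def unreadable_dir(exc):
        # os.walk skips directories it cannot list; record them instead.
        rows.append((exc.filename, None, "denied"))

    for folder, _dirs, files in os.walk(root, onerror=unreadable_dir):
        for name in sorted(files):
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:
                    head = handle.read(head_bytes)
            except OSError as exc:
                status = "denied" if isinstance(exc, PermissionError) else "error"
                rows.append((path, None, status))
                continue
            found = first_cleartext_string(head)
            rows.append((path, found, "ok" if found else "no-name"))
    return rows


if __name__ == "__main__":
    # Pass one of the Crypto\RSA directories listed above as the argument.
    for path, container, status in inventory(sys.argv[1]):
        print(f"{status:8} {container or '-':40} {path}")
```

Run it under the same account as the application: a "denied" row for the container the app needs points to a permissions problem on that key file.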

If we use certificates instead, we can use the following tool to manipulate the permissions on the keys associated with the certs: WinHttpCertCfg.exe, a Certificate Configuration Tool.


I hope this helps.



Alex (Alejandro Campos Magencio)


PS: This info may be useful if we are facing an issue like this: RSACryptoServiceProvider fails when used with ASP.NET. Process Monitor may help us detect which file (key container) we are trying to access, whether we find it or not (is the user’s profile loaded?), and whether we get access denied when trying to access it (does the user have permissions to use those keys?).

Comments (7)

  1. KAI says:

    Thank u for replying so quick!

    And appreciate ur effort, but my host is in a shared environment with a 3rd party hosting company. And I found a post that totally made me give up this idea.

    So Alex hope u can solve this problem out. ^_^

  2. KAI says:

    Sorry, I forgot to attach that post’s link >_<

  3. CB says:

    I’ve run into a rather interesting problem with these key containers on Vista.

    Because these containers are kept in C:\Users\<user_name>\AppData\Roaming, any attempts to write to this directory while in IE Protected Mode will fail.

    So, if you have a plug-in/control that uses CAPI to do key operations, you could be in trouble.  It would seem that if you attempt to encrypt data and the key container does not exist, it simply cannot be created.  Thus, the operation will fail.

    I wonder if there is any specific reason that this directory can not be virtualized (or at least have an equivalent in C:\Users\<user_name>\AppData\LocalLow) for applications running under IE Protected Mode.

  4. alejacma says:

    As far as I know, persisted key containers can’t be created in protected mode.

    Volatile containers should still work, though.

  5. CB says:

    Right, and that’s exactly the problem, persisted key containers can’t be created in protected mode.

    For instance, I’ve got a smart card containing certs and associated private keys.  I’ve also got an ActiveX control that does some cryptographic operations with those private keys.  If the private keys have never been used, the key container files do not exist.  When the control attempts to acquire a CSP context, it will fail every time in protected mode because CAPI cannot create the key files under "C:\Users\username\AppData\Roaming\*".

    As long as you somehow access the private keys on the smart card in some manner before using the control in protected mode, you’d be fine.  But if that’s the first, or only, place you use your smart (in protected mode) you’re out of luck.

    I don’t know, it just seems a little squirrely to me.

  6. Kamyar says:

    How can I use exported RSA key files, or the file itself, to encrypt/decrypt an XML using unmanaged C++ code? Can I use Windows CryptoAPI?

  7. venkat says:

    Good info