Smart Card Tools and debugging

CertUtil is a tool available on Windows Vista and Windows 2003 Server Admin Pack

CertUtil (tool available on Vista and W2K3 Admin pack)

Listing Certificates available on the card:

Command to list Certificates available on the Smart Card: certutil –scinfo

Entering PIN is not required for this operation.  Hitting Escape at each PIN dialog will work as the objective is to read the public certificates on the card.


Deleting Certificates on the card:

To delete a certificate on the card, you are actually deleting a container corresponding to that certificate.  Each certificate is enclosed in a container.  The following command is used to delete container:

Certutil –delkey –csp “Microsoft Base Smart Card Crypto Provider”  “38f813f2-ec3b-4e96-ba19-38b830923be9”


Kerberos debugging and trace

The Kerberos Authentication in Windows portal ( is a good place to start. There are two troubleshooting docs:

Smart Card Service (SCardSvr.exe – XP and SVCHost - Vista)

To restart “SCardSvr” services, the following commands from a Windows Command window will help.

C:\> net stop SCardSvr

C:\> net start SCardSvr


To findout if Smart Card Service is running (Note: the state field tells if the service is running or stopped):

C:\>sc queryex scardsvr

SERVICE_NAME: scardsvr
WIN32_EXIT_CODE : 0 (0x0)
PID : 1320


CAPI2 Diagnostics

CAPI2 Diagnostics is a feature in Microsoft® Windows® Vista and Microsoft® Windows® Server code name “Longhorn” which helps administrators with troubleshooting PKI problems. CAPI2 Diagnostics logs events in the Windows Event Log containing detailed information about certificate chain validation, certificate store operations and signature verification. This makes it easier to identify the root cause of problems and reduces the time required for diagnosis.

For more information on CAPI2 Diagnostics, refer to this whitepaper on "Trouble Shooting PKI problems on Windows Vista"

Comments (9)
  1. yoavmorag says:

    hi expert 🙂

    I am trying to create a mini-driver for a virtual smart card (with the purpose of later on writing a real one). I implemented most of the cardmod.h stuff and added the card to registry and created a manifest which resides along with the dll in windowssystem32 (this is a vista machine). still the certutil can’t find any smart card readers… any ideas what am I doing wrong ?

    thanks –


  2. shivaram says:

    To locate Readers, you need to write a Smart Card reader Driver API (winscard.h)

  3. arm says:

    hello all!

    I’m developing a new card module for a smart card and I wonder if somebody could be so kind of telling me the different calls of functions that are invoked in the following scenarios:

    – enrollment

    – signature creation

    – asymmetric decryption

    This information can be found in "the Smart Card Service Provider Cookbook" for the old architecture (xp and w2000) ( Is there in anywhere some similar cookbook for the new architecture?

  4. I bought IDVault.  I have the smart card service running (verified using your instructions) however when I try to insert the ID Vault it tells me the smart card service is not running.  Any idea how to debug this?

  5. Alex says:

    Hi all,

    I was running a diagnostic on my laptop running Vista.  It said that the Smart Card Resource Manager had been abnormally stopped, i tried running the command:

    net start SCardSvr and got the error System error 5 has occurred Access is denied.

    Any have any clues?



  6. Ian Fleming says:

    I’m using our smartcards now with Cisco SSL VPN and going to have our users just authenticate with username credentials but we’d like to block smartcards so that they can ONLY be used with VPN and not authenticate to Active Directory if they try to use the smart card to login to their machine…any ideas?

    Thanks a million.


  7. fgf says:

    to restart the smart card service tried the above mentioned commands but its not working…. pls help

  8. chrislsh says:

    I have developed a new logon module, call by Microsoft WinLogon, which will verify the finger print data stored in smart card with live sample captured from finger print scanner.  If verification is OK, then using userid and password stored in smart card to logon to the domain.

    I want to know the default Microsoft smart card service allow me to do the verification first before reading the userid and password from smart card.

    Can anyone out there help me?



Comments are closed.

Skip to main content