
[SDP 3][9c2a0a48-ce0c-4e14-a6d7-00cd2f16121f] Public Key Infrastructure (PKI) Diagnostic

Summary

The "Public Key Infrastructure (PKI) Diagnostic" support diagnostic package was designed to collect information interactively to help troubleshoot Active Directory Certificate Services (ADCS) and PKI-related issues.

If you are working together with Microsoft Product Support Services, you should receive instructions about which selections to make during the manifest execution.

The manifest offers two execution modes: Basic and Advanced.

PKIDiag Data Collection

In Basic mode, the manifest collects logs and tool output that already exist on the computer. When you select this mode, the manifest runs and offers to upload or save the resulting file.

In Advanced mode, you can gather data about a problem reproduction attempt, and the manifest prompts you for the kinds of logs and traces to collect.

Advanced Data Collection Options

The items have the following meaning:

  • Network capture, …: Gathers interface trace data for the named components during the problem reproduction attempt; the capture contains data that is exchanged with other computers in the environment.
  • Schannel Logging: Logs the activity of the SSL/TLS component (Schannel) on the computer during the problem reproduction.
  • CAPI2 Logging: Logs the activity of the certificate client component (CAPI2) during the problem reproduction.
  • SmartCard Logging: Logs the activity of the Smart Card service.
  • ADCS information: If checked, the manifest gathers information about the certification authority (CA) configuration on the computer.
  • NDES Information: The Network Device Enrollment Service (NDES) is a standard through which a client enrolls for certificates on behalf of network devices such as routers or switches. If you want to collect information for such a scenario, check this box.
  • OCSP Information: The Online Certificate Status Protocol (OCSP) helps verify that certificates are valid while avoiding delays and large amounts of network traffic. If you suspect problems verifying certificates, check this box.
  • CertUtil General Information: Runs various CertUtil commands to gather information about the PKI-related configuration of the computer.

After you click Next, the manifest asks you to prepare for the problem reproduction phase of the manifest execution.

Begin Logging Dialogue

When you click Next, begin the problem reproduction. The manifest waits until you select the radio button at the top of the dialog box and then click Next to stop the data gathering.

Logging Underway/Stop Logging Selection

When the problem reproduction data collection is finished, the diagnostic automatically continues, and the manifest collects the static data of the system.

The logs should also contain events that were logged during the reproduction attempt. After this data is collected, you can start the upload.

More Information

This article describes the information that may be collected from a machine when you run the Directory Services PKI Interactive – Windows troubleshooter.

Information Collected

Event Logs (System and Application)
Description                                     File Name
Event Logs (System and Application)             {Computername}_evt_Application.csv
                                                {Computername}_evt_Application.evtx
                                                {Computername}_evt_Application.txt
                                                {Computername}_evt_System.csv
                                                {Computername}_evt_System.evtx
                                                {Computername}_evt_System.txt

Event Logs (CAPI2)
Description                                     File Name
Event Logs (CAPI2)                              {Computername}_evt_CAPI2-Operational_evt_.csv
                                                {Computername}_evt_CAPI2-Operational_evt_.evtx
                                                {Computername}_evt_CAPI2-Operational_evt_.txt

WinHTTP
Description                                     File Name
WinHTTP registry output                         {Computername}_WinHTTP_reg_output.txt
WinHTTP proxy settings                          {Computername}_WinHTTP_netsh_proxy-settings.txt

ADCS
Description                                     File Name
CertUtil commands and Registry output for ADCS  {Computername}_ADCS_CertUtil_CA.txt
                                                {Computername}_ADCS_CertUtil_CAExitRegistry.txt
                                                {Computername}_ADCS_CertUtil_CAPolicyRegistry.txt
                                                {Computername}_ADCS_CertUtil_CATemplates.txt
                                                {Computername}_ADCS_CertUtil_DBLocations.txt
                                                {Computername}_ADCS_CertUtil_DCInfo.txt
                                                {Computername}_ADCS_CertUtil_DSCerts.txt
                                                {Computername}_ADCS_CertUtil_DSCRLs.txt
                                                {Computername}_ADCS_CertUtil_DSTemplates.txt
                                                {Computername}_ADCS_CertUtil_PublishedCAs.txt
                                                {Computername}_ADCS_CertUtil_TCAInfo.txt
                                                {Computername}_ADCS_CertUtil_verifyntauth.txt
                                                {Computername}_ADCS_CertUtil_verifyroot.txt
                                                {Computername}_ADCS_reg_.txt
                                                {Computername}_ADCS_DCOM_reg_.txt

Certificates
Description                                     File Name
General Certificate information                 {Computername}_Certificates-machinestore.txt
                                                {Computername}_Certificates-userstore.txt
                                                {Computername}_Certificates_reg_.txt
Information about recently expired or
soon-to-expire certificates                     ResultReport.xml

CertUtil General Information
Description                                     File Name
CertUtil General Information                    {Computername}_CertUtil_CSPList.txt
                                                {Computername}_CertUtil_dynamicfilelist.txt
                                                {Computername}_CertUtil_KeyContainerList.txt
                                                {Computername}_CertUtil_URLCache.txt
                                                {Computername}_CertUtil_UserKeyContainerList.txt
                                                {Computername}_CertUtil_verifykeys.txt
                                                {Computername}_CertUtil_view.txt
                                                {Computername}_CertUtil_viewAttrib.txt
                                                {Computername}_CertUtil_viewCRL.txt
                                                {Computername}_CertUtil_viewExt.txt
                                                {Computername}_CertUtil_viewLog.txt
                                                {Computername}_CertUtil_viewLogFail.txt
                                                {Computername}_CertUtil_viewQ.txt
                                                {Computername}_CertUtil_viewRev.txt

Cryptography
Description                                     File Name
Cryptography registry key output                {Computername}_Cryptography_reg_.txt

Resultant Set of Policy (RSoP)
Description                                     File Name
Resultant Set of Policy (RSoP)                  {Computername}_GPResult.htm
                                                {Computername}_GPResult.txt

Active Directory Information
Description                                     File Name
User Logon Information (user identity, user
status, logon authentication method, domain
controller and global catalog used, and logon
computer details)                               {Computername}_UserLogonInfo.txt and in ResultReport.xml

DHCP Client Information
Description                                     File Name
DHCP Client Registry Key                        {Computername}_DhcpClient_reg_.TXT

IPSec Information
Description                                     File Name
IPsec Powershell Cmdlets                        {Computername}_IPsec_info_pscmdlets.TXT
IPsec Registry keys                             {Computername}_IPsec_reg_.TXT
IPsec netsh dynamic show all                    {Computername}_IPsec_netsh_dynamic.TXT
IPsec netsh static show all                     {Computername}_IPsec_netsh_static.TXT
IPsec Local Policy Export (.ipsec)              {Computername}_netsh_LocalPolicyExport.ipsec

DNS Client Information
Description                                     File Name
DnsClient Registry Keys                         {Computername}_DnsClient_reg_.TXT
Ipconfig /displaydns                            {Computername}_DnsClient_ipconfig-displaydns.TXT
DNS Client - HOSTS file                         {Computername}_DnsClient_HostsFile.TXT
DNS Client Powershell Cmdlets                   {Computername}_DnsClient_info_pscmdlets.TXT
DNS Client netsh show state (for DirectAccess)  {Computername}_DnsClient_netsh_dnsclient-show-state.TXT

Firewall Information
Description                                     File Name
Firewall PowerShell Cmdlets                     {Computername}_Firewall_info_pscmdlets.txt
Firewall Registry Keys                          {Computername}_Firewall_reg.txt
NETSH Advanced Firewall                         {Computername}_netsh_advFirewall.txt
NETSH Advanced Firewall Export                  {Computername}_netsh_advFirewall-export.wfw
NETSH Advanced Firewall Rules ConSec            {Computername}_netsh_advFirewall-consec-rules.txt
NETSH Advanced Firewall Rules ConSec Active     {Computername}_netsh_advFirewall-consec-rules-active.txt
NETSH Advanced Firewall Rules                   {Computername}_netsh_advFirewall-firewall-rules.txt
NETSH Advanced Firewall Rules Active            {Computername}_netsh_advFirewall-firewall-rules-active.txt
NETSH WFP Show Events                           {Computername}_netsh_wfp_show_netevents.xml
NETSH WFP Show BootTimePolicy                   {Computername}_netsh_wfp_show.boottimepolicy.xml
NETSH WFP Show Filters                          {Computername}_netsh_wfp-show-filters.xml
NETSH WFP Show Options OptionsForNetEvents      {Computername}_netsh_wfp-show-options-optionsfornetevents.txt
NETSH WFP Show Options OptionsForKeyWords       {Computername}_netsh_wfp-show-options-optionsforkeywords.txt
NETSH WFP Show Security Net Events              {Computername}_netsh_wfp-show-security-netevents.txt
NETSH WFP Show State                            {Computername}_netsh_wfp-show-state.xml
NETSH WFP Show Sysports                         {Computername}_netsh_wfp-show-sysports.xml
Microsoft-Windows-Windows Firewall With
Advanced Security/Firewall                      {Computername}_evt_WindowsFirewallWithAdvancedSecurity-Firewall_evt_.*

TCP Information
Description                                     File Name
TCPIP Info                                      {Computername}_TCPIP_info.TXT
TCPIP registry output                           {Computername}_TCPIP_reg_output.TXT
TCP OFFLOAD                                     {Computername}_TCPIP_OFFLOAD.TXT
TCPIP Services File                             {Computername}_TCPIP_ServicesFile.TXT
TCPIP Net Powershell Cmdlets                    {Computername}_TCPIP_info_pscmdlets_net.TXT
TCPIP IPv6 Transition Technology Info           {Computername}_TCPIP_info_pscmdlets_IPv6Transition.TXT
TCPIP netsh output                              {Computername}_TCPIP_netsh_info.TXT
Microsoft-Windows-Iphlpsvc/Operational          {Computername}_evt_Iphlpsvc-Operational_evt_.*

RPC Information
Description                                     File Name
RPC netsh output                                {Computername}_RPC_netsh_output.TXT
RPC registry output                             {Computername}_RPC_reg_output.TXT

SMB Information
Description                                     File Name
SMB Client registry output                      {Computername}_SmbClient_reg_output.TXT
SMB Client Information from Net.exe             {Computername}_SmbClient_info.TXT
SMB Server registry output                      {Computername}_SmbServer_reg_output.TXT
SMB Server Information from tools like net.exe  {Computername}_SmbServer_info.txt

Internet Explorer
Description                                     File Name
Internet Explorer registry information          {Computername}_InternetExplorer_reg_output.txt

NDES
Description                                     File Name
NDES output (Appcmd and Certutil)               {Computername}_NDES_appcmd-list-config.txt
                                                {Computername}_NDES_CertUtil_computerTemplateCache.txt
                                                {Computername}_NDES_CertUtil_userAllowedTemplates.txt
                                                {Computername}_NDES_CertUtil_userTemplateCache.txt

OCSP
Description                                     File Name
OCSP Certutil output                            {Computername}_OCSP_CertUtil_computerMyStore.txt
                                                {Computername}_OCSP_CertUtil_dump.txt
                                                {Computername}_OCSP_CertUtil_userMyStore.txt

SmartCard
Description                                     File Name
SmartCard (Certutil)                            {Computername}_SmartCard_CertUtil_CSPTest.txt
                                                {Computername}_SmartCard_CertUtil_SCinfo.txt

Software Publishing
Description                                     File Name
Software Publishing                             {Computername}_SoftwarePublishing_reg_.txt

Information Collected for the Advanced Version (all sections above plus the following)

ETL Tracing (Network Capture, WinHTTP and WebIO)
Description                                     File Name
Netsh Trace: ETL (Network Capture, WinHTTP
and WebIO ETL logging)                          netshtrace-winhttp-webio.etl
Netsh Trace: CAB                                netshtrace-winhttp-webio.cab

ETL Logging (SChannel)
Description                                     File Name
SChannel ETL Logging                            {Computername}_SChannel_schannel.etl

ETL Logging (SmartCard)
Description                                     File Name
SmartCard ETL logging                           {Computername}_SmartCard_basecsp.etl
                                                {Computername}_SmartCard_certprop.etl
                                                {Computername}_SmartCard_winsc.etl
                                                {Computername}_SmartCard_scardsvr.etl
                                                {Computername}_SmartCard_credprov.etl
                                                {Computername}_SmartCard_msclmd.etl

In addition to the files collected and listed previously, this diagnostic can detect one or more of the following situations:
  • Problem detection for certificates that will expire soon or that have expired within the past seven days.
  • Problem detection for identifying certificates that have weak keys (RSA keys shorter than 1024 bits).
  • Problem detection: Cryptographic Cipher Configuration Detection, which detects whether cipher suite use has been configured explicitly on the computer or through Group Policy.
  • Problem detection for identifying problems with certificates that are signed with encryption types that are not supported for use with TLS 1.2.
  • Problem detection for certificates that fail chain validation. All certificates in the User and Computer personal stores (also known as the "My" store) are checked. Certificates that fail are reported in ResultReport.xml. All certificate results (success or failure) are reported in a text file.
  • Problem detection for domain user token sizing problems that can affect all domain-based authorization scenarios.
  • Problem detection to see whether the local domain secure channel has problems (domain members only).
  • Problem detection to see whether the secure channels to trusted domains are having problems.
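As an added example, not part of this article or of the PKIDiag package itself, the following Windows PowerShell script re-implements three of the detections listed above (expiry within seven days, RSA keys shorter than 1024 bits, and chain validation) against the local User and Computer personal stores. It assumes an elevated Windows PowerShell 5.1 session with .NET Framework 4.6 or later (needed for GetRSAPublicKey); the parameter names and the Add-Finding helper are this example's own.

```powershell
# Added example (not from the KB article or the PKIDiag manifest): re-implements three of the
# PKIDiag detections against the local "My" stores. Run elevated so LocalMachine\My is readable.
param(
    [int]$ExpiryWindowDays = 7,      # the article's "within seven days" window
    [int]$MinRsaBits       = 1024    # RSA keys below this length are reported as weak
)

$now      = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

# Helper (this example's own): record one finding for one certificate.
function Add-Finding($Cert, $Check, $Detail) {
    $findings.Add([pscustomobject]@{
        Store      = $Cert.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\My
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Check      = $Check
        Detail     = $Detail
    })
}

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My) {
    # 1. Expiry: expiring within the window, or already expired within the same window.
    $daysLeft = ($cert.NotAfter - $now).TotalDays
    if ($daysLeft -le $ExpiryWindowDays -and $daysLeft -ge -$ExpiryWindowDays) {
        Add-Finding $cert 'Expiry' ("NotAfter {0:u} ({1:N1} days)" -f $cert.NotAfter, $daysLeft)
    }

    # 2. Weak RSA key. GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates,
    #    so those are skipped rather than mis-reported.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
        Add-Finding $cert 'WeakKey' ("RSA {0} bits" -f $rsa.KeySize)
    }

    # 3. Chain validation with online revocation checking, as CAPI2 performs it for clients.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Add-Finding $cert 'ChainFailure' $status
    }
    $chain.Reset()
}

# One row per finding; an empty table means none of the three checks fired.
$findings | Sort-Object Check, Store | Format-Table -AutoSize
```

Chain failures are reported by X509ChainStatusFlags name (for example NotTimeValid, UntrustedRoot, RevocationStatusUnknown), which maps directly onto the CAPI2 events the manifest collects during a reproduction.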

References

For more information about the Microsoft Support Diagnostic Tool, click the following article number to go to the article in the Microsoft Knowledge Base:
973559 Frequently asked questions about the Microsoft Support Diagnostic Tool (MSDT) when it is used with Windows 7 or Windows Server 2008 R2

Keywords: kb

Article Info
Article ID : 2642485
Revision : 1
Created on : 1/7/2017
Published on : 4/2/2014
Exists online : False
Views : 355