How to Configure and Collect Schannel and CAPI2 Logs

  • Thread starter Thread starter HridayDutta
  • Start date Start date
H

HridayDutta

Introduction​


CAPI2 log is a diagnostic log in Windows that tracks cryptographic operations. It track events related to certificate validation, key exchange. It also record how Windows and applications use cryptographic algorithms for securing data. This is crucial for diagnosing issues with SSL/TLS, digital signatures, and other encryption-related processes. CAPI2 logs are particularly useful for diagnose security-related problems in Windows systems. When troubleshooting issues related to cryptographic operations in Windows, it may be necessary to enable and collect logs for both Schannel and CAPI2. This article will help you to configure and collect these logs for diagnostic purposes.



Schannel Logging

Before enabling CAPI2 logs, you need to configure Schannel logging. Schannel is responsible for handling encryption and certificate-based authentication on Windows systems. Follow the below steps to enable Schannel logging:



  • Open Registry Editor.
  • Go to Run type regedit, and then click OK.
  • Take a backup of your registry. Go to File -> Export and choose a location and backup name and click Save. Refer the warning section before making any changes in registry.
  • Locate the following key in the registry -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL​

HridayDutta_0-1726906281215.png

  • Right-click and select Modify the EventLogging key.
  • Update the value to 0x0003

    Value Name: EventLogging

    Data Type: REG_DWORD

    Value: 3

  • Click OK and close the Registry Editor.
  • You need to reboot the system to logging take effect.
  • To disable the Schannel log update EventLogging value to 0x00000.

Warning

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.



CAPI2 Log

To enable CAPI2 logs follow the below steps -



  • Open Event Viewer (press Win + R, type eventvwr, and press Enter).
  • Navigate to Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  • Now right-click and Clear Log to delete all existing logs (if any).

HridayDutta_1-1726906891204.png



  • To enable the logs right-click again and select Enable Log.
  • Reproduce the issue.
  • To disable the CAPI2 logs right- click and select Disable Log.

Conclusion


By following these steps, you can configure and collect both Schannel and CAPI2 logs for cryptographic troubleshooting. Remember to disable Schannel and CAPI2 logging after the issue is resolved to avoid unnecessary log generation in the future. This log will be helpful to diagnose and troubleshoot SSL, TLS and other cryptographic related issues. If you want us to do that, please contact us with a case and we will do it for you.

Continue reading...
 
Back
Top