Windows Server 2008: Event ID 257 - System Catalog Database Integrity

Applies to

Windows Server 2008, Windows Server 2008 R2

Overview

The system catalog database is used with the cryptographic services provided by the operating system to ensure that the Windows system files have not been changed. This is done by comparing the digital signature of a system file to the digital signature stored in the system catalog database. If the signatures do not match, the file is replaced with a copy of the file located on this computer with the correct signature.

Event Details

 Product: Windows Operating System
 ID: 257
 Source: Microsoft-Windows-CAPI2
 Version: 6.1
 Symbolic Name: MSG_CATDB_JET_INIT_ERROR
 Message: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: %1.

Resolve

Repair the system catalog database

The system catalog database is stored in the %windir%\system32\catroot2 folder, where %windir% is the folder in which Windows was installed. If the system catalog database is corrupt, you can repair it by using the Esentutl command-line tool. The steps for using the Esentutl command-line tool are included in the "Repair the catalog database by using Esentutl" section. If Esentutl cannot repair the catalog database, you can create a new one by following the procedure in the "Create a new catroot2 folder" section or the "Create a new catroot2 folder by using the command prompt" section.

Caution: When you remove the catroot2 folder by using the "Create a new catroot2 folder" section, Windows will automatically recreate it. However, Windows will not recreate the catroot folder if it has been modified. Modifying the contents of the catroot folder can cause your computer to be unusable.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Repair the catalog database by using Esentutl

To repair the catalog database by using Esentutl:

  1. Click Start, point to All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. In the command prompt window, type net stop cryptsvc to stop Cryptographic Services, and then press ENTER.
  5. Type esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb, and then press ENTER. By default, %systemroot% is located at C:\Windows.
  6. Click OK to confirm that you should run this tool only on databases that are corrupt. If the tool reports that the database is corrupt, then you will need to empty the catroot2 folder, so that its contents can be rebuilt (as described below).
  7. Type net start cryptsvc to start Cryptographic Services, and then press ENTER.

Empty the catroot2 folder so that its content can be rebuilt

  1. From the administrative command prompt, run the following commands:

    • net stop cryptsvc
    • md %systemroot%\system32\catroot2.old
    • xcopy %systemroot%\system32\catroot2 %systemroot%\system32\catroot2.old /s

  2. Delete all contents of the catroot2 folder, but leave the catroot2 folder in place.
  3. Restart Cryptographic Services by running the following command: net start cryptsvc

Verify

You can verify the integrity of the security catalog database by using the Esentutl command-line tool.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify the integrity of the security catalog database:

  1. Click Start, point to All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. In the command prompt window, type net stop cryptsvc to stop Cryptographic Services, and then press ENTER.
  5. Type esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb, and then press ENTER. By default, %systemroot% is located at C:\Windows.
  6. If the integrity check on the security catalog database is successful, Integrity check successful will be displayed in the command prompt window.
  7. Type net start cryptsvc to start Cryptographic Services, and then press ENTER.
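
The verification steps above can also be run as a single script that always restarts Cryptographic Services, even when the check fails. This is an added example, not part of the original article or any Microsoft tool. It assumes an elevated PowerShell 2.0 or later prompt and that Event ID 257 is written to the Application log; the function name Test-CatalogDatabase and its output fields are hypothetical.

```powershell
# Added example: the "Verify" steps as one function. Run from an elevated
# PowerShell 2.0+ prompt. Test-CatalogDatabase and its output fields are
# illustrative names, not part of Windows.
function Test-CatalogDatabase {
    $catdb = Join-Path $env:SystemRoot `
        'System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb'
    if (-not (Test-Path -LiteralPath $catdb)) {
        throw "Catalog database not found: $catdb"
    }

    # Remember the service state so the function leaves it as it found it.
    $wasRunning = (Get-Service -Name CryptSvc).Status -eq 'Running'
    $output = ''
    $exitCode = $null
    try {
        if ($wasRunning) { Stop-Service -Name CryptSvc -ErrorAction Stop }
        # /g checks integrity only; the repair switch (/p) is not used here.
        $output = (& esentutl.exe /g $catdb 2>&1 | Out-String)
        $exitCode = $LASTEXITCODE
    }
    finally {
        # Restart even if the check threw, so the system is not left
        # without Cryptographic Services.
        if ($wasRunning) { Start-Service -Name CryptSvc }
    }

    # Assumption: Event ID 257 from Microsoft-Windows-CAPI2 is in the Application log.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 257
    } -MaxEvents 5 -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Database       = $catdb
        # The success string is the one the Verify procedure says to look for.
        IntegrityOk    = ($output -match 'Integrity check successful')
        EsentutlExit   = $exitCode
        RecentEvent257 = $events | ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, $_.Message }
    }
}

Test-CatalogDatabase | Format-List
```

If IntegrityOk is False, continue with the repair procedure in the "Resolve" section; the ESENT error in any listed Event 257 message is the value substituted for %1.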