How to Configure and Collect Schannel and CAPI2 Logs
Introduction
The CAPI2 log is a diagnostic log in Windows that tracks cryptographic operations. It records events related to certificate validation and key exchange, and it also records how Windows and applications use cryptographic algorithms to secure data. This is crucial for diagnosing issues with SSL/TLS, digital signatures, and other encryption-related processes, and it makes CAPI2 logs particularly useful for diagnosing security-related problems on Windows systems. When troubleshooting issues related to cryptographic operations in Windows, it may be necessary to enable and collect logs for both Schannel and CAPI2. This article will help you configure and collect these logs for diagnostic purposes.
Schannel Logging
Before enabling CAPI2 logs, you need to configure Schannel logging. Schannel is responsible for handling encryption and certificate-based authentication on Windows systems. Follow the steps below to enable Schannel logging:
Open Registry Editor.
Go to Run, type regedit, and then click OK.
Take a backup of your registry. Go to File -> Export, choose a location and backup name, and click Save. Refer to the Warning section before making any changes in the registry.
Locate the following key in the registry –
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Right-click the EventLogging value and select Modify.
Update the value to 0x0003:
Value Name: EventLogging
Data Type: REG_DWORD
Value: 3
Click OK and close the Registry Editor.
You need to reboot the system for logging to take effect.
To disable Schannel logging, update the EventLogging value to 0x00000.
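The same registry change can be scripted from an elevated PowerShell prompt. The following is an added example, not code from the article or from Microsoft: it exports the SCHANNEL key as a backup first (the equivalent of File -> Export in Registry Editor), writes the EventLogging REG_DWORD, and reads it back for verification. The backup file location is an assumption; the registry path and the values 3 and 0 are the ones given above.

```powershell
# Added example (not part of the original article): configure Schannel event
# logging from an elevated PowerShell session. Reboot afterwards, as the
# article says, for the change to take effect.
#Requires -RunAsAdministrator
param(
    # 3 = the value the article uses to enable logging; 0 disables it again.
    [ValidateSet(0, 3)]
    [int]$EventLogging = 3,
    # Assumed backup location; choose any path you can restore from later.
    [string]$BackupPath = "$env:TEMP\SCHANNEL-backup.reg"
)

$regKey   = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$psKey    = "HKLM:\$($regKey.Substring(5))"

# Step 1: back up the key before changing anything (see the Warning section).
reg.exe export $regKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry backup to $BackupPath failed; aborting before any change."
}
Write-Host "Backup written to $BackupPath"

# Step 2: create the EventLogging value if missing, or overwrite it, as REG_DWORD.
New-ItemProperty -Path $psKey -Name 'EventLogging' -PropertyType DWord `
                 -Value $EventLogging -Force | Out-Null

# Step 3: read the value back and show it in hex, the way regedit displays it.
$current = (Get-ItemProperty -Path $psKey -Name 'EventLogging').EventLogging
Write-Host ('EventLogging is now 0x{0:X8} ({0})' -f $current)

# After the reboot, Schannel writes its events to the System log under the
# provider name "Schannel"; this query lists the most recent ones.
Write-Host 'Reboot now. Afterwards, review Schannel events with:'
Write-Host "  Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'} -MaxEvents 20"
```

Run the script once with the default parameter to enable logging and again with `-EventLogging 0` when troubleshooting is finished; restoring the exported `.reg` file with `reg.exe import` returns the key to exactly its pre-change state.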
Warning
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
CAPI2 Log
To enable CAPI2 logs, follow the steps below:
Open Event Viewer (press Win + R, type eventvwr, and press Enter).
Navigate to Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Now right-click the log and select Clear Log to delete any existing events.
To enable the logs right-click again and select Enable Log.
Reproduce the issue.
To disable the CAPI2 logs, right-click and select Disable Log.
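The Event Viewer steps above can also be driven from PowerShell, which is convenient when the logs must be collected from several machines or attached to a support case. The following is an added example, not code from the article or from Microsoft; it uses the built-in `wevtutil.exe` and `Get-WinEvent` against the `Microsoft-Windows-CAPI2/Operational` channel shown in the Event Viewer path above. The export file location is an assumption.

```powershell
# Added example (not part of the original article): clear, enable, collect
# and disable the CAPI2 Operational log from an elevated PowerShell session.
#Requires -RunAsAdministrator
$Capi2Log = 'Microsoft-Windows-CAPI2/Operational'
# Assumed export location; any writable path works.
$Capi2Export = "$env:TEMP\CAPI2-Operational.evtx"

function Enable-Capi2Log {
    # Clear Log, then Enable Log, exactly as in the Event Viewer steps.
    wevtutil.exe cl $Capi2Log
    wevtutil.exe sl $Capi2Log /e:true
    return (Get-WinEvent -ListLog $Capi2Log).IsEnabled   # $true when enabled
}

function Disable-Capi2Log {
    wevtutil.exe sl $Capi2Log /e:false
    return (Get-WinEvent -ListLog $Capi2Log).IsEnabled   # $false when disabled
}

function Export-Capi2Log {
    # Save the whole channel as .evtx so it can be opened in Event Viewer
    # elsewhere or attached to a case; /ow:true overwrites an older export.
    wevtutil.exe epl $Capi2Log $Capi2Export /ow:true
    return Get-Item $Capi2Export
}

function Get-Capi2Errors {
    # Level 2 = Error. CAPI2 logs one event per step of chain building and
    # revocation checking, so the error-level events are where a failed
    # certificate validation shows up first.
    Get-WinEvent -FilterHashtable @{ LogName = $Capi2Log; Level = 2 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical session: enable, reproduce the issue, then collect and disable.
Enable-Capi2Log | Out-Null
Read-Host 'CAPI2 logging is on. Reproduce the issue, then press Enter to collect'
Get-Capi2Errors | Format-List
$saved = Export-Capi2Log
Write-Host "Log exported to $($saved.FullName) ($($saved.Length) bytes)"
Disable-Capi2Log | Out-Null
```

`Get-WinEvent` reports an error rather than an empty result when no events match, which is why `Get-Capi2Errors` suppresses it: an empty list after reproducing the problem is itself useful, since it tells you the failure is not a certificate-validation error and points back at the Schannel events in the System log.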
Conclusion
By following these steps, you can configure and collect both Schannel and CAPI2 logs for cryptographic troubleshooting. Remember to disable Schannel and CAPI2 logging after the issue is resolved to avoid unnecessary log generation in the future. These logs will be helpful for diagnosing and troubleshooting SSL, TLS and other cryptography-related issues. If you want us to do that, please contact us with a case and we will do it for you.
Microsoft Tech Community – Latest Blogs