Resolving “PAUTOENR.DLL raised an exception”Posted: November 14, 2010
This has been nagging me for about a month. On my personal SBS 2008 box, since mid-October, I have been getting this error repeatedly. When logged on to the server console, a Windows Error Reporting dialog pops up every minute reporting that Taskeng.exe has stopped working.
Taskeng is the main process of Windows Task Manager, which has a console under Administrative Tools.
What was causing Task Scheduler to crash? I very quickly found it—Certificate Services Client was causing it, as you may have seen in the Event Viewer screenshot; it throws a error message right before Task Scheduler reports the crash. It has three tasks: SystemTask, UserTask and UserTask-Roam. On my machine, SystemTask was crashing and trying to restart. That accounted for the repeating WER dialogs.
But what is the Certificate Services Client? What do its three tasks do?
The Certificate Services Client (CSC, not to be confused with Client-Side Caching) is a component of Windows that allows users to use their site certificates, which are often used for VPN, email authentication and many other services on a corporate network. It’s been a part of Windows for awhile, and it’s on Windows Server 2008 and by extension SBS 2008.
A very important part of the CSC is autoenrollment: Autoenrollment is the process of keeping track of user certificates, expiring them and renewing them as needed. PAUTOENR.DLL is the DLL that manages this process, running with DIMSJOB.DLL and DIMSROAM.DLL under Task Scheduler.
After a lot of tracing with Process Monitor and a lot of research online, I have a conclusion: The CSC, and the Autoenrollment feature, each keep a cache of certificate information. It was corrupted. I suspect a certificate expired sometime in October or a bit before, and the Autoenrollment choked on it.
I must note at this point that the CSC is a client. On an SBS machine, it runs alongside the Certificate Services role, but it is totally separate so it does no good to troubleshoot Cert Services if it is otherwise working. Don’t touch Cert Services.
This is an involved process with several reboots so you will need patience.
- First, pull up Task Scheduler from Administrative Tools. Select “Task Scheduler Library” and open Microsoft\Windows\CertificateServicesClient. We are going to disable each of the three tasks before we delete the cache. On each task, SystemTask, UserTask and UserTask-Roam, right-click and select End. Repeat this for each task and select Disabled.
- Follow these steps to delete the certificate cache on the server: Go to the LOCAL SYSTEM profile at C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache. Copy the CryptNetURLCache folder to a safe place. Two folders are there—Content and Metadata. Go to each folder and delete the files therein—don’t delete the Content and Metadata folders themselves.
- Run Regedit as an administrator and go to this key, HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates. Delete all the keys under this key. That takes care of the certificate cache.
- Now, delete the Autoenrollment cache. Go to Regedit and to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache. Delete all the keys under that key.
- Go back to Task Scheduler. Open the CertificateServicesClient folder that we had opened before (Task Scheduler Library\Microsoft\Windows\CertificateServicesClient). Right-click on each task and select “Enable”.
- We aren’t done yet. The Certificate caches have been empty, but they need to be repopulated. To do this, we need to change the local security policy on the machine to turn on autoenrollment temporarily until the caches are repopulated. By default (on my SBS box at least), autoenrollment is not turned on. This is often done on Windows networks via the Default Domain policy but I am really uneasy about making a global change to fix a local problem so the local security policy is the best way.
- Open secpol.msc as an administrator to access the local security policy. Click on Public Key Policies. On the right pane, double-click Certificate Services Client—Auto-Enrollment Policies. In the dialog, click on the Configuration Model dropdown box and select Enabled. There are two checkboxes: Check both boxes, “Renew expired certificates, update pending certificates and remove revoked certificates” and “Update certificates that use certificate templates”. Click OK.
- From an elevated command prompt, enter the command gpupdate /force to make the change apply to the machine.
- Restart the server.
- Log back on and reopen the Task Scheduler and the CertificateServicesClient task. SystemTask and UserTask will show as running. Click on SystemTask, and click the History tab. The most recent events in History should show that the task started normally and is currently running.
- While still on the SystemTask window, right-click and select End. This task normally only runs when the system is restarted, and every eight hours thereafter.
- Next, we will undo our changes to the local security policy. Open secpol.msc as an administrator and select Public Key Policies. Click on Certificate Services Client—Auto-Enrollment Policies. On the Configuration Model dropdown box, select “Not Configured” and click OK.
- From an elevated command prompt, reenter gpupdate /force to undo the change.
- Restart the server again.
- Log back on once again and reopen the CertificateServicesClient task. SystemTask should be listed as Ready or Running. UserTask should be Running. UserTask-Roam should be Ready. Look at the event history for each task. If there are no errors since the last reboot, the problem is resolved. You may want to try running the SystemTask as a test, if it is not already running.