Windows 7 Services

CNG Key Isolation - Windows 7 Service

The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

This service also exists in Windows 10, 8 and Vista.

Startup Type

| Windows 7 edition | without SP | SP1 |
|---|---|---|
| Starter | Manual | Manual |
| Home Basic | Manual | Manual |
| Home Premium | Manual | Manual |
| Professional | Manual | Manual |
| Ultimate | Manual | Manual |
| Enterprise | Manual | Manual |

Default Properties

Display name: CNG Key Isolation
Service name: KeyIso
Error control: normal

Default Behavior

The CNG Key Isolation service runs as LocalSystem in a shared process. It shares the executable file with other services. If the CNG Key Isolation service fails to load or initialize, the error is recorded in the Event Log. Windows 7 startup should proceed, but a message box is displayed informing you that the KeyIso service has failed to start.


CNG Key Isolation will not start if the Remote Procedure Call (RPC) service is stopped or disabled.

If the CNG Key Isolation service is stopped, the Extensible Authentication Protocol fails to start and initialize.

Restore Default Startup Type of CNG Key Isolation

Automated Restore

1. Select your Windows 7 edition and Service Pack, and then click on the Download button below.

2. Save the RestoreCNGKeyIsolationWindows7.bat file to any folder on your hard drive.

3. Right-click the downloaded batch file and select Run as administrator.

4. Restart the computer to save changes.

Note. Make sure that the lsass.exe file exists in the %WinDir%\system32 folder. If this file is missing, you can try to restore it from your Windows 7 installation media.
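
To confirm that a machine matches the defaults listed on this page, before or after a restore, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original page or of the batch file it mentions; it assumes the RPC service's short name is RpcSs and that WMI reports the property values shown in the comments.

```powershell
# Added example: audit the KeyIso service against the defaults described on this page.
# Works with PowerShell 2.0 (the Windows 7 default). Read-only: it changes nothing.
$expected = @{
    DisplayName  = 'CNG Key Isolation'
    StartMode    = 'Manual'          # startup type for every edition, with or without SP1
    StartName    = 'LocalSystem'     # account the service runs as
    ServiceType  = 'Share Process'   # shares its executable file with other services
    ErrorControl = 'Normal'
}

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='KeyIso'"
if (-not $svc) { Write-Warning 'KeyIso service is not registered.'; return }

$findings = @()
foreach ($name in $expected.Keys) {
    $actual = $svc.$name
    if ($actual -ne $expected[$name]) {
        $findings += "$name is '$actual', expected '$($expected[$name])'"
    }
}

# The service is hosted in the LSA process, so its image must be lsass.exe in system32.
$lsass = Join-Path $env:WinDir 'system32\lsass.exe'
$image = [Environment]::ExpandEnvironmentVariables($svc.PathName).Trim('"')
if ($image -ne $lsass)       { $findings += "Image path is '$image', expected '$lsass'" }
if (-not (Test-Path $lsass)) { $findings += "$lsass is missing" }

# KeyIso will not start if RPC is stopped or disabled (RpcSs is an assumed short name).
$deps = @((Get-Service -Name KeyIso).ServicesDependedOn | ForEach-Object { $_.Name })
if ($deps -notcontains 'RpcSs') { $findings += 'RpcSs is not a declared dependency' }
$rpc = Get-WmiObject -Class Win32_Service -Filter "Name='RpcSs'"
if (-not $rpc -or $rpc.StartMode -eq 'Disabled' -or $rpc.State -ne 'Running') {
    $findings += 'RPC service is stopped, disabled or missing; KeyIso cannot start'
}

# Services that fail to start when KeyIso is stopped (informational only).
$dependents = @((Get-Service -Name KeyIso).DependentServices | ForEach-Object { $_.Name })
Write-Output ("Services depending on KeyIso: " + ($dependents -join ', '))

if ($findings.Count -eq 0) {
    Write-Output "KeyIso matches the documented defaults (current state: $($svc.State))."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A warning about the image path or account is worth investigating before any restore, since a LocalSystem service pointing at a binary other than lsass.exe is not a default configuration.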
