The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
This service also exists in Windows 10, 11, 8 and Vista.
Windows 7 edition | without SP | SP1 |
---|---|---|
Starter | Manual | Manual |
Home Basic | Manual | Manual |
Home Premium | Manual | Manual |
Professional | Manual | Manual |
Ultimate | Manual | Manual |
Enterprise | Manual | Manual |
Display name: | CNG Key Isolation |
Service name: | KeyIso |
Type: | share |
Path: | %WinDir%\system32\lsass.exe |
Error control: | normal |
Object: | LocalSystem |
The CNG Key Isolation service runs as LocalSystem in a shared process. It shares the executable file with other services. If the CNG Key Isolation fails to load or initialize, the error is recorded into the Event Log. Windows 7 startup should proceed, but a message box is displayed informing you that the KeyIso service has failed to start.
CNG Key Isolation will not start, if the Remote Procedure Call (RPC) service is stopped or disabled.
If the CNG Key Isolation is stopped, the Extensible Authentication Protocol fails to start and initialize.
1. Select your Windows 7 edition and Service Pack, and then click on the Download button below.
2. Save the RestoreCNGKeyIsolationWindows7.bat file to any folder on your hard drive.
3. Right-click the downloaded batch file and select Run as administrator.
4. Restart the computer to save changes.
Note. Make sure that the lsass.exe
file exists in the %WinDir%\system32
folder. If this file is missing you can try to restore it from your Windows 7 installation media.