CNG Key Isolation (KeyIso) Service Defaults in Windows 7

The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

Default Settings

Startup type: Manual
Display name: CNG Key Isolation
Service name: KeyIso
Service type: share
Error control: normal
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyIso

Default Behavior

CNG Key Isolation is a Win32 service. In Windows 7 it is not started unless the user starts it. When the CNG Key Isolation service is started, it runs as LocalSystem in a shared process of lsass.exe. Other system components, such as drivers and services, may run in the same process. If CNG Key Isolation fails to start, Windows 7 attempts to write the failure details to the Event Log. Windows 7 startup should then proceed, and the user should be notified that the KeyIso service is not running because of the error.


CNG Key Isolation is unable to start if the Remote Procedure Call (RPC) service is stopped or disabled.

If CNG Key Isolation is stopped, the Extensible Authentication Protocol service fails to start and initialize.

Restore Default Startup Configuration for CNG Key Isolation

1. Select your Windows 7 edition and service pack, and then click Download.

2. Save the Win7_KeyIso_Service_Startup.cmd file to a local storage device.

3. Run the saved file as an administrator.

4. Restart the computer.

The KeyIso service uses the lsass.exe file that is located in the %WinDir%\system32 folder. If the file is changed, damaged or deleted, you can restore its original version from the Windows 7 installation media.
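
A read-only way to compare a machine against the default settings, RPC dependency and lsass.exe location described above, as an added example (not part of the original page or of the downloadable .cmd file). It assumes the standard service registry encodings (Start 3 = Manual, Start 4 = Disabled, Type 0x20 = shared process, ErrorControl 1 = normal) and that RpcSs is the service name of Remote Procedure Call (RPC); the function name Test-KeyIsoDefaults is hypothetical.

```powershell
# Added example: read-only audit of KeyIso against the defaults on this page.
# Assumed encodings (standard for service keys): Start 3 = Manual,
# Type 0x20 = shared Win32 process, ErrorControl 1 = normal, Start 4 = Disabled.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-KeyIsoDefaults {   # hypothetical helper name
    $cfg = Get-ItemProperty -Path "$Services\KeyIso" -ErrorAction Stop
    $expected = @{
        Start        = 3
        Type         = 0x20
        ErrorControl = 1
        ObjectName   = 'LocalSystem'
        # Get-ItemProperty expands %SystemRoot% in ImagePath before we compare.
        ImagePath    = (Join-Path $env:WinDir 'system32\lsass.exe')
    }

    $results = @(foreach ($name in $expected.Keys) {
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $cfg.$name
            Match    = ($cfg.$name -eq $expected[$name])
        }
    })

    # KeyIso cannot start when RPC is stopped or disabled (RpcSs assumed name).
    $rpc      = Get-Service -Name RpcSs
    $rpcStart = (Get-ItemProperty -Path "$Services\RpcSs").Start
    $results += New-Object PSObject -Property @{
        Setting  = 'RPC service'
        Expected = 'Running, not disabled'
        Actual   = "$($rpc.Status), Start=$rpcStart"
        Match    = ($rpc.Status -eq 'Running' -and $rpcStart -ne 4)
    }

    # The host binary must still be present at the documented location.
    $present = Test-Path -LiteralPath $expected.ImagePath
    $results += New-Object PSObject -Property @{
        Setting  = 'lsass.exe present'
        Expected = $true
        Actual   = $present
        Match    = $present
    }
    $results
}

Test-KeyIsoDefaults | Select-Object Setting, Expected, Actual, Match |
    Format-Table -AutoSize
```

Rows with Match = False show where the machine deviates from the defaults listed on this page; the script changes nothing.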