CNG Key Isolation (KeyIso) Service Defaults in Windows 8

The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

Default Settings

Startup type: Manual
Display name: CNG Key Isolation
Service name: KeyIso
Service type: share
Error control: normal
Object: LocalSystem
Path: %SystemRoot%\system32\lsass.exe
File: %SystemRoot%\system32\keyiso.dll
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyIso
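The defaults above can be compared against a live system to spot a changed startup type, account, or service DLL path. The following PowerShell is an added example, not part of the original page; the function name Test-KeyIsoDefaults is hypothetical, and it assumes the DLL path is stored in the Parameters\ServiceDll value, the usual location for shared-process services.

```powershell
# Added example: compare the live KeyIso configuration with the listed defaults.
# Assumption: the service DLL path is stored in the Parameters\ServiceDll value.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\KeyIso'

# Expected values from the Default Settings list, using the standard
# service control manager encodings for the numeric registry values.
$expected = [ordered]@{
    Start        = 3        # Startup type: Manual
    Type         = 0x20     # Service type: share (shared process)
    ErrorControl = 1        # Error control: normal
    ObjectName   = 'LocalSystem'
    ImagePath    = '%SystemRoot%\system32\lsass.exe'
    ServiceDll   = '%SystemRoot%\system32\keyiso.dll'
}

function Test-KeyIsoDefaults {
    $svc    = Get-ItemProperty -Path $key -ErrorAction Stop
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        $actual = if ($name -eq 'ServiceDll') { $params.ServiceDll } else { $svc.$name }
        $want   = $expected[$name]
        if ($want -is [string]) {
            # Expand %SystemRoot% on both sides so the comparison holds whether
            # or not the registry provider already expanded the value.
            $want   = [Environment]::ExpandEnvironmentVariables($want)
            $actual = [Environment]::ExpandEnvironmentVariables([string]$actual)
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $want
            Actual   = $actual
            Match    = ($actual -eq $want)   # -eq ignores case for strings
        }
    }
}

$report = Test-KeyIsoDefaults
$report | Format-Table -AutoSize

$deviations = @($report | Where-Object { -not $_.Match })
if ($deviations.Count -gt 0) {
    Write-Warning "KeyIso differs from the listed defaults: $($deviations.Setting -join ', ')"
}
```

A mismatch on ImagePath, ServiceDll, or ObjectName deserves the closest look, because those values decide which code is loaded into lsass.exe and under which account.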

Default Behavior

CNG Key Isolation is a Win32 service. In Windows 8 it is not started until the user starts it. When the CNG Key Isolation service is started, it runs as LocalSystem in the lsass.exe process, which it shares with other services. If CNG Key Isolation fails to start, the error details are added to the Windows 8 error log. When the operating system startup is complete, the user is notified that the KeyIso service hasn't been started.

Dependencies

CNG Key Isolation can't start if the Remote Procedure Call (RPC) service is disabled or not available.

All the services listed below will not start if CNG Key Isolation is disabled:

Restore Default Startup Configuration for CNG Key Isolation

1. Select your Windows 8 edition and update pack, and then click Download.

2. Save the Win8_KeyIso_Service_Startup.cmd file to a local storage device.

3. Run the saved file as an administrator.

4. Restart the computer.

The KeyIso service uses the keyiso.dll file located in the %WinDir%\system32 folder. If the file is corrupted or deleted, you can restore it to that folder.