On a Windows Server 2003-based or Windows Server 2008-based client computer, the system does not delete a temporary file that is created when an application calls the "CryptQueryObject" function

Consider the following scenario:

• You have a client computer that is running Microsoft Windows Server 2003 or Microsoft Windows Server 2008.
• On this computer, you use an application that calls the CryptQueryObject function to decode an embedded PKCS7 certificate.

In this scenario, a temporary file of 0 bytes is created in the %windir%\Temp folder. This temporary file is not deleted when the CryptQueryObject function finishes its task. Additionally, when the number of temporary files reaches about 65,000, the call to the CryptQueryObject function takes longer than expected to finish.

Note %windir% represents the path of the Windows system folder. Typically, this path is C:\Windows.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2003 or Windows Server 2008.

Restart requirement

You must restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Server 2003 file information notes

• In addition to the files that are listed in these tables, this hotfix also installs an associated security catalog file (KB931908.cat) that is signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2003

For all supported x64-based versions of Windows Server 2003

For all supported IA-64-based versions of Windows Server 2003

Windows Server 2008 file information notes

Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

• The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
  Collapse this tableExpand this table

  Version	Product	SR_Level	Service branch
  6.0.600 1 . 22xxx	Windows Server 2008	SP1	LDR
  6.0.600 2 . 22xxx	Windows Server 2008	SP2	LDR

• Service Pack 1 is integrated into the release version of Windows Server 2008.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2008

For all supported x64-based versions of Windows Server 2008

For all supported IA-64-based versions of Windows Server 2008

Workaround for Windows Server 2003

To work around this problem, manually delete the temporary files before the number of temporary files reaches 65,000.

Workaround for Windows Server 2008

To work around this problem, manually delete the temporary files before the number of temporary files reaches 65,000.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

This problem is more apparent when the CryptQueryObject function is called either directly or indirectly from a server application through some intermediate layer. When the number of temporary files reaches 65,000, client computers experience significant delays. A known indirect caller of the CryptQueryObject function is the constructor of the System.Security.Cryptography.X509Certificates.X509Certificate2 managed class.

Technical support for x64-based versions of Microsoft Windows

If your hardware came with a Microsoft Windows x64 edition already installed, your hardware manufacturer provides technical support and assistance for the Windows x64 edition. In this case, your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with a Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased a Windows x64 edition such as a Microsoft Windows Server 2003 x64 edition separately, contact Microsoft for technical support.

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site: For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008

Additional files for all supported x64-based versions of Windows Server 2008

Additional files for all supported IA-64-based versions of Windows Server 2008