SBSL: OS: Http <-> Crypto deadlock causes slow boot and service start failure on SSL-enabled W2K8 computers


This article has been replaced by KB 2379016.

2379016provides a hotfix to resolve this issue on a computer that is running Windows Vista or Windows Server 2008.   We recommend you resolve this issue by installing the hotfix. 

For more information, please see KB 2379016  2379016
You should consider integrating the hotfix into the Windows Server build process if you plan to deploy Windows Server 2008 computers in the affected configuration.

Windows Server 2008 R2 is not affected by the problem described in this KB article.

The following symptoms may occur:

  • Windows Server 2008 hangs after boot at Applying Computer Settings orApplying Security Policy
  • Once the server finishes booting a user attempting to log on may hang at Applying User Settings
  • You may notice that services that are set to a Start Type of "Automatic" may not start 

Certain Services that are set to "Automatic" may start without problems - for example:

  • Dcom Process Launcher
  • Remote Procedure Call
  • Event log
  • Group Policy Client
  • Plug and Play
  • DHCP Client
  • DNS Client
  • Task Scheduler
  • Base Filtering Engine
  • Workstation Service
  • Netlogon

Other services set to "Automatic" may fail - for example:

  • Print Spooler
  • Terminal Services
  • Server service
  • Remote Registry
  • WMI
  • Distributed Transaction Cordinator
  • Any Services related to Applications

Trying to manually start services with a Startup type of "Automatic" may result in an Error 1053 indicating that "The service did not respond to the start or control request in a timely fashion." 


The problems described in the symptoms section occur because of a lock on the Service Control Manager (SCM) database.  As a result of the lock, none of the services can access the SCM database to initialize their service start requests. To verify that a Windows computer is affected by the problem discussed in this article, run the following command from the command Prompt:

sc querylock

The output below would indicate that the SCM database is locked:

QueryServiceLockstatus - Success
IsLocked : True
LockOwner : .\NT Service Control Manager
LockDuration : 1090 (seconds since acquired)

There is no additional information in the Event Logs beyond those from the Service Control Manager indicating that Service startup requests have timed out. The underlying root cause is a deadlock between the Service Control Manager and HTTP.SYS.


To resolve this problem, install the hotfix described in KB article 23790162379016
To work around this issue, go to the "Fix it for me" section. If you’d rather resolve this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To resolve this problem automatically, click the Fix this problem link. Then clickRun in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 50564

Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.

Let me fix it myself

you can modify the behavior of HTTP.SYS to depend on another service being started first.  To do this, perform the following steps:

  1. Open Registry Editor
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP and create the following Multi-string value:DependOnService
  3. Double click the new DependOnService entry
  4. Type CRYPTSVC in the Value Data field and click OK.
  5. Reboot the server

NOTE: Please ensure that you make a backup of the registry / affected keys before making any changes to your system.

More Information

Beginning with Windows Server 2008, Windows does not wait on all of the Automatic Services startup to load Explorer.exe.  Services may be set to Delayed Automatic Start to increase boot performance.  Please see the following blog posts for more information on Delayed Automatic Start:

Startup Processes and Delayed Automatic Start.

More information:

HTTP.SYS / Cryptographic Services / LSASS.EXE deadlock