[Chrome&Windows] 'Establishing secure connection' issue

source: https://support.google.com/chrome/forum/AAAAP1KN0B0s5S1uPI0kMc?msgid=b2Mud3SKCgAJ

 

Repair Script for Cryptographic Service

 

 

after a Windows update or fresh install, on isolated machines, the registry permissions for an authentication service (CryptSvc), can cause 'Establishing secure connection' to stall when opening sites in Chrome. Manual repair instructions are available here, but are tedious.  The script implements the same approach, but takes only a few clicks to run.  A somewhat outdated YouTube video for running the script is here.  The problems in the video have have been fixed. For details follow the instructions here (this post).

 

The problem began with the Windows April 2018 1803 feature update and continues through the October 1809 update. There are other generic registry repair tools that may fix this problem, but they are not transparent and are hard to verify.  See DimmV2's 9/6 post (elsewhere) for the tweaking.com tool example. The All-In-One utility is mentioned on the main thread here 9/8.  There are other workarounds, like changing the CryptSvc logon, but they all have downsides, see the list here, at the bottom. The attached script targets the CryptSvc problem specifically and is safe to use. 

 

The script does need a third party admin tool, SetACL.exe, which you can download here.  This is a well established tool and seems to be safe.  As always, use your own judgement.  Get the EXE version. The download is a .zip file, unzip, drag & drop (64bit) SetACL.exe to a work directory.  

 

The work directory needs to be owned by you.  Somewhere under Downloads or Documents is a good location.  

 

Download the attached powerShell script file to the same work directory.

 

Open Windows PowerShell (as Admin, from the Start Menu)      

If you haven't used PowerShell before, you will need to allow scripts with

  PS> set-ExecutionPolicy Unrestricted            -or-

  PS> set-ExecutionPolicy -scope CurrentUser Unrestricted

  

  PS> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

  (This worked for me)

   (Prompts: set with Y, reply R when run)

 

When finished restore the protected policy with

  PS> set-ExecutionPolicy Undefined

To view the policy settings use

  PS> get-ExecutionPolicy -list

 

Change to your directory with

    PS> cd YourDirectoryPath

You need to run the script from the same directory where SetACL.exe is located.

The directory is also used for logs and registry snapshots.

 

Close Chrome, then invoke the script with

    PS> .\CryptSvcAdminSetAclFix.ps1

from the PowerShell admin console.  

It will display a page of progress info, which is logged as

    CryptSvcAdminSetAclFix.ps1.log in the work directory

Done.  Restore your policy settings with [safer, but optional]

    PS> set-ExecutionPolicy Undefined

  

 An example log is attached, so you can preview what it does.

 

If you have problems, attach the session log (...ps1.log) and the ProtRoots.log.

The log files may contain some minimally private information (machine and account names).  

  Feel free to sanitize those before attaching.

 

Let me know how it goes..

Later, Larry

 

[Updated 10/27/18 with better script and log, slight update to instructions.
Look here for latest details and (AD) limitations.

Replaced ProtRootsFix-SetACL.ps1 with CryptSvcAdminSetAclFix.ps1

10/29/18 for Windows users without admin privileges

11/03/18: Usage refs folder dir, log rev ID, no functional changes

11/12/18: dir owner: BA uses HKCU, rename xmpl log file, reorg instructions

11/18/18: hide cert import nativeCommandErrors which can be ignored

12/09/18: add -or- set ExecutionPolicy -scope CurrentUser Unrestricted

01/01/19: add close Chrome before run script ]