Installing the card reader software gives your system the ability to exchange data with supported memory card. This software provides compatibility with cards such as MMC, SD, SDHC, micro SD, and many others that can be used with. Part of this series, we are going to show you how to update the software in your ZIMO decoder with your computer and the MXULF.
Free software to read your card number – PACSprobe is an easy-to-use software tool to analyze card and reader and read card data.
The utility detects the card type (prox, iCLASS, Mifare ..) and then reads data such as user ID, card number, facility code to name a few.
PACSprobe supports logical and physical access control cards on desktop card readers with USB interface.
HID iCLASS cards are supported
on all OMNIKEY card readers.
Card number worn-off? Faded fob and card labels won’t pose an issue anymore. The card number can be read using a desktop card reader and PACSprobe.
Presenting a card to a card reader, displays the card number that’s printed on the card. PACSprobe displays card data. The resulting card number is copied to the clipboard for easy copy and paste.
The output can also be placed in the keyboard buffer, allowing you to populate Excel spread sheets, Notepad or any other software that accepts manual data input.
Building management staff uses our PACSProbe software to maintain and validate physical access cards.
PACSprobe allows maintenance engineers to check if a key fob is still working without the need of a door reader.
PACSprobe supports all HID OMNIKEY desktop readers and is the ideal tool to check a card number of a fob that’s a little worn and has an illegible card number label.
A quick card check goes way beyond the simple green light & beep test of a physical access control system.
Access control installers love the keyboard wedge feature. PACSprobe can drop card numbers directly into NotePad, Excel or any other editable field – without any software integration or source code modification of existing software application.
PACSprobe can be configured to support any card format supported by HID PROX, iCLASS, SEOS cards and many more.
It is so easy to use … it doesn’t even have an “easy button”.
We developed PACSprobe using our very own smart card library, SmartCard-API(professional). It is available at smartcard-api.com.
SmartCardAPI is a set of .NET libraries. It allows C# and VB.NET software developers to write their own smart card software. SmartCardAPI supports PC/SC compliant card readers. A fully functional trial version can be downloaded for free.
-->Applies To: Windows 10, Windows Server 2016
This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
Certutil
For a complete description of Certutil including examples that show how to use it, see Certutil [W2012].
List certificates available on the smart card
To list certificates that are available on the smart card, type certutil -scinfo.
Note
Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
Delete certificates on the smart card
Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
To find the container value, type certutil -scinfo.
To delete a container, type certutil -delkey -csp 'Microsoft Base Smart Card Crypto Provider' '<ContainerValue>'.
Debugging and tracing using WPP
WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see Diagnostics with WPP - The NDIS blog.
Enable the trace
Using WPP, use one of the following commands to enable tracing:
tracelog.exe -kd -rt -start <FriendlyName> -guid #<GUID> -f .<LogFileName>.etl -flags <flags> -ft 1
logman start <FriendlyName> -ets -p {<GUID>} -<Flags> -ft 1 -rt -o .<LogFileName>.etl -mode 0x00080000
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|---|---|---|
scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
Examples
To enable tracing for the SCardSvr service:
tracelog.exe -kd -rt -start scardsvr -guid #13038e47-ffec-425d-bc69-5707708075fe -f .scardsvr.etl -flags 0xffff -ft 1
logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .scardsvr.etl -mode 0x00080000
To enable tracing for scfilter.sys:
- tracelog.exe -kd -rt -start scfilter -guid #eed7f3c9-62ba-400e-a001-658869df9a91 -f .scfilter.etl -flags 0xffff -ft 1
Stop the trace
Using WPP, use one of the following commands to stop the tracing:
tracelog.exe -stop <FriendlyName>
logman -stop <FriendlyName> -ets
Examples
To stop a trace:
tracelog.exe -stop scardsvr
logman -stop scardsvr -ets
Kerberos protocol, KDC, and NTLM debugging and tracing
You can use these resources to troubleshoot these protocols and the KDC:
Kerberos and LDAP Troubleshooting Tips.
Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see Tracelog.
NTLM
To enable tracing for NTLM authentication, run the following command on the command line:
- tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .ntlm.etl -flags 0x15003 -ft 1
To stop tracing for NTLM authentication, run this command:
- tracelog -stop ntlm
Smartcard Decoding Program Update Download
Kerberos authentication
To enable tracing for Kerberos authentication, run this command:
- tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .kerb.etl -flags 0x43 -ft 1
To stop tracing for Kerberos authentication, run this command:
- tracelog.exe -stop kerb
KDC
To enable tracing for the KDC, run the following command on the command line:
- tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .kdc.etl -flags 0x803 -ft 1
To stop tracing for the KDC, run the following command on the command line:
- tracelog.exe -stop kdc
To stop tracing from a remote computer, run this command: logman.exe -s <ComputerName>.
Note
The default location for logman.exe is %systemroot%system32. Use the -s option to supply a computer name.
Configure tracing with the registry
You can also configure tracing by editing the Kerberos registry values shown in the following table.
| Element | Registry Key Setting |
|---|---|
| NTLM | HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
| Kerberos | HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberos Value name: LogToFile Value type: DWORD Value data: 00000001 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
| KDC | HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesKdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803 |
If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
NTLM: %systemroot%tracingmsv1_0
Kerberos: %systemroot%tracingkerberos
KDC: %systemroot%tracingkdcsvc
To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the toolstracing subdirectory of the Windows Driver Kit (WDK). For more information, see Tracefmt.
Smart Card service
The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
To check if Smart Card service is running
Press CTRL+ALT+DEL, and then select Start Task Manager.
In the Windows Task Manager dialog box, select the Services tab.
Select the Name column to sort the list alphabetically, and then type s.
In the Name column, look for SCardSvr, and then look under the Status column to see if the service is running or stopped.
To restart Smart Card service
Run as administrator at the command prompt.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select Yes.
At the command prompt, type
net stop SCardSvr.At the command prompt, type
net start SCardSvr.
Smartcard Decoding Program Updates Windows
You can use the following command at the command prompt to check whether the service is running: sc queryex scardsvr.
The following code sample is an example output from this command:
Smart card readers
As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
To check if smart card reader is working
Navigate to Computer.
Right-click Computer, and then select Properties.
Under Tasks, select Device Manager.
In Device Manager, expand Smart card readers, select the name of the smart card reader you want to check, and then select Properties.
Note
If the smart card reader is not listed in Device Manager, in the Action menu, select Scan for hardware changes.
CryptoAPI 2.0 Diagnostics
CryptoAPI 2.0 Diagnostics is available in Windows versions that support CryptoAPI 2.0 and can help you troubleshoot public key infrastructure (PKI) issues.
CryptoAPI 2.0 Diagnostics logs events in the Windows event log. The logs contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
Smartcard Decoding Program Updated
For more information about CryptoAPI 2.0 Diagnostics, see Troubleshooting an Enterprise PKI.