cng.sys

Cryptography Next Generation System Driver

System DriverSafeSecurity/Crypto

CPU Usage

0-3%

Memory

5-20 MB

Location

C:\Windows\System32\drivers

Publisher

Microsoft

Quick Answer

cng.sys is a legitimate Windows cryptography driver. It runs as part of the Cryptography API: Next Generation to support secure operations and key management.

Is it a Virus?

✔ NO - Safe

Must be in C:\Windows\System32\drivers\cng.sys

Warning

Kernel driver, expected

Core kernel component; multiple threads may load during cryptographic operations

Can I Disable?

✔ NO

Disabling is not recommended and can destabilize security features

What is cng.sys?

cng.sys is the Windows Cryptography Next Generation system driver responsible for providing cryptographic services. It operates in kernel space to support secure keys, RNG, and crypto providers across Windows components and applications. It also interacts with TPM hardware when available and coordinates with OS security features to protect data in transit and at rest.

cng.sys implements the Cryptography API: Next Generation provider interfaces in kernel space, enabling Windows services to perform encryption, decryption, and key management efficiently. It coordinates with TPM and software providers, ensuring secure cryptographic operations across the OS.

Quick Fact: The CNG driver supports hardware-backed keys via TPM on supported hardware.

Types of cng.sys Processes

Driver Load: Kernel-mode driver loaded at boot to enable crypto services
Crypto Service Provider: Core crypto provider interactions for Windows components
TPM Interface: Hardware-backed key operations via TPM
RNG Provider: Random number generation provider used by security features
Policy & Verification: Policy enforcement and signed provider checks

Is cng.sys Safe?

Yes, cng.sys is safe when it's the legitimate file from Microsoft downloaded with Windows updates.

Is cng.sys a Virus or Malware?

The real cng.sys is NOT a virus. Malware may impersonate system drivers; always verify location and signature.

How to Tell if cng.sys is Legitimate or Malware

File Location: Must be in C:\Windows\System32\drivers\cng.sys. Any other path is suspicious.
Digital Signature: Right-click cng.sys in File Explorer -> Properties -> Digital Signatures. Should show a Microsoft signature.
Resource Usage: Kernel drivers typically use minimal user-mode CPU; check via System Information or PerfMon for anomalies.
Behavior: Should be loaded by the OS during boot and participate in cryptographic operations; unexpected frequent load may indicate tampering.

Red Flags: If cng.sys is located outside System32\drivers, lacks a valid signature, or triggers frequent crashes, run System File Checker (sfc /scannow) and DISM (DISM /Online /Cleanup-Image /RestoreHealth).

Why Is cng.sys Running on My PC?

cng.sys runs as part of Windows cryptography infrastructure to enable secure operations across the OS and apps, including TLS, code signing, and DPAPI.

Reasons it's running:

Kernel Cryptography Tasks: Performs cryptographic operations required by Windows security features; active during cryptographic requests.
TPM/Hardware Crypto: Interacts with TPM or trusted platform hardware for hardware-backed keys and secure storage.
Secure Boot & Code Signing: Used by secure boot mechanisms and code-signing checks to verify integrity of boot components.
DPAPI and Key Management: Supports Data Protection API and manages encryption keys used by apps and services.
Background Crypto Services: Handles background cryptographic tasks such as certificate handling and secure RNG in support of OS features.

Can I Disable or Remove cng.sys?

No, you should not disable cng.sys. It is a core OS driver required for cryptographic functionality and system security.

How to Stop cng.sys

Do Not Stop Kernel Drivers: cng.sys is a kernel component; stopping it can destabilize Windows. Avoid attempts to stop it.
Safe Troubleshooting: If you suspect issues, run sfc /scannow and DISM to repair system files.
Check for Updates: Install the latest Windows updates to ensure drivers and crypto components are current.
Event Viewer: Review Windows Event Viewer for crypto-related errors and fix underlying causes.
Repair Install: If problems persist, perform an in-place Windows repair using a compatible ISO.

How to Reset Windows Crypto Services

✔ Windows Update: Check for updates and install all recommended security updates.
✔ SFC and DISM: Run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth
✔ In-Place Upgrade: Use Windows ISO to perform a repair install to restore system files.
✔ Check for Malware: Run full system antivirus and check for rootkits.
✔ Consult Microsoft Support: If issues persist, contact Microsoft support for guidance.

Common Problems: Cryptography Driver Issues

If cng.sys is behaving unexpectedly, refer to these common crypto-driver problems and fixes.

Common Causes & Solutions

Corrupted system files: Run sfc /scannow and DISM to repair Windows images.
Outdated Windows updates: Install the latest updates and restart the computer.
Tampered or unsigned driver: Verify signature and path; replace with legitimate Microsoft drivers.
TPM malfunctions: Clear or reinitialize TPM using tpm.msc and update firmware.
Conflicting security software: Disable or uninstall third-party crypto tools conflicting with Windows Crypto API.
Hardware RNG issues: Update BIOS/firmware; ensure TPM and secure enclave are functioning.

Quick Fixes:
1. Run sfc /scannow and DISM to repair system integrity
2. Check Windows Update status and install all updates
3. Run Windows Defender or your antivirus full scan
4. Review Event Viewer for crypto-related errors
5. Ensure TPM is enabled and firmware is up to date

Frequently Asked Questions

Is cng.sys a virus?

No, the legitimate cng.sys from Microsoft is a kernel driver used for cryptographic services. Verify location: C:\Windows\System32\drivers\cng.sys with a valid signature.

Why is cng.sys using system resources?

As a kernel driver, it operates in response to cryptographic requests from Windows components and apps. Normal usage is typically low; spikes may indicate legitimate activity or issues with crypto providers.

Can I disable cng.sys to improve performance?

No. Disabling a core cryptography driver can break security features. Instead, investigate specific cryptographic workloads or update drivers and Windows.

How do I verify cng.sys integrity?

Check its path (C:\Windows\System32\drivers\cng.sys), verify digital signature from Microsoft, and optionally compute sha256 with certutil -hashfile.

Where is cng.sys located?

C:\Windows\System32\drivers\cng.sys is the standard location. If found elsewhere, it may be malware.

What should I do if cng.sys crashes?

Collect event logs, run sfc /scannow, update Windows, and consider a repair install if crashes persist.

Related Processes

lsass.exe

Local Security Authority Subsystem Service - Windows security and policies

winlogon.exe

Windows Logon Process

svchost.exe

Service Host Process for Windows services