Someone added code to CryptGenRandom so that it generates very bad random data (with <10 bits of randomness in it). Don't do that. It's a known security risk. Read from /dev/urandom instead. If that does not succeed, just abort(). Linux and newer Solaris have /dev/urandom. I would guess the BSDs have it too.

Morten