The Protocol Engine's Contexts

The protocol engine will create one or more contexts via a call to CryptAcquireContext with the dwProvType parameter set to PROV_RSA_SCHANNEL. The dwFlags parameter will usually have the CRYPT_VERIFYCONTEXT flag set. These contexts are used to perform client-side operations as well as bulk encryption.

When Secure Sockets Layer (SSL) 3.0 or Transport Layer Security (TLS) 1.0 is enabled, the protocol engine will typically create an ephemeral key container holding a 512-bit AT_KEYEXCHANGE key pair. This key pair is used when creating the ServerKeyExchange message. Because the key pair is ephemeral, the CRYPT_VOLATILE flag must be specified when the CryptGenKey function is called to create it. This flag requests that the key pair not be written to permanent storage. When an ephemeral RSA key is used, the context used to create this key will most likely have been acquired by calling CryptAcquireContext with the CRYPT_VERIFYCONTEXT flag set in the dwFlags parameter.
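The key length for CryptGenKey travels in the upper 16 bits of dwFlags, with CRYPT_VOLATILE in the low bits. The helper below is an added illustration, not part of this documentation or of any CSP: it builds the flags the engine would pass for the 512-bit ephemeral key-exchange pair and shows how a provider could unpack and sanity-check such a request. The constant values are copied from wincrypt.h so the code builds without the Windows SDK; the rule that a verify context cannot persist a non-volatile key pair is this example's modelling assumption.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Values as defined in wincrypt.h, reproduced here so this added example
 * builds without the Windows SDK. */
#define PROV_RSA_SCHANNEL   12
#define CRYPT_VERIFYCONTEXT 0xF0000000u
#define AT_KEYEXCHANGE      1
#define CRYPT_VOLATILE      0x00001000u

/* dwFlags the protocol engine passes to CryptGenKey for an ephemeral
 * key-exchange pair: key length in the upper 16 bits, CRYPT_VOLATILE in
 * the low bits so the pair is never written to permanent storage. */
uint32_t ephemeral_keyexchange_flags(unsigned key_bits)
{
    return ((uint32_t)key_bits << 16) | CRYPT_VOLATILE;
}

/* Key length requested in a CryptGenKey dwFlags value; 0 means the
 * provider's default length. */
unsigned requested_key_bits(uint32_t gen_flags)
{
    return gen_flags >> 16;
}

/* Provider-side check of a key-generation request (assumed policy for this
 * example): a context acquired with CRYPT_VERIFYCONTEXT has no key container,
 * so a non-volatile AT_KEYEXCHANGE pair cannot be honoured there. */
bool genkey_allowed(uint32_t acquire_flags, unsigned alg_id, uint32_t gen_flags)
{
    bool verify_ctx  = (acquire_flags & CRYPT_VERIFYCONTEXT) == CRYPT_VERIFYCONTEXT;
    bool is_volatile = (gen_flags & CRYPT_VOLATILE) != 0;

    if (alg_id != AT_KEYEXCHANGE)
        return false;             /* only the ServerKeyExchange pair is modelled */
    if (verify_ctx && !is_volatile)
        return false;             /* nothing to persist the pair into */
    return true;
}

int main(void)
{
    uint32_t flags = ephemeral_keyexchange_flags(512);
    printf("dwFlags=0x%08x key_bits=%u allowed=%d\n",
           (unsigned)flags, requested_key_bits(flags),
           genkey_allowed(CRYPT_VERIFYCONTEXT, AT_KEYEXCHANGE, flags));
    return 0;
}
```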