#1881 Windows Secure Desktop failure

Milestone: KeePass_2.x
Status: closed
Owner: nobody
Priority: 5
Updated: 2021-09-06
Created: 2019-09-11
Creator: Andrew Gu
Private: No

Trying to open a database with secure desktop authentication on latest Windows 10 results in unusable desktop. After the secure desktop is left (either with attempted authentication or cancellation), the display shows a single color (Windows accent color) with no interactive components besides cursor. Meta key does not open Start Menu, and any previously-opened windows or taskbar aren't visible or accessible. Able to use Ctrl+Alt+Del to open Task Manager or restart system, only restarting or logging out/in seems to resolve issue. This happens when accessing the secure desktop prompt from either the global hotkeys or the tray icon.

This did not happen before the latest Windows update and KeePass update. Did not test with individual updates (either latest Windows or latest KeePass).

Tried killing KeePass processes with Task Manager, but did not recover. Also attempted to restart Windows Explorer or DWM with no success. When the issue is happening, other processes seem to be active, but GUI components aren't accessible.

The only way I know to resolve the issue is to restart or log out/in from the account, then to use KeePass options to disable secure desktop, after which the database can be accessed again.

Versions:
- Windows 10 Home 1903 (Build 18362.356)
- KeePass 2.43

Other Running Software:
- Breevy 3.37
- Mozilla Firefox 69.0
- PowerToys 0.11.0
- ProtonVPN 1.10.1
- Telegram Desktop 1.8.8
- Windows Security (Security intelligence version 1.301.1045.0)

Discussion

  • wellread1

    wellread1 - 2019-09-11

    Secure Desktop is working for me running:

    KeePass 2.43
    Windows 10 Home 1903 (Build 182362.356)
    Mozilla Firefox 69.0
    Windows Security (Security intelligence version 1.301.1049.0)

    Start Windows in Safe mode. Try running KeePass while in safe mode and check if secure desktop works.

     

    Last edit: wellread1 2019-09-16
    • Andrew Gu

      Andrew Gu - 2019-09-11

      Tried in Safe Mode, and didn't experience the issue. Thank you for your suggestion!

      Rebooted back out of Safe Mode and still can't find any way to make the secure desktop work. A clean reinstallation of KeePass and toggling settings didn't change anything. I couldn't find any recently installed programs on my machine, and virus scans came up clean.

      Also, UAC prompts work without issue. Any help diagnosing the issue would be appreciated!

       
    • Alicia

      Alicia - 2019-09-14

      Start Windows in Safe mode. Try running KeePass while in safe mode and check if secure desktop works.

      Nobody disputes that Keepass 2.43 works on the secure desktop when Windows is in Safe Mode.

      However, under normal Windows operation, KeePass 2.43 crashes with "Enter master key on secure desktop" enabled. The culprit is the "cumulative update September 10, 2019—KB4515384".

       
    • Alicia

      Alicia - 2019-09-15

      Secure Desktop is working for me running:

      Were you referring to the fact that the feature "Enter master key on a secure desktop" worked under normal mode (not Safe Mode) after applying "Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4515384)" ?

       
      • wellread1

        wellread1 - 2019-09-16

        Two computers have KB4515384 installed:

        • Windows 10 Pro 1903 (OS build 18362.356)
        • Windows 10 Home 1903 (OS build 18362.356)

        Both run KeePass 2.43 fine in normal mode with the Enter master key on secure desktop option enabled (checked). I have not experienced the reported problem.

        I suggested that the original poster "Try running KeePass while in safe mode and check if secure desktop works.", because running a program in safe mode can help distinguish problems that are caused by third-party apps or non-essential Windows components from problems that are caused by KeePass or an essential Windows component.

         

        Last edit: wellread1 2019-09-16
  • wellread1

    wellread1 - 2019-09-11

    It is possible that one of your other programs is interfering with secure desktop. You can use Task Manager to end the other tasks, or disable them from starting up by using the Startup tab in Task Manager. If you identify the incompatible program, you may be able to find a solution.

     
    • Alicia

      Alicia - 2019-09-14

      It is possible that one of your other programs is interfering with secure desktop.

      The culprit is "Cumulative Update September 10, 2019—KB4515384". You can reproduce the problem too.

       
  • Paul

    Paul - 2019-09-12

    Turning off secure desktop in KeePass works?
    Do you have another KeePass version you can test?
    Do you have another Windows version you can test?

    cheers, Paul

     
    • Jeremy

      Jeremy - 2019-09-14

      Yes turning off Secure Desktop in Keepass works -- this is my temp solution.
      Other versions I didn't try... May try later
      Win7 doesn't seem to have this problem.

       
    • Alicia

      Alicia - 2019-09-14

      Turning off secure desktop in KeePass works?

      Yes, I confirm that Keepass 2.43 works with "Enter master key on a secure desktop" disabled. But the feature of turning on the secure desktop is there for a reason, right?

      Keepass 2.43 crashes when you enable the feature "Enter master key on a secure desktop" AND with "Cumulative Update September 10, 2019—KB4515384" installed.

      You may wish to follow the steps below to prove that KB4515384 is the culprit:

      1. Uninstall KB4515384
      2. Reboot PC
      3. Launch Keepass 2.43
      4. Enter the master key on the secure desktop
      5. No black screen

      However may I suggest that you reinstall said cumulative update. It's far more critical that you secure your operating system with the latest cumulative update from Microsoft than to let a minor issue with a software such as Keepass bug you.

       
  • AMOS WONG

    AMOS WONG - 2019-09-12

    I have the same issue. I tried the old version 2.42, and it still shows the same problem. I doubt it might be caused by a recent update of Windows.

     
    • Alicia

      Alicia - 2019-09-14

      I doubt it might be caused by a recent update of Windows.

      Well, the culprit is "Cumulative Update September 10, 2019—KB4515384". You can reproduce the problem too. Please read my reply to Paul.

       
  • Laser

    Laser - 2019-09-14

    My feeling is that this is caused by Windows Update.

    https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

    Temporarily, I've disabled the Secure Desktop option.

     
    • Alicia

      Alicia - 2019-09-14

      The culprit is "Cumulative Update September 10, 2019—KB4515384". You can reproduce the problem too. Please read my reply to Paul.

       
  • Richard Yu

    Richard Yu - 2019-09-17

    @dreichl
    After some debugging, I found SecureDialogThread stuck at formBack.Close(); (ProtectedDialog.cs#L301).
    However, simply uncommenting ImmDisableIME (ProtectedDialog.cs#L241-242) fixes that issue.
    This is a temporary solution until Microsoft fixes this bug.

     
  • Dominik Reichl

    Dominik Reichl - 2019-09-17

    Interesting, thanks for the info!

    If possible, I'd like to avoid disabling IME (because the users that are using IME might not be able to open their database anymore when the secure desktop option is turned on). I'm hoping that Microsoft will fix this bug, but if they don't, I'll disable IME in the next KeePass release.

    Best regards,
    Dominik

     
    • Luke

      Luke - 2019-09-18

      For the September 10, 2019—KB4516058 update, Microsoft does state, "Some Input Method Editor (IME) may become unresponsive or may have high CPU usage": https://support.microsoft.com/en-au/help/4516058/windows-10-update-kb4516058

      Not sure if it has anything to do with this issue specifically, but there you guys go.

       
  • Marco Goetze

    Marco Goetze - 2019-10-21

    Hey,

    unfortunately this is really a thing. All my managed computers are now rolling out this update and all show the same behavior. Even with the SecureDesktop at Login disabled, it is still going black.

    It would be nice if IME could get a config option in the XML so it could be forced off. Currently I need to use some KeePass alternative clients :(

    The Login Prompt itself is fine for me, but as soon as I enter my correct password and the DB is unlocked, the whole screen goes black. No chance to recover besides signing out or rebooting.

    The IME and CTF Loader processes are at high CPU load after it has happened.

    Video of the Behaviour:
    (because Screen totally goes black it's a Screen Recording by Phone sorry it's a bit shaky, not so easy one hand recording and the other one typing :) )
    https://photos.app.goo.gl/Lwpwc4U6B92dxbD17

     

    Last edit: Marco Goetze 2019-10-21
  • Paul

    Paul - 2019-10-21

    Rather than use an alternative client, use KeePass with "enter master key on secure desktop" turned off.

    cheers, Paul

     
    • Marco Goetze

      Marco Goetze - 2019-10-21

      As I wrote in my post, I disabled the SecureDesktop option by config already, and this problem still occurs. It is not just a thing of the Secure Desktop for Login; it is also something happening after the Login with IME.

      In my Case I do see the Login Prompt, BUT as soon as I enter valid Credentials and unlock my DB everything turns Black and IME / CTF going nuts.

      See linked Video.

       

      Last edit: Marco Goetze 2019-10-21
  • Marco Goetze

    Marco Goetze - 2019-10-21

    Unfortunately didn't solve the Issue.
    The Service is set to Manual by default already. Even if I change it to Disabled, same black screen :(

     
  • Laser

    Laser - 2019-10-21

    On the latest updates, still black.

     
  • Dominik Reichl

    Dominik Reichl - 2019-12-30

    KeePass 2.44 will be released soon, thus I'd like to know whether the issue still occurs. If you were able to reproduce the problem previously and have all the latest Windows updates installed, it'd be great if you could test it again.

    Thanks and best regards,
    Dominik

     
    • Andrew Gu

      Andrew Gu - 2019-12-30

      Hi Dominik,

      I'm currently running Windows 10 Home (Version 1909, OS Build 18363.535) which is the latest stable version I can update to, and the issue still occurs.

      1. I've tried disabling "Touch Keyboard and Handwriting Panel Service" and restarting. After making sure the service is stopped, the issue still occurs.
      2. Sometimes locking the account then unlocking it clears the freeze-up, but not reliably.
      3. When the secure desktop context is created by KeePass, a new "Microsoft IME" process is created (normally 1 process, at this point 2 processes exist). Killing the "Microsoft IME" with high CPU usage almost always resolves the issue for me for the current KeePass process, and allows KeePass to function normally. The issue will begin again after KeePass is killed then restarted.

      IME won't function on KeePass input fields, if there's some way to prevent the secure context from spawning a new IME process that might resolve the issue.

      Thanks!

       

      Last edit: Andrew Gu 2019-12-30
  • Dominik Reichl

    Dominik Reichl - 2019-12-31

    Ok, thanks for the info!

    As the IME automatically spawns the problematic process, the only workaround that I see is to disable the IME on secure desktops (like Richard suggested). I've added this now.

    It would be great if you could test it:
    https://keepass.info/filepool/KeePass_191231.zip

    Thanks and best regards,
    Dominik
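
The workaround discussed above (Richard's ImmDisableIME suggestion, adopted here by Dominik) as an added C# sketch; it is not KeePass source and not code from any poster. The class name, the desktop name "ExampleDesk" and the empty prompt form are assumptions for illustration.

```csharp
// Added illustration, not KeePass code. ImeFreeDesktopDemo and "ExampleDesk" are hypothetical names.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

static class ImeFreeDesktopDemo
{
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode,
        uint flags, uint access, IntPtr securityAttributes);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SetThreadDesktop(IntPtr hDesk);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SwitchDesktop(IntPtr hDesk);
    [DllImport("user32.dll", SetLastError = true)] static extern bool CloseDesktop(IntPtr hDesk);
    [DllImport("user32.dll")] static extern IntPtr GetThreadDesktop(uint threadId);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();
    [DllImport("imm32.dll")] static extern bool ImmDisableIME(uint threadId);

    const uint GENERIC_ALL = 0x10000000;

    static void Main()
    {
        IntPtr original = GetThreadDesktop(GetCurrentThreadId());
        IntPtr secure = CreateDesktop("ExampleDesk", IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero);
        if (secure == IntPtr.Zero) throw new Win32Exception();

        var dialogThread = new Thread(() =>
        {
            // A fresh thread owns no windows yet, which both calls below require.
            if (!SetThreadDesktop(secure)) return;
            // 0 = current thread. Called before the first window exists, so the
            // IME is disabled for every window this thread creates.
            ImmDisableIME(0);
            using (var prompt = new Form { Text = "Prompt on separate desktop" })
                prompt.ShowDialog();
        });
        dialogThread.SetApartmentState(ApartmentState.STA);
        try
        {
            if (!SwitchDesktop(secure)) throw new Win32Exception();
            dialogThread.Start();
            dialogThread.Join();
        }
        finally
        {
            SwitchDesktop(original);   // always bring the user back to their own desktop
            CloseDesktop(secure);
        }
    }
}
```

Closing the form ends the dialog thread and returns to the original desktop; with the IME disabled, text in the form can only be entered with the plain keyboard layout.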

     
    • Andrew Gu

      Andrew Gu - 2019-12-31

      Just tested, and it seems to be functioning perfectly!

      Could not reproduce the issue in the following scenarios:
      - On a running system
      - After account signout then signin
      - After restart
      - Trying to enable IME on secure desktop

      Thanks for the workaround, and I hope Microsoft eventually fixes it.

       
  • Laser

    Laser - 2019-12-31

    Verified the fix. Will this be pushed out as a new build?

     
  • Dominik Reichl

    Dominik Reichl - 2019-12-31

    Great, thanks for testing it! So, this workaround will be included in the KeePass 2.44 release (mid January).

    Users who need the IME for entering their master password and currently have the secure desktop option turned on won't be able to open their database with KeePass 2.44 directly. They first need to turn off the secure desktop option. I've added instructions for this on the secure desktop help page.
    https://keepass.info/help/kb/sec_desk.html#ime

    Hopefully, the workaround can be removed in a future KeePass version. It'd be great if you could occasionally test whether Microsoft fixed the issue (i.e. whether KeePass 2.43 works fine again on your system) and let me know then.

    Thanks again, Happy New Year 2020 and best regards,
    Dominik

     
    • archimed7592

      archimed7592 - 2021-08-30

      Hello.
      I tried to run KeePass 2.43 on my Windows 10 21H1 and there are no observable problems with secure desktop.
      I enter my master password multiple times a day and I have a ritual to summon the IME: I disable password masking by clicking the 3-dots button, press alt-shift, the IME displays itself, I press alt-shift again if needed, enable password masking again and only then can I enter my password.
      It would be great to have IME returned to the secure desktop or at least to have an option to enable/disable IME in settings if there are doubts of the issue being resolved.

       
  • Dominik Reichl

    Dominik Reichl - 2019-12-31
    • status: open --> closed
     
  • Dominik Reichl

    Dominik Reichl - 2021-09-04

    Were you able to reproduce the IME bug before? As the bug didn't occur on all systems, we'd need confirmations from people who were affected previously. Given that there are no such reports so far, I doubt that the IME bug has been fixed.

    I've now added a UIFlags bit for enabling the IME on secure desktops (for expert users who really want to try it, at own risk):
    https://keepass.info/help/v2_dev/customize.html#uiflags

    Here's the latest development snapshot for testing:
    https://keepass.info/filepool/KeePass_210903.zip

    Thanks and best regards,
    Dominik

     
    • Jeremy

      Jeremy - 2021-09-04

      Hi Dominik,

      I can confirm the latest 2.48.1 does not have this problem with Secure Desktop on Win10 21H1 anymore.

      Thanks for the great work!

      Jeremy

       
    • archimed7592

      archimed7592 - 2021-09-06

      Hi!

      Were you able to reproduce the IME bug before?

      Nope. I wasn't using KeePass at that moment. Since I started using KeePass I always thought that this is a bug until I found an explanation in the documentation with a link to this ticket.

      I've now added a UIFlags bit for enabling the IME on secure desktops (for expert users who really want to try it, at own risk)

      I have enabled this flag and it works as expected. Thank you!

       