Keepass Master Key not on Secure Desktop

Help
robocop
2013-07-24
2013-11-05
  • robocop

    robocop - 2013-07-24

    On one of my computers, the keepass Master Key log-in doesn't always occur on a secure desktop. This was happening on version 2.22, so I upgraded to 2.23, but it still happens.

    If I restart the computer though, it tends to use the secure desktop once more. It's only after opening the first few databases that secure desktop stops being used. I've also tried unchecking and rechecking secure desktop.

    I'm on a Windows 7 Pro 32bit computer.

     
  • wellread1

    wellread1 - 2013-07-25

    I have been using Secure Desktop on Win 7 Home Premium x32 & x64 since its introduction and have not observed this problem.

    Can you provide additional details about your KeePass usage and what you mean by "It's only after opening the first few databases that secure desktop stops being used"? Are you opening multiple databases in one instance of KeePass, or multiple instances of KeePass, or does this occur after an extended period of use after repeatedly locking/unlocking a single database, or after an extended period of use where you have repeatedly exited KeePass?

    Do you have any plugins installed?

    Are you using settings different than the default settings that you think might be a contributing factor?

    Have you noticed any external factors that might be contributing (e.g. other running programs, low memory conditions etc?)

     
  • robocop

    robocop - 2013-07-26

    Hi wellread1, thanks for the support.

    Just default keepass settings for me, other than turning secure desktop on. It's on my work computer, and a number of other programs are usually running, but there should still be plenty of ram. Other programs always running on this computer are Symantec, Hamachi, Google Drive and Truecrypt.

    I always have multiple databases open. I have my personal databases called "personal basic" and "personal secure", one having basic passwords in and one having more secure passwords, and the same for my work databases; "work basic" and "work secure".

    The first database I open after restarting my computer always opens in 'Secure Desktop Mode.' I have a feeling it's not after a specific number of databases open but a bit more random than that. After Secure Desktop Mode turns itself off, I cannot turn it back on again without restarting the computer. Closing and reopening Keepass does not turn it back on.

    • A small thought: I have an old database which I cannot remember the password of. This does not matter because I moved all the passwords to a newer one a long time ago, but occasionally I try to log into it, without success. Perhaps it is this that turns off secure desktop mode, after a specific number of failures?

    All of my databases are what I would call "small"; none of them have any files attached.

    Or perhaps my Keepass has been compromised.... Sorry for not being very clear. I don't have a lot of time to work on the problem as it occurs on my work computer.

     
  • robocop

    robocop - 2013-07-26

    I've restarted my computer and cannot seem to reproduce the bug where keepass stops using the secure desktop. I have all of my regular databases open and have tried to fail with passwords on another database.

     
  • wellread1

    wellread1 - 2013-07-26

    I have an old database which I cannot remember the password of. ... but occasionally I try to log into it, without success. Perhaps it is this that turns off secure desktop mode, after a specific number of failures?

    The Secure Desktop setting is not affected by an unsuccessful database unlocking/opening. The Secure Desktop setting is stored in the KeePass.config.xml and is read at KeePass start up. The setting won't change while KeePass is running unless the user changes it. You can check the current state of the setting by checking whether "Enter master key on secure desktop" is checked in Tools>Options>Security(tab).

    The only thing I can think of that would affect whether the Secure Desktop is applied would be if the keepass.config.xml were temporarily unavailable when KeePass starts. This would cause KeePass to load the default settings (Secure Desktop OFF) and stay that way the entire session. This would not be a KeePass issue and seems pretty unlikely.

    I have an old database which I cannot remember the password of....but occasionally I try to log into it, without success

    If you don't need the passwords in the database you can delete the database. Make sure you delete the correct one! Of course you should always make backups of your databases, at least the ones you don't want to lose.

     
  • wellread1

    wellread1 - 2013-07-26

    The other possibility is that you are running two different copies of KeePass that are configured with different settings.

     
  • robocop

    robocop - 2013-07-29

    Those are some good ideas.

    As far as I can tell I haven't got multiple versions of keepass installed. I've probably got some portable versions scattered around the place, but none that should cause this.

    Something I didn't mention, but works with your ideas, is that I tend to open .kdbx files using the windows taskbar drop down list.

    Weirdly though, despite it occurring on multiple occasions last week, I haven't seen the "bug" happen recently. I haven't been able to manually recreate it. When it did occur, I did go into the settings to check whether it was on, and it was. I'd then try to toggle it on and off to make it come back on but to no avail. Even restarting keepass didn't turn it back on, but restarting the computer did.

     
  • wellread1

    wellread1 - 2013-07-29

    As far as I can tell I haven't got multiple versions of keepass installed. I've probably got some portable versions scattered around the place, but none that should cause this.

    In the default configuration, an installed version of KeePass obtains its configuration settings from the User Application Directory while portable versions obtain their settings from their respective KeePass Application Directories.

     
  • robocop

    robocop - 2013-07-30

    Well, I'm unable to recreate the problem, which is good. Really, I have no idea what the problem would have been. I'm surprised I can't recreate it because I had this error both before and after upgrading from 2.22 to 2.23.

    Edit - Just as I say that I recreated it!

    Okay. How I THINK I have managed it is by the following:

    1) Open (doubleclick) a database as normal. Enter the password and be signed in.
    2) Open (doubleclick) a second database. DO NOT LOG IN. Instead, enter the wrong composite key. This will give you the popup message saying "incorrect composite key". Do not click off it!
    3) Whilst the "incorrect composite key" message is still up, open (double click) a 3rd database. This will probably cause keepass to "flash" but will not be opened.
    4) Click okay in the "incorrect composite key" message. It will then ask you for the pin again.
    - Note - At this point it may already be incorrectly asking you to enter the composite key in a non-secure desktop. However if the bug has not occurred yet continue.
    5) Enter the wrong composite key again. The "incorrect password message" will appear. Click Okay.
    6) Enter the wrong composite key again. The "incorrect password message" will appear. Click okay.
    Finally) When you next try to open a 4th database, or any other database, it will not attempt to do so in secure desktop mode.

    Restarting keepass will not fix this problem. However, restarting the computer should fix it.

     
  • robocop

    robocop - 2013-07-30

    After saying that, I restarted my computer.... and then couldn't recreate it using the above method.

    In my mind it's definitely an obscure bug. But as I can't recreate it at will, it's a bit difficult.

     
  • wellread1

    wellread1 - 2013-07-30

    I could not repeat it either on Win 7 Home Premium x32 w .NET 4.

    1. Is "Limit to single instance" checked? (Tools>Options>Advanced(tab)>Start & Exit(section))
    2. If the problem reappears: check how many instances of keepass.exe are running in Task manager compared to the sum of (number of open KeePass Windows (count 1 per window not per database) + number of "The composite key is invalid!" windows + number of open Enter Master Key dialogs).
     
    Last edit: wellread1 2013-07-30
  • robocop

    robocop - 2013-10-21

    I still get this error upon occasion. Most recently it was after my work computer had been on for around 8 consecutive days (it acts as a server). I thought for a second it was CTRL being a master key to prevent secure desktop from loading, as I realised I was still holding Ctrl. But I can't get that to repeat either. What was interesting is this time the error was definitely not related to me entering an incorrect composite key.

    Is "Limit to single instance" checked? (Tools>Options>Advanced(tab)>Start & Exit(section))

    Yes.

    If the problem reappears: check how many instances of keepass.exe are running in Task manager compared to the sum of (number of open KeePass Windows (count 1 per window not per database) + number of "The composite key is invalid!" windows + number of open Enter Master Key dialogs).

    Ah, failed to do this last time. When it reoccurs I will try to get this information. So if I had 5 open databases, all in one keepass window, then that should still count as 1. Then the "composite key entry" window counts as an additional one, and if I have a composite key error window that will count as a 3rd. So I should have 3 in that case, 2 without the composite key error window, and one normally.

     
  • wellread1

    wellread1 - 2013-10-21

    The most likely cause is that you are inadvertently running one of the "portable versions [that you have] scattered around the place,..." and it is configured with enter Master Key on Secure desktop off. I suggest you clean up your computer and remove all copies of KeePass that you are not using. If this is not the trouble, then before any meaningful debugging can occur, you will need to establish the conditions that reliably produce the problem.

    I don't remember why I suggested 2 above. If your configuration is as you say, you should never see more than one KeePass process running. When the error occurs, you should record the number of KeePass processes to verify that only one process is running and you may want to compare it to an itemized list of the number of displayed KeePass Windows, Master Key dialogs, and Error messages, but I believe my logic that the sum of those items is somehow significant was mistaken.
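
An added diagnostic for the two checks discussed above (which KeePass.exe is actually running, and what each copy's configuration file says about the secure desktop); it is not part of the thread and not KeePass's own tooling. The per-user config path, the XML element name and the search roots are assumptions, marked in the comments.

```powershell
# Added diagnostic example; not code from this thread or from the KeePass project.
# Assumptions: the per-user config is %APPDATA%\KeePass\KeePass.config.xml, the option
# is the element Configuration/Security/MasterKeyOnSecureDesktop, and portable copies
# live under the search roots below (add other drives or folders as needed).
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-SecureDesktopSetting([string]$ConfigPath) {
    # A missing file or element is reported as the default, which the thread gives as off.
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return 'no file (default: off)' }
    try   { $xml = [xml](Get-Content -LiteralPath $ConfigPath -ErrorAction Stop) }
    catch { return "unreadable: $($_.Exception.Message)" }
    $node = $xml.SelectSingleNode('/Configuration/Security/MasterKeyOnSecureDesktop')
    if ($node) { $node.InnerText } else { 'not set (default: off)' }
}

function New-ConfigRow([string]$Kind, [string]$ConfigPath) {
    New-Object PSObject -Property @{
        Kind          = $Kind
        SecureDesktop = Get-SecureDesktopSetting $ConfigPath
        ConfigPath    = $ConfigPath
    } | Select-Object Kind, SecureDesktop, ConfigPath
}

# 1. Running processes: more than one row, or an unexpected Path, points to a second copy.
Get-Process -Name KeePass -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, Path | Format-Table -AutoSize

# 2. The per-user config, then the config beside every KeePass.exe found on disk.
#    An installed copy takes its settings from the per-user file (see the thread), so the
#    "beside exe" rows matter for portable copies.
$rows = @(New-ConfigRow 'per-user' (Join-Path $env:APPDATA 'KeePass\KeePass.config.xml'))
$rows += @(Get-ChildItem -Path $SearchRoots -Filter KeePass.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { New-ConfigRow 'beside exe' (Join-Path $_.DirectoryName 'KeePass.config.xml') })
$rows | Format-Table -AutoSize -Wrap
```

Running it while the Master Key dialog is appearing on the normal desktop records the process path and the on-disk setting at the moment of failure, which is the evidence the thread keeps asking for.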

     
  • robocop

    robocop - 2013-11-04

    Hi Wellread. Thanks for all the help given so far.

    I've had it again today after this PC has been running for nearly 6 days. There is only 1 instance of keepass running according to task manager with 3 databases open, and even with an open database "composite key entry" window open (non secure), that remains at 1 keepass instance.

    I do often use portableapps, but only could find one portable app version of keepass on this computer. After closing keepass down, deleting it, and reopening keepass it remains nonsecure.

    I'm sure I have said this before, but the "Enter Master Key On Secure Desktop" checkbox remains checked even when keepass is not acting securely. I'm not using any plugins.

    This issue doesn't exactly bother me; restarting the computer always seems to fix the problem. But it's a bit of a mystery.

     
  • Paul

    Paul - 2013-11-04

    It does sound like KeePass cannot read the config file so it doesn't know to use the secure desktop.
    When KeePass is locked, right click on the taskbar icon and select Options > Security. Is the option for secure desktop ticked?
    Now unlock KeePass, do you have the secure desktop?

    cheers, Paul

     
  • wellread1

    wellread1 - 2013-11-04

    The KeePass Master Key dialog is displayed on the secure desktop only for opening/unlocking a database. It is not displayed on the secure desktop for other actions (e.g. if any of the "Do not require entering master key before...." Exporting/Printing/Change Master Key are unchecked in Tools>Options>Policy).

    Prior to the just released KeePass 2.24 there was an issue with orphaned Ctfmon processes being generated by secure desktop. While the issue was never reported to lead to the symptoms you describe, you could upgrade.

    Beyond these and Paul's comments above I don't have any additional insight.

     
  • robocop

    robocop - 2013-11-05

    When the Database(s) are locked, "Enter Master Key on Secure Desktop" remains checked, and after unlocking the databases (non-securely) it still remains checked.

    It's a very strange one. All I know is that it never happens straight after the PC has been restarted, only after a number of hours or days does it then stop opening on a secure desktop.

    Maybe it's something to do with Symantec.

     
