Closed jktrigg closed 1 year ago
Can you include anything about what version you're using or anything that might be unique about your environment? Also, do you see the same behavior in PuTTY?
@jktrigg Are you still having this issue?
Yes, I have this problem too.
there is if you install on a non-standard path, then everything works
I think this is because it is placed where administrator rights are required, and the work goes under a user who does not have such rights
@dc-avasilev What build of Windows 10 are you on? Are you using any special software like ActivClient? Do you see the behavior in both PuTTY and Pageant? I would love to help but I need some additional details to try to reproduce the issue.
Also, can you verify the pre-release version still has the issue? https://github.com/NoMoreFood/putty-cac/blob/master/binaries/puttycac-64bit-0.77u2-installer.msi
FYI @NoMoreFood
> What build of Windows 10 are you on?

Edition: Windows 10 Enterprise
Version: 21H2
Installed on: 30.05.2022
OS build: 19044.1288
Experience: Windows Feature Experience Pack 120.2212.3920.0
PC in Domain

> Are you using any special software like ActivClient?

yes, SafeNet Auth... Client

> Do you see the behavior in both PuTTY and Pageant?

yes

> I would love to help but I need some additional details

what details do u need, ask me

> Also, can you verify the pre-release version still has the issue?

in version https://github.com/NoMoreFood/putty-cac/blob/master/binaries/puttycac-64bit-0.77u2-installer.msi pageant is crashing after start every time
Faulting application name: pageant.exe, version: 0.77.0.2, time stamp: 0x6313e84f
Faulting module name: ntdll.dll, version: 10.0.19041.1288, time stamp: 0xa280d1d6
Exception code: 0xc0000374
Fault offset: 0x00000000000ff199
Faulting process id: 0x2e3c
Faulting application start time: 0x01d8c83c9cf289c9
Faulting application path: C:\Users\vasilyev_an\putty\pageant.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 1258842d-e463-4a7e-8b73-f3477b2b0e1f
Faulting package full name:
Faulting package-relative application ID:
@dc-avasilev Interesting, I cannot reproduce the crash either. Thanks, I'll try with the SafeNet authentication client installed and see if that makes a difference. Was there an older version that worked well for you?
@dc-avasilev Darn. No repro with Windows 10 + SafeNet Auth Client + Experience Windows Feature Experience Pack. I didn't try those specific versions though. For the Pageant crash issue (which may or may not be related), can you try the attached file (pageant.zip) and reply with the dump file it produces when it crashes? https://helgeklein.com/blog/creating-an-application-crash-dump
in my scenario, it does not crash, but just freezes tightly, as if an eternal loop when trying to open the certificate selection window, so I can’t provide any dumps, sorry
@dc-avasilev Alright, I'll try to think of a different approach. Earlier when you said "if you install on a non-standard path, then everything works", are you saying that instead of installing to "C:\Program Files\PuTTY", literally installing anywhere else works better?
@NoMoreFood I work in a domain network and my user has limited rights to folders on the computer, but there are no restrictions on the user profile folder, so I just install putty-cac in my user profile and everything works fine, example "C:\Users\username\putty"
@NoMoreFood maybe it will be useful for information, the root certificate is associated with a usb token
@dc-avasilev The USB token part shouldn't really play into it. I thought you mentioned before that it crashed:
> in version https://github.com/NoMoreFood/putty-cac/blob/master/binaries/puttycac-64bit-0.77u2-installer.msi pageant is crashing after start every time
@NoMoreFood ah, sorry, I already deleted this version, maybe I'll try again next weekend, to collect the dump
Bump. I'll see someone to help me debug this if you're still seeing an issue (ideally after testing with the latest version). Even a virtual meeting might be good if possible. If nobody is interested anymore, I'll close out this issue.
I am interested in a solution but there is no time yet
I am having this issue with 0.77u2 x64 on Windows 10 Enterprise, we have ActivClient 7.2.1.68.
Edition: Windows 10 Enterprise
Version: 21H1
Installed on: 5/31/2021
OS build: 19043.2132
Experience: Windows Feature Experience Pack 120.2212.4180.0
I open pageant, go to View keys and Certs, click Add CAPI Cert, and it freezes. I have to go to Task Manager and end pageant.
This is the installed version (msi) of PuTTY. Luckily, my PuTTY itself is still working, although I did have another user report issues with his PuTTY (same thing, it freezes when trying to use a CAPI cert).
@wmagb Are you using it with DoD CACs? I want to try to replicate your setup as best I can. Also, what antivirus are you running? If I provided a debug version with a few message boxes to see where it's getting stuck, would you be in a position to test it?
Yes we are using with DoD CACs. We are running McAfee Endpoint Security 10.7.0. Sure, I can test.
@wmagb Could you try the attached files and let me know the last few messages you get before it hangs?
This might not be very helpful, but I bisected it to this commit https://github.com/NoMoreFood/putty-cac/commit/3ea27f0489a9193eaf079e42725d7a69062b0dc5
@dutchthomas Thanks. I'll take a look at the PuTTY CAC related changes during that commit to see if they are material. Simon (PuTTY maintainer) did a huge refactor at that point so it's possible it's something in there that I have to work around. If you wouldn't mind trying out the binaries I provided for @wmagb that would be helpful as well so I know where in the code it might be getting hung up. It's basically just a bunch of dialog boxes popping up along the 'Add CAPI' code in Pageant. Based on one thing that was changed with that commit, it's possible the last box you see will be "Cert Prompt 5 - Select Cert List".
The last few messages are:
Cert Prompt 3 - Cert Found Loop
Cert Prompt 4 - Cert Add To Memory Store
Cert Prompt 5 - Select Cert List
Then it freezes, the window loses focus, and I have to go to Task Manager to end it.
@wmagb Alright, that makes sense. For some reason the foreground window on your computer must point to a location the Microsoft certificate selection function does not like. I'll give you an alternate version to test in a few hours.
@wmagb I updated the debug version. I'm especially interested in the four message boxes right before the certificate selection popup (or the hang --- whatever comes first). This may also happen to address the issue (let me know if it does), but it's more of a workaround.
Cert Prompt 5 - Select Cert List
Window Visible True
Window Iconic False
Window Valid True
Window Enable True
Then another window opens off screen, to select the cert or key, I can't see it until I hover the mouse over the pageant icon in the taskbar.
@wmagb I am somewhat at a loss; I have your configuration replicated identically but cannot reproduce the behavior. From the debug messages, I know generally what's going on -- for whatever reason the foreground window being assigned to the certificate dialog must somehow be offscreen (or somewhere you can't see it). The program isn't really hanging... it's just asking you to select a certificate and you can't see the prompt or click the button to pick a certificate. Can you think of anything that could cause such a behavior? Like a really wacky monitor software or screen setup? Something that changes window focus automatically? If you create a different local user (i.e. fresh profile), are you able to reproduce the issue?
You've definitely got my curiosity piqued. I think I know of a way to work around it, but I'd really like to understand root cause more so I'm confident I'm not breaking it for everyone else that it's working for right now.
Okay, I've seen this with other programs. It usually has to do with your display topography having changed since you ran the program previously.
Thanks, Jim Trigg
Thanks @jktrigg. Accordingly... if someone with the issue is able to, I'm curious if trying on a fresh profile in Windows will address it since a fresh profile should have no record of previous window positioning.
Fresh profile, fresh machine, didn't matter. We tried a few different versions, including the latest 0.78, to no avail. We have rolled back to 0.76u4, which works just fine.
@wmagb Can you try this version? It more closely resembles the window location approach in 0.76u4. Also, do you happen to use one of those programs that displays a banner at the top of the screen (e.g., for classification)?
@NoMoreFood just tried it, didn't work. Same issue.
@wmagb Now that surprises me. To be clear, you were testing the 'Add CAPI Cert' functionality within Pageant either through the right-click menu or the "View Keys & Certs" dialog interface? That was the main change I made.
@NoMoreFood that is correct. Launch pageant, right-click, View Keys & Certs, Add CAPI Cert.
@wmagb I'll continue to ponder. It might help to do a Teams call if you can share out a machine where the problem is occurring. If you're willing to pursue this, shoot me an email at Bryan.Berns@unnpp.gov
So I fetched this new version and attempted to open a CAPI cert using the 32-bit putty and it worked perfectly: I was presented with a dialog to actually open my CAPI. I was about to comment that 0.78u1 was helpful when it occurred to me that I've been defaulting to 64-bits, so I tried the 64-bit exe and it exhibited the bad behavior. When I poke the "Set CAPI Cert" button I see this un-identifiable flash on the screen and the putty configuration window is stuck until I kill it.
Now the weird part: When I mouse over the task-manager icon, it gives me a little thumbnail of the putty configuration window. When I mouse over the thumbnail it would normally highlight the actual window. However, I don't see any available windows but instead I'm shown a full-screen Windows Security dialog across the entirety of 1 of my three displays. The window shows some text in the upper left of the screen to select a certificate or key, and there is a close button in the bottom-right, and nothing in the middle - it isn't a completely drawn security dialog, and I can't interact with any of it.
So at least for me the 32-bit putty works as I expect, but the x64 putty gets stuck. Maybe this provides some additional insight?
@xeniphon It's certainly interesting and thank you for the update... we don't do anything different for x64 from a coding perspective so likely pointing back to some sort of weird / unique issue where the built-in Windows certificates dialog are playing games with focus.
Hi,
I have the same issue at my company. PCs are on W10 20H2 on Active Directory. I tried your latest version 0.78u1. With the 32-bit version there is no issue; with the 64-bit version PuttyCac freezes when I click on Set CAPI cert.
@Vax1969 Does it occur on every system you've tried with the 64-bit version? Do you also happen to be using ActivClient?
Hi @NoMoreFood Yes, it's the same on all 64-bit laptops + virtual machines. I tried to install it in the default folder and also gave myself full modification rights on the install directory (by default no full rights), but the issue is the same. It appears only with the 64-bit version of Putty Cac. I am not sure what ActivClient is, but yes, on our PCs/VMs we have software to manage our SecureID card that includes a certificate.
I tested with the 0.75 64-bit version. It works. I can't test with 0.76; the download is not allowed at my company. I tested with 0.77 and later, it doesn't work.
@Vax1969 There were some huge changes in the core PuTTY code starting in 0.77 so it's been tough to narrow this down. I'll try to put some time in later this week. I still have to connect up with @wmagb.
And, just throwing this out there in the unlikely event someone is able... if anyone is able to reproduce this on a virtual machine that they can provide to me a virtual hard drive, that would be great for debugging.
Odd, I'm able to get CAPI and PKCS working with my CAC with the latest x86 PuTTY CAC 0.78. It's the x64 version that doesn't see anything for CAPI or work with ActivClient. I'm using ActivClient x64 (7.2.1.211, FIXS2010001) on Windows 10 21H2.
All, we were able to identify the problem and should have an updated version out soon. The problem actually appears to be an issue with how ActivClient (and potentially other credential providers) loads certain DLL files. I'll report the problem to HID, but given we all don't want to wait for them to patch it, I will deploy a version with the workaround later this weekend.
@compuguy @xeniphon @dutchthomas @jktrigg @Vax1969 @dc-avasilev
Please try the revised 0.78u1 found here: https://github.com/NoMoreFood/putty-cac/releases
Confirming success! I ran the 64 bit pageant and was able to add a certificate. Thank you! I'll be interested to have a look at the required changes; I spent a few unsuccessful hours trying to debug it myself (:
@dutchthomas It was literally a one line change. The core of the issue is that normally the PuTTY code only allows loading of DLL files from the Windows system directory or when the full path is called out. Most programs don't restrict library loading like this and allow the application to load any DLL file just by name. For example, if I call LoadLibrary("mylibrary.dll"), Windows will search for "mylibrary.dll" in the current directory, your PATH variable, and the Windows System directory. The code in some of these third party credential providers (e.g., ActivClient, SecureID) must load DLL files without specifying the full path which appears to break the rendering of the credential dialog. Really these vendors should not be doing this since it makes the program susceptible to something called "DLL Hijacking", but it is a relatively minor security concern (in my opinion). Most Microsoft applications don't even go out of their way to protect against it since it causes these sorts of compatibility concerns. So the fix was just basically to not run the function that prevents loading of libraries without specifying the whole path.
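The two loading policies described in the comment above, as an added example (not part of the thread and not PuTTY CAC's code): a simplified Python model of how a bare DLL name and a full path resolve under the default search order versus a system-directory-only policy, and which user-writable directories get searched first. The directory layout, the `ExampleCSP` vendor folder and `examplecsp_ui.dll` are hypothetical, and the search order is a simplification of the documented Windows behaviour.

```python
from pathlib import PureWindowsPath as P

SYSTEM32 = P(r"C:\Windows\System32")

def default_order(app_dir, cwd, path_dirs):
    """Simplified default search order for a bare DLL name (safe search mode):
    application dir, system dir, Windows dir, current dir, then PATH entries."""
    return [P(d) for d in (app_dir, SYSTEM32, SYSTEM32.parent, cwd, *path_dirs)]

def resolve(request, search_dirs, files):
    """Return the file that would be loaded, or None if the load fails."""
    req = P(request)
    if req.is_absolute():                 # full path given: no directory search
        return req if req in files else None
    return next((d / req for d in search_dirs if d / req in files), None)

def audit(request, app_dir, cwd, path_dirs, files, writable):
    """Resolve one load request under both policies and list the user-writable
    directories that are searched before the file is found (hijack exposure)."""
    order = default_order(app_dir, cwd, path_dirs)
    default_hit = resolve(request, order, files)
    restricted_hit = resolve(request, [SYSTEM32], files)
    if P(request).is_absolute():
        searched_first = []
    elif default_hit is None:
        searched_first = order
    else:
        searched_first = order[:order.index(default_hit.parent)]
    return {
        "default": default_hit,
        "system32_only": restricted_hit,
        "exposed_dirs": [d for d in searched_first if d in writable],
    }

# Constructed scenario; the vendor directory and DLL name are hypothetical.
FILES = {SYSTEM32 / "crypt32.dll", P(r"C:\Program Files\ExampleCSP\examplecsp_ui.dll")}
WRITABLE = {P(r"C:\Users\alice\work")}
ENV = dict(app_dir=r"C:\Program Files\PuTTY", cwd=r"C:\Users\alice\work",
           path_dirs=[r"C:\Program Files\ExampleCSP"], files=FILES, writable=WRITABLE)

if __name__ == "__main__":
    for name in ("crypt32.dll", "examplecsp_ui.dll",
                 r"C:\Program Files\ExampleCSP\examplecsp_ui.dll"):
        print(name, audit(name, **ENV))
```

The bare vendor name is the case from the thread: it fails under the system-directory-only policy, and under the default order it only loads after a user-writable directory has been searched. The same DLL requested by full path loads under both policies with no exposed directories.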
> Most Microsoft applications don't even go out of their way to protect against it since it causes these sorts of compatibility concerns.
I bet there's a STIG setting that forces this check now, because those guys LOVE to break functionality in exchange for a minor security gain. ;)
@chuckmilam Luckily not ..... yet.... In the case of something like Outlook, it would probably break S/MIME email the same way it was breaking PuTTY CAC. But definitely agree with your point overall... STIGs have bit us the same way many, many times. The Windows FIPS setting, in particular, has broken license servers and things like that use non-FIPS hashes for non-security purposes.... which is probably why Microsoft has casually recommended not enforcing it. That specifically is why I wrote that WinPriv program; it allows you to disable FIPS for specific applications but not the entire OS.
@NoMoreFood Hi, I confirm on my side that the latest release 0.78U1 64 bits works on my VM + physical laptop. Thanks.
@Vax1969 Thanks! Given the multiple affirmations, I'm going to go ahead and close this issue and mark the new release as production.
When I select Add CAPI Cert or Add FIDO Key, nothing happens. Add PKCS Cert does open a file chooser.