This basically means these apps have a kill switch; the whole design is buggered. Why would you need a valid certificate somewhere on the internet to be able to open apps?
It has proved an unfortunate Halloween for Microsoft, with the ghost of an expired certificate haunting Windows 11 users. The upshot is: various built-in programs may stop working properly or cannot be opened at all. Redmond yesterday said "some users" are affected, so you may or may not notice the blunder. This all applies to …
I don't think people using PC over IP via a thin client will be able to use the Print Screen workaround MSFT have suggested. Unless things have changed in W11 from 10. Pressing Print Screen never worked and you had to use the snipping tool. Well done MSFT.
If you want more people to upgrade I don't think having loads of your accessories failing is a good idea.
I must be one of the few people on the entire planet who had a decent experience with WinME - in comparison to the flakey mess that was Win98 running on the same hardware, ME was (relatively, insofar as any of that era of consumer-focused Windows versions ever could be) pretty stable during its time in residence at Chez Chris, especially when it came to handling those newfangled USB whatchamacallits.
Put it this way, of all the versions of Windows I've used and paid for out of my own pocket one way or another, ME wouldn't be at the top of the "seriously MS, I pay you good money and THIS is what I get in return" list...
There were a few of us. Once configured properly, there was little actual difference between WinME and Win98 2nd Edition. I never had any issue with it either. It came on a couple of Dell boxes bought for secretarial computers. Load Firefox (still 2.X at that time, before the rabbit-pellet version number cycle started), Office 2K, connect to the SAMBA shares for the Linux servers, and ME was quite usable.
Worse, this provides a nice easy attack path for malware. I don't care how secure they say their certificate store is - nothing is infallible. Doing this to a thousand Windows PCs at once on a network is going to be a great denial of service tool, and I wouldn't be surprised if a lot of "security" agencies just added a new item to their "to research" lists...
This sort of bug is exactly the reason why I wouldn't upgrade to Windows 11 for at least 6 months after release. Imagine your critical piece of hardware with a touch screen device running Windows 11 is rendered useless by this expired cert because you cannot use the on-screen keyboard or voice typing until MS get a fix sorted.
Would that be any safer though? The one thing you can be sure of with an expiring cert is that it's going to expire. That could be now, it could be two or three years down the line. This isn't a teething problem in a new OS but a structural weakness of Microsoft's own making. It's pure coincidence that it happened now and not in 18 months' time, when the wait-for-the-service-pack types have already jumped.
For myself it's part of the reason I've ditched MS wherever possible on a personal basis at least - the last hold out is a rather pricey EDA package I don't mind keeping a VM for. I've never liked this direction of users (and owners) losing operational sovereignty of their own machines, whether that is breaking changes via updates shuffled down your throat or plain carelessness as here.
So that it can report everything you do back to Redmond over a secure encrypted connection.
I mean, why the hell else would the start menu and screenshot tool even need a security certificate to work?
Also, this sounds like a sneaky way of forcing you to upgrade your OS in future.
Probably because they're cryptographically signed.
Their integrity can no longer be guaranteed as the certificate has expired, so no screenshots for you. (I mean sure, the OS could ignore this, but then that kind of renders any protection it offers moot too.)
It's a broader issue with this kind of security. You need some expiration mechanism otherwise mis-issued or compromised certs will never expire, however you also don't want your apps to stop working randomly.
If you figure out a good solution, you'll probably end up quite wealthy. :D
Tying your system security to something outside of your (and by "your" I mean not just the end user sat in front of a new somewhat useless PC, but every part of whatever IT support structure sits above them) control isn't the answer either, as this latest Redmond fubar so amply demonstrates.
There probably isn't a simple answer, but personally I'd prefer a solution which is at least wholly controlled by me or the people I work with, even if that means having to take a bit more personal responsibility. Because if something outside of our control prevents me from doing what I need to do with the PC, then I'm not going to be thinking a pleasant "phew, good job on keeping my system safe", but a rather more sarcastic "great job on keeping us safe from malwa...oh, wait, you are the fucking malware", and wondering if there's some sneaky workaround to restore correct system operation...
"So, not the solution then."
Actually, yes. It is. After several decades of studying how users manage to bollocks up damn near everything out of sheer, unadulterated ignorance, I truly believe that user education is THE solution. No others will work.
"Any proposal in the form of "this would work, if only [...]" is not a solution until the [...] bit is sorted."
All I did was point out the solution. I in no way suggested a method to implement it.
The certificates are for testing the signatures inside executables. Drivers have different signatures than apps, and apps that aren't published on the same day probably expire at different times.
This is to prevent hackers from replacing key parts of the operating system (aka a rootkit). If the OS won't start without properly signed drivers, a rootkit would break the system rather than lurk under the surface as a Trojan Horse (and potentially steal your money) - that is, the rootkit would not work.
It also seems to give Microsoft a convenient kill switch for Windows 10.
"The certificates are for testing the signatures inside executables."
OTOH the executable is the same as it was last week. The problem isn't the executable. It's not even certification. It's the expiry date of the certificate. The solution is to either ensure the expiry date is far enough ahead of the expected lifetime when the executable's published, or have a sufficiently robust system for enabling updates to be installed well in advance, which also takes into account those systems that are not and will not be connected to the internet.
It makes sense to verify the certificate on installation, to ensure the software is from who it says it is from (and not, for instance, malware delivered by a phishing attack). It makes sense for those certificates to expire, and to be revokable, for security reasons.
Verifying the same signature on every load seems like overkill, though. What's wrong with creating a cryptographic hash of the software, along with some unique OS key, when it is installed, and checking that? Something that doesn't expire.
OK, that doesn't solve the issue with being able to make the software revokable, but I'd question whether that is actually a feature anyone other than Microsoft would want to implement. Once I've installed something, I'd like it to remain installed.
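The trade-off the comments above describe, worked through as an added example (not Microsoft's mechanism and not the poster's code): policy A re-checks the signing certificate's validity window on every launch, so an unchanged binary stops launching the day the certificate expires; policy B verifies at install time and then binds the binary to a per-machine key, as the comment proposes, which survives expiry but, as the comment also concedes, gives up revocation. The certificate, publisher key, binary bytes and dates are constructed sample data, and the publisher signature is a toy HMAC standing in for a real RSA/ECDSA Authenticode signature.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    publisher_key: bytes  # toy stand-in for the publisher's public key


def sign(binary: bytes, cert: Certificate) -> bytes:
    """Toy publisher signature over the binary (sample, not a real code-signing scheme)."""
    return hmac.new(cert.publisher_key, binary, hashlib.sha256).digest()


def signature_ok(binary: bytes, sig: bytes, cert: Certificate) -> bool:
    return hmac.compare_digest(sign(binary, cert), sig)


def cert_valid_at(cert: Certificate, when: datetime) -> bool:
    return cert.not_before <= when <= cert.not_after


def launch_recheck_cert(binary, sig, cert, now) -> bool:
    """Policy A: signature AND certificate validity re-checked at every launch."""
    return signature_ok(binary, sig, cert) and cert_valid_at(cert, now)


class InstallRegistry:
    """Policy B: verify once at install, then bind the binary to a machine-local key."""
    def __init__(self):
        self.machine_key = secrets.token_bytes(32)  # the 'unique OS key', generated once
        self.installed = {}

    def _bind(self, binary: bytes) -> bytes:
        return hmac.new(self.machine_key, binary, hashlib.sha256).digest()

    def install(self, name, binary, sig, cert, now) -> bool:
        if not (signature_ok(binary, sig, cert) and cert_valid_at(cert, now)):
            return False  # expired or forged at install time: refuse
        self.installed[name] = self._bind(binary)
        return True

    def may_launch(self, name, binary) -> bool:
        expected = self.installed.get(name)
        # No certificate dates involved here, so expiry cannot break a launch;
        # only a binary that differs from the installed one is refused.
        return expected is not None and hmac.compare_digest(expected, self._bind(binary))


def demo() -> dict:
    utc = timezone.utc
    cert = Certificate("Sample Snipping Tool publisher", datetime(2020, 11, 1, tzinfo=utc),
                       datetime(2021, 10, 31, tzinfo=utc), b"sample-publisher-key")
    binary = b"\x7fELF sample snipping tool bytes"
    sig = sign(binary, cert)
    install_day, after_expiry = datetime(2021, 10, 1, tzinfo=utc), datetime(2021, 11, 1, tzinfo=utc)
    reg = InstallRegistry()
    return {
        "install_before_expiry": reg.install("snip", binary, sig, cert, install_day),
        "recheck_after_expiry": launch_recheck_cert(binary, sig, cert, after_expiry),
        "bound_after_expiry": reg.may_launch("snip", binary),
        "bound_tampered": reg.may_launch("snip", binary + b"!"),
        "install_after_expiry": InstallRegistry().install("late", binary, sig, cert, after_expiry),
    }
```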
Moreover and specifically, "Why on God's Green Earth" would "snipping" tool need to phone-home? It's not like it will have a big risk of being pirated. The new "Snip & Sketch" is patently worthless compared to the original "Snipping Tool" (circa Win7). In fact, there should be an option to disable telemetry completely. The larger question being what information about screen shots should ever be transmitted?
I wonder what happens to the apps if you have no network cable? Does Win11 roll over and die on a stand-alone machine? That's one of the primary reasons I always install with a normal Windows login and never a Microsoft account.
"It is worrying isn't it."
Not if you don't buy into it.
I'm absolutely astonished that the Corporate World keeps falling for it, year after year, decade after decade. You'd think they'd have learned by now.
I wonder how many tens of billions of dollars have been lost in man-hours alone due to Microsoft incompetence. And the Corporate Lawyers allow this crap in the building? Still? Mind boggling.
OK, your power in an organization is proportional to your budget and the number of staff you control. Many senior IT types like Windows, it needs a lot of hand-holding staff, gets expensively updated, and breaks on a regular basis; and is "what everybody uses".
Plausible support for this idea is that IBM who, arguably, invented the PC (Wintel) ditched manufacture of PCs to Lenovo. IBM (Perhaps, as part of their cost-cutting slow amble to the bottom?) stated that they use a lot of Apple kit. They claim support costs are lower than for Windows. Here is my post from last year:-
...At the end of 2019 they (IBM) had ~290,000 Apple devices of which ~200,000 use macOS. At the same time they had 383,800 employees, obviously some employees will use more than one device. I have a relative who is a very senior IBM techie who told me that in his (large) part of IBM far more techies use Linux than Windows - He was also of the opinion that a number of IBMers elected to go to Apple rather than move from Windows 7 to 10.
According to IBM, Mac users cost less to support with about 1/3 of the support personnel and are generally happier and more productive.
The last link is probably incorrect (or very worrying?!), as it states that IBM ditched 92% of their workforce in 2020 - other links suggest ~345,000 current staff - so unless COVID was worse than we believe...
It was a joke, but seeing as you missed that part, I never mentioned contacting letencrypt.org (shouldn't that be letSencrypt.org) but "phoning home" as almost all Microsoft software seems to do - to Microsoft.
If the signing certificate expired every 3 months and the system hadn't phoned home to Microsoft to fetch updates in that time things would get 'interesting'.
Scary that this appears to pre-suppose all Windows systems must be online regularly, and have to re-fetch signed applications even if the code hasn't changed (unless the signatures are detached and it can just fetch the new signature).
That could equate to a lot of bandwidth!
"If the signing certificate expired every 3 months and the system hadn't phoned home to Microsoft to fetch updates in that time things would get 'interesting'."
Doesn't Windows already get a bit arsey if it's not connected to the internet for some defined length of time anyway? I thought it started doing that years ago.
> These three items can be restored to working order by installing KB5006746, which you can try applying by checking the Settings > Update & Security > Windows Update > Optional updates available panel.
Just waiting for Windows 11 Update to be broken by an expired certificate to really mess you up.
Honestly, that doesn't seem all that far-fetched considering it is downloading packages from the Internet.
Does that also have bloody certificates for the simplest tools of the OS?
Can Borkzilla also shut down part of my work laptop out of sheer incompetence? (Okay, don't answer that.)
I can understand certificates on drivers, they usually work in kernel space (even if that seems stupid to me), but on the Snipping Tool? Really?
And the clock in the task bar, does it have a certificate too ?
What a bloody mess.
I don't know how long Microsoft has been doing this, but I do know that if your domain attached computer didn't log on to the domain on a regular basis, the trust would be broken and you would have to remove it from the domain and add it back in again. And if your Windows 7 machine didn't get on the internet or connect to your license server on a regular basis, you could lose activation, so it's not like this is a particularly new trick.
Windows 8 and 10 also have the "hey, you haven't validated your product key in a long, long while" timers as well, at least if you are using a MAK or KMS key. (The latter is used in corporates to manage product keys for all workstations and servers by having the computers check in with a machine with the KMS host running on it (which, in earlier versions, could be another workstation!) - said host needs to be able to validate the KMS key with Microsoft every now and again as well.)
Domain trust is typically an "I haven't seen this machine in 30/60/90 days, the computer account didn't renew its password, so I no longer trust it for authentication" issue, which is fixed by re-joining the machine to the domain. I've seen it frequently with sales people who tend to run around instead of being connected to the company network every now and again to make sure the computer's trust relationship is still there. (If the company is using a VPN client, that trust renewal will occur over the VPN connection if it's configured right.)
You mean if we block M$ at the firewall, our copies of Win11 will stop working, either instantly or when they decide to phone home and can't?
Or will Win 11 be like some god-awful virus and attempt to phone home across multiple IPs...
Someone create an outlook/office killer that runs on linux....