Expired cert breaks Windows 11 snipping tool, emoji panel, S Mode features, other stuff

It has proved an unfortunate Halloween for Microsoft, with the ghost of an expired certificate haunting Windows 11 users. The upshot is: various built-in programs may stop working properly or cannot be opened at all. Redmond yesterday said "some users" are affected, so you may or may not notice the blunder. This all applies to …

  1. Hans 1
    Windows

    Certified useless

    This basically means these apps have a killswitch, the whole design is buggered. Why would you need a valid certificate somewhere on the internet to be able to open apps ?

    1. Snake Silver badge

      Re: Certified useless

      I guess we can now say this applies with any computerised construct, be it app or data, that has been secured by certificates: kill the cert, your data is GONE!

      1. Anonymous Coward
        Anonymous Coward

        Re: Certified useless

        Remember when Firefox did it a few years ago, and it disabled all add-ons?

        https://www.theregister.com/2019/05/06/mozilla_firefox_add_on_expiry/

      2. Anonymous Coward
        Anonymous Coward

        @Snake - Re: Certified useless

        Not necessarily. It all depends on what the program decides to do when certificates fail, they could simply display a warning and allow you to continue after some extra clicks for confirmation. Firefox for example does that most of the time.

    2. JimboSmith Silver badge

      Re: Certified useless

      I don't think people using PC over IP via a thin client will be able to use the Print Screen workaround MSFT have suggested. Unless things have changed in W11 from 10. Pressing Print Screen never worked and you had to use the snipping tool. Well done MSFT.

      If you want more people to upgrade I don't think having loads of your accessories failing is a good idea.

    3. Blackjack Silver badge

      Re: Certified useless

      Even Vista wasn't this terrible.

      1. Anonymous Coward
        Anonymous Coward

        Re: Even Vista wasn't this terrible

        You have forgotten

      2. Antonius_Prime
        Pint

        Re: Certified useless

        It could be worse, it could be WinME...

        (Even typing that was painful. Imma need me one o'dem tings in the icon...

        Or a few...)

        1. ChrisC Silver badge

          Re: Certified useless

          I must be one of the few people on the entire planet who had a decent experience with WinME - in comparison to the flakey mess that was Win98 running on the same hardware, ME was (relatively, insofar as any of that era of consumer-focused Windows versions ever could be) pretty stable during its time in residence at Chez Chris, especially when it came to handling those newfangled USB whatchamacallits.

          Put it this way, of all the versions of Windows I've used and paid for out of my own pocket one way or another, ME wouldn't be at the top of the "seriously MS, I pay you good money and THIS is what I get in return" list...

          1. drankinatty

            Re: Certified useless

There were a few of us. Once configured properly, there was little actual difference between WinME and Win98 2nd Edition. I never had any issue with it either. It came on a couple of Dell boxes bought for secretarial computers. Load Firefox (still 2.X at that time before the rabbit-pellet version number cycle started), Office 2K, connect to the SAMBA shares for the Linux servers, and Me was quite usable.

    4. trindflo
      Flame

      Re: Certified useless

It probably means more than applications. All Windows 10 drivers are required to be signed with Microsoft's certificate. I've been asking if that means that Windows 10 has a kill switch, and now I think I have my answer.

      1. Zippy´s Sausage Factory
        Devil

        Re: Certified useless

        Worse, this provides a nice easy attack path for malware. I don't care how secure they say their certificate store is - nothing is infallible. Doing this to a thousand Windows PCs at once on a network is going to be a great denial of service tool, and I wouldn't be surprised if a lot of "security" agencies just added a new item to their "to research" lists...

        1. J. Cook Silver badge

          Re: Certified useless

This leads me to ask: how hard is it to fake a CRL or return a "this certificate has been revoked" OCSP response? Because I can see that as a nice way to wreak havoc.

    5. Cederic Silver badge

      Re: Certified useless

      So that malware doesn't overwrite and pretend to be those apps?

      1. Ken Hagan Gold badge

        Re: Certified useless

        No. That doesn't explain it. You can, and probably should, sign your code to stop Trojans but as long as you also timestamp that sig it remains valid after the certificate has expired. There are no excuses for not timestamping the sig on released software.
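Ken Hagan's point above, as an added example that is not from the thread or from any Microsoft code: a small Python model of the time rule a verifier applies when a signature carries a trusted timestamp. The certificate, dates and binary are constructed; the SHA-256 digest stands in for the real asymmetric signature, and the timestamp authority's countersignature is modelled as a trusted field on the signature.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import hashlib


@dataclass(frozen=True)
class SigningCert:
    """Minimal model of a code-signing certificate (constructed, not a real cert)."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # date from a CRL entry, if revoked


@dataclass(frozen=True)
class CodeSignature:
    """A signature over a binary; `timestamp` models a trusted TSA countersignature."""
    cert: SigningCert
    digest: str  # SHA-256 of the signed bytes (stands in for the RSA/ECDSA signature)
    timestamp: Optional[datetime] = None


def sign(binary: bytes, cert: SigningCert, tsa_time: Optional[datetime] = None) -> CodeSignature:
    """Produce a signature; pass tsa_time to model having the signature timestamped."""
    return CodeSignature(cert, hashlib.sha256(binary).hexdigest(), tsa_time)


def verify(binary: bytes, sig: CodeSignature, now: datetime) -> Tuple[bool, str]:
    """Return (ok, reason) for a signature checked at wall-clock time `now`.

    With a trusted timestamp the certificate only has to have been valid when the
    code was signed, so the signature keeps verifying after the certificate expires.
    Without one, the only time the verifier can use is `now`.
    """
    if hashlib.sha256(binary).hexdigest() != sig.digest:
        return False, "digest mismatch: binary was modified after signing"
    cert = sig.cert
    check_time = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= check_time <= cert.not_after):
        return False, f"cert for {cert.subject} not valid at {check_time:%Y-%m-%d}"
    # A revocation only invalidates signatures made on or after the revocation date.
    if cert.revoked_at is not None and cert.revoked_at <= check_time:
        return False, f"cert for {cert.subject} revoked before signing time"
    return True, "ok"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed scenario: a cert that expired at the end of October, checked in November.
CERT = SigningCert("Example App Publisher", utc(2020, 1, 1), utc(2021, 10, 31))
BINARY = b"MZ example snipping tool image (constructed)"
NOW = utc(2021, 11, 1)

UNSTAMPED = sign(BINARY, CERT)                         # no countersignature
STAMPED = sign(BINARY, CERT, tsa_time=utc(2021, 6, 1))  # timestamped while cert was valid


def demo() -> dict:
    return {
        "unstamped_after_expiry": verify(BINARY, UNSTAMPED, NOW),
        "stamped_after_expiry": verify(BINARY, STAMPED, NOW),
        "tampered": verify(BINARY + b"!", STAMPED, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}  {why}")
```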

      2. Anonymous Coward
        Anonymous Coward

        Re: Certified useless

        The certificate process can be considered malware, as it can take away functionality that would have been available had it not been for the certificate.

  2. mark l 2 Silver badge

These sorts of bugs are exactly the reason why I wouldn't upgrade to Windows 11 for at least 6 months after release. Imagine your critical piece of hardware with a touch screen device running Windows 11 is rendered useless by this expired cert because you cannot use the on screen keyboard or voice typing until MS get a fix sorted.

    1. the spectacularly refined chap Silver badge

Would that be any safer though? The one thing you can be sure of with an expiring cert is that it's going to expire. That could be now, it could be two or three years down the line. This isn't a teething problem in a new OS but a structural weakness of Microsoft's own making. It's pure coincidence that it happened now and not in 18 months time when the wait for the service pack types have already jumped.

      For myself it's part of the reason I've ditched MS wherever possible on a personal basis at least - the last hold out is a rather pricey EDA package I don't mind keeping a VM for. I've never liked this direction of users (and owners) losing operational sovereignty of their own machines, whether that is breaking changes via updates shuffled down your throat or plain carelessness as here.

      1. MatthewSt

        If it's not a teething problem in a new OS then why do other versions of Windows (which ship with the same tools) not have the same problem?

        1. Doctor Syntax Silver badge

          Different certs with different expiry dates. It's a certificate management problem. If the certs are due to expire you need to ship updates in good time. It could happen to any product that takes its eye off the ball. Being a new OS is no excuse.

      2. John Brown (no body) Silver badge
        Devil

        "losing operational sovereignty of their own machines"

        I voted MSEXIT, I'm a proud FreeBSD using MSEXITeer :-)

        Always looked like Beastie to me --------->

  3. Anonymous Coward
    Anonymous Coward

    Part of the OS

    Why would individual parts of the OS need certificates anyway?

    1. Howard Sway Silver badge

      Re: Part of the OS

      So that it can report everything you do back to Redmond over a secure encrypted connection.

      I mean, why the hell else would the start menu and screenshot tool even need a security certificate to work?

      Also, this sounds like a sneaky way of forcing you to upgrade your OS in future.

    2. FIA Silver badge

      Re: Part of the OS

      Probably because they're cryptographically signed.

Their integrity can no longer be guaranteed as the certificate has expired so no screenshots for you. (I mean sure, the OS could ignore this, but then that kind of renders any protection it offers moot too).

      It's a broader issue with this kind of security. You need some expiration mechanism otherwise mis-issued or compromised certs will never expire, however you also don't want your apps to stop working randomly.

      If you figure out a good solution, you'll probably end up quite wealthy. :D

      1. jake Silver badge

        Re: Part of the OS

        "If you figure out a good solution, you'll probably end up quite wealthy."

        Nah. I figured out the solution before MS-DOS 2.0 came out. It's quite simple, really.

        User education.

        Sadly, the users want no truck with it.

        1. Filippo Silver badge

          Re: Part of the OS

          "Sadly, the users want no truck with it."

          So, not the solution then. Any proposal in the form of "this would work, if only [...]" is not a solution until the [...] bit is sorted.

          1. ChrisC Silver badge

            Re: Part of the OS

            Tying your system security to something outside of your (and by "your" I mean not just the end user sat in front of a new somewhat useless PC, but every part of whatever IT support structure sits above them) control isn't the answer either, as this latest Redmond fubar so amply demonstrates.

There probably isn't a simple answer, but personally I'd prefer a solution which is at least wholly controlled by me or the people I work with, even if that means having to take a bit more personal responsibility. Because if something outside of our control prevents me from doing what I need to do with the PC, then I'm not going to be thinking a pleasant "phew, good job on keeping my system safe", but a rather more sarcastic "great job on keeping us safe from malwa...oh, wait, you are the fucking malware", and wondering if there's some sneaky workaround to restore correct system operation...

          2. jake Silver badge

            Re: Part of the OS

            "So, not the solution then."

            Actually, yes. It is. After several decades of studying how users manage to bollocks up damn near everything out of sheer, unadulterated ignorance, I truly believe that user education is THE solution. No others will work.

            "Any proposal in the form of "this would work, if only [...]" is not a solution until the [...] bit is sorted."

            All I did was point out the solution. I in no way suggested a method to implement it.

    3. trindflo
      Unhappy

      Re: Part of the OS

      The certificates are for testing the signatures inside executables. Drivers have different signatures than apps, and apps that aren't published on the same day probably expire at different times.

      This is to prevent hackers from replacing key parts of the operating system (AKA a root kit). If the OS won't start without properly signed drivers a root kit would break the system rather than lurk under the surface as a Trojan Horse (and potentially steal your money) - that is, the root kit would not work.

      It also seems to give Microsoft a convenient kill switch for Windows 10.

      1. Anonymous Coward
        Anonymous Coward

        Re: Part of the OS

        "the root kit would not work."

Not sure if you have noticed, but that doesn't seem to stop them and ransomware.

        Chocolate fireguard comes to mind.

      2. Doctor Syntax Silver badge

        Re: Part of the OS

        "The certificates are for testing the signatures inside executables."

OTOH the executable is the same as it was last week. The problem isn't the executable. It's not even certification. It's the expiry date of the certificate. The solution is to either ensure the expiry date is far enough ahead of expected lifetime when the executable's published or have a sufficiently robust system for enabling updates to be installed well in advance and also take into account those systems that are not and will not be connected to the internet.

        1. Loyal Commenter Silver badge

          Re: Part of the OS

          It makes sense to verify the certificate on installation, to ensure the software is from who it says it is from (and not, for instance, malware delivered by a phishing attack). It makes sense for those certificates to expire, and to be revokable, for security reasons.

          Verifying the same signature on every load seems like overkill, though. What's wrong with creating a cryptographic hash of the software, along with some unique OS key, when it is installed, and checking that. Something that doesn't expire.

          OK, that doesn't solve the issue with being able to make the software revokable, but I'd question whether that is actually a feature anyone other than Microsoft would want to implement. Once I've installed something, I'd like it to remain installed.

    4. drankinatty

      Re: Part of the OS

      Moreover and specifically, "Why on God's Green Earth" would "snipping" tool need to phone-home? It's not like it will have a big risk of being pirated. The new "Snip & Sketch" is patently worthless compared to the original "Snipping Tool" (circa Win7). In fact, there should be an option to disable telemetry completely. The larger question being what information about screen shots should ever be transmitted?

I wonder what happens to the apps if you have no network cable? Does Win11 roll over and die on a stand-alone machine? That is one of the primary reasons I always install with a normal windows login and never a Microsoft account.

  4. Duffaboy
    FAIL

    Early adopters

    You are doing the testing for Microsoft, that's why I wait till the O/S is embedded in before I will install it. Windows 10 is just fine for me.

  5. karlkarl Silver badge

    So when does the new certificate expire?

    2022? 2023? 2024?

    DRM bullsh*t. You are basically buying an unspecified time limited demo.

    1. Anonymous Coward
      Anonymous Coward

      It is worrying isn't it.

      1. karlkarl Silver badge

        Indeed.

        But what is even more worrying is that this time next year 99% of desktop users will be running the defective piece of crap and my software will have to support it.

        It is embarrassing frankly. Us plebs are a ridiculous bunch.

      2. jake Silver badge

        "It is worrying isn't it."

        Not if you don't buy into it.

        I'm absolutely astonished that the Corporate World keeps falling for it, year after year, decade after decade. You'd think they'd have learned by now.

        I wonder how many tens of billions of dollars have been lost in man-hours alone due to Microsoft incompetence. And the Corporate Lawyers allow this crap in the building? Still? Mind boggling.

        1. Tim99 Silver badge
          Windows

          OK, your power in an organization is proportional to your budget and the number of staff you control. Many senior IT types like Windows, it needs a lot of hand-holding staff, gets expensively updated, and breaks on a regular basis; and is "what everybody uses".

          Plausible support for this idea is that IBM who, arguably, invented the PC (Wintel) ditched manufacture of PCs to Lenovo. IBM (Perhaps, as part of their cost-cutting slow amble to the bottom?) stated that they use a lot of Apple kit. They claim support costs are lower than for Windows. Here is my post from last year:-

          ----------------------------------------------

          ...At the end of 2019 they (IBM) had ~290,000 Apple devices of which ~200,000 use macOS. At the same time they had 383,800 employees, obviously some employees will use more than one device. I have a relative who is a very senior IBM techie who told me that in his (large) part of IBM far more techies use Linux than Windows - He was also of the opinion that a number of IBMers elected to go to Apple rather than move from Windows 7 to 10.

          According to IBM, Mac users cost less to support with about 1/3 of the support personnel and are generally happier and more productive.

          https://www.zdnet.com/article/ibm-cio-mac-users-perform-better-more-engaged-than-windows-users/

          https://www.jamf.com/resources/press-releases/ibm-announces-research-showing-mac-enables-greater-productivity-and-employee-satisfaction-at-ibm/

          https://www.macrotrends.net/stocks/charts/IBM/ibm/number-of-employees

          ---------------------------------------------

The last link is probably incorrect (or very worrying?!), as it states that IBM ditched 92% of their workforce in 2020 - Other links suggest ~345,000 current staff - So unless COVID was worse than we believe...

  6. Trigun Bronze badge

An interesting way of making your OS redundant and, more importantly, unusable when *you* have decided it's eol. Microsoft are heading into the red on my peeved scale if they are going to be applying certificates to things which don't need it.

    1. Anonymous Coward
      Anonymous Coward

      If that was the case, then why wouldn't they 1) set the support timeframe for Windows 11, and then 2) create a signing certificate that expired after the end-of-support of Windows 11, and then 3) sign all Windows 11 applications with this certificate?

    2. John Brown (no body) Silver badge

      "Microsoft are heading into the red on my peeved scale"

Only just heading into red now? For me, the pointer is wrapped around the stop needle at the end of the red and it got there years ago!

  7. TJ1
    Joke

    Good job MS hasn't heard of Let's Encrypt

    Don't phone home for 3 months? Sorry, your applications will not start!

    (not sure how much of a joke this actually is!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Good job MS hasn't heard of Let's Encrypt

I'm not sure why you think the systems on which LetsEncrypt certificates are installed need to be the systems contacting letencrypt.org.

      1. TJ1
        FAIL

        Re: Good job MS hasn't heard of Let's Encrypt

        It was a joke, but seeing as you missed that part, I never mentioned contacting letencrypt.org (shouldn't that be letSencrypt.org) but "phoning home" as almost all Microsoft software seems to do - to Microsoft.

        If the signing certificate expired every 3 months and the system hadn't phoned home to Microsoft to fetch updates in that time things would get 'interesting'.

        Scary that this appears to pre-suppose all Windows systems must be online regularly, and have to re-fetch signed applications even if the code hasn't changed (unless the signatures are detached and it can just fetch the new signature).

        That could equate to a lot of bandwidth!

        1. John Brown (no body) Silver badge

          Re: Good job MS hasn't heard of Let's Encrypt

          "If the signing certificate expired every 3 months and the system hadn't phoned home to Microsoft to fetch updates in that time things would get 'interesting'."

Doesn't Windows already get a bit arsey if it's not connected to the internet for some defined length of time anyway? I thought it started doing that years ago.

  8. cornetman Silver badge

    > These three items can be restored to working order by installing KB5006746, which you can try applying by checking the Settings > Update & Security > Windows Update > Optional updates available panel.

    Just waiting for Windows 11 Update to be broken by an expired certificate to really mess you up.

    Honestly, that doesn't seem all that far-fetched considering it is downloading packages from the Internet.

  9. Anonymous Coward
    Anonymous Coward

    "Some users are affected"

    Ahem, that's the comment we put in our release notes when all users are affected but we don't want to make it obvious we fucked up.

    Anon, obvs.

    1. yetanotheraoc Silver badge

      Re: "Some users are affected"

      Yes, that's the code:

Some users -> all users who match a popular configuration

Limited number of users -> all users who match a less usual configuration

crackle, hum, radio silence -> we are still researching how many users...

  10. redpawn Silver badge

    What a shame

    my computer is not supported by Widows 11.

  11. Anonymous Coward
    Anonymous Coward

    ""Use the Print Screen key on your keyboard and paste ... it into Paint to select and copy the section you want,"

    This is the way!

    1. Anonymous Coward Silver badge
      Boffin

      Alt+PrtScr generally works better for me. If you want a small part of a massive screen, it's easier to work with when you only capture the current window.

    2. Dan 55 Silver badge

      Greenshot. You can thank me later.

      1. David 132 Silver badge
        Boffin

        1) take photo of screen with your smartphone

2) with the new photo displayed on its screen, hold smartphone up to the PC’s webcam and use the Photo app to capture an image of it into the PC

        Honestly, surprised no-one’s suggested this yet. And you call yourselves technical.

        1. This post has been deleted by its author

        2. Dan 55 Silver badge

          If I ever got a bug report with a screenshot like that then I would be completely unsurprised. My current record is a bmp in a ppt in a zip.

          1. jake Silver badge

            I once got a screenshot of a rather small Excel spreadsheet that had been zipped, and then UUencoded & copy/pasted into an email.

            They could have just emailed me their hours and mileage ...

  12. Ken Moorhouse Silver badge

    Windows 11

    You need to be certified to use it.

  13. Anonymous Coward
    Anonymous Coward

    Wow. I'm genuinely surprised that this has happened.

    That they still have S mode that is, not that it's broken.

  14. Pascal Monett Silver badge

    What about Windows 1 0 ?

    Does that also have bloody certificates for the simplest tools of the OS ?

    Can Borkzilla also shut down part of my work laptop out of sheer incompetence ? (okay, don't answer that)

    I can understand certificates on drivers, they usually work in kernel space (even if that seems stupid to me), but on the Snipping tool ? Really ?

    And the clock in the task bar, does it have a certificate too ?

    What a bloody mess.

  15. keith_w Silver badge

    I don't know how long Microsoft has been doing this, but I do know that if your domain attached computer didn't log on to the domain on a regular basis, the trust would be broken and you would have to remove it from the domain and add it back in again. And if your Windows 7 machine didn't get on the internet or connect to your license server on a regular basis, you could lose activation, so it's not like this is a particularly new trick.

    1. J. Cook Silver badge

      Windows 8 and 10 also have the "hey, you haven't validated your product key in a long long while" timers as well, at least if you are using a MAK or KMS key. (the latter is used in corporates to manage product keys for all workstations and servers by having the computers check in with a machine with the KMS host running on it (which, in earlier versions, could be another workstation!)- said host needs to be able to validate the KMS key with microsoft every now and again as well.)

Domain trust is typically a "I haven't seen this machine in 30/60/90 days, the computer account didn't renew its password, so I no longer trust it for authentication" issue, which is fixed by re-joining the machine to the domain. I've seen it frequently with sales people who tend to run around instead of being connected to the company network every now and again to make sure the computer's trust relationship is still there. (If the company is using a VPN client, that trust renewal will occur over the VPN connection if it's configured right.)

  16. Boris the Cockroach Silver badge
    WTF?

    Does that

mean if we block m$ at the firewall, our copies of win11 will stop working either instantly or when they decide to phone home and can't?

    Or will win 11 be like some god awful virus and attempt to phone home across multiple IPs.................

    Someone create an outlook/office killer that runs on linux....

  17. Clausewitz 4.0
    Devil

    Rollback your date, anyone?

Did anyone try to roll back the computer date, both in BIOS, local NTP server and Windows clock, to before 31 October?

    It used to work in the past.

  18. Sleep deprived
    Alert

    You got warned

    When my girlfriend was offered the Windows 11 upgrade, the alert did mention that some current (but unspecified) features would stop working. They were right. And you were warned. She declined, we'll wait for 12. Always skip one every two.


Biting the hand that feeds IT © 1998–2022