A colleague advised me they were getting a “strange” error with cert util – it was advising password was incorrect on certificate import – despite being 100% sure they had the correct password – the password worked when importing cert via certmgr MMC snap-in. The message received was the following:
CertUtil: –importPFX command FAILED: 0×80070056 (WIN32: 86)
CertUtil: The specified network password is not correct.
301.3160.0: 0×80070056 (WIN32: 86)
And no caps lock wasn’t on. And they did have the correct password…
Honestly looking straight at the command line I should have known what was wrong right away, but sometimes human minds skip over the obvious. So I turned to API Monitor (http://www.rohitab.com/apimonitor)
Note: Some corporate networks will block this site due the fact it contains source code to non-destructive viruses. In addition some Anti-Virus products that use heuristic file scanning to detect viruses may block API Monitor from running.
Recent versions of API Monitor have greatly improved – but be warned – due to the nature of API hooking it’s not going to work for you in all cases, and can introduce instability to the process being monitored.
Compared to Process Monitor API Monitor provides much lower level detail monitoring – when you need to go beyond specific file, registry, network system calls. It produces much more useful detail around each API call compared to Windows Debugging tools !logexts extension. I particularly find it quicker vs a debugger when it is not clear what API functions may be involved in a bug and there is no crash or immediately obvious function on which to set a breakpoint. You can also monitor processes without necessarily having local administrator privilege. It also can work nicely in conjunction with a debugger as you can set quite advanced breakpoints easily…
On the negative side it doesn’t yet seem to have a good method for saving/loading logs for offline viewing. In addition it can introduce significant performance/reliability impacts onto a process, and you need to know what functions you want to hook in advance (You can select everything, but in large applications good luck with that!)
I launched API Monitor, then launched certutil – API Monitor asked if I wanted to monitor the process – I clicked “Monitor”
In this case I was monitoring, among other APIs, the Visual C++ Run-Time Library, which has been one of my favourite to monitor as you can easily see string manipulations, console output, etc made using the library. Looking for the console output of the error message using the search option, I then worked backwards through the log…and it was obvious what was wrong…
The password being parsed did not match the password on the command line!
As you can see in the command line:
Yes the wonderful little caret character ^ was missing in the API monitor log! Suddenly my memory was re-jogged and remembered ^ is the Windows command line escape character, you must specify it twice to get a single one.
So it was simply solved by double the caret:
Other times you’ll need the caret in Windows cmd line world is FOR loops launching a command with a pipe character i.e. FOR “delims” /F %i in (‘tasklist ^| find /i “iexplore”’) DO ( something )