Case of the CertUtil Import Refusing The Correct Password

A colleague advised me they were getting a “strange” error with certutil – it was advising the password was incorrect on certificate import – despite being 100% sure they had the correct password – the password worked when importing the cert via the certmgr MMC snap-in. The message received was the following:

CertUtil: -importPFX command FAILED: 0x80070056 (WIN32: 86)
CertUtil: The specified network password is not correct.
301.3160.0: 0x80070056 (WIN32: 86)

And no, caps lock wasn’t on. And they did have the correct password…

Honestly looking straight at the command line I should have known what was wrong right away, but sometimes human minds skip over the obvious. So I turned to API Monitor (

Note: Some corporate networks will block this site due to the fact that it contains source code for non-destructive viruses. In addition, some anti-virus products that use heuristic file scanning to detect viruses may block API Monitor from running.

Recent versions of API Monitor have greatly improved – but be warned – due to the nature of API hooking it’s not going to work for you in all cases, and can introduce instability to the process being monitored.

Compared to Process Monitor, API Monitor provides much lower level detail monitoring – when you need to go beyond specific file, registry, network system calls. It produces much more useful detail around each API call compared to the Windows Debugging Tools !logexts extension. I particularly find it quicker vs a debugger when it is not clear what API functions may be involved in a bug and there is no crash or immediately obvious function on which to set a breakpoint. You can also monitor processes without necessarily having local administrator privilege. It can also work nicely in conjunction with a debugger, as you can set quite advanced breakpoints easily…

On the negative side it doesn’t yet seem to have a good method for saving/loading logs for offline viewing. In addition it can introduce significant performance/reliability impacts onto a process, and you need to know what functions you want to hook in advance (You can select everything, but in large applications good luck with that!)

I launched API Monitor, then launched certutil – API Monitor asked if I wanted to monitor the process – I clicked “Monitor”

In this case I was monitoring, among other APIs, the Visual C++ Run-Time Library, which has been one of my favourites to monitor as you can easily see string manipulations, console output, etc. made using the library. Looking for the console output of the error message using the search option, I then worked backwards through the log… and it was obvious what was wrong…

The password being parsed did not match the password on the command line!


As you can see in the command line:


Yes, the wonderful little caret character ^ was missing in the API Monitor log! Suddenly my memory was re-jogged and I remembered ^ is the Windows command line escape character; you must specify it twice to get a single one.

So it was simply solved by doubling the caret:



Another time you’ll need the caret in the Windows cmd line world is in FOR loops launching a command with a pipe character, for example: FOR /F "delims=" %i in ('tasklist ^| find /i "iexplore"') DO ( something )
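The caret behaviour described above, as an added example that is not part of the original post: a simplified Python model of how cmd.exe consumes carets on a single command line, with a helper that escapes an unquoted argument so it arrives intact. The function names and the sample password are constructed for illustration, and the model assumes no %VAR% or !VAR! expansion, pipes or redirection.

```python
# Simplified model of how cmd.exe treats the caret (^) on one command line.
# Not covered: %VAR% expansion, !delayed! expansion, redirection and pipes.

CMD_META = "^&|<>()"  # characters this example escapes with a leading caret


def cmd_caret_pass(line: str) -> str:
    """Return the text cmd.exe hands to the program after caret processing."""
    out = []
    in_quotes = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes      # quotes are passed through unchanged
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1                         # the caret itself is dropped
            if i < len(line):
                out.append(line[i])        # next character is taken literally
        else:
            out.append(ch)                 # includes a caret inside quotes
        i += 1
    return "".join(out)


def caret_escape(arg: str) -> str:
    """Escape an unquoted argument so it survives cmd_caret_pass() unchanged."""
    unsupported = set(arg) & set(' "%!')
    if unsupported:
        raise ValueError(f"not handled by this model: {sorted(unsupported)}")
    return "".join("^" + ch if ch in CMD_META else ch for ch in arg)


def survives_cmd(arg: str) -> bool:
    """True if typing arg unquoted delivers exactly arg to the program."""
    return cmd_caret_pass(arg) == arg


if __name__ == "__main__":
    secret = "Pa^ss^^w0rd"                 # constructed sample, not from the post
    for typed in (secret, caret_escape(secret), f'"{secret}"'):
        print(f"typed: {typed:<20} received: {cmd_caret_pass(typed)}")
```

In the quoted case the surrounding double quotes are still present in what cmd.exe passes on; the program's own argument parsing normally removes them, leaving the caret intact.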

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

One Response to Case of the CertUtil Import Refusing The Correct Password

  1. I am the developer of API Monitor. I’m glad you found the tool useful for identifying and fixing issues. In regards to your comment on logs; the next version of API Monitor will have support to save and load monitoring logs. I am also very open to suggestions and feature requests, so if you have any, let me know.
