SignTool or Certificate import fails after upgrading to Windows 10 20H2
After upgrading our Build Automation machine to Windows 10 20H2 I had an issue running signtool.exe. The error which was returned by our Azure DevOps Agent was:
SignTool Error: An unexpected internal error has occurred.
Error information: “Error: Store::ImportCertObject() failed.” (-2146893788/0x80090024)
When logged on to the machine itself and trying to import the certificate under the current user, I also received an error:
Certificate Import Wizard
An internal error occurred. Either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system.
After some Googling, I found that 0x80090024 is often found with a corrupt profile. So I decided to remove the profile of the user which is performing the build automation for us. I started by opening the SystemPropertiesAdvanced.exe window and pressing Settings to open the User Profiles. This caused the SystemPropertiesAdvanced window to freeze completely.
Next thing was to create a new administrator user to remove the profile from the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (browse over the keys until you find your user in the ProfileImagePath value). I also renamed the profile folder of the user in the c:\users\ location.
After rebooting the machine and trying to log in with the user and the corrupted profile, the user logged in but with a lot of errors regarding the creation of the profile and stating Windows cannot set up the Event log.
I logged on with the other administrator user again and I saw that the profile was partly created. Only the AppData folder was created under the user, the registry key was not created again. So after some digging, I found the same SID registry key in the following locations:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References
After removing both keys, removing the profile folder again, and restarting the machine I could log in again and run the sign tool successfully. I think that the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SIDKEY is the issue here. Within this key, you can find a REG_SZ which is named IsUpgrade.
Please remember to back up your registry keys and user folders before removing items 🙂
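The backup step above, as an added example that is not part of the original post: a PowerShell script that resolves the build user's SID, checks the three registry locations named in this post, and exports each existing key to a .reg file without deleting anything. The parameter names, the sample account name and the backup folder are assumptions; run it from the second administrator account.

```powershell
# Added example: locate and back up the per-SID keys named in this post.
# It only reads the registry and writes .reg backups; it removes nothing.
param(
    [Parameter(Mandatory)] [string] $UserName,        # e.g. 'BUILD01\svc-build' (constructed sample)
    [string] $BackupDir = "$env:TEMP\profile-backup"   # assumed backup location
)

$base = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Resolve the account name to its SID; the SID is the subkey name in all three places.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# The three locations described in the post.
$subKeys = [ordered]@{
    ProfileList = "$base\ProfileList\$sid"
    References  = "$base\ProfileService\References\$sid"
    SidKey      = "$base\$sid"
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$report = foreach ($name in $subKeys.Keys) {
    $sub    = $subKeys[$name]
    $psPath = "Registry::HKEY_LOCAL_MACHINE\$sub"
    $exists = Test-Path -LiteralPath $psPath
    $backup = $null
    $props  = $null
    if ($exists) {
        # Export the key before anything is touched by hand.
        $backup = Join-Path $BackupDir "$name-$sid.reg"
        & reg.exe export "HKLM\$sub" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { $backup = "export failed ($LASTEXITCODE)" }
        $props = Get-ItemProperty -LiteralPath $psPath
    }
    [pscustomobject]@{
        Location         = $name
        Key              = "HKLM\$sub"
        Exists           = $exists
        ProfileImagePath = $props.ProfileImagePath   # only set under ProfileList
        IsUpgrade        = $props.IsUpgrade          # the REG_SZ mentioned in the post
        Backup           = $backup
    }
}

$report | Format-List
```

The profile folder under c:\users\ is not covered by this script and still needs its own copy or rename.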