Issue with SSL certs on one profile only


  1. Posts : 6
    Window 7 Home premium 64 bit
       #1


    As I have two individual questions, I wanted to go ahead and post a thread for this question as well.

    My mother's laptop is an HP Pavilion dm4 Notebook PC running Windows 7 Home Premium. She bought the computer used. The previous owner had the computer set up, so that you could only log in with a fingerprint. As she can't supply a fingerprint, she can only log in to a temporary profile when she wants to use the computer. I've been trying to fix this problem, but have run into an error.

    From within the temporary profile (Which appears to have admin rights), I created a new user, and gave it admin privileges. She can log in to that profile just fine. However, she can't seem to use the internet from that profile; every HTTPS site gives a privacy/certificate error. For example, in Chrome, it's "Your connection is not private" (NET::ERR_CERT_AUTHORITY_INVALID). Edge and Firefox give similar errors. There is no option to proceed in the browser and she is fully blocked from visiting the sites. HTTP is NOT an issue, and she can visit HTTP sites. This error does NOT occur within the temporary profile.

    My assumption is that the profile does not have the SSL certs available to it, or does have them, but doesn't have the permissions to access them. However, I'm confused how to investigate this, and what to do to resolve it. I've read about certmgr.msc which can be run from powershell, but let's suppose I discover there's no certs on that profile - where do I get them from, how do I know what to get? Is there a reason they aren't downloading automatically (like they do in the temp profile?) How can I fix things so that the profile starts getting certs on its own like normal?

    Finally I'd wonder - are you even allowed to create a full admin profile, from within a temp profile? Or will the profile always end up corrupted somehow? Maybe what I'm doing is simply a lost cause?

    Any advice here is appreciated.

    P.S. Here's troubleshooting I've done so far: (1) resynched clock with internet time server (2) disable anti-virus and firewall to make sure it's not blocking certs (3) cleared any browsing history and cache (4) checked for any recently installed programs that could be interfering (4) ran 'sfc /scannow' (5) Installed all pending Windows updates (6) double checked her internet connection is active. No results from any of these things.
      My Computer


  2. Posts : 6
    Window 7 Home premium 64 bit
    Thread Starter
       #2

    I think we might have just solved this issue, though, I am not going to lie, I have no idea why this worked.

    So I had her try this in IE - again the same issue. However, it gave a little more info. It said there was a proxy issue this time. It gave the option to run network diagnostics, and when she did, it said 'port issue (316)'. I googled and found this article: port issue (316) - HP Support Community - 3238831 . It mentioned to reset Internet Explorer Settings. We did that, and unbelievably, everything is working now.
      My Computer
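
One way to see what differs between the working and the failing profile before resetting Internet Options, as an added example that is not part of the original posts. It assumes the standard per-user Internet Settings registry key and the PowerShell `Cert:` drive; the function name `Get-ProfileTlsSnapshot` is made up for illustration.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
# Run it in the working profile and again in the failing one, then compare.
# Written to work on the PowerShell 2.0 that ships with Windows 7.

function Get-ProfileTlsSnapshot {
    # Per-user values behind Control Panel > Internet Options > Connections.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Cert:\CurrentUser\Root is the user's effective view: the machine-wide
    # roots plus any roots trusted for this user only.
    $userRoots     = @(Get-ChildItem Cert:\CurrentUser\Root)
    $machineRoots  = @(Get-ChildItem Cert:\LocalMachine\Root)
    $machineThumbs = @($machineRoots | ForEach-Object { $_.Thumbprint })

    # Roots that exist only in this profile (for example one added by a
    # filtering proxy or security product) are worth a closer look.
    $userOnly = @($userRoots | Where-Object {
        $machineThumbs -notcontains $_.Thumbprint
    })

    # Expired roots cannot anchor a valid chain.
    $now     = Get-Date
    $expired = @($userRoots | Where-Object { $_.NotAfter -lt $now })

    New-Object PSObject -Property @{
        User             = "$env:USERDOMAIN\$env:USERNAME"
        ProxyEnable      = $inet.ProxyEnable      # 1 = a manual proxy is in use
        ProxyServer      = $inet.ProxyServer      # host:port of that proxy
        ProxyOverride    = $inet.ProxyOverride    # bypass list
        AutoConfigURL    = $inet.AutoConfigURL    # PAC script, if any
        UserRootCount    = $userRoots.Count
        MachineRootCount = $machineRoots.Count
        UserOnlyRoots    = $userOnly
        ExpiredRoots     = $expired
    }
}

$snap = Get-ProfileTlsSnapshot

$snap | Select-Object User, ProxyEnable, ProxyServer, ProxyOverride,
                      AutoConfigURL, UserRootCount, MachineRootCount |
    Format-List

'Roots trusted for this user only:'
$snap.UserOnlyRoots | Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

'Expired roots in this user''s view:'
$snap.ExpiredRoots | Select-Object Subject, NotAfter | Format-Table -AutoSize

# The machine-wide WinHTTP proxy is separate from the per-user one above.
'System-wide WinHTTP proxy:'
netsh winhttp show proxy
```

A `ProxyEnable` of 1 or a populated `AutoConfigURL` in the failing profile only, or a much smaller `UserRootCount` there, points at which of the two (proxy settings or certificate store) differs between the profiles.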


  3. Posts : 0
    Windows 7 Ultimate x64
       #3

    This was most likely due to the certificate store. Resetting the Internet settings likely fixed it. You might want to enable TLS 1.2. See attached image.

    You might want to use Firefox or Chrome. I have my parents use Firefox for simplicity and web compatibility. I use a niche browser called Pale Moon, but that can be a PITA for certain things and isn't for everyone. In my parents' Firefox I installed the add-on uBlock Origin. This not only blocks the annoying Ads, but increases page load time. It'll also help to block known malware domains and since it blocks Ads, if an Ad is laced with malware (that can happen) it won't execute on the computer. This is how you can end up with polymorphic malware like ransomware. It's called polymorphic because an anti-virus might not be able to catch it since there's simply no definition for it. In uBlock Origin you'll probably want to turn off the privacy blocking stuff because it can hinder some website functionality. Not all the time, but can. For this reason I also have a plain vanilla Chrome installed on my parents' computer and I have told my mom when she fills out taxes, applies for jobs and what not to just use the plain vanilla Chrome browser and NOT Firefox. That way uBlock Origin won't get in the way. Even if I told them how to turn off uBlock Origin you have to reload the website which could revert all form entries and what have you, and I hide the uBlock Origin icon so it can't be turned off. So having them just use a plain vanilla Chrome for the really important stuff is just better where nothing can get screwed over.

    On the subject of Chrome, I personally use something called UnGoogled Chromium which is just another browser I have installed. It's Chrome without the Google privacy crap installed. But you can't add an add-on or connect a Google account of course otherwise it's game over on the privacy front. I've been meaning to switch my parents' plain vanilla Chrome install to UnGoogled Chromium. Can be downloaded here. Check the download, and ALL downloads at Virus Total. The general consensus is four hits and you toss. It largely depends on what you have there. VirusTotal

    I also use a now free and open source program for my browsers called Sandboxie. And I have my parents use Sandboxie. I have instructed them to double click the yellow pizza slice looking icon (a sandbox) instead of the Firefox icon. What Sandboxie will do is help keep possible malicious JavaScript and what not from doing things on your computer. Once the browser is closed all that stuff should be deleted. But you have to read about how to use Sandboxie and know how to configure it all. You'll want to whitelist the browser profile otherwise bookmarks and what have you won't stick. This opens the security door a little, but you want to lessen the cumbersomeness. In the browser settings itself, all cookies and cache should be deleted on browser exit. I do this myself and it's how I have my parents' browser set up. This is not only for security, but clearing that out will help alleviate any issues going on further down the line with websites and what have you. In Sandboxie you'll need to click "recover" in the popup when you download a file. If that popup shows up and you didn't initiate a download, then don't recover. Sandboxie is not for everyone. Especially if they aren't computer savvy, but I mention it here if interested. Sandboxie | Sandboxie-Plus

    If the computer will only be used for Internet browsing and printing or other small home/office stuff, then a Linux OS would be a lot safer to use. Your Office program would then be Libre Office. That's what I use in Windows. It's not fully compatible with creating Office documents, but it'll get the job done that Office can do. What is LibreOffice? | LibreOffice - Free Office Suite - Based on OpenOffice - Compatible with Microsoft As to a Linux flavor, many use Linux Mint and I liked what I saw in Twister OS. Main Page - Linux Mint Twister OS Twister OS is just a UI (User Interface) for something like Ubuntu or even Linux Mint, though I haven't tried it. It's mostly for something called a Raspberry PI which uses an ARM type CPU. A Raspberry PI is just a mini computer and can be had on Amazon for around $100 for the complete kit. I would get the model 4 version which is 4 GB of RAM. Running Twister OS on the Raspberry PI would be a perfect basic Internet surfing computer that is not only small, consumes very little power, but is almost 100% malware proof. They do sell mini PCs that'll run Windows, but those are a few hundred and up. Search for mini PC on Amazon. Use fakespot.com to get a review grade.

    Finally, (LOL) passwords are a big thing, and you'll want to have very complex and unique passwords for each website or whatever. And a solution for this for less computer savvy people is something called a password safe (vault). For me personally, I use something called Keepass which is nerdier and requires YOU to back up its database all over hell and back. I like this method because I'm in control of all my backups. I also use an add-on in my browser developed from some people at Stanford called PWDHash, but I don't recommend anyone use it unless you're computer savvy. It may not work with all websites and what not, that's why. Now there are many different password vaults (safes) out there, and I have read about them all. And out of them all I'm of the opinion that Bitwarden as of this post is one you might want to use. After I read everything about it I was happy to know it satisfied my personal requirements of security auditing, security, cost, and other factors. So this is what I have my mom use. The great thing about Bitwarden is that it's cross platform capable. Meaning you can use it on the PC, phone, tablet or go right to the Bitwarden website and grab your passwords. All additions and edits in the Bitwarden password safe are synced, so no matter what device you use it's all there synced across all devices. https://bitwarden.com/

    Well, I've said an absolute mouthful. It's just I have parents that are not very computer savvy and I wanted to share a brief on what I do. Some people think a computer would cost them a lot of money. Not true. If you're just surfing the Internet, printing and Office stuff, a used Dell Latitude laptop on eBay or a Dell Optiplex will suffice. In fact, it'll provide more than enough computing horse power for those purposes. And I've seen people use a Raspberry PI for basic computer usage. It might be a little slow for some full HD at full screen YouTube videos or whatever, but surfing the Internet, printing and office stuff should work really well. If I had kids they'd have a Raspberry PI in their room. LOL I'd also lock it down with OpenDNS and everything else under the sun. Couldn't pull a fast one past me.

    PS: To stop the annoying Firefox update notifications, read here at my website. You'll just have to download the Firefox update manually. I'd avoid Internet Explorer.
    Attached Thumbnails: Issue with SSL certs on one profile only-drfgrs.jpg
      My Computer


  4. Posts : 6
    Window 7 Home premium 64 bit
    Thread Starter
       #4

    @F22 Simpilot:

    I apologize for my delay in responding to you. You put so much effort in to your post, I wanted to give it the attention it deserved and read it carefully. Thank you so much for all of this advice, especially given you understand the context of this situation - parents that aren't too tech savvy... this was incredibly helpful to me, because I'm only just starting to try and get things set up for my mom on the computer. I only recently discovered ublock origin, and have that set up for my mom in firefox. It's one of the reasons the temporary profile issue was so frustrating, because I kept getting this stuff set up for her and it would just reset any time she turned the computer off and we'd have to do it again haha

    Never heard of unGoogled chromium, thank you, I really dislike chrome for the privacy issues so this is great just personally to know about. Also a good tip on just having vanilla chrome and telling her do taxes and stuff there. (I've run in to several sites that aren't very well compatible with firefox so this had worried me if I made firefox her default. I'll just keep both pinned to the taskbar). Also it's a smart move on hiding the ublock origin icon haha i'm going to do that.

    Since this post, we've actually got another computer she had, upgraded to Windows 10 now (she had another laptop sitting around that wasn't working, but we got it going finally with a fresh install of Win 10!) I've got firefox as the default browser, and have ublock origin installed. I actually have the Windows version of libre office on there which i think is great, as it's a simple to use word processing program. I like the suggestion of Linux. And I actually had her play around in Ubuntu 20.10. I think she could do well with Linux. Later on when I have some more time I will introduce her to Linux mint and see if she's open to it. I think it will take some easing in to.

    About passwords - surprisingly, my mom is crazy obsessive of making secure passwords. (I'm quite proud of her for this haha) That's actually what happened with her other laptop, and why she was stuck on this Win 7 machine - she had a newer laptop, but it conked out on her after the Windows 10 upgrade 4 years ago. Sat in her bedroom until a few days back. Finally we got it back up and running, but she had no clue of the password and no way to recover it. We ended up just resetting the PC as a result (but I was able to backup the data first in Ubuntu, which, on an unrelated topic, revealed to me that everyone should be encrypting their hard drives. I had no idea how easy it was to access data). She is always forgetting her passwords because of how random they are, she never duplicates any password, they're always complex, so I recently bought her a physical password book to write them down in. I'm not sure she is ready for a password vault on the computer but I am going to check out Bitwarden regardless because maybe it would be perfect and I'm underestimating her. I'm going to check it out for myself as well, I've been looking in to password vaults forever but could never settle on one. I tried Keepass some years ago but think I wasn't able to get a handle on it. But I think I am going to try and give it another shot. I will compare it to Bitwarden and see what I think.

    I will absolutely do the firefox update trick because i was just trying to figure out yesterday how to disable that for her haha so thank you.


    BTW - I looked and TLS 1.2 was already enabled in internet properties. Just curious why this was suggested? (Not doubting it, I'm just curious to understand, so I'll know in the future.) I'm still totally baffled that resetting internet explorer options worked, but I'm taking your suggestion that it fixed an issue with the certificate store. That makes sense and would explain it. I would never have figured out that explanation on my own.

    Thank you for all the info you gave. this was supremely helpful to me. if you ever have any additional suggestions from your own situation that you'd like to share (how you setup your parents computer), I'm all ears.

    P.S. To anyone who happens to come across this thread, I'll share something interesting and useful I only just discovered - Windows 10 has a built in remote desktop/assistance app called 'Quick Assist'. I have been using it now to help my mom set up her computer. It is completely easy to use and gives you admin privileges. We were relying on google remote desktop previously which had so many limitations it was a headache. So happy to have found Quick Assist. If you ever need to help your parents on a Win 10 machine for any reason, I would recommend this program!!

    P.P.S - I feel like you should pin your post or something for future reference, it could be like a guide for folks who are trying to set up computers for their less tech-savvy parents. There's just a lot of great ideas here that I think not everyone would think about
      My Computer


  5. Posts : 0
    Windows 7 Ultimate x64
       #5

    win7tmpProfile said:
    Never heard of unGoogled chromium, thank you, I really dislike chrome for the privacy issues so this is great just personally to know about.
    Just stay abreast of the updates at the UnGoogled Chromium download page. Probably like once a month to two months is all unless a real PITA website insists you need the most absolute updated version of Chrome.

    win7tmpProfile said:
    I will absolutely do the firefox update trick because i was just trying to figure out yesterday how to disable that for her haha so thank you.
    Again, stay abreast of updates which can be downloaded at Firefox's FTP (File Transfer Protocol) webpage which can be found here: Directory Listing: /pub/firefox/releases/

    You'd scroll all the way down to the latest which won't have a b in the version number. The b means beta. So looking there you'll see as of this post version 88 is the latest. Now clicking version 88 will take you to a directory of all kinds of crap. The two directories you'll want to focus on are the 32 and 64 bit directories. Depending on what Firefox version is installed (32 bit or 64 bit), you'll want that version. To make sure you know what version you already have, go into Firefox and above go to Help | About Firefox. Now once in the 32 bit or 64 bit directory you'll have all the different language versions. For the U.S. it'll be the en-US version. For the UK it'll be the en-GB version. Now once in that language directory you'll have options for the type of download you want. I'd pick the .exe type as that would be safest (in terms of code-wise updating mechanisms) to run as opposed to an .msi version. The installer version is just a downloader stub which fetches the download on the computer rather than you downloading directly from the FTP directory. See attached screenshot.

    win7tmpProfile said:
    Also a good tip on just having vanilla chrome and telling her do taxes and stuff there.
    I mention it for two primary reasons:

    1) UnGoogled Chromium won't have uBlock Origin installed to potentially mess something up. And you certainly don't want that when doing something very important like taxes and what not. Some websites just don't play nice with uBlock on and its filters without you knowing how to tame that beast.

    2) UnGoogled Chromium will be plain vanilla and should be with no added extensions and a Google account to help keep the privacy invasion to a limit. So being plain vanilla there is very little that can mess up the website, and most websites prefer Chrome, Firefox, Edge, etc.


    win7tmpProfile said:
    I really dislike chrome for the privacy issues so this is great just personally to know about.
    Just keep in mind Firefox has their own abundance of telemetry and Windows 10 is the BIGGEST in that department. I know because I ran Windows 10 in a virtual machine and watched the network traffic. Never, EVER saw that in a virgin install of Windows 7 or XP.


    win7tmpProfile said:
    Since this post, we've actually got another computer she had, upgraded to Windows 10...
    One day an update will probably hose it over again. So for ease of use in a small home/office environment just use Linux and perhaps check out the Twister OS UI. There's also Windows 10 AME (not an official Microsoft product), but you have to know what you're doing and it may not be for everybody. Just throwing that out there.


    win7tmpProfile said:
    We ended up just resetting the PC as a result (but I was able to backup the data first in Ubuntu, which, on an unrelated topic, revealed to me that everyone should be encrypting their hard drives. I had no idea how easy it was to access data).
    Exactly. It's why I use FDE (Full Disk Encryption) on all of my computers. But I wouldn't use proprietary encryption. I personally use Truecrypt since I've been using that for years and years. When it was audited by a team of people who knew what they were doing I followed the audit and watched their DEFCON presentation on YouTube. I liked the results so I still use the now defunct Truecrypt which is a whoooole other story as to why it's now no longer being coded. There are certain flaws, but that can be mitigated. There is a fork called Veracrypt. Whether you use Truecrypt or Veracrypt you'll want to read the WHOLE manual. Every bit of it. For those less tech savvy then just use Bitlocker. The only issue with FDE is cloning the now encrypted drive. For that I found Clonezilla to work with FDE. Clonezilla may not be easy to understand either.

    win7tmpProfile said:
    I'm going to check it out for myself as well, I've been looking in to password vaults forever but could never settle on one. I tried Keepass some years ago but think I wasn't able to get a handle on it. But I think I am going to try and give it another shot. I will compare it to Bitwarden and see what I think.
    Bitwarden will be by far the easiest to use and understand and you don't have to backup its database yourself. If you don't trust Bitwarden's server you can create your own. But that's beyond the scope of this post.




    win7tmpProfile said:
    BTW - I looked and TLS 1.2 was already enabled in internet properties. Just curious why this was suggested?
    Two reasons:

    1) You indicated you were using Internet Explorer. Since a lot of websites already have the capability to use TLS (Transport Layer Security) version 1.2, you'll want to take advantage of that more secure version of encryption. Now there is also version 1.3 which some websites use. I don't know if there is a Windows update for that or if IE 11 has it. I'd have to look it up.

    2) If you ever happen to install a piece of software whose licensing mechanism or other features require TLS 1.2, you may need that turned on in the Internet Options.


    win7tmpProfile said:
    I'm still totally baffled that resetting internet explorer options worked...
    This is not just the IE settings, this is Internet Options as its name implies. Go into the Control Panel and look. So what this is are options that encompass the whole of the OS for some Internet options in relation to IE or programs that use those options as well as core OS features. IE is like built into the OS in some ways that's why even if you get the inclination to uninstall IE, you shouldn't.



    win7tmpProfile said:
    P.S. To anyone who happens to come across this thread, I'll share something interesting and useful I only just discovered - Windows 10 has a built in remote desktop/assistance app called 'Quick Assist'.
    Just be advised that something like that built into the OS probably has hacker potential. Just like RDP (Remote Desktop Protocol). It's why I never allow RDP and remote assistance to be left on. It's one of the first things I do when I install Windows is turn that off along with NetBIOS. I don't use Samba and Windows Networking. I use a local FTP server in the house. One day I'll use something called WebDAV. Since I use FTP I can use an FTP App in the phone and transfer data back and forth via that method with all computers. And I can transfer data between computers via FTP.

    ~48 CVEs since Windows 10 came out

    Quick Assist is based on RDP.

    What I did for remote access to my parent's computer was use TeamViewer. It is HIPAA compliant the last I looked. You'd install the server software on the computer you want to remote control and then on your end use the client. There is also a TeamViewer App so I could access the computer with my phone as well. In addition to that, TeamViewer has a server App which I installed to my mom's phone to remote into her phone if I needed to do something. This can be hit and miss sometimes depending on the phone and how great its current Internet connection is.

    Now something I have to say here. TeamViewer makes LOTS of connections, so being the privacy-focused person I am I mostly ended that remote desktop software and instead went with TightVNC. Now this is fine if you deploy it the way I did, but it's very nerdy. In order to use TightVNC you'd have to open a port in the router. Well, there was no way I was doing that for security reasons. So the router is flashed with a third-party firmware called Asus Merlin and in that firmware there is a VPN capability. So without having to open a dedicated VNC port I just connect to the VPN built in the router and establish a connection. Once I do that I now have local intranet capability where I can fire up TightVNC and access the local computer as if I were right there since my connection is emanating from the router itself.

    Now technically the VPN in the router would have a port already open, but try as I might I have not seen that port open at all. Neither Shodan, Censys, GRC's Shield's Up or an Nmap scan showed the port as being open. I did some research and discovered it may have something to do with a so-called magic string. So I sent the magic string via Nmap and still no joy at seeing the port as being open. Wanting to know what was going on, I asked the horse's mouth at the OpenVPN website forum. My inquiry was responded to with just a one-sentence response saying something to the effect OpenVPN was "smart." Asking to elaborate I got another cryptic response. So who knows... Maybe I had the wrong magic string. So long as the port doesn't show up at Shodan et al I think it's pretty safe. One day I will deploy the Pfsense firewall.


    Anyway, if you use TeamViewer you absolutely MUST use a strong password (emphasis back to Bitwarden) and 2FA (Two Factor authentication). I use Authy for 2FA, and I already made a long post about this here. The reason being is that TeamViewer accounts have been hijacked. Also note that the TeamViewer server software on the remote computer will need to be updated from time to time and you should get a pop up on that. You should be able to do that via a remote session.



    win7tmpProfile said:
    P.P.S - I feel like you should pin your post or something for future reference, it could be like a guide for folks who are trying to set up computers for their less-tech savy parents. There's just a lot of great ideas here that I think not everyone would think about
    I may write a post on this subject on my own website.



    win7tmpProfile said:
    Thank you for all the info you gave. this was supremely helpful to me. if you ever have any additional suggestions from your own situation that you'd like to share (how you setup your parents computer), I'm all ears.

    No problem.

    The biggest thing I could probably add is the need for a full disk clone regimen. I have, to an extent, written about that here.

    The other thing is that you want to get in the habit of scanning ALL downloads at Virus Total. Couple of reasons why you'd want to do that is A) anti-virus software (which nowadays is nothing but fluff) is by and large definition based which means it has the characteristic of not detecting polymorphic malware like ransomware that doesn't already have a definition to detect it. The principle is the same as the flu vaccine which I believe is only 30% effective from what I remember. The flu vaccine has several different "definitions" from the most common flu strains around the world for that time. I think the lower latitude countries who were in fall and Winter. Anyway, Virus Total uses a whole pile of anti-virus engines so if the download happens to be malicious, Virus Total may be able to tell you along with some nerdy Info. if posted. B) Virus Total gets malware samples (probably unclassified) from the U.S. Cyber Command. So if that picture or piece of software you downloaded has a malicious payload from a state sponsored actor it may get detected. Now the general consensus is four hits and you toss. Since Virus Total uses so many anti-virus engines, false positives are bound to show up. So it's really kind of a double edge sword unless you can see the source code, look at it, and compile back to source. It also depends on what you have there. If it's a game hack then bells are gonna go off. If it's some computer power user program that mimics malicious behavior, then bells will also go off. You just have to make up your own mind with some understanding when it comes to that stuff.


    Well, I wrote about enough now. Time for a smoke and a coffee. LOL!
    Attached Thumbnails: Issue with SSL certs on one profile only-1.jpg
      My Computer


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
