0

Whenever I try to run the onscreen keyboard (or any other of Windows’ “ease-of-access” utilities), I get the error message A referral was returned by the server, then Windows asks me if I want to delete the (supposedly) broken shortcut.

They used to work, and even now, they sometimes do work, but usually do not. I have not noticed any obvious patterns of when they do work or what might have changed between the time(s) that they do and do not work.

Researching the problem has been fruitless because the (relatively) few pages that mention the error usually end up with just wild guesses, some unrelated discussion of other third-party software, and always end up without a solution.

What could be the problem, and how can it be fixed?

Improve this question

1 Answer 1

Reset to default
3

Solution

I had this problem for a few months and eventually figured it out with a bit of testing. It turns out the problem occurs if the Cryptographic service is not running. Simply run the Cryptographic service, and the ease-of-access tools will run just fine.

Technical Explanation

Security

So why do the accessibility tools require the Cryptographic service? It’s because the accessibility tools are required to be accessible at any point in the system since they provide functionality to allow people to, well, access the system. Therefore, they would not be of much use if they were unavailable in restricted, elevated-privilege areas such as the login screen or UAC dialog.

Because they need to be available everywhere, including restricted areas, they must also be secure to prevent opening an attack vector which can be exploited to take advantage of the restricted areas. To do that, Windows must validate the program by checking its digital signature. To do this, it requires the Cryptographic service.

One might think that it should not need to do this when running in the regular, user-mode areas on the desktop and such, but trying to run it unconditionally in user-mode and trying to validate only in elevated areas would unnecessarily complicate it, which in turn creates more possibility of vulnerabilities. As such, Windows always validates the accessibility tools when run, and therefore always needs the Cryptographic service.

Programming Defect

(Of course it could be argued that it should run the service if it’s not already running. Good design practice would dictate that programs always check for dependencies, install or run them if not available, and return an appropriate message if they cannot. If they had done that, then this problem wouldn’t have occurred because it would automatically run the Cryptographic service and/or give an error that makes it clear exactly what the problem is as opposed to such a cryptic message.)

Other Symptoms

Also, note that if the Cryptographic service is not running, you may experience other security-related issues such as running things elevated not displaying the UAC dialog. For example, clicking the System protection link in My Computer may show the wait-cursor for a moment, then nothing happens and now clicking anywhere in the My Computer window causes Windows to ding (i.e., it is disabled). This is because consent.exe tries to run in order to show the UAC prompt, but without the Cryptographic service running, it cannot perform its task and just hangs. To fix it, you need to open the Task Manager and kill consent.exe. You will get an Incorrect function error message, and My Computer once again becomes enabled. (You still need to run the Cryptographic service to get it to actually work.)

Improve this answer
1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .