Secure Desktop

Details on the 'Secure Desktop' option of KeePass 2.x.


General Information

KeePass 2.x has an option (in 'Tools' → 'Options' → tab 'Security') to show master key dialogs on a different/secure desktop (supported on Windows 2000 and higher), similar to Windows' User Account Control (UAC).

Benefit. Most currently available keyloggers work only on normal desktops; they do not capture keypresses on secure desktops. So, on a secure desktop, the master key is protected against most keyloggers.

Limitations.

  • Although most keyloggers do not work on KeePass' secure desktop, keyloggers can be developed to also work on it. This could only be prevented if KeePass were running on a secure desktop with higher rights (e.g. as a system process, like Windows' UAC). However, this would be completely impractical, because KeePass could then no longer interact (drag&drop, auto-type, integration plugins, ...) with other applications on the user's normal desktop.
  • There may be compatibility issues.

Compatibility. The option is turned off by default for compatibility reasons (some problems are mentioned below).


Why does a desktop switch occur while entering the master key?

Symptoms. While entering the master key for a KeePass database on the secure desktop, a switch to a different desktop occurs. KeePass then displays a message 'An application has switched from the secure desktop to a different desktop.', and offers to switch back to the secure desktop.

Reason. A different application is causing the switch. For example, users have reported the following applications to cause desktop switches:

  • Acronis Scheduler Helper (e.g. part of Acronis True Image WD Edition).
  • HitmanPro.
  • Seagate DiscWizard.
  • TeamViewer.

Solution. Unfortunately, KeePass cannot prevent other applications from switching to a different desktop. Therefore, the only solutions are to either turn off the secure desktop option of KeePass (in 'Tools' → 'Options' → tab 'Security') or terminate the interfering application.
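
To see when the input desktop changes while troubleshooting this, the following added example (not KeePass code, and not a description of how KeePass itself detects the switch) polls the Win32 input desktop and logs every change. Start it on the normal desktop before opening the database, then compare the logged switches with and without a suspected application running. The type name Diag.Desk, the function name and the 200 ms polling interval are assumptions of this example.

```powershell
# Added diagnostic example: logs which desktop currently receives user input.
Add-Type -Namespace Diag -Name Desk -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr OpenInputDesktop(uint dwFlags, bool fInherit, uint dwDesiredAccess);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseDesktop(IntPtr hDesktop);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserObjectInformationW(IntPtr hObj, int nIndex,
    System.Text.StringBuilder pvInfo, uint nLength, out uint lpnLengthNeeded);
'@

function Get-InputDesktopName {
    $DESKTOP_READOBJECTS = 0x0001   # access right requested on the desktop handle
    $UOI_NAME = 2                   # ask GetUserObjectInformation for the object name
    $h = [Diag.Desk]::OpenInputDesktop(0, $false, $DESKTOP_READOBJECTS)
    # Opening fails when the caller has no access to the input desktop,
    # e.g. the Winlogon desktop shown for the lock screen or a UAC prompt.
    if ($h -eq [IntPtr]::Zero) { return '<inaccessible>' }
    try {
        $sb = New-Object System.Text.StringBuilder 256
        $needed = [uint32]0
        # nLength is in bytes: 256 UTF-16 characters = 512 bytes.
        if ([Diag.Desk]::GetUserObjectInformationW($h, $UOI_NAME, $sb, 512, [ref]$needed)) {
            return $sb.ToString()
        }
        return '<unknown>'
    } finally {
        [void][Diag.Desk]::CloseDesktop($h)
    }
}

$last = Get-InputDesktopName        # the normal user desktop is named "Default"
Write-Host "Input desktop at start: $last (press Ctrl+C to stop)"
while ($true) {
    Start-Sleep -Milliseconds 200   # polling interval (assumption of this example)
    $now = Get-InputDesktopName
    if ($now -ne $last) {
        $stamp = Get-Date
        Write-Host ("{0:HH:mm:ss.fff}  input desktop: {1} -> {2}" -f $stamp, $last, $now)
        # Hint only: processes started in the last 10 seconds. A long-running
        # background application that causes the switch will not appear here.
        Get-Process | Where-Object { $_.StartTime -gt $stamp.AddSeconds(-10) } |
            Select-Object Id, ProcessName, StartTime | Format-Table -AutoSize | Out-Host
        $last = $now
    }
}
```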


Why does the Input Method Editor (IME) not work?

Some Input Method Editors (IMEs) are incompatible with secure desktops. Trying to show such an IME on a secure desktop can result in problems (black screen, IME/CTF process with high CPU usage, ...). In order to avoid such problems, KeePass disables the IME when switching to a secure desktop (and this may also disable it on the normal desktop, depending on the Windows version).

If you need the IME for entering the master password, turn off the secure desktop option as follows:

  1. Start KeePass. If you are prompted for the master key (on the secure desktop), click [Cancel].
  2. Click 'Tools' → 'Options' → tab 'Security' → turn off the option 'Enter master key on secure desktop'. Close the dialog with [OK].
  3. Restart KeePass.

On the normal desktop, the IME can be used as usual.


Can the desktop be locked?

The Windows desktop can be locked by pressing Win+L. This also works on a secure desktop.

  • On Windows 7, 8 and 11, locking the desktop works as expected. When you are on a secure desktop and press Win+L, the lock screen appears. After unlocking, the secure desktop is displayed again.
  • On Windows 10 (but not 11), there is a bug. When you are on a secure desktop and press Win+L, Windows continues to display the secure desktop instead of switching to the lock screen. The KeePass dialog is visible, but cannot be focused. In order to leave this confusing state, you can press Ctrl+Alt+Delete. This causes the lock screen to appear. After unlocking, the secure desktop is displayed again (and the KeePass dialog has the input focus).
