freedomofpress
Unable to read the settings files on Windows 11
What happened?
I've installed dangerzone 0.9.0 on a new Windows 11 machine. When i try to start it, i receive the bellow error.
On the same machine, I did some tests and noticed that previous dangerzone version is working fine. Any idea what can I do to fix this? Best regards, Alin
operating system version
Windows 11, version 23H2
Dangerzone version
0.9.0
Docker info
docker version
Client:
Version: 28.2.2
API version: 1.50
Go version: go1.24.3
Git commit: e6534b4
Built: Fri May 30 12:07:16 2025
OS/Arch: windows/amd64
Context: desktop-linux
Server: Docker Desktop 4.42.1 (196648)
Engine:
Version: 28.2.2
API version: 1.50 (minimum version 1.24)
Go version: go1.24.3
Git commit: 45873be
Built: Fri May 30 12:07:26 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.27
GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info -f 'json'
'json'
C:\Windows\System32>
C:\Windows\System32>docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
dangerzone.rocks/dangerzone 20250331-0.9.0-0-gc99c424 8e6e2ec400d1 3 months ago 1.56GB
C:\Windows\System32>docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
e6590344b1a5: Pull complete
Digest: sha256:940c619fbd418f9b2b1b63e25d8861f9cc1b46e3fc8b018ccfe8b78f19b8cc4f
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
Document conversion logs
"C:\Program Files\Dangerzone\dangerzone-cli.exe" d:\dangerzone\input\1.pdf
←[40m←[33m←[2m╭──────────────────────────╮
←[40m←[33m←[2m│←[93m←[22m ▄██▄ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ██████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███▀▀▀██ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███ ████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███ ██████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███ ▀▀▀▀████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███████ ▄██████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ███████ ▄█████████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ████████████████████ ←[33m←[2m│
←[40m←[33m←[2m│←[93m←[22m ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ←[33m←[2m│
←[40m←[33m←[2m│ │
←[40m←[33m←[2m│←[0m←[40m←[97m←[1m Dangerzone v0.9.0 ←[33m←[2m│
←[40m←[33m←[2m│←[0m←[40m←[97m https://dangerzone.rocks ←[33m←[2m│
←[40m←[33m←[2m╰──────────────────────────╯←[0m
ERROR Error loading settings, falling back to default
Assigning ID 'QR9auc' to doc 'd:\dangerzone\input\1.pdf'
Could not find a Dangerzone container image with tag '20250331-0.9.0-0-gc99c424'
WARNING Deleting old container image: dangerzone.rocks/dangerzone:latest
Installing Dangerzone container image...
Successfully installed container image
Converting document to safe PDF
> 'C:\Program Files\Docker\Docker\resources\bin\docker.EXE' run --security-opt=no-new-privileges:true --cap-drop all --cap-add SYS_CHROOT --security-opt label=type:container_engine_t --network=none -u dangerzone --rm -i --name dangerzone-doc-to-pixels-QR9auc dangerzone.rocks/dangerzone:20250331-0.9.0-0-gc99c424 /usr/bin/python3 -m dangerzone.conversion.doc_to_pixels
ERROR [doc QR9auc] 0% Unspecified error
Failed to convert document(s)
d:\dangerzone\input\1.pdf
Additional info
No response
Hi Alin and thanks for the report.
Dangerzone seems to be installed in C:\\Users\dz\AppData but we're trying to load the settings from D:\\Users\\svc_dangerzone\\AppData\\Local\\dangerzone\\dangerzone\\settings.json.
Here we can see the discrepancy between the user names: the application is installed for user dz, but the settings are for user svc_dangerzone, which seem to be a service account you set up.
It seems that the dangerzone application is trying to load settings for the service user, but doesn't have access to these files.
Could you please tell us more about how you installed dangerzone, and the accounts that were involved? And any specifics about your system?
Hi, Thanks for the feedback. Installations and logs looks very strange to me.
- Application is installed under Program Files
- There is no user dz on that machine.
- Browsing on that path, whit svc_dengerzone user, i am able to open it
Thanks a lot for the logs @Alinush22! I think I see two separate errors here actually:
The first error occurs when attempting to start the Dangerzone GUI, where it doesn't have permission to read the settings.json file. Interestingly, we don't encounter this error when starting Dangerzone from the CLI. We encounter a different error (see "Unspecified error" message) but more on that later.
So, let's understand why there's this discrepancy. Can you help us with the following?
-
From the terminal where you ran the
dangerzone-cli.execommand, can you also start the GUI?C:\Program Files\Dangerzone\dangerzone.exe -
Can you go to the "Apps & features" settings, and see if there are multiple Dangerzone versions installed there? We have updated the bundled Windows installer in Dangerzone 0.9.0 (https://github.com/freedomofpress/dangerzone/pull/929), and I recall that there were some incompatibilities if the user downgraded to 0.8.1. If you find two apps there, I suggest you nuke them and reinstall.
-
About the
dzuser, can you check if theC:\Users\dzpath exists? If yes, this could be an stale account or something.
The second error is the Unspecified error message I spotted in your logs. I've opened a separate issue to track this (https://github.com/freedomofpress/dangerzone/issues/1191), because it looks like a Docker Desktop regression.
Hi Alex, 1.Error is similar with the one obtain by clicking the dangerzone icon:
Traceback (most recent call last): File "C:\Users\dz\dangerzone\dangerzone\gui\main_window.py", line 447, in run File "C:\Users\dz\dangerzone\dangerzone\isolation_provider\container.py", line 108, in install File "C:\Users\dz\dangerzone\dangerzone\container_utils.py", line 107, in list_image_tags File "C:\Users\dz\dangerzone\dangerzone\container_utils.py", line 28, in init File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 23, in init File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 102, in load File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 106, in save File "C:\Users\dz\AppData\Local\Programs\Python\Python312\Lib\pathlib.py", line 1013, in open PermissionError: [Errno 13] Permission denied: 'D:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\settings.json'
- There is only one version.
It is a new installed machine. After first installation of dangerzone 0.9.0, when i notice the errors, i uninstall it, install 0.8.1, all was working fine on 0.8.1. Next step was to uninstall 0.8.1 and install 0.9.0 again.--> errors again 3. There is no user dz on that machine. In the past, in some other bug report I notice that dz user in present, so I am assuming it's something related to application: https://github.com/freedomofpress/dangerzone/issues/1166
Cool, thanks for the info. So, you're definitely sure that there's no dz user in your syst- ok, ok, I'm stopping that 😛
It just hit me. The file is there, and is readable. But is it writable? Can you check this with:
icacls 'D:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\settings.json'
Most likely it isn't, because the line that Dangerzone fails is when writing to a file, not when reading it. Actually, it seems that reading succeeds. In this case, maybe you need to tweak the write permissions in your D:\ disk.
Hi Alex, svc_dangerzone is having writing write access on the file.
D:\Users\svc_dangerzone>icacls d:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\settings.json
d:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\settings.json NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
domain\svc_dangerzone:(I)(F)
Successfully processed 1 files; Failed processing 0 files
Hm, it's a bit different than my system, but I don't know if that's right or wrong:
PS C:\Users\dz\dangerzone> icacls C:\Users\dz\AppData\Local\dangerzone\dangerzone\settings.json
C:\Users\dz\AppData\Local\dangerzone\dangerzone\settings.json NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
DESKTOP-QBCMT6T\dz:(I)(F)
Successfully processed 1 files; Failed processing 0 files
In my case, this is also what I get with set user:
C:\Users\dz>set user
USERDOMAIN=DESKTOP-QBCMT6T
USERDOMAIN_ROAMINGPROFILE=DESKTOP-QBCMT6T
USERNAME=dz
USERPROFILE=C:\Users\dz
I can also modify the settings.json file with:
C:\Users\dz>copy C:\Users\dz\AppData\Local\dangerzone\dangerzone\settings.json+
Overwrite C:\Users\dz\settings.json? (Yes/No/All): Yes
1 file(s) copied.
And I can create new files under C:\Users\dz\AppData\Local\dangerzone\dangerzone:
C:\Users\dz>echo test > C:\Users\dz\AppData\Local\dangerzone\dangerzone\thisisatest
C:\Users\dz>
So, in your case, what's the output of these commands?
set user
copy d:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\settings.json+
echo test > d:\Users\svc_dangerzone\AppData\Local\dangerzone\dangerzone\thisisatest
[!NOTE] I don't have a Windows 11 machine available unfortunately, so if all the above commands work, we have to check in a Win11 system.
Hi, There are 2 main differences: I am using a domain account and my user profile is on the D: drive set user USERDNSDOMAIN=domain USERDOMAIN=domain USERDOMAIN_ROAMINGPROFILE=domain USERNAME=svc_dangerzone USERPROFILE=D:\Users\svc_dangerzone
Thanks @Alinush22 for the follow up on this.
As mentioned by @apyrgio, it seems that we have two separate issues:
-
Not being able to run conversions with Docker Desktop, which is currently why we're preparing a
0.9.1release. This can be mitigated by installing Podman Desktop instead, and making it the default backend for Dangerzone with the following command:C:\"Program Files"\Dangerzone\dangerzone-cli.exe --set-container-runtime podmanAlternatively, you can wait for the upcoming 0.9.1 release.
- The issue when accessing the
settings.jsonfile.
First, I was wondering if we had an issue with all Windows 11 installations in general, which hopefully isn't the case: I've setup a Windows 11 test machine and was able to run Dangerzone and convert documents.
It seems that the issue is related to what's called domain accounts, and my understanding is that you're running in some sort of specific organization setup that creates the issue we're facing.
Since none of us is proficient with Windows, could you describe how we could reproduce the setup you have? Or any way we can reproduce the errors that you are facing? If you don't want to document that publicly, you can also send us this information by email (at support --at-- dangerzone --dot-- rocks).
Thanks, and hopefully we'll find a solution to this 👍
Hi, Sorry for my late reply, I was on holiday for a few days.
- I think I will wait for the next release. I installed podman as instructed, but when i run the command: C:"Program Files"\Dangerzone\dangerzone-cli.exe --set-container-runtime podman, output is:
Again that dz user, which does not exist on my machine
- performed the following steps: uninstalled dangerzone 0.9.0 installed dangerzone 0.8.1, run it, all good uninstall dangerzone 0.8.1 install dangerzone 0.9.0 - start it from cli: "c:\Program Files\Dangerzone\dangerzone.exe"
Want to start it again -error
from time to time, it is starting, let;s say 50%....so even more strange All this actions was perfmred by me in 10 minutes, no restart of the machine
This svc_dangerzone is a domain user, with admin rights on the machine. No other special configurations, and it has full rights on settings.json file
P.S. Do i need to install some specific packets for the application, like python?
Again that dz user, which does not exist on my machine
I think what you're seeing here is an artifact of cx_freeze, an utility that we're using to package dangerzone for windows, which freezes the error messages with the user we're using when packaging. I don't think it's problematic, just a bit misleading.
All this actions was perfmred by me in 10 minutes, no restart of the machine
About podman, have you tried logging out and logging back in before doing this? It might just be that the podman binary wasn't visible in your session.
This svc_dangerzone is a domain user, with admin rights on the machine
If that's possible for you, can you tell us how we can setup something like this for testing purposes?
Quick update here, we have a new Dangerzone release out. Let us know if it helps, cheers!
Just a short update. Current configuration: Windows 11 23H2 (domain joined machine), Docker desktop 4.43.1, dangerzone 0.9.1. Behaviour still very strange. If I am starting dangerzone i have:
Sometimes, application is starting with no errors. When it starts, it is working as it should. I will do some more tests, we are using via some scripts.
Thanks for the follow up, and don't hesitate to add more information.
I'm not sure how practical it would be, but we might be able to replicate your setup using samba, if you provide us how the domain is configured (what the ACL are, etc).
Also, in the second screenshot you sent I cannot see the full traceback, if you can paste it here, that would help us understand what's going on.
Alex
Another short update: from cli is working as expected, I manage to convert today 14 pdf's. From time to time i am receive a warning:
WARNING Container 'dangerzone-doc-to-pixels-Dj4myC' did not stop gracefully
Text from second picture:
Traceback (most recent call last):
File "C:\Users\dz\dangerzone\dangerzone\gui\main_window.py", line 447, in run
File "C:\Users\dz\dangerzone\dangerzone\isolation_provider\container.py", line 99, in install
File "C:\Users\dz\dangerzone\dangerzone\container_utils.py", line 176, in list_image_tags
File "C:\Users\dz\dangerzone\dangerzone\container_utils.py", line 28, in __init__
File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 23, in __init__
File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 102, in load
File "C:\Users\dz\dangerzone\dangerzone\settings.py", line 106, in save
File "C:\Users\dz\AppData\Local\Programs\Python\Python313\Lib\pathlib\_local.py", line 537, in open
PermissionError: [Errno 13] Permission denied: 'D:\\Users\\dangerzone_app\\AppData\\Local\\dangerzone\\dangerzone\\settings.json'
As per your question regarding the domain: there are multiple policies, it's not so easy to replicate. User is part of the local administrators group and docker-users group. I don't think that anything else has an impact, and version 0.8.1 is working as expected.
The reason it fails is because of automated updates trying to write to the settings file (to keep track of its last check), and failing due to a lack of permissions and/or the mix of paths that we're seeing.
Because we're not currently able to reproduce this, and we have not received any other report for other parties, we're prioritizing this bug for after 0.10.0, so after the summer.
In the meantime, one way to avoid getting these errors is to disable the update-check mechanism for now (it's not recommended generally speaking because it is how we can advertise new releases, but in your case it could make the issue go away while waiting for us to solve the issue).
Bear in mind that this will not solve all the issues you face, and when changing the settings of the app, it might still not be able to save them.
In order to disable this update-check, you can switch updater_check value to false in the settings file (with the user with the proper rights):
"updater_check": false,
This might well be mitigated by #1200, which probably will be our first try.
Thanks a lot for your patience, and I hope you can have Dangerzone in a working state for now, let us know if not.