diff --git a/sm/ChangeLog b/sm/ChangeLog
index 2c178ca27..ce129cfd6 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,9 @@
+2008-10-23  Werner Koch  <wk@g10code.com>
+
+	* import.c (popen_protect_tool): Add arg CTRL and assure that the
+	agent is running.  Pass a value for CTRL from all caller.
+	* export.c (popen_protect_tool): Ditto.
+
 2008-10-21  Werner Koch  <wk@g10code.com>
 
 	* call-dirmngr.c (inq_certificate_parm_s): Add field CTRL.
diff --git a/sm/export.c b/sm/export.c
index c1b9eaaf0..fa2e9de1a 100644
--- a/sm/export.c
+++ b/sm/export.c
@@ -571,7 +571,7 @@ print_short_info (ksba_cert_t cert, FILE *fp, estream_t stream)
 
 
 static gpg_error_t
-popen_protect_tool (const char *pgmname,
+popen_protect_tool (ctrl_t ctrl, const char *pgmname,
                     FILE *infile, FILE *outfile, FILE **statusfile, 
                     const char *prompt, const char *keygrip,
                     pid_t *pid)
@@ -579,6 +579,12 @@ popen_protect_tool (const char *pgmname,
   const char *argv[20];
   int i=0;
 
+  /* Make sure that the agent is running so that the protect tool is
+     able to ask for a passphrase.  This has only an effect under W32
+     where the agent is started on demand; sending a NOP does not harm
+     on other platforms. */
+  gpgsm_agent_send_nop (ctrl);
+
   argv[i++] = "--homedir";
   argv[i++] = opt.homedir;
   argv[i++] = "--p12-export";
@@ -645,7 +651,8 @@ export_p12 (ctrl_t ctrl, const unsigned char *certimg, size_t certimglen,
       goto cleanup;
     }
 
-  err = popen_protect_tool (pgmname, infp, outfp, &fp, prompt, keygrip, &pid);
+  err = popen_protect_tool (ctrl, 
+                            pgmname, infp, outfp, &fp, prompt, keygrip, &pid);
   if (err)
     {
       pid = -1;
diff --git a/sm/import.c b/sm/import.c
index 03e84ec44..cb1922ed5 100644
--- a/sm/import.c
+++ b/sm/import.c
@@ -460,12 +460,18 @@ gpgsm_import_files (ctrl_t ctrl, int nfiles, char **files,
    output to OUTFILE and the pid of the process in PID.  Returns 0 on
    success or an error code. */
 static gpg_error_t
-popen_protect_tool (const char *pgmname,
+popen_protect_tool (ctrl_t ctrl, const char *pgmname,
                     FILE *infile, FILE *outfile, FILE **statusfile, pid_t *pid)
 {
   const char *argv[20];
   int i=0;
 
+  /* Make sure that the agent is running so that the protect tool is
+     able to ask for a passphrase.  This has only an effect under W32
+     where the agent is started on demand; sending a NOP does not harm
+     on other platforms. */
+  gpgsm_agent_send_nop (ctrl);
+
   argv[i++] = "--homedir";
   argv[i++] = opt.homedir;
   argv[i++] = "--p12-import";
@@ -551,7 +557,7 @@ parse_p12 (ctrl_t ctrl, ksba_reader_t reader,
       goto cleanup;
     }
 
-  err = popen_protect_tool (pgmname, tmpfp, certfp, &fp, &pid);
+  err = popen_protect_tool (ctrl, pgmname, tmpfp, certfp, &fp, &pid);
   if (err)
     {
       pid = -1;