- Compare identical uploads with the VPN off and on.
- Identify proxy, DNS, TLS, firewall, routing, and reputation blocks.
- Use minimal tests without resetting ShareX or exposing credentials.
ShareX can capture a screenshot, finish a screen recording, run OCR, and open its image editor without ever contacting the internet. Uploading is different: the completed file must travel through Windows networking, DNS, a proxy or VPN, security software, and finally the selected destination. If capture succeeds but upload fails only on a VPN, proxy, corporate network, or filtered connection, the problem is usually in that network path rather than in ShareX capture settings.
The fastest way to solve this symptom is to compare controlled tests. Change one network condition at a time, repeat the same small upload, and record the result. This guide explains how to identify proxy authentication failures, DNS filtering, TLS inspection, blocked hosts or ports, split-tunneling mistakes, firewall rules, and destination-side restrictions without unnecessarily resetting ShareX or exposing account credentials.

Start with free Canva bundles
Browse the freebies page to claim ready-to-use Canva bundles, then get 25% off your first premium bundle after you sign up.
Free to claim. Canva-ready. Instant access.
1. Confirm the Symptom and Reproduce It With a Simple Test
Begin by separating capture problems from upload problems. Capture a small region and save it locally without uploading. Open the saved image to confirm it is valid. Then send that same small image to your configured uploader. Using one file for every test prevents recording size, encoding, or file-format differences from confusing the diagnosis.
1.1 Compare VPN-off and VPN-on results
If policy permits disconnecting the VPN, run these tests in order:
- Upload the small file on your normal connection with the VPN disconnected.
- Connect the VPN and upload the same file to the same destination.
- If available, reconnect through a different VPN region or gateway and repeat the upload.
A file that uploads with the VPN off but fails with it on strongly suggests VPN routing, DNS, filtering, reputation, or destination access is responsible. Success means ShareX produces a normal destination response, such as a completed task and generated URL. Once that controlled comparison identifies the failing path, stop changing capture, hotkey, image editor, OCR, and recording settings. They are not involved.
If disconnecting a work VPN is prohibited, do not bypass that restriction. Test on an approved alternative connection or ask the network administrator to review the destination and the time of the failed request.
1.2 Compare the uploader with a browser request
Open the uploader's official website in a browser while using the same network condition. A browser test is useful, but it is not conclusive. Browsers may support interactive proxy sign-in, organization-installed certificates, or security integrations that a desktop application's upload request does not use in the same way.
If the site itself displays a block page, certificate warning, DNS error, or proxy authentication prompt, the network path is the leading suspect. If the website opens but ShareX fails, inspect the exact upload API hostname rather than assuming the website and API use the same host.
1.3 Interpret the basic comparison
- Fails only with the VPN connected: investigate VPN routing, exit-IP reputation, DNS, filtering, and split tunneling.
- Fails only on the corporate network: investigate proxy authentication, TLS inspection, firewall policy, and blocked API hosts.
- Fails on every network: verify the destination configuration, authorization, service status, and uploader response.
- One destination fails but another works: focus on the failed destination's hostnames, policy, rate limits, or credentials.
- Every destination fails on one network: focus on that network rather than resetting every uploader.
2. Check the ShareX Settings Directly Related to This Problem
Do not reset all ShareX settings at the start. A broad reset can remove useful workflow information while leaving a proxy, firewall, or DNS block unchanged. Review only the settings involved between task completion and upload.
2.1 Verify the active after-capture and after-upload actions
Confirm that the workflow actually includes an upload action and that the selected destination is the one you intend to test. ShareX supports different destinations for images, text, files, and URL shortening. A screenshot and a recording may therefore be sent to different services.
Temporarily reduce the workflow to saving the file locally and uploading it once. Disable unrelated follow-up actions such as shortening the URL, sharing it through another service, or running a custom post-upload command. Those extra requests can fail after the original upload succeeds and make the whole task appear unsuccessful.
Success looks like one completed upload and one usable result URL. If that works, restore the extra actions one at a time. Stop changing settings as soon as the action that introduces the failure is identified.
2.2 Confirm the correct destination and endpoint
Check whether the uploader uses an official built-in destination, a custom uploader, an internal company endpoint, or self-hosted storage. For a custom uploader, verify the request URL, HTTP method, required headers, and response parsing against the service's current documentation. Do not casually modify authorization headers merely because a proxy-related error resembles a login failure.
A proxy can return its own HTML sign-in page or access-denied response instead of the destination's normal API response. ShareX may then report an unexpected response, parsing error, or authorization-looking failure even though the destination never received the request.
2.3 Treat credentials carefully on managed networks
Never paste uploader tokens, storage keys, cookies, or passwords into a proxy prompt, support ticket, chat message, or certificate-warning page. Corporate proxy credentials and destination credentials serve different systems. If a network requires proxy authentication, use the organization's approved Windows or VPN sign-in method.
If logs contain authorization headers, signed URLs, API keys, cookies, or upload responses with private links, redact them before sharing. Rotate a credential if it was exposed. Only regenerate destination credentials after evidence shows the request reaches the real destination and that destination rejects the credential.

3. Check Windows and Network Factors
When ShareX uploads are blocked by a proxy or VPN, Windows networking and security controls deserve more attention than screenshot settings. Perform these checks under the exact network condition that causes the failure.
3.1 Corporate proxy authentication
An authenticated proxy may allow a browser after an interactive sign-in while rejecting an application's background request. Errors can include HTTP 407 Proxy Authentication Required, access-denied pages, repeated credential prompts, timeouts, or an HTML response where JSON was expected.
Check the Windows proxy configuration and any organization-provided proxy or secure web gateway client. On a managed computer, ask IT whether non-browser applications are expected to inherit the signed-in user's proxy session and whether the upload API hostname is allowed. Avoid manually embedding a username and password in an uploader URL or configuration file.
Success means the same small upload completes through the required proxy without an extra prompt or proxy-generated response. Once it does, do not change destination credentials.
3.2 DNS filtering and name resolution
Filtered DNS can block the uploader's API, object-storage host, authentication host, or short-link domain even when the service's main website opens. A VPN may also replace the normal DNS resolver, producing different results when connected.
Use Windows tools such as nslookup or Resolve-DnsName in PowerShell to look up the exact hostname shown in the error or uploader configuration. Compare results with the VPN on and off when permitted. A nonexistent-domain response, filtering address, block-page address, or result that changes only on the affected network is useful evidence.
Do not permanently switch a managed device to public DNS to evade company controls. Request an allowlist review for all required service hostnames. Success means the real hostname resolves consistently and the upload completes on the approved network.
3.3 TLS inspection and certificate errors
TLS inspection allows a security gateway to examine encrypted traffic by presenting certificates issued by an organization-controlled certificate authority. If the required root certificate is unavailable to the application context, or the gateway cannot correctly process the service, ShareX may report a trust, certificate-chain, secure-channel, or connection-closed error.
Check whether the destination displays a certificate warning in a browser on the affected network. Do not disable certificate validation, accept an unexplained certificate, or convert an HTTPS endpoint to HTTP. On a managed computer, ask IT to confirm that the inspection certificate is correctly deployed and that the destination supports inspection. Some upload or storage services may need a policy-approved inspection exemption.
Success means the upload completes over HTTPS without a trust warning. Stop troubleshooting credentials if correcting certificate trust resolves the request.
3.4 Blocked hosts, ports, and redirects
Most web uploaders use HTTPS on TCP port 443, but a custom or self-hosted uploader may use another port. A service can also redirect from its API domain to authentication, storage, content-delivery, or result-link domains. Allowing only the public website may therefore be insufficient.
Record every relevant hostname from the uploader configuration, error details, and approved service documentation. In PowerShell, an administrator may use Test-NetConnection hostname -Port 443 to test basic TCP reachability. A successful TCP test does not prove that the application-layer request is allowed, but a failed test is strong evidence of routing or firewall trouble.
Ask the network team to permit only the documented hosts and required ports rather than broad wildcard access. Success means name resolution, TCP connection, TLS negotiation, and the actual upload all complete.
3.5 VPN split tunneling
Split tunneling decides which traffic goes through the VPN and which traffic uses the local internet connection. A bad route can send the uploader request through a blocked corporate tunnel, while an incomplete split can send an internal uploader outside the tunnel where it is unreachable.
If your VPN has an approved per-application or per-destination routing feature, check whether ShareX or the uploader hostname is included in the correct path. Do not create unsupported routes or exclusions on a managed system. Ask the VPN administrator whether the destination should be inside or outside the tunnel.
Success means the uploader follows the intended route and works consistently after reconnecting the VPN. Once routing is corrected, leave unrelated ShareX settings unchanged.
3.6 Firewall and endpoint-security rules for ShareX
Windows Defender Firewall or third-party endpoint security can block outbound traffic by executable, network profile, destination, or reputation. Review recent alerts and outbound rules applying to ShareX. Confirm that an existing rule points to the current legitimate executable rather than an old path.
Do not disable the firewall as a permanent fix. If policy allows a short diagnostic test, keep it controlled and re-enable protection immediately. The safer solution is a narrowly scoped outbound allow rule created by an administrator for the legitimate ShareX executable and required destinations. Download ShareX only through its official distribution channels.
Success means uploads work with security protection enabled and the approved rule active. If disabling protection makes no difference, restore it immediately and investigate another layer.
3.7 Destination rate, abuse, and reputation blocks
A destination may reject a VPN exit address, shared corporate IP address, hosting-provider range, region, or burst of automated uploads. Common signs include HTTP 403 or 429 responses, CAPTCHA or challenge pages, temporary access denials, and success after changing to an approved network.
Pause repeated testing if the service reports rate limiting. Repeated retries can extend a temporary restriction. Check the provider's service status and usage limits, then test once after the stated wait period. A different VPN gateway may confirm an IP-reputation issue, but it should not be used to bypass the destination's rules.
Success means a single upload receives the normal API response without a challenge or rate-limit message. If the provider confirms an address block, follow its appeal process or use an approved destination.
4. Run a Clean Temporary Test With Minimal ShareX Settings
A minimal test isolates the network request without destroying the user's normal setup. First, back up or note important ShareX configuration details. Do not delete history, custom uploaders, or credentials merely to run this test.
- Create a tiny PNG screenshot and save it locally.
- Select one known, approved uploader destination.
- Disable URL shortening, clipboard follow-up actions, custom commands, and secondary sharing steps temporarily.
- Upload the saved PNG manually from ShareX.
- Repeat with the VPN off and on, or on the approved comparison networks.
- Test a second approved uploader destination using the same file.
If the first destination fails while the second succeeds on the same connection, the network is not blocking all ShareX traffic. Compare destination hostnames, TLS behavior, proxy policy, and rate or reputation restrictions. If both fail only on one network, concentrate on that network path.
If the minimal upload succeeds, restore the normal workflow one action at a time. Test after each addition. The first restored action that triggers failure identifies the relevant service or request. Stop there rather than resetting working components.
5. Check Task History, Logs, and Error Output
The exact error is more valuable than a generic statement that ShareX is not working. Open ShareX task history and inspect the failed task. If diagnostic or debug logging is available in the installed build, reproduce one failure and review only the corresponding time window.
5.1 Match errors to likely causes
- 407: the proxy requires authentication or rejected the available proxy identity.
- 403: the destination or a security gateway denied the request.
- 429: the destination is rate limiting requests.
- Name resolution or host not found: investigate DNS, the hostname, and VPN-provided DNS.
- Certificate or trust failure: investigate TLS inspection, certificate deployment, and system time.
- Connection timeout: investigate routing, blocked ports, firewall rules, or an unavailable destination.
- Unexpected HTML or parsing failure: a proxy login, block page, or web challenge may have replaced the expected API response.
- Connection reset or closed: a gateway, inspection product, endpoint security tool, or remote service may be terminating the session.
Record the local time, destination hostname, VPN state, network used, HTTP status if present, and whether another destination worked. This gives IT or the service provider a focused incident report.
5.2 Know when credentials are actually relevant
Credentials become the primary suspect when DNS, TCP, and TLS succeed, the response clearly comes from the intended destination, and that destination returns an authentication-specific error. They are not the first suspect when the response is a corporate block page, proxy-authentication error, certificate failure, or timeout.
If destination credentials must be replaced, use the provider's official account page, store the replacement only in the appropriate ShareX destination configuration, and revoke the old credential. A successful authenticated test should produce the expected upload result. Once it does, avoid further network changes.
6. Quick Fix Checklist
- Confirm that local capture and file saving work before troubleshooting uploads.
- Upload the same small file with the VPN off and on when policy permits.
- Verify the selected destination and remove temporary post-upload actions.
- Test the exact API hostname, not only the provider's main website.
- Look for proxy 407 responses, sign-in pages, or replaced HTML responses.
- Compare DNS results on working and failing network paths.
- Investigate certificate errors as possible TLS inspection problems.
- Confirm required hosts and ports are allowed through the firewall.
- Ask whether split tunneling routes the destination through the correct path.
- Test one other approved uploader to separate global and destination-specific failures.
- Pause after 429 responses instead of repeatedly retrying.
- Redact tokens, cookies, signed URLs, and private links before sharing logs.
- Stop changing settings when the same small upload succeeds repeatedly on the required network.
7. Frequently Asked Questions
7.1 Why does ShareX capture correctly but fail to upload?
Capturing, editing, OCR, and local saving happen on the computer. Uploading requires a working path through DNS, a proxy or VPN, TLS, firewalls, and the destination. Successful capture therefore does not prove that outbound network access is working.
7.2 Why does ShareX work with the VPN off but not with it on?
The VPN may change DNS resolvers, routes, firewall policy, geographic location, or the public exit address. The destination may also restrict the VPN exit IP. Compare the same small upload in both states, then investigate routing, split tunneling, DNS, and reputation instead of changing capture settings.
7.3 Can a proxy make valid uploader credentials look invalid?
Yes. An authenticated proxy or filtering gateway can return its own login or block page before the request reaches the uploader. If ShareX expects an API response, that replacement response may appear as an authorization or parsing failure. Confirm the responding host and HTTP status before rotating credentials.
7.4 Should I disable HTTPS checking or the firewall?
No permanent fix should require disabling certificate validation or security protection. A tightly controlled test may be permitted by local policy, but protection should be restored immediately. Correct the certificate deployment, inspection policy, routing, or outbound rule instead.
7.5 Why does another ShareX uploader work on the same network?
Different uploaders use different API hosts, storage domains, certificates, ports, authentication methods, and abuse controls. One successful destination proves that ShareX can make at least some outbound requests, but it does not prove that every required host is allowed.
7.6 What information should I send to corporate IT?
Provide the failure time, destination hostname, required port, VPN state, network profile, HTTP status or exact error, and whether a second approved destination worked. Include a redacted log excerpt if allowed. Never send API keys, passwords, cookies, signed URLs, or unrestricted screenshots containing secrets.