diff --git a/daemon/remote.c b/daemon/remote.c
index 787a41fb7..22589d829 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -568,11 +568,15 @@ ssl_print_text(RES* res, const char* text)
 	} else {
 		size_t at = 0;
 		while(at < strlen(text)) {
-			ssize_t r = write(res->fd, text+at, strlen(text)-at);
+			ssize_t r = send(res->fd, text+at, strlen(text)-at, 0);
 			if(r == -1) {
 				if(errno == EAGAIN || errno == EINTR)
 					continue;
-				log_err("could not write: %s", strerror(errno));
+#ifndef USE_WINSOCK
+				log_err("could not send: %s", strerror(errno));
+#else
+				log_err("could not send: %s", wsa_strerror(WSAGetLastError()));
+#endif
 				return 0;
 			}
 			at += r;
@@ -621,7 +625,7 @@ ssl_read_line(RES* res, char* buf, size_t max)
 			}
 		} else {
 			while(1) {
-				ssize_t rr = read(res->fd, buf+len, 1);
+				ssize_t rr = recv(res->fd, buf+len, 1, 0);
 				if(rr <= 0) {
 					if(rr == 0) {
 						buf[len] = 0;
@@ -629,7 +633,11 @@ ssl_read_line(RES* res, char* buf, size_t max)
 					}
 					if(errno == EINTR || errno == EAGAIN)
 						continue;
-					log_err("could not read: %s", strerror(errno));
+#ifndef USE_WINSOCK
+					log_err("could not recv: %s", strerror(errno));
+#else
+					log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
+#endif
 					return 0;
 				}
 				break;
@@ -3007,12 +3015,16 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 		}
 	} else {
 		while(1) {
-			ssize_t rr = read(res->fd, magic, sizeof(magic)-1);
+			ssize_t rr = recv(res->fd, magic, sizeof(magic)-1, 0);
 			if(rr <= 0) {
 				if(rr == 0) return;
 				if(errno == EINTR || errno == EAGAIN)
 					continue;
-				log_err("could not read: %s", strerror(errno));
+#ifndef USE_WINSOCK
+				log_err("could not recv: %s", strerror(errno));
+#else
+				log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
+#endif
 				return;
 			}
 			r = (int)rr;
diff --git a/doc/Changelog b/doc/Changelog
index 02c231ebe..a5d4034fd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,7 @@
 	  more closely.
 	- Windows example service.conf edited with more windows specific
 	  configuration.
+	- Fix windows unbound-control no cert bad file descriptor error.
 
 18 June 2018: Wouter
 	- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index c794e4258..36a7a4812 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -616,13 +616,17 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 		}
 		buf[r] = 0;
 	} else {
-		ssize_t rr = read(fd, buf, len-1);
+		ssize_t rr = recv(fd, buf, len-1, 0);
 		if(rr <= 0) {
 			if(rr == 0) {
 				/* EOF */
 				return 0;
 			}
-			fatal_exit("could not read: %s", strerror(errno));
+#ifndef USE_WINSOCK
+			fatal_exit("could not recv: %s", strerror(errno));
+#else
+			fatal_exit("could not recv: %s", wsa_strerror(WSAGetLastError()));
+#endif
 		}
 		buf[rr] = 0;
 	}
@@ -637,8 +641,13 @@ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 		if(SSL_write(ssl, buf, (int)len) <= 0)
 			ssl_err("could not SSL_write");
 	} else {
-		if(write(fd, buf, len) < (ssize_t)len)
-			fatal_exit("could not write: %s", strerror(errno));
+		if(send(fd, buf, len, 0) < (ssize_t)len) {
+#ifndef USE_WINSOCK
+			fatal_exit("could not send: %s", strerror(errno));
+#else
+			fatal_exit("could not send: %s", wsa_strerror(WSAGetLastError()));
+#endif
+		}
 	}
 }