Windows OS Hub

August 31, 2017 Windows 10, Windows 7

How to Check Trusted Root Certification Authorities for Suspicious Certs

Windows users need to pay more attention to the certificates installed on their computers. Recent incidents with the Lenovo Superfish, Dell eDellRoot and Comodo PrivDog certificates show that users have to be attentive when they install new applications and also aware of what software and certificates the manufacturer has preinstalled on the system. Fake or specially generated certificates help hackers perform MiTM (man-in-the-middle) attacks, capture your traffic (including HTTPS), allow malicious software or scripts to run, etc.

As a rule, these certificates are installed in the Trusted Root Certification Authorities store. Let's see how you can check the store for third-party certificates.

In general, the Trusted Root Certification Authorities store should contain only trusted certificates verified and published by Microsoft under the Microsoft Trusted Root Certificate Program. To check the certificate store for third-party certificates, use Sigcheck (a tool from Sysinternals).

  1. Download Sigcheck from the Microsoft website (https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx).
  2. Unpack Sigcheck.zip to any folder (e.g., C:\install\sigcheck\).
  3. Start the command prompt and go to the directory where the tool is located: cd C:\install\sigcheck\
  4. Run sigcheck.exe -tv or sigcheck64.exe -tv (for 64-bit Windows versions) in the command prompt.
  5. At the first run, Sigcheck prompts you to accept the license terms.
  6. The tool then downloads the authrootstl.cab archive, which contains the list of Microsoft root certificates in Certificate Trust List format, from the Microsoft website and saves it to its own directory.

    Tip. If the computer has no direct Internet connection, you can download authrootstl.cab yourself from http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and manually place it in the directory containing SigCheck.
  7. The tool compares the list of certificates installed on your computer with the list of Microsoft root certificates in authrootstl.cab. If the list of root certificates on your computer contains third-party certificates, SigCheck displays them. In our case, there is one certificate named test1 (a self-signed certificate that I created with the New-SelfSignedCertificate cmdlet to sign a PowerShell script).
  8. Each third-party certificate found must be analyzed to decide whether it should be on the list of trusted certificates. It is also recommended to find out which application installed it and uses it.

    Tip. If the computer is part of a domain, the list of "third-party" certs will likely contain the root certificates of the internal certification authority (CA) and other certificates integrated into the system image or distributed using GPO.
  9. To delete a certificate from the list of trusted certificates, start the certificate management console (msc), expand Trusted Root Certification Authorities -> Certificates and delete the certificates found by the SigCheck utility.
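
The comparison from step 7 can also be reproduced with built-in Windows tools. The following PowerShell script is an added example, not part of the original article or of Sigcheck: it assumes that certutil.exe supports the -generateSSTFromWU option and that the computer can reach Windows Update, and the scratch folder name is hypothetical.

```powershell
# Added example: list LocalMachine\Root certificates that are not in the
# Microsoft root list published through Windows Update.
# Assumptions: certutil.exe supports -generateSSTFromWU and Windows Update is
# reachable; $WorkDir is a hypothetical scratch folder.
$WorkDir = Join-Path $env:TEMP 'rootcheck'
$SstPath = Join-Path $WorkDir 'msroots.sst'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Build a serialized certificate store (.sst) from the Windows Update root list.
& certutil.exe -generateSSTFromWU $SstPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $SstPath)) {
    throw "certutil could not download the Microsoft root list (exit code $LASTEXITCODE)."
}

# Load the .sst and index the published roots by thumbprint.
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$published.Import($SstPath)
$known = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($cert in $published) { [void]$known.Add($cert.Thumbprint) }

# An empty list would flag every local root, so stop instead of comparing.
if ($known.Count -eq 0) { throw 'The downloaded root list is empty; refusing to compare.' }

# Anything in the machine root store that is not in the published list needs review.
$unlisted = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { -not $known.Contains($_.Thumbprint) } |
    Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }

if ($unlisted) {
    $unlisted | Sort-Object Subject | Format-List
    Write-Warning ("{0} root certificate(s) are not in the Microsoft list." -f @($unlisted).Count)
} else {
    Write-Output 'All certificates in LocalMachine\Root are in the Microsoft list.'
}
```

As with the SigCheck output, internal CA roots and certificates distributed by GPO will show up in this list, so review each entry as described in step 8 before deleting anything.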

Thus, it is recommended to check the certificate store using SigCheck on all systems, especially on OEM computers with a preinstalled OS and on Windows builds distributed via popular torrent trackers.
