How to Check Trusted Root Certification Authorities for Suspicious Certs

Windows users need to pay more attention to certificates installed on their computers. Recent incidents with Lenovo Superfish, Dell eDellRoot and Comodo PrivDog certificates evidence that users have to be both attentive when they install new applications and aware what software and certificates are preinstalled in the system by the manufacturer. Fake or specially generated certificates help hackers to perform MiTM (man-in-the-middle) attacks, capture your traffic (including HTTPS), allow malicious software or scripts to run, etc.

As a rule, these certificates are installed in the Trusted Root Certification Authorities store. Let’s see how you can check the store for the third-party certificates.

In general, the Trusted Root Certification Authorities store should contain only trusted certificates verified and published by Microsoft under Microsoft Trusted Root Certificate Program. To check the certificate store for third-party certificates, use Sigcheck (a tool from Sysinternals).

1. Download Sigcheck from Microsoft website (https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx)
2. Unpack Sigcheck.zip to any folder (e. g., C:\install\sigcheck\)
3. Start the command prompt and go to the directory where the tool is located: cd C:\install\sigcheck\
4. Run sigcheck.exe –tv or sigcheck64.exe –tv (for 64-bit Windows versions) in the command prompt
5. At the first run, sigcheck prompts to accept license terms
6. Then the tool downloads authrootstl.cab archive containing the list of MS root certificates in Certification Trust List format from Microsoft website and saves it to its own directory.

   Tip. If there is no direct Internet connection on your computer, you can download authrootstl.cab yourself following this link http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and manually place it to the directory containing SigCheck

7. The tool will compare the list of certificates installed on your computer with the list of MSFT root certificates in authrootstl.cab. If there are third-party certificates in the list of root certificates on your computer, SigCheck will display them. In our case, there is one certificate with the name test1 (it is a self-signed certificate created using New-SelfSignedCertificate cmdlet that I have created to sign the code of a PowerShell script)
8. Each found third-party certificate must be analyzed to evaluate if it should be on the list of trusted certificates. It is also recommended to find out what application has installed and uses it.

   Tip. If the computer is a part of a domain, it is likely that list of “third-party” certs will contain the root certificates  of internal certification authority (CA) and other certificates integrated into the system image or distributed using GPO .

9. To delete a certificate from the list of trusted certificates, start the certificate management console (msc), expand Trusted Root Certification Authorities -> Certificates and delete the certificates found by SigCheck utility

Thus, it is recommended to check the certification store using SigCheck on all systems, especially on the OEM computers with the preinstalled OS and different Windows builds distributed via some popular torrent trackers.