Scanning Windows Certificate Root Store for Suspicious Certificates

The Windows Certificate Store holds the certificates Windows trusts: the well-known public root CAs plus any self-signed certificates that have been added locally. Every HTTPS connection, signed driver and signed installer is checked against it. If a suspicious certificate finds its way into the store, especially into Trusted Root Certification Authorities, whoever holds its private key can issue certificates for any website and any program that your computer will accept without a warning. Your encrypted HTTPS traffic can then be intercepted and tampered with, and malware can be made to look properly signed.

So it is a good idea to inspect the Windows Certificate Store now and then for certificates that should not be there. Every Windows user can open the store (certmgr.msc for the current user, certlm.msc for the computer), so in theory you can walk through the list by hand and confirm that only legitimate certificates are installed. With a long list of entries that is not really practical, but it is doable.

(Screenshot: certlm - Certificates - Local Computer)

There is also a free tool called RCC, short for Root Certificate Check, which scans the Windows root CA store and the Mozilla Firefox root CA store for unexpected entries and highlights potentially rogue root certificates by comparing them against a trusted baseline and looking at their timestamp metadata. Thanks to gHack for sharing.

(Screenshot: RootCertificateCheck)

The highlighted “interesting” items are not necessarily malicious or a security risk. The one listed in the screenshot above is obviously doing no harm to my computer. But they could very well be bad ones. If you see any red highlights, do some research on the internet to make sure each one is clean and safe to keep in your Certificate Store. If they turn out to be bad, find and remove them from the Windows Certificate Store immediately.

Sigcheck, a small utility from the well-known Windows Sysinternals suite, was updated at the beginning of 2016 with a feature that makes checking the root certificates very easy. Download or update the tool from Microsoft and run it with the following switches.

sigcheck -tv

What it does is download Microsoft's list of trusted root certificates (the same list Windows Update uses to keep the root store current) and print only the valid certificates in the machine store that do not chain to a root on that list. It needs internet access to fetch that list, or a local copy of authroot.stl in the current directory. Add u to check the current user's store instead (sigcheck -tuv); a program running without administrator rights can only plant a root there, so that store deserves a look too.

(Screenshot: Command Prompt, sigcheck -tv output)

As you can see from the screenshot above, I've got 2 suspicious certificates installed in the Root CA store that need to be checked. Fortunately, I am aware of both of them and ok with them staying there. But if you see anything suspicious that you are not aware of at all, look it up on the internet and remove it from the Certificates console.
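If you would rather run the same kind of check from a script, here is an added example (not code from the original post, RCC or Sigcheck) that audits the root stores offline and flags the same kinds of "interesting" entries the tools above highlight: roots added since a baseline you saved earlier, roots issued recently, roots planted in the per-user store, and roots whose private key is present on this machine (a root that can mint certificates locally is the signature of a TLS-interception proxy or adware). It assumes Windows PowerShell 5.1 or later in an elevated prompt; the baseline file name and the 90-day window are assumptions you can change.

```powershell
# Added example, not code from the original post. Audits the trusted root
# stores and flags entries worth a second look. Run elevated.
param(
    [string]$BaselinePath = "$env:USERPROFILE\root-baseline.json",  # assumed location
    [switch]$SaveBaseline,
    [int]$RecentDays = 90                                            # assumed window
)

# Registry keys that back each physical root store (subkey name = SHA1 thumbprint).
# Cert:\CurrentUser\Root is a logical view that also shows the machine's roots,
# so the registry is the only reliable way to tell a per-user root, which needs
# no admin rights to plant, from everything else.
$physicalStores = [ordered]@{
    'PerUser'     = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
    'Machine'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'AuthRoot'    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise'  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function Get-RootInventory {
    # Certificate objects keyed by thumbprint, taken from the logical stores.
    $byThumbprint = @{}
    Get-ChildItem -Path 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot' |
        ForEach-Object { $byThumbprint[$_.Thumbprint] = $_ }

    foreach ($name in $physicalStores.Keys) {
        $key = $physicalStores[$name]
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $tp   = $sub.PSChildName.ToUpper()
            $cert = $byThumbprint[$tp]
            $subject = '(not loaded by the Cert: provider)'; $notBefore = $null; $notAfter = $null; $hasKey = $false
            if ($cert) { $subject = $cert.Subject; $notBefore = $cert.NotBefore; $notAfter = $cert.NotAfter; $hasKey = $cert.HasPrivateKey }
            [pscustomobject]@{
                Location      = $name
                Thumbprint    = $tp
                Subject       = $subject
                NotBefore     = $notBefore
                NotAfter      = $notAfter
                HasPrivateKey = $hasKey
            }
        }
    }
}

$inventory = @(Get-RootInventory)

if ($SaveBaseline) {
    # Record what is trusted today; later runs report anything not in this list.
    $inventory | Select-Object Location, Thumbprint | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline of $($inventory.Count) root entries written to $BaselinePath"
    return
}

$baseline = @{}
if (Test-Path $BaselinePath) {
    foreach ($b in @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline["$($b.Location)|$($b.Thumbprint)"] = $true
    }
}

$cutoff = (Get-Date).AddDays(-$RecentDays)
$findings = foreach ($e in $inventory) {
    $reasons = @()
    if ($baseline.Count -and -not $baseline.ContainsKey("$($e.Location)|$($e.Thumbprint)")) { $reasons += 'NewSinceBaseline' }
    if ($e.HasPrivateKey) { $reasons += 'PrivateKeyOnThisMachine' }   # this box can sign leaf certs chaining to the root
    if ($e.NotBefore -and $e.NotBefore -gt $cutoff) { $reasons += 'RecentlyIssued' }
    if ($e.Location -eq 'PerUser') { $reasons += 'PerUserStore' }
    if ($reasons.Count) { $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join ', ') -PassThru }
}

$findings | Sort-Object Location, Subject | Format-Table Location, Subject, Thumbprint, NotBefore, Reasons -AutoSize
```

Run it once with -SaveBaseline on a machine you trust, then rerun it without the switch after installing software or whenever something looks off. As with RCC's red highlights, a flag is a reason to look, not proof of anything: GroupPolicy and Enterprise entries are pushed centrally by your domain, and a corporate inspection proxy will legitimately show up with a recently issued root.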

(Screenshot: Certificate removal)

Note #1: Removing the bad certificate manually may not be good enough. If it was installed by spyware or adware running on your computer, that program can simply reinstall the certificate once it notices the certificate is gone. The best practice is to dig a bit deeper, find out which program put it there, and remove that program entirely first.
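The script below is an added example (not part of the original post) that removes a rogue root by thumbprint from every store it can live in, optionally pins it into the Untrusted Certificates (Disallowed) store so that a reinstalled copy is still rejected, and then watches the registry for the certificate coming back, which is exactly the symptom Note #1 describes. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the polling interval and watch window are assumptions, and the thumbprint is supplied by you.

```powershell
# Added example, not code from the original post. Removes a root certificate
# everywhere it can be stored and reports if something puts it back.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,   # SHA1 thumbprint of the rogue root
    [switch]$Distrust,                            # also copy it into Disallowed
    [int]$WatchMinutes = 10                       # assumed watch window
)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Registry keys behind each root store; the subkey name is the thumbprint.
$registryRoots = @(
    'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates',
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
)

function Find-RootLocations([string]$Tp) {
    foreach ($r in $registryRoots) {
        if (Test-Path "$r\$Tp") { "$r\$Tp" }
    }
}

function Add-ToDisallowed([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # The Disallowed store overrides every trust store: a chain ending at this
    # certificate fails even if adware re-adds it to Trusted Root later.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($Cert)
    $store.Close()
}

function Remove-RootEverywhere([string]$Tp) {
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot') {
        $path = "$store\$Tp"
        if (Test-Path $path) {
            Write-Host "Removing $Tp from $store"
            Remove-Item -Path $path -DeleteKey   # -DeleteKey also discards a private key, if present
        }
    }
}

$locations = @(Find-RootLocations $Thumbprint)
if (-not $locations) { Write-Host "No root with thumbprint $Thumbprint found."; return }
$locations | ForEach-Object { Write-Host "Found in $_" }

if ($locations -match 'Policies|EnterpriseCertificates') {
    Write-Warning 'This root is pushed by Group Policy or the enterprise store; remove it at the policy source or it will be reapplied.'
}

if ($Distrust) {
    $cert = Get-Item -Path "Cert:\CurrentUser\Root\$Thumbprint", "Cert:\LocalMachine\Root\$Thumbprint" -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cert) { Add-ToDisallowed $cert; Write-Host 'Copied into LocalMachine\Disallowed (Untrusted Certificates).' }
}

Remove-RootEverywhere $Thumbprint

# Poll the registry: if the key reappears, a running program is reinstalling it.
$deadline = (Get-Date).AddMinutes($WatchMinutes)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $again = @(Find-RootLocations $Thumbprint)
    if ($again) {
        Write-Warning "Reinstalled at $(Get-Date -Format u) in: $($again -join '; ')"
        Write-Warning 'Filter Process Monitor on RegCreateKey/RegSetValue for that key path to identify the program, then uninstall it.'
        return
    }
}
Write-Host "Gone for $WatchMinutes minutes; no reinstall observed."
```

Save it under any name you like and run it as, for example, `.\Remove-RogueRoot.ps1 -Thumbprint <sha1> -Distrust` (the file name is an assumption). Pinning the certificate into Disallowed is the part that keeps you protected while you hunt for the program that installed it; deleting the root alone only lasts until that program runs again.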

Note #2: Don't remove any legitimate certificates. There are a large number of certificates in the Root CA store, and the majority of them are legitimate and part of Windows itself.

Note #3: Sigcheck can do a lot more. It was originally designed to show file version numbers, timestamp information and digital signature details. For example, the following command lists the unsigned executable files in the Windows system folder (-u shows only unsigned files, -e scans executable images regardless of their extension).

sigcheck -u -e c:\windows\system32

Kent Chen

Microsoft MVP, IT Professional, Developer, Geek, and the co-founder of Next of Windows.

Last updated: 01/19/2016

Posted in: Tips & Tricks, Tools