It seems I fixed it as follows

• exported HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed from another Windows 7 machine to disallowed-windows7.reg
• removed that branch from my registry
• imported disallowed-windows7.reg

Now the following command works as expected again.

$ certutil.exe -generateSSTFromWU roots.sst
Updated SST file.
CertUtil: -generateSSTFromWU command completed successfully.

I found another console app that updates certificates and has no such a problem.
Its particular convenience is that it shows the date of the certificates being updated.

Attachment removed for security

filename: UpdRoots.exe
filesize: 170453 bytes
sha256: 61f403e1aa744a7e5ecde584fdd9a0b490151daa389cbf6b41d4c2d32cfe8c47

Hello, thanks for pointing out this glitch. By removing the list of disallowed certificates, that's just a temporary workaround.

The other tool you found looks like a good solution. Can you please share a link to the tool so we can learn and changes on this repo? I removed the attachment since it contained an EXE with a source hasn't been verified.

@asheroto
Can you please share a link to the tool so we can learn and changes on this repo?

In my country, we have a large community of system administrators who create small tools to facilitate the management of routine tasks such as updating Windows root certificates. So when someone sighs, “Gosh, it's so exhausting to do this or that”, some hero might jump out and say, “Hey, I have a tool for that”. Then they share it, without source code, licenses, etc. That's how I got UpdRoots.exe you have just deleted. The lack of source code does not mean that the app necessarily does something bad. There are many such apps on MajorGeeks and other software portals. After all, if you've been feeling paranoid lately, you could check it against multiple antivirus engines on VirusTotal or even reverse engineer only to see that it's beneficial. Anyway, if anyone needs this app, feel free to leave a note here or contact me directly.

Excellent point. You're right, the absence of source code does not mean the app is doing something bad, but because no source information was provided, it's difficult to point to its creator or more information. From a security perspective, posting an uncommon EXE on a forum is a risk to cybersecurity, especially an EXE which requires administrative privileges. That doesn't mean we shouldn't use it, of course, it just means we must be aware of where it originated from. As an example, there are a handful of applications out there that will update your drivers, but also contain a trojan or backdoor into the system. A custom made application for backdoor access may not be detectable by AVs on VirusTotal, as most of the AVs work based on definitions of known software.

That being said, it's fine to share the program, we just have to be cautious that it's safe. Is it code-signed or is there a company name provided in the metadata? You said "I found another console app", do you have a link or more info on where it originated from?

You can upload it again and we can take another look. I probably should have taken a closer look before jumping the gun and removing the attachment - sorry if that seemed hostile. 😊

UpdRoots.zip

Do you have any more information about this tool?

https://www.virustotal.com/gui/file/61f403e1aa744a7e5ecde584fdd9a0b490151daa389cbf6b41d4c2d32cfe8c47/behavior

Although VirusTotal reports 6/73 AV classify it as suspicious, I found that the EXE is actually a self-extracting archive that can be opened with 7-Zip. Inside of it are three files. The inner updroots.exe appears to be produced by Microsoft.

The difference between that method and the one currently used by Root Certificate Updater is that the former updates the certificates and RCU updates the certificate trust lists.

I'm working on an update that will work more like the one you sent.

Okay, just finished a major rewrite. Take a look at the repo again and check releases for the latest PowerShell script. Thanks for your input on this! I don't have a Windows 7 computer to test on, but it works on Windows 10. If you have any trouble let me know and I can tweak the script.

Re: @asheroto

Okay, just finished a major rewrite. Take a look at the repo again and check releases for the latest PowerShell script.

Well, updating root certificates via PowerShell script is an exotic way to go, because these certificates are meant for Windows XP SP3 and later. On legacy OSes, it can be difficult to run PowerShell or update to a version that supports all the commands of your script. E.g.

$ powershell -Version 2 -f UpdateRootCertificates.ps1 
Cannot process the "#requires" statement at line 59 because it is not in the correct format.

Also, it seems you forgot about delroots.sst.

All this can be simplified to a batch file with zero dependecies.

:: updateRootCerts.bat

@echo off

explorer http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroots.sst
explorer http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/delroots.sst
explorer http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst
explorer http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/roots.sst
explorer http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/updroots.sst

echo Press any key when the certificates are in this script folder or Ctrl+C to stop...
pause >nul

updroots authroots.sst
updroots updroots.sst
updroots -l roots.sst
updroots -d delroots.sst
updroots -l -u disallowedcert.sst

echo Done. Reboot and rejoice.

Windows XP reached end of life in April 2014. Lots of vulnerabilities have been discovered. It's a risk running it these days while connected to the internet.

Even so, incorporating a batch script is a good alternative if PowerShell isn't supported.

Thanks for sharing.

Windows XP reached end of life in April 2014

The hammer that I inherited from my grandfather still nails properly, even though the warranty has long expired, not to mention the factory is closed. Likewise, Windows XP and 7 work fine without any official support. To assess risks, it is better to be guided by deep knowledge of vulnerabilities, rather than by the marketing chatter of commercial giants like Microsoft who scare people to sell updates, turning them into drug addicts who don't sleep well if they don't get a dose of patches every Tuesday. People in Brazilian favelas or in Indian chawls who assemble computers from cheap Aliexpress hardware parts and then use computers behind two NATs (of the internet provider and of the router) are more likely to suffer from a robbery or rape than from a hacker attack. There are plenty of similar places in the world where people are content with legacy equipment. And these people need to update root certificates in order to connect to websites (e.g. that use new ISRG X2 from Let's encrypt). It's heartless to spit on them.

I guess it just depends on your level of risk you're willing to accept. There are 739 known vulnerabilities as of today. Personally I'd rather use Linux on an old PC than run that risk of getting hacked, because it would just cause more frustration and pain to those already in dire situations.

I'm not going to argue with you while you virtue signal or make me feel bad for valid security concerns. I didn't spit on anyone, you're turning this around to try to prove your point, getting off-topic. If I didn't care I wouldn't make the repository in the first place.