Closed
Description
Dear @asheroto, I have just used your Root Certificate Checker app on Windows 7 x64.
After reboot I got the "The certificate is revoked" error as follows:

```
$ certutil.exe -generateSSTFromWU roots.sst
The certificate is revoked. 0x80092010 (-2146885616) -- authrootstl.cab
CertUtil: -generateSSTFromWU command FAILED: 0x80092010 (-2146885616)
CertUtil: The certificate is revoked.
```

Previously, this very command created roots.sst without any errors.
How do I repair this thing now?
sergeevabc commented on Mar 29, 2025
It seems I fixed it as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
from another Windows 7 machine to disallowed-windows7.reg
Now the following command works as expected again.
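The same workaround as a batch file, added here as an example (not sergeevabc's script and not part of the repository): it backs up the local Disallowed store before touching it, so the change can be reverted, and then re-runs the certutil command that failed. It assumes disallowed-windows7.reg (the export from a healthy Windows 7 machine mentioned above) sits next to the script and that the script runs from an elevated prompt; the backup file name is constructed.

```batch
@echo off
REM Added example: replay the Disallowed-store workaround with a backup and a verification step.
REM Assumes disallowed-windows7.reg (exported from a healthy Windows 7 machine) is next to this script.
REM Must run elevated: HKLM\...\SystemCertificates\Disallowed is machine-wide trust state.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed"
set "BACKUP=%~dp0disallowed-backup-%COMPUTERNAME%.reg"

REM 1. Keep a copy of the current Disallowed store; revert later with: reg import "%BACKUP%"
reg export "%KEY%" "%BACKUP%" /y || (echo Backup failed, aborting. & exit /b 1)

REM 2. Drop the stale store and load the known-good export in its place
REM    (reg import only merges, so the old key is removed first).
reg delete "%KEY%" /f || (echo Could not remove old key, aborting. & exit /b 1)
reg import "%~dp0disallowed-windows7.reg" || (echo Import failed, restore from "%BACKUP%". & exit /b 1)

REM 3. Re-run the command that failed with 0x80092010 (CERT_E_REVOKED); it should now produce roots.sst.
certutil.exe -generateSSTFromWU "%~dp0roots.sst" || (echo certutil still fails, restore from "%BACKUP%". & exit /b 1)

echo roots.sst generated. Previous Disallowed store saved at "%BACKUP%".
endlocal
```

Keep the backup: the Disallowed store is what blocks revoked and untrusted certificates, so replacing it is a trust decision, not just a repair.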
sergeevabc commented on Mar 29, 2025
I found another console app that updates certificates and has no such problem.
Its particular convenience is that it shows the date of the certificates being updated.
Attachment removed for security
filename: UpdRoots.exe
filesize: 170453 bytes
sha256: 61f403e1aa744a7e5ecde584fdd9a0b490151daa389cbf6b41d4c2d32cfe8c47
asheroto commented on Mar 30, 2025
Hello, thanks for pointing out this glitch. Removing the list of disallowed certificates is just a temporary workaround.
The other tool you found looks like a good solution. Can you please share a link to the tool so we can learn and make changes on this repo? I removed the attachment since it contained an EXE whose source hasn't been verified.
sergeevabc commented on Mar 30, 2025
In my country, we have a large community of system administrators who create small tools to facilitate the management of routine tasks such as updating Windows root certificates. So when someone sighs, “Gosh, it's so exhausting to do this or that”, some hero might jump out and say, “Hey, I have a tool for that”. Then they share it, without source code, licenses, etc. That's how I got UpdRoots.exe, which you have just deleted. The lack of source code does not mean that the app necessarily does something bad. There are many such apps on MajorGeeks and other software portals. After all, if you've been feeling paranoid lately, you could check it against multiple antivirus engines on VirusTotal or even reverse engineer it only to see that it's beneficial. Anyway, if anyone needs this app, feel free to leave a note here or contact me directly.
asheroto commented on Mar 30, 2025
Excellent point. You're right, the absence of source code does not mean the app is doing something bad, but because no source information was provided, it's difficult to point to its creator or more information. From a security perspective, posting an uncommon EXE on a forum is a risk to cybersecurity, especially an EXE which requires administrative privileges. That doesn't mean we shouldn't use it, of course, it just means we must be aware of where it originated from. As an example, there are a handful of applications out there that will update your drivers, but also contain a trojan or backdoor into the system. A custom-made application for backdoor access may not be detectable by AVs on VirusTotal, as most of the AVs work based on definitions of known software.
That being said, it's fine to share the program, we just have to be cautious that it's safe. Is it code-signed or is there a company name provided in the metadata? You said "I found another console app", do you have a link or more info on where it originated from?
You can upload it again and we can take another look. I probably should have taken a closer look before jumping the gun and removing the attachment - sorry if that seemed hostile. 😊
sergeevabc commented on Mar 31, 2025
UpdRoots.zip
asheroto commented on Mar 31, 2025
Do you have any more information about this tool?
asheroto commented on Apr 1, 2025
https://www.virustotal.com/gui/file/61f403e1aa744a7e5ecde584fdd9a0b490151daa389cbf6b41d4c2d32cfe8c47/behavior
Although VirusTotal reports 6/73 AV classify it as suspicious, I found that the EXE is actually a self-extracting archive that can be opened with 7-Zip. Inside of it are three files. The inner updroots.exe appears to be produced by Microsoft. The difference between that method and the one currently used by Root Certificate Updater is that the former updates the certificates and RCU updates the certificate trust lists.
I'm working on an update that will work more like the one you sent.
asheroto commented on Apr 1, 2025
Okay, just finished a major rewrite. Take a look at the repo again and check releases for the latest PowerShell script. Thanks for your input on this! I don't have a Windows 7 computer to test on, but it works on Windows 10. If you have any trouble let me know and I can tweak the script.
sergeevabc commented on May 18, 2025
Re: @asheroto
Well, updating root certificates via PowerShell script is an exotic way to go, because these certificates are meant for Windows XP SP3 and later. On legacy OSes, it can be difficult to run PowerShell or update to a version that supports all the commands of your script. E.g.
Also, it seems you forgot about delroots.sst. All this can be simplified to a batch file with zero dependencies.
asheroto commented on May 18, 2025
Windows XP reached end of life in April 2014. Lots of vulnerabilities have been discovered. It's a risk running it these days while connected to the internet.
Even so, incorporating a batch script is a good alternative if PowerShell isn't supported.
Thanks for sharing.
sergeevabc commented on May 18, 2025
The hammer that I inherited from my grandfather still nails properly, even though the warranty has long expired, not to mention the factory is closed. Likewise, Windows XP and 7 work fine without any official support. To assess risks, it is better to be guided by deep knowledge of vulnerabilities, rather than by the marketing chatter of commercial giants like Microsoft who scare people to sell updates, turning them into drug addicts who don't sleep well if they don't get a dose of patches every Tuesday. People in Brazilian favelas or in Indian chawls who assemble computers from cheap Aliexpress hardware parts and then use computers behind two NATs (of the internet provider and of the router) are more likely to suffer from a robbery or rape than from a hacker attack. There are plenty of similar places in the world where people are content with legacy equipment. And these people need to update root certificates in order to connect to websites (e.g. that use the new ISRG X2 from Let's Encrypt). It's heartless to spit on them.
asheroto commented on May 18, 2025
I guess it just depends on your level of risk you're willing to accept. There are 739 known vulnerabilities as of today. Personally I'd rather use Linux on an old PC than run that risk of getting hacked, because it would just cause more frustration and pain to those already in dire situations.
I'm not going to argue with you while you virtue signal or make me feel bad for valid security concerns. I didn't spit on anyone; you're turning this around to try to prove your point, getting off-topic. If I didn't care I wouldn't have made the repository in the first place.