The Ethical Hacker Network - Where is the Winodws Certificate Store?

Latest Additions

Who's Online

rance

Full Member

Offline

Posts: 212

Where is the Winodws Certificate Store?

« on: January 18, 2011, 11:45:42 AM »

Hey Folks! Hope everyone had good holidays. I'm in need of some info I can't seem to dig up.

I'm working on an assessment for a potential wireless rollout at my company, and part of our authentication mechanism is to issue a cert/key to grant access to the wireless assets. I'm testing the viability and security of these certs.

Using the "Certificates" mmc snap-in, I'm obviously able to view certs and such, but I'm trying to locate the actual certificate store to check some integrity there. However, I'm unable to find much information on the actual location of the store itself. Some older documents point to this information being stored somewhere in the registry, but newer docs state that the store has moved out of the registry. Unfortunately, I've not been able to uncover much more information.

If anyone can help, I'd be most appreciative... thanks!


	Logged

Poking at security since 1986. +++ATH

Data_Raid

Full Member

Offline

Posts: 165

Re: Where is the Winodws Certificate Store?

« Reply #1 on: January 19, 2011, 05:13:28 AM »

Rance, I ran into the same results you have when I was trying to figure this out a few years ago. I also had problems trying to find the physical store, as well as reading information from MSDN that the certificates are stored in the registry ... or not

I'm not sure if this will help you but I have tried the following: run certmgr.msc and then select View > Options > "Show the following: Physical certificate stores"

This didn't help much as the actual physical location information wasn't displayed, I then ran Process Monitor (Sysinternals) and monitored the mmc.exe process while I toggled "Show physical certificate stores" hoping that I will see an open/read file process to the local computer. Process Monitor did show some read file activity such as:
create file and query directory C:\Documents and Settings\<user>\Application Data\Microsoft\SystemCertificates\My\Certificates

I checked the directory mentioned above and that was empty.

I also saw a registry read request for: HKCU\Software\Microsoft\SystemCertificates\Root\PhysicalStores
which resulted in a "name not found"

I also tried the following from MMC: "Trusted Root Certification Authorities" > "Local Computer" > "Certificates" and then selected a random certificate and saw that a call to read the registry was made, an example below:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C

So it does appear that certificates are stored in the registry


	Logged

All men by nature desire knowledge.

Aristotle

rance

Full Member

Offline

Posts: 212

Re: Where is the Winodws Certificate Store?

« Reply #2 on: January 19, 2011, 04:16:17 PM »

Quote from: Data_Raid on January 19, 2011, 05:13:28 AM

<snip>

So it does appear that certificates are stored in the registry

Thanks so much for the great information... not just the answer, but your process as well. Lots of good information in there! I had actually been down the Docs & Settings road, but couldn't get what I needed out of the few files I found there. The registry information was spot on though, got me exactly what I needed.

Thanks again for the assist!