1000003: Manually install the latest Microsoft root certs
February 4, 2017 at 5:38 pm #89555
woody
Manager

AKB1000003: Manually install the latest Microsoft root certs
By VulturEMaN
Published 4 Feb 2017 rev 1.0
1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and save in c:\temp\
2. Extract the files using the command c:\temp\rootsupd.exe /c /t:C:\temp\extroot
3. From an elevated prompt run the following commands in this order:
   cd C:\temp\extroot\
   updroots.exe authroots.sst
   updroots.exe updroots.sst
   updroots.exe -l roots.sst
   updroots.exe -d delroots.sst
July 8, 2017 at 8:22 pm #123906
satrow
AskWoody MVP

Not if you’re getting a 404, I don’t think, doesn’t read like a routing issue either, strange. The URL doesn’t have any odd chars, spaces or anything?
Try a middle-click or right-click > open in new tab… ?
EDIT: it’s Shift + Refresh/Reload, sorry = forced refresh (reloads all the data for the page, instead of a normal refresh which would only reload the changed data, the rest it would load from disk cache).
November 17, 2017 at 9:19 am #146050
Rydan
AskWoody Lounger

As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
You could get the trusted and untrusted sst files and import those.
(there are different options)…
Below I assume you have a C:\Temp (or make a location of your choice)
Open a command Prompt; Run as Administrator
untrusted:
Run: certutil -syncwithwu c:\Temp
It should say something like: added xxx files, updated xxx files / certutil completed successfully
Check to see if disallowedcert.sst is created
trusted:
Run: certutil -generateSSTFromWU c:\Temp\authroot.sst
It should say something like: updates sst file / certutil completed successfully
(try again on memory error = uncommon)

Make 2 PowerShell scripts:

1. discert.ps1
# Load the assembly that provides the X509 certificate classes
[reflection.assembly]::LoadWithPartialName("System.Security")
# Read every certificate serialized in the trusted-roots SST file
$certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
$certs.import("c:\temp\authroot.sst")
# Open the LocalMachine AuthRoot store for writing and add the certificates
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "AuthRoot", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.AddRange($certs)

2. authcert.ps1
# Load the assembly that provides the X509 certificate classes
[reflection.assembly]::LoadWithPartialName("System.Security")
# Read every certificate serialized in the untrusted (disallowed) SST file
$certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
$certs.import("c:\temp\disallowedcert.sst")
# Open the LocalMachine Disallowed store for writing and add the certificates
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "Disallowed", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.AddRange($certs)

Place those 2 scripts in C:\Temp
Open a powershell command prompt as administrator (or start powershell in same prompt)
Run: .\discert.ps1
Run: .\authcert.ps1

Check:
Open MMC.exe
Click ctrl+M
Add the Certificates mmc and select Computer account
Check if the changes that Microsoft provided are added to the Untrusted Certificates folder, Third Party Root Certificates Authorities folder
List:
https://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

Ref.
https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
https://social.technet.microsoft.com/wiki/contents/articles/33315.microsoft-trusted-root-certificate-program-portal.aspx
https://technet.microsoft.com/library/dn265983.aspx
https://blogs.technet.microsoft.com/vishalagarwal/2009/08/13/adding-certificates-for-a-serialized-store-sst-file-to-an-actual-physical-store/
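
The MMC check described in the post above can also be scripted. The following is an added example, not part of the original post: it compares the certificates in an SST file with a LocalMachine store by thumbprint and opens the store read-only. The function name Compare-SstWithStore is hypothetical; the paths and store names are the ones used in the post.

```powershell
# Added example: compare an SST file with a LocalMachine store (read-only).
# Compare-SstWithStore is a hypothetical name; paths follow the post above.
function Compare-SstWithStore {
    param(
        [Parameter(Mandatory)] [string] $SstPath,
        [Parameter(Mandatory)] [string] $StoreName   # e.g. AuthRoot or Disallowed
    )

    # Load every certificate serialized in the SST file.
    $sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $sst.Import((Resolve-Path -LiteralPath $SstPath).ProviderPath)

    # Open the machine store read-only, and only if it already exists,
    # so that running the check changes nothing on the system.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    $store.Open($flags)
    try {
        # Index the installed certificates by thumbprint for fast lookup.
        $installed = @{}
        foreach ($c in $store.Certificates) { $installed[$c.Thumbprint] = $true }
    }
    finally { $store.Close() }

    # Emit one row per certificate in the SST file.
    $now = Get-Date
    foreach ($c in $sst) {
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Expired    = $c.NotAfter -lt $now
            InStore    = $installed.ContainsKey($c.Thumbprint)
        }
    }
}

# Before the import this lists what would be added; after the import
# the "missing" count should be 0.
$report  = @(Compare-SstWithStore -SstPath 'C:\Temp\authroot.sst' -StoreName 'AuthRoot')
$missing = @($report | Where-Object { -not $_.InStore })
$missing | Format-Table Thumbprint, Subject, NotAfter -AutoSize
'{0} certificates in SST, {1} missing from store' -f $report.Count, $missing.Count
```

Run it a second time with 'C:\Temp\disallowedcert.sst' and 'Disallowed' to check the untrusted list the same way.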
April 23, 2019 at 5:22 am #829250
owdrtn
AskWoody Lounger

As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
You could get the trusted and untrusted sst files and import those.
(there are different options)

Awesome find @Rydan.. works flawless, thanks !
Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter from the provided online docu.

Thumbs up !!
-
April 23, 2019 at 8:21 am #838468
owdrtn
AskWoody Lounger

@Rydan
However, I’m not sure I understand why not simply download the two cab files “authrootstl.cab” & “disallowedcertstl.cab” @
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab & http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Then just extract the two stl files from those and install both stl files using either:
the right-click context menu "Install CTL"
or certutil: certutil -addstore -f root authroot.stl disallowedcert.stl
?

Also, how would one go about updating the “Trusted Publisher” & the “Intermediate CA” stores ? Are those not relevant/applicable to update as well ?