tinyapps.org / blog


Check Windows for spurious certs

In light of malware and OEM CA shenanigans ("Who’s your Verisign?" - Malware faking digital signatures, Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish), be sure to check certificates regularly, especially immediately following acquisition or malware cleanup.

While you could comb through Certificate Manager (certmgr.msc), Sigcheck from Sysinternals speeds things up considerably. The following example is from a system with Superfish and Fiddler certs installed:
C:\>sigcheck.exe -tuv *

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Listing valid certificates not rooted to the Microsoft Certificate Trust List:

User\MY:
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
User\Root:
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
   Superfish, Inc.
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Superfish, Inc.
        Serial Number:  00 D2 FC 13 87 A9 44 DC E7
        Thumbprint:     C864484869D41D2B0D32319C5A62F9315AAF2CBD
        Algorithm:      sha1RSA
        Valid from:     6:25 AM 5/12/2014
        Valid to:       6:25 AM 5/7/2034
   DO_NOT_TRUST_FiddlerRoot
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
From the documentation:
 -t[u][v] Dump contents of specified certificate store ('*' for all stores).
          Specify -tu to query the user store (machine store is the default).
          Append '-v' to have Sigcheck download the trusted Microsoft
          root certificate list and only output valid certificates not rooted to
          a certificate on that list. If the site is not accessible,
          authrootstl.cab or authroot.stl in the current directory are
          used instead, if present.
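Where the check is repeated regularly or across many machines, the Sigcheck output can be parsed and compared against an approved baseline of thumbprints rather than read by eye. The Python below is an added example, not code from this post or from Sysinternals: it parses the layout shown above (an abbreviated sample constructed from that output is embedded), groups entries by thumbprint, and flags any certificate sitting in a trust store that is not on the baseline, noting when the same root also appears in the personal (MY) store or carries a SHA-1 signature. The store names in TRUST_STORES and the "abbreviated sample" are assumptions made for the example.

```python
# Constructed sample in the layout Sigcheck prints for -t[u][v], abbreviated from the output above.
SAMPLE = r"""Listing valid certificates not rooted to the Microsoft Certificate Trust List:
User\MY:
   DO_NOT_TRUST_FiddlerRoot
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
User\Root:
   DO_NOT_TRUST_FiddlerRoot
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
   Superfish, Inc.
        Thumbprint:     C864484869D41D2B0D32319C5A62F9315AAF2CBD
        Algorithm:      sha1RSA
"""
TRUST_STORES = {"Root", "CA", "AuthRoot", "TrustedPublisher"}  # assumed set of trust-conferring stores

def parse_sigcheck(text):
    """Parse Sigcheck -t output into dicts {'store', 'name', <field>: <value>, ...}."""
    certs, store, cur = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Listing "):
            continue
        if not line.startswith(" ") and line.endswith(":"):    # store header, e.g. User\Root:
            store, cur = line[:-1], None
        elif line.startswith("        ") and cur is not None:  # 8-space indent: field of current cert
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
        elif line.startswith("   "):                           # 3-space indent: certificate name
            cur = {"store": store, "name": line.strip()}
            certs.append(cur)
    return certs

def flag_suspicious(certs, baseline=frozenset()):
    """Group by thumbprint; report anchors outside the approved baseline and weak signatures."""
    by_tp = {}
    for c in certs:
        e = by_tp.setdefault(c["Thumbprint"], {"name": c["name"], "stores": set(), "reasons": []})
        e["stores"].add(c["store"].split("\\")[-1])            # User\Root -> Root
        if c.get("Algorithm", "").lower().startswith("sha1") and "SHA-1 signature" not in e["reasons"]:
            e["reasons"].append("SHA-1 signature")
    for tp, e in by_tp.items():
        if tp not in baseline and e["stores"] & TRUST_STORES:
            e["reasons"].append("trust anchor not in baseline")
            if "MY" in e["stores"]:  # same cert in the personal store, where certs with private keys live
                e["reasons"].append("root also present in MY store")
    return {tp: e for tp, e in by_tp.items() if e["reasons"]}

if __name__ == "__main__":
    for tp, e in flag_suspicious(parse_sigcheck(SAMPLE)).items():
        print(tp, e["name"], sorted(e["stores"]), e["reasons"])
```

Feed it real output with `sigcheck.exe -tuv * > certs.txt` and pass the thumbprints your organisation deliberately installs as the baseline; anything left in the result is what needs explaining.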

/windows | Jun 14, 2016

