Tag Archives: Windows

Public Key Certificate Locations in Windows

Since last week I have been looking more at depth with how certificates work.  One thing that was bugging me was not knowing where the information is stored.  There are plenty of references to the certificates being stored in files and the registry but no actual paths.

On late Friday there was a bit of a breakthrough.  Somehow I managed to identify a location in the registry that contained a certificate (this was using regedit and doing a search on ‘cert’ if I remember right).

This subkey tree is located at HKCU\Software\Microsoft\SystemCertificates.

These certificates are considered to be CurrentUser whereas the shared ones are in LocalMachine.  Searching for SystemCertificates found an excellent reference from a Microsoft web page.  It is a bit old, but contains valuable information.

CA certificate-related registry entries correlate to the physical view of the certificate-related data that can be viewed by using the Certificates snap-in.

The registry settings in this section are a subset of the registry settings in “Certificate Services Tools and Settings.” This subset makes it possible to monitor and manage key configuration options associated with CA certificates.

The following registry keys are associated with CA certificates that were distributed via Group Policy:

  • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates

The following registry keys are associated with CA certificates that were not distributed via Group Policy:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

This summary shows where the certificates live for the different combinations. The keys are encoded as “blob” values under GUID identifier key names. It appears that the blob is just a binary representation of the certificate.

Each subkey off of the SystemCertificates above shows up in Certificate Manager (certmgr.exe) under a slightly different name.

The mapping is not necessarily easy to work out.  Hopefully in a future post it will happen.  The most important ones to note are “my” and “root”.  “My” is “Personal” and “root” is “Trusted Root Certificate Authorities”.  My current theory is that these folders can be a bit free form; HOWEVER, they do have a purpose and essentially control access to specific features.  For example, “root” is used extensively to guarantee that the root CA is trusted.  If the certificate lives in this folder, essentially all Windows cert operations (think SSL) will trust any certificate signed by this root CA.

Let’s take a look at a certificate using normal tools and using the registry editor.

This is a test certificate that was built to try some Azure samples.  Note that it has a private key.  The certificate lives under “Personal” on “CurrentUser”.  This translates to HKCU with “My”.

Here is a bit more detail from certmgr:

Hopefully this will make some sense against the registry entry.  And, it does not.

This is where I admit that not everything is as it seems.  It turns out the majority of the interesting certificates are actually on the disk.  The Personal certificates were found in “%UserProfile%\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates”.  How’s that for assuming the wrong place?

The directory and files (certificates) are hidden so you will have to play with ATTRIB or Windows Explorer options to get to them.  It looks like this:

This corresponds to the seven certificates seen in certmgr (MMC with the certificate snap-in).  I just noticed that these names correspond to the thumbprint of the certificate (SHA1 : 16 bytes).  This should make it easier to find the certificate that we started with (test.cloudapp.net).

It matches one of the file names:

To get a better look at this file, I used attrib to strip off the system flag (attrib -s) and copied (copy /b) it to another directory.  Then I used my hexdump tool to display what it had inside.

Test Certificate binary content

Clearly this is the right one.  The chance of the wrong file carrying this SHA1-based name is practically zero.
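The same thumbprint cross-check the post does by hand, as an added PowerShell example that is not part of the original post: it lists the CurrentUser “My” store through the Cert: drive and reports, for each certificate, whether a backing file under the AppData path and a subkey under the HKCU SystemCertificates key exist with that thumbprint as their name (the thumbprint is the SHA-1 of the DER encoding, shown as 40 hex characters). The two paths are the ones the post gives; that the registry subkeys are also named by thumbprint is an assumption checked by the script rather than a claim from the post.

```powershell
# Added example, not from the original post. Cross-checks the CurrentUser "My" store
# against its on-disk files and registry subkeys, both assumed to be named by SHA-1 thumbprint.
$fileDir = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
$regPath = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'

# The files are hidden+system, so -Force is needed (the post used attrib / Explorer options).
$fileThumbs = @()
if (Test-Path $fileDir) {
    $fileThumbs = @(Get-ChildItem -Path $fileDir -Force -File |
                    ForEach-Object { $_.Name.ToUpperInvariant() })
}

# Registry side: one subkey per certificate, holding the "Blob" value the post mentions.
$regThumbs = @()
if (Test-Path $regPath) {
    $regThumbs = @(Get-ChildItem -Path $regPath |
                   ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

# What Windows itself reports for the store; Thumbprint is the SHA-1 hash as 40 hex chars.
$storeThumbs = @()
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $t = $_.Thumbprint.ToUpperInvariant()
    $storeThumbs += $t
    [pscustomobject]@{
        Thumbprint = $t
        Subject    = $_.Subject
        HasKey     = $_.HasPrivateKey      # the post's test cert had one
        OnDisk     = ($fileThumbs -contains $t)
        InRegistry = ($regThumbs  -contains $t)
    }
} | Format-Table -AutoSize

# Backing entries with no matching store object deserve a second look (stale or dropped files).
$orphans = @($fileThumbs + $regThumbs | Sort-Object -Unique |
             Where-Object { $storeThumbs -notcontains $_ })
if ($orphans.Count -gt 0) {
    Write-Warning ("Backing entries without a store object: " + ($orphans -join ', '))
}
```

Run it in a normal user session; it only reads, so no elevation or attrib changes are needed.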

The next post will focus on the location of the private keys.

Recovery

My main development machine is recovering.  I had an exception in Winlogon which is always fatal.  I had tried to fix the machine but things were not looking good until today.  After many different attempts, it turned out that doing a full Windows repair was the trick to solve the trap.

I had already proven that some of the files in Windows were corrupt.  Recent power outages were most likely the reason why.  Many of these files are used during the logon process but I was never able to find out which file was causing the problem.  Most likely it was a collection of files and I just couldn’t find all of them.

Given the nature of operating systems today, it is a surprise that it is not common practice to check not only for the existence of files but also their integrity.  The concept of how to do this is fairly straightforward and I would imagine that it has already been included in other operating systems.  Maybe it is already part of Windows and you need to configure it for that.  Regardless, it would make sense from both a security and stability point of view.

The reason why Winlogon traps are so nasty is that even though it is a user mode process, it is considered fatal if it dies.  You can never login to do anything and the machine is stuck in this limbo state until you decide to do something drastic.

Usually people just reinstall everything from scratch.  I didn’t want that and luckily I got my way.

Now that space isn’t much of a concern (remember needing to use disk compression?), it would make sense to have operating systems that can heal themselves.  This would be a combination of signing and version control, but the idea is to have directories to the side that maintain the “perfect” state of the operating system files.  These files could even be used as references.  The more copies you have of the same thing, the more likely it is to stay intact.

The human brain, for example, copies information to many different places with lots of duplication.  Once you have the luxury of space, there is no need to be so stringent on the number of copies left around.  If I heard correctly, this idea is also true in DNA.  If a single part was damaged (brain or DNA), there is a good chance it would still function as a whole.  I would declare this as one of the next big leaps in computer science to realize that duplication can sometimes be a good thing.

As a student at university, it became evident that efficiency was the most important.  Nature doesn’t work that way (copying and more copying) and perhaps it is time for something like Windows to pick up the clue.

Amazing as it is, the Internet can be seen as a rudimentary brain.  Lots of duplication and of course lots of information.  It is better suited for survival because it is not incredibly efficient.  The chaos of the web actually makes it more resilient to going down.

Along this line of thought, Windows could use the Internet to get trusted copies of corrupt binaries.  Instead of a DLL failing to load because of corruption, Windows could be smart enough to use multiple sources to correct the error and avoid the pain and suffering of having an unworkable machine.

If any of you are aware of solutions in this space, I would love to hear about who is doing it and how it works.

This is my first official Citrix Blogger post on WordPress.  Thanks for following me to this new location.  Everything has gone very smoothly and I am quite happy that it is over.  I had been thinking about doing this for months and when it came time to do it,  there was very little pain and everything just worked.

PortICA Time Zone Support

This post is really about trying to catch up with what has been going on with PortICA Time Zone Support. For those of you that haven’t read about Citrix Time Zone Support, please look at my previous post. The idea is to preserve the user’s local time zone while working on a potentially very distant machine. Time is very important to the user and even though a server might be in London, the user in Sydney can’t accept the time difference from their sense of time.

Personally, even though I live in Australia, I still have trouble remembering time differences between locations, especially when daylight saving is in effect in opposite directions. The point is that I don’t want to see a different time zone in effect on systems I would use remotely.

With PortICA, we use the same framework as Presentation Server for changing the time. However, there is a key difference. PortICA changes the time zone for real versus Presentation Server which virtualizes it per user. This means that when a user connects, PortICA will automatically re-adjust the time zone based on the client’s time zone. When the user logs off or disconnects, PortICA will automatically restore the time zone.

This implementation is much simpler than a virtual method. It also gives you full compatibility with all applications. There is a catch, however. Now that PortICA really changes the time zone, the user must have the privilege to change the time (on XP). By default, only administrators and power users have the right to change the time. It is possible to give other users the right to change the time, but it requires two different categories of changes.

First, you must have the privilege to change the time on that system. This can be changed with GPOs (policies) or the local policies (if not in the domain). This privilege isn’t necessarily a light weight thing to be giving out but it is necessary to allow the time zone support to work with users in PortICA.

Secondly, you must change the registry rights for the time zone information on the machine to allow the user to change the time zone. This isn’t known as well. There is a Microsoft support knowledge base article about this.

Earlier in PortICA development we had a service that would do the work of changing the time zone for the users that didn’t have the rights to do so. This avoided the need to set policies or change registry security rights but was not considered a secure enough solution. The idea is that the administrators need to be responsible for privilege allocation. It’s the classic balance between usability versus security.

In a way this post is a heads up about the potential complexity of supporting time zone support on PortICA for XP. The good news from this story is that Vista doesn’t have this problem, because users can be given the right to change the time zone separately from the right to change the actual time. From this move, it appears Microsoft has concluded that tying time zone changes to time changes was the wrong decision. I would agree. Changing the time zone does not change the core time and is therefore much less sensitive to security threats.

My bit of advice for this is to set up a group that has rights to the privilege and registry areas. Then it is just a matter of adding users into that group (which might be a different group like remote users) to give them access to changing the time zone for PortICA.
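The two-part change the post describes (a user right plus a registry ACL, granted to one group), as an added PowerShell example that is not Citrix code and not from the original post. It assumes the standard Windows names for the pieces the post leaves unnamed: the key HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation and the privilege SeSystemtimePrivilege; the group name is a placeholder you would replace. The registry rule grants only value-write access rather than Full Control, and the privilege part only reports who currently holds the right, since assigning it belongs in policy (GPO or local security policy) as the post says.

```powershell
# Added example, not Citrix code. Run elevated. Grants one group the registry access that
# changing the time zone needs on XP and reports who holds the matching user right.
$group = 'BUILTIN\Remote Desktop Users'   # placeholder: use the group you actually chose
$tzKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'   # assumed standard key

# 1. Registry side: least privilege, so value read/write only, not FullControl.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
              $group, $rights,
              [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
              [System.Security.AccessControl.PropagationFlags]::None,
              [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $tzKey
$acl.AddAccessRule($rule)
Set-Acl -Path $tzKey -AclObject $acl

# 2. Privilege side: "Change the system time" (SeSystemtimePrivilege) is a user-rights
#    assignment held in security policy, so export the policy and show its current holders.
#    (Vista and later add a separate "Change the time zone" right, which is the post's point.)
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege' | Select-Object -First 1
$holders = if ($line) { (($line.Line -split '=', 2)[1]).Trim() -split ',' } else { @() }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Summary: the rule now on the key for the group, and the SIDs (*S-1-...) holding the right.
$groupSid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
[pscustomobject]@{
    Group            = $group
    RegistryRights   = ((Get-Acl -Path $tzKey).Access |
                        Where-Object { $_.IdentityReference.Value -eq $group } |
                        ForEach-Object { $_.RegistryRights }) -join ', '
    HoldsTimeRight   = ($holders -contains ('*' + $groupSid))
    AllHolders       = ($holders -join ', ')
}
```

If HoldsTimeRight comes back False, add the group under “Change the system time” in the relevant GPO or local policy; the script deliberately does not edit policy itself.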

Overall PortICA is progressing very well and should be talked about a fair amount at the upcoming iForum in Las Vegas. It has been great to see this project reach critical mass and reach wider audiences.