How do I uninstall an application whose installer has a revoked signing certificate

8

Several years ago I installed an application called Net Limiter on my then Windows 7, since upgraded to Windows 10, machine. Earlier today I attempted to uninstall it while cleaning up applications I haven't used in a long time. The uninstall failed with an error message about the installer not being trusted.

https://i.imgur.com/UEoQoVn.png

After a bit of investigation I think I found the problem. The signing cert has expired and was revoked by the issuing CA.

https://i.imgur.com/DcvWWVX.png

Stymied with the original installer I went to the vendor to see if I could bypass the issue by upgrading to a newer version and then uninstalling that. Unfortunately I struck out there. The current version of the application (4.x) installed beside the old one instead of replacing it, and the most recent 3.x installer refuses to start because I have a different version already installed and "helpfully" tells me to remove it via Add/Remove programs first.

Dan is Fiddling by Firelight

Posted 2016-07-22T00:35:39.417

Reputation: 2 677

1The simplest solution. Manually place the expired certificate into your certificate store, uninstall the application, then remove the certificate when you are done. Certificates do become "not safe" just because they are expired, if you trusted the certificate originally, then your trusting it again today. – Ramhound – 2016-07-22T00:39:44.680

@Ramhound I just added the certificate to the Trusted Publishers store for Local Machine (and verified that it's present and enabled in the certificate manager); but I'm still getting the same denied error from UAC. – Dan is Fiddling by Firelight – 2016-07-22T00:47:34.787

If you disable UAC entirely, or as much as you can on Windows 10, will it allow you to uninstall the program? You might also have to trust the installer's certificate and the certificate that signed it. – Ramhound – 2016-07-22T00:49:03.853

@Ramhound Nope. UAC on the lowest slider setting didn't do anything except drop the denied message onto the normal desktop. – Dan is Fiddling by Firelight – 2016-07-22T00:51:56.060

might help to say what software this is? I'd also toy with changing the date to the past – Journeyman Geek – 2016-07-22T00:52:05.513

Any chance you can provide a copy of the uninstaller? Or extract the certificate? I wonder if you could just remove the signature entirely...

– Bob – 2016-07-22T00:55:53.623

Possible Related you might be able to sign it again with your own certificate if its a explicit revocation. – Ramhound – 2016-07-22T00:59:08.150

Signing an Edited Windows Installer package (msi file) – Ramhound – 2016-07-22T01:00:43.137

@JourneymanGeek That almost worked; and changed the nature of my problem in the process. Rolling the date back defeated the expired certificate check. Only to have the uninstaller crash with a cryptic error message that will probably require contacting the vendor to resolve. https://i.imgur.com/ijaSyJt.png

– Dan is Fiddling by Firelight – 2016-07-22T01:02:49.267

Answers

5

You can use the signtool program to strip its digital signatures. That tool comes with the Windows SDK, or with Visual Studio, though you might have to adjust some settings first. It only appears on your PATH if you launch the Visual Studio Developer Command Prompt.

For me on 64-bit Windows with the newest VS2015, the program is here:

C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe

Once you find it, use this command as administrator:

signtool remove /c C:\path\to\file.exe

The file path you'll need to supply appears in the UAC dialog when you try to launch the broken EXE.

Ben N

Posted 2016-07-22T00:35:39.417

Reputation: 32 973

This gives "SignTool Error: Unsupported file type" if you try and unsign an MSI – rolls – 2019-08-14T07:22:19.773

Asked: 2016-07-22T00:35:39.417

Viewed: 1 711 times

Active: 2016-07-22T16:57:13.083