Where do I find the certificate file so I can add a program to "Trusted Publishers" in the certmgr?

7

2

I have three programs that startup automatically with Windows 7.

They are:

  • Webroot SecureAnywhere
  • Soluto Anti-Frustration Software
  • everything.exe

Each of these programs brings up a blue UAC dialog every time the machine starts. (Okay, so everything.exe gives me a yellow one....)

A pair of blue UAC dialogs

In an effort to stop this I've begun reading about UAC. I've read about it:

"Only elevate executable files that are signed and validated – Enabling this options will prevent any application that is not digitally signed by a vendor inside the Trusted Publishers list on your computer to run."

and it says that if I add the associated certificates to the "Trusted Publishers" tree node of the certmgr I will be able to stop these blue UAC dialogs from prompting. However...I don't know where to find the certificate files for import.

While I'm pretty sure that everything.exe doesn't have a certificate, the other two programs come from reputable shops; though I can't find certificates on their websites, or any mention of where I can find them.

They're stored as *.cer or *.crt files; I really don't know where they are.

I'm not completely sure that the "Trusted Publishers tree node" fix is what I want. This problem is on my personal laptop.


Update

This question led me to another question about why the chain of trust is broken

leeand00

Posted 2012-08-21T03:48:39.247

Reputation: 14 882

I haven't found any certificates on my system that match the company for Soluto or Webroot. – leeand00 – 2012-08-21T03:51:07.717

Is there any more information about the cert in the link on the first dialog box? – Paul – 2012-08-21T05:26:23.737

You bet, I can read all about it but there's no file I can find. – leeand00 – 2012-08-21T11:27:12.207

See the UPDATE: section of my answer, it shows how to generate the cer file. – Scott Chamberlain – 2012-08-21T13:21:27.937

Answers

5

Open the executable's properties and go to the Digital Signatures tab. (If there is no Digital Signatures tab, which I bet everything.exe will not have, then the program is not signed and you must sign it yourself with a self-signed certificate. Search Stack Overflow for instructions on how to do that.)


From there click on Details to bring up the Digital Signature Details window.


From that window click View Certificate to bring up the certificate page.


From there click Install Certificate. On the second page, when choosing the certificate store, change from Automatically select... to Place all certificates in the following store. Then browse and choose the Trusted Publishers store.



NOTE: The above steps put the certificate in the User's Trusted Publisher store. If you need the Machine's trusted publisher store you must export the certificate by going to the Details tab of the certificate's window and clicking Copy to File.


The default selections are fine for exporting. When you choose a name for your file, make sure you put the file extension on; it does not put it there by default.

Once you have the .cer file you can open MMC from the Run dialog, add the Certificates snap-in and set it to the Computer account store.


That should open a snap-in module called Certificates (local computer). From that screen right click on Trusted Publishers, go to All Tasks, then click Import.


From the new window that opens you can select the .cer file you exported from the earlier instructions and it should add it to the machine store.


All screenshots were taken from a Windows-7 Enterprise edition, but it should be the same for all other editions.

Scott Chamberlain

Posted 2012-08-21T03:48:39.247

Reputation: 28 923
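The GUI steps in the answer above, scripted. This is an added example, not part of the original answer. It uses only `Get-AuthenticodeSignature` and .NET certificate classes so it also runs on the PowerShell that ships with Windows 7. The two paths are placeholders (assumptions), and writing to the LocalMachine store requires an elevated prompt.

```powershell
# Added example: read an executable's Authenticode signer, report any chain
# problems, export the certificate as .cer, and add it to Trusted Publishers.
# $ExePath and $CerPath are placeholder values (assumptions), not from the page.
param(
    [string]$ExePath = 'C:\Path\To\Program.exe',
    [string]$CerPath = "$env:TEMP\publisher.cer",
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Location = 'LocalMachine'   # machine store applies to all users
)

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($null -eq $sig.SignerCertificate) {
    # Same case as "no Digital Signatures tab": nothing to export.
    throw "No signer certificate found on $ExePath (status: $($sig.Status))."
}
$cert = $sig.SignerCertificate

# Show what is about to be trusted so it can be compared with the vendor's identity.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"Signature  : $($sig.Status) - $($sig.StatusMessage)"

# Diagnostic only: list chain-of-trust problems (the yellow warning sign in the
# certificate dialog). An expired but timestamped signer can show NotTimeValid here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    "Chain issue: $($s.Status) - $($s.StatusInformation.Trim())"
}

# Do not trust a publisher whose signature on this file does not validate.
if ($sig.Status -ne 'Valid') {
    throw "Refusing to add publisher: signature status is $($sig.Status)."
}

# Equivalent of Details > Copy to File (DER-encoded .cer, public certificate only).
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($CerPath, $cert.Export($type))

# Equivalent of Trusted Publishers > All Tasks > Import in the chosen store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', $Location)
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }
"Added $($cert.Thumbprint) to $Location\TrustedPublisher; exported copy at $CerPath"
```

Compare the printed thumbprint with the one shown on the certificate's Details tab before relying on the import.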

What's the difference between the User's Trusted Certificate store and the Machine's Trusted Certificate store?

Does the Machine's Trusted Certificate store apply to all users on the machine and not just the current user? – leeand00 – 2012-08-21T19:04:25.400

Correct. Also it applies to things that happen before any user logs in (like things running on start up that start before the login screen (for example: drivers)) – Scott Chamberlain – 2012-08-21T19:24:04.043

Okay just to test it all out I put Webroot in as a Machine Trusted Certificate and I put Soluto in as a Trusted Publisher certificate. When I rebooted, I still got the UAC dialog for Webroot, but did not get one for Soluto. I just added Webroot as Trusted Publisher, and I'm going to reboot and find out what happens. – leeand00 – 2012-08-22T02:12:25.743

Well I rebooted, and now all three popped up so what do ya make of that? – leeand00 – 2012-08-22T02:54:11.310

I know that my certificate for Soluto under the details tab, the Key Usage field has a little yellow ! Road sign by it. – leeand00 – 2012-08-22T02:57:10.653

(and for that matter so does Webroot... – leeand00 – 2012-08-22T02:57:47.783

Oh wait I put it in Trusted Root Certificates instead...I don't really seem to have a machine trusted certificate...if I add the right snap-in I have Homegroup Machine Certificate, is it that? – leeand00 – 2012-08-22T03:25:07.193

@leeand00 I have updated my answer with more images of how to find the machine store, did you choose the correct store? – Scott Chamberlain – 2012-08-22T06:40:11.183

For the yellow road sign, it means something is wrong with the chain of trust. It should tell you what it is not happy about in the certificate details. You can ask new questions about fixing the problem the details say you have for the certificate. – Scott Chamberlain – 2012-08-22T06:44:58.350