heinoganda

Root Certificates and Revoked Certificates for Windows XP

Since I have found no correct solution in the whole thread for updating the root certificates and revoked certificates, I would like to offer a way to keep them up to date.
For the security of Windows XP: as of the latest status, no more official patches for blocking various root certificates, and no certificate updates, are available.
For the revoked certificate update, download "rvkroots.exe" from Microsoft (http://www.microsoft.com/download/details.aspx?id=41542) and unzip it to a folder (e.g. with WinRAR). In "rvkroots.inf", the string VERSION should read "5,0,2195,0" and VER should read "005". The next step is to download "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst", paste it into the unzipped folder and replace the older file. Then, e.g. with WinRAR (Create Self-Extracting Archive), pack all files in the folder into an archive with the SFX option and the following comment:
TempMode
Silent=1
Overwrite=1
Setup=Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall

and you have a current update for blocking unsafe certificates!

 
For the root certificate update, download "rootsupd.exe" from Microsoft (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe) and unzip it to a folder (e.g. with WinRAR). In "rootsupd.inf", the string VERSION should read "40,0,2195,0" and VER should read "040". In the next step, download "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/updroots.sst", paste it into the unzipped folder and replace the older files. Then, e.g. with WinRAR (Create Self-Extracting Archive), pack all files in the folder into an archive with the SFX option and the following comment:
TempMode
Silent=1
Overwrite=1
Setup=Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall

and you have a current root certificate update!

 

For all languages!

Do this approximately every 3 months.

To update again, it is enough to open the generated SFX files with WinRAR and drag and drop the newer downloads (.sst files) into the archives.

 

:)

Edited by heinoganda
  • Upvote 1
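
The INF edit and the SFX comment from the procedure above, as an added example that is not part of the original post: it sets the two version strings quoted in the thread and builds the WinRAR comment for either package. The INF layout in `SAMPLE_INF` and the function names are assumptions; the .sst download and the WinRAR packing itself are left out.

```python
import re

# Target strings from the thread: (VERSION, Ver) for each INF file.
TARGETS = {
    "rvkroots.inf": ("5,0,2195,0", "005"),
    "rootsupd.inf": ("40,0,2195,0", "040"),
}

# A quoted assignment such as VERSION="38,0,2195,0" or Ver="038".
_ASSIGN = re.compile(r'^([ \t]*)(VERSION|VER)([ \t]*=[ \t]*)"([^"\r\n]*)"',
                     re.IGNORECASE | re.MULTILINE)

def patch_inf(text, inf_name):
    """Return (patched_text, changes); changes lists (key, old, new)."""
    version, ver = TARGETS[inf_name.lower()]
    wanted = {"VERSION": version, "VER": ver}
    seen, changes = set(), []

    def fix(m):
        key = m.group(2).upper()
        seen.add(key)
        if m.group(4) != wanted[key]:
            changes.append((m.group(2), m.group(4), wanted[key]))
        # Keep indentation, key spelling and spacing; swap only the value.
        return f'{m.group(1)}{m.group(2)}{m.group(3)}"{wanted[key]}"'

    patched = _ASSIGN.sub(fix, text)
    missing = set(wanted) - seen
    if missing:
        # Refuse to continue: this is probably not the expected INF file.
        raise ValueError(f"{inf_name}: no {sorted(missing)} string found")
    return patched, changes

def sfx_comment(inf_name):
    """WinRAR SFX comment from the post, for the given INF file."""
    if inf_name.lower() not in TARGETS:
        raise ValueError(f"unexpected INF name: {inf_name}")
    return ("TempMode\nSilent=1\nOverwrite=1\n"
            f"Setup=Rundll32.exe advpack.dll,LaunchINFSection {inf_name},DefaultInstall\n")

# Constructed sample (assumed layout); only the two quoted strings mirror
# values quoted in the thread. Real INF files use CRLF line endings.
SAMPLE_INF = ('[Strings]\r\n'
              '; WARNING!!!! (constructed placeholder line)\r\n'
              'VERSION="38,0,2195,0"\r\n'
              'Ver="038"\r\n')

if __name__ == "__main__":
    new_text, changed = patch_inf(SAMPLE_INF, "rootsupd.inf")
    for key, old, new in changed:
        print(f"{key}: {old} -> {new}")
    print(sfx_comment("rootsupd.inf"), end="")
```

Running `patch_inf` a second time on its own output reports no changes, which matches the thread's point that the strings only need editing once.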


@monroe

 

Procedure for updating the root certificates and revoked certificates > how to do this is in this post

These updates I do install on my regular Windows XP! > see this post

 

 

:)

Edited by heinoganda


heinoganda ... thanks for the reply and links. I am going to study all this step by step later today or tomorrow.

 

I'd like to keep that Roots certificate updated as much as possible.

 

monroe

 

 


Procedure for updating the root certificates and revoked certificates > how to do this is in this post

Heinoganda, thanks for the clear instructions, I created a new rvkroots.exe and rootsupd.exe

 

One question:

for rvkroots, I didn't have to change the rvkroots.inf, it already had the correct VERSION="5,0,2195,0"  and Ver="005"

 

for rootsupd, the original rootsupd.inf had VERSION="38,0,2195,0" and Ver="038"

Did I understand you correctly, can I just make a manual edit to rootsupd.inf, to change that to:

VERSION="40,0,2195,0"    

Ver="040"

 

without doing any other changes? The .inf file has a lot of "WARNING!!!!" lines, so I'm not sure if this is the correct way?

If I understand you correctly, these strings only need to be changed once (and only for rootsupd.inf); afterwards I don't have to change them again, even if I create new SFX files with newer .sst files?

 

THANKS!!

 

Edited by Atari800XL

Guest

Thanks, heinoganda. :)

Atari800XL, my understanding is that the Microsoft Update website and WSUS had issues detecting rootsupd and rvkroots versions. One instance was described on RyanVM.net last year. Another is discussed on Microsoft's TechNet.

My latest testing with Windows XP and 2003 shows no problems with current version numbers on the Microsoft Update website (v41 and v8). I leave the INF files alone.

Edited by 5eraph


for rootsupd, the original rootsupd.inf had VERSION="38,0,2195,0" and Ver="038"

Did I understand you correctly, can I just make a manual edit to rootsupd.inf, to change that to:

VERSION="40,0,2195,0"    

Ver="040"

 

without doing any other changes? The .inf file has a lot of "WARNING!!!!" lines, so I'm not sure if this is the correct way?

If I understand you correctly, these strings only need to be changed once (and only for rootsupd.inf); afterwards I don't have to change them again, even if I create new SFX files with newer .sst files?

 

Yes. You can edit both strings manually from 38 to 40 all right. And yes, once is enough. You don't need to change them again ever afterwards.

  • Upvote 1


Thanks dencorso!!!

It looks like 5eraph was working at this as well, but it's nice to have a description of exactly how this is done.

 

His versions are here (I hope/think he'll keep them updated in the future):

(see message #622 above, where he says "I leave the INF files alone")

 

Thank you all!!


Hi.

Why "40,0,2195,0" ?

Recent rootsupd has version "41,0,2195,0" on March 2014.

 

 

 

for rootsupd, the original rootsupd.inf had VERSION="38,0,2195,0" and Ver="038"
Did I understand you correctly, can I just make a manual edit to rootsupd.inf, to change that to:
VERSION="40,0,2195,0"    
Ver="040"
 
without doing any other changes? The .inf file has a lot of "WARNING!!!!" lines, so I'm not sure if this is the correct way?
If I understand you correctly, these strings only need to be changed once (and only for rootsupd.inf); afterwards I don't have to change them again, even if I create new SFX files with newer .sst files?

 

Yes. You can edit both strings manually from 38 to 40 all right. And yes, once is enough. You don't need to change them again ever afterwards.

 


Why "40,0,2195,0" ?

Recent rootsupd has version "41,0,2195,0" on March 2014.

 

The version number has to do with "WU" or "MU", where the version number is read from the registry; officially, the last relevant version numbers, "rvkroots.exe  5,0,2195,0" as well as "rootsupd.exe  40,0,2195,0", are crucial, and a deviation may result in the last (older) official updates from "WU" or "MU" being installed again until the version numbers match. (This was the situation as of May 2014.)

As "dencorso" correctly reported, you have to do this only once, and in future you only need to download the "*.sst" files and archive them again in "rvkroots.exe" and "rootsupd.exe".

 

@glnz

The first three are for Windows XP and the last two are for Office Compatibility Pack. I have had no problems with these updates.

Note: Officially, no root certificate updates or revoked-certificate updates (security relevant) have been available for Windows XP since May 2014!

 

@all non english XP Version User

Reminder about KB3055973 (only for English-language Windows XP), since no official update for other language versions of Windows XP has appeared so far! (rsaenh.dll (5.1.2600.6834) and schannel.dll (5.1.2600.6838) exist as the English version in all language versions of Windows XP, so the update is easily applicable to other language versions of Windows XP if the language restriction is lifted in "update_SP3QFE.inf"!)

 

addendum:

@all

Lately I've noticed that more and more web pages are encrypted with ECDSA (Cloudflare with Universal SSL), where Windows XP is not supported and these certificates are not accepted. Web sites that are encrypted with ECDSA are accessible on Windows XP only with the Firefox web browser. The Chrome browser has the problem that it falls back on the operating system's certificate management, so the Chrome browser does not display these pages. Is there a way for these ECDSA certificates to be processed under Windows XP? (I already tried exporting them from the registry with the help of Windows 7 and importing them into Windows XP; they do appear in the Certificate Manager, but without function when tested with the Chrome browser.)

 

:)

Edited by heinoganda


 

Why "40,0,2195,0" ?

Recent rootsupd has version "41,0,2195,0" on March 2014.

 

The version number has to do with "WU" or "MU", where the version number is read from the registry; officially, the last relevant version numbers, "rvkroots.exe  5,0,2195,0" as well as "rootsupd.exe  40,0,2195,0", are crucial, and a deviation may result in the last (older) official updates from "WU" or "MU" being installed again until the version numbers match. (This was the situation as of May 2014.)

As "dencorso" correctly reported, you have to do this only once, and in future you only need to download the "*.sst" files and archive them again in "rvkroots.exe" and "rootsupd.exe".

 

 

Umm, I know the last relevant version number in "rvkroots.exe" is 6,0,2195,0 on 2014 July and Windows Update's rootsupd.exe replaced older version since 2014 Dec. (I don't know the reason, but I had the same situation on Windows 2000.)

 

 

http://web.archive.org/web/20141212230530/http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

v 41,0,2195,0

 

Please see "Certplus Root CA G2"

e6da157b.png

1.2.840.10045.4.3.3 = sha384ECDSA

 

Here is my Windows 2000 Screen shot.

It can't recognize sha384ECDSA cert.

It uses rsaenh.dll (5.1.2600.6834) and schannel.dll (5.1.2600.6838)

 

But recent schannel.dll has 1.2.840.10045.4.3.3(sha384ECDSA) code inside.


@blackwingcat:

For some time, if one did not set the versions to "5,0,2195,0" for rvkroots.exe, as well as "40,0,2195,0" for rootsupd.exe, both the Windows Updates and the MS Updates websites would offer older certificates than those installed. 5eraph says it's not the case, anymore. In any case, the version number in the registry seems not to affect the operation of the certificates in any way.

  • Upvote 1


@blackwingcat

The version numbers that "rvkroots.exe" and "rootsupd.exe" write to the registry are unique identifiers for Windows Update or Microsoft Update and have no effect on the functionality of the certificates!

 

Regarding the update "WindowsXP-KB3055973-v3-x86-Embedded-ENU.exe" mentioned, with rsaenh.dll (5.1.2600.6834) and schannel.dll (5.1.2600.6838): this update does not apply to ECDSA encryption.

 

  • KB3055973 adds the following functionality: 

    This update adds support for the following Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Embedded POSReady 2009:
    • TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
    Note: These cipher suites are based on the RC4 algorithm.

 

This means that ECDSA certificates are normally not detected by the standard mechanism and cannot be registered. However, if one enters ECDSA certificates directly into the registry, then they are also visible in the Certificate Manager, unfortunately without function. (I believe I read on your blog that you enter the certificates by registry entry, which would explain why some ECDSA certificates are available. At least that would explain why you get ECDSA certificates displayed.)

 

Addition:

Now I have downloaded your certificate update and looked at it more closely, and I realized where the ECDSA certificates come from. You're using the Certmanager from Windows Vista to import the certificates. (ECDSA certificates are supported as of Windows Vista (cipher suite)!)     Note: "Necessity is the mother of invention!"

In schannel.dll I also found (1.2.840.10045.4.3.3), which raises some questions. At this point a C++ specialist should take a look to find out more.

As an aside: find out more detail about ECDSA encryption (SSL Universal) as well as "Windows XP cipher suite", then you'll understand why these certificates cannot function.

One consolation: it also failed. For ECDSA certificates to work, a profound intervention in the encryption of the operating system would have to take place.

 

@vinifera

You can even decompile the components of the updates and quickly check whether any data about you is sent to Microsoft. Joking apart, because of the current problems with the oh-so-great telemetry updates (Win7, Win8) I have given this a lot of thought, and I could not detect any network traffic in this regard. According to official information known to me, Windows XP is still partly in use in the US military, so I cannot imagine that the sending of telemetry data is desired there. Well, then there is still the option of installing no more updates.

 

:)

Edited by heinoganda


I am somewhat confused and have some questions with the current "rvkroots.exe" and "rootsupd.exe". So far all I have done is install the rootsupd.exe (v6.0.6000.16386) ... I forgot to look first to see what version I had installed before I ran the update.

 

When I check the version number of rvkroots.exe on my computer it is v6.0.6000.16386 ... and reading the last posts by dencorso ...

 

"the version number in the registry seems not to affect the operation of the certificates in any way."

 

and heinoganda ...

 

"The version numbers that "rvkroots.exe" and "rootsupd.exe" write to the registry are unique identifiers for Windows Update or Microsoft Update and have no effect on the functionality of the certificates!"

 

So far I have made no changes to the registry, I downloaded everything that heinoganda had posted with the links to several posts back. I have only installed the rootsupd.exe update (6.0.6000.1638). So if that's all I have to do for now and in the future ... then I have a current "working" roots certificate on my machine by just installing the update "manually"?

 

Do I understand this correctly and there is no need for me to go through all those other steps ... with registry and inf files?

...

Edited by monroe


@monroe

Do not be angry, but I posted a tutorial here on how to get current root certificates and revoked certificates for Windows XP again. Now, follow the steps exactly, then you will understand what is at stake with these version numbers! Incidentally, it does not say there that you should only download and install "rvkroots.exe" and/or "rootsupd.exe".  :no:

 

:)


heinoganda ... no way am I angry, I usually have to ask more questions or get more information on various workings of the computer or XP ... could also be of help to someone else.

 

I will have more time this evening to go over the information you provided.

 

Thanks ...

 
