Root Certificates and Revoked Certificates for Windows XP

[XPerceniol]

Thanks!

[Dave-H]

22 minutes ago, egrabrych said:

Another change has come.

The contents of the updroots.sst file have been changed; the contents of the other * .sst files are unchanged.

Thanks!

No repeat of the "out of memory" error this time.
I did have Firefox 52.9.1 ESR running, but with no tabs open.

[Humming Owl]

On 8/12/2021 at 3:59 PM, Dave-H said:

I can't imagine why it wouldn't, but I'm sure someone with a Vista installation will confirm or deny that!

A few days ago I had problems in Windows 7 to access websites, Chromium showed the "Your clock is ahead" error but the time was correct. I used @heinoganda's certificate updater and it solved the issue so I guess this tool works on Vista as well. 

Cheers.

[j7n]

Can you add Heinoganda's updater or any other updaters that have been released here to the first post? The link is in the middle of the thread and hard to find.

[Dave-H]

Done.

[Dixel]

9 hours ago, Dave-H said:

Done.

Dave , I'm absolutely not able to make this tool work .  Someone , please tell what am I doing wrong ? I had to reinstall my Vista from scratch , because of the new videocard I bought (but that's another story). Now I obviously have all certificates outdated . 

1 - So I start this tool version 1.6 and it tries to connect via HTTP to Level 3 Communications, Inc. (which is blocked by my firewall, of course).

IP in the range 8.238.0.0 - 8.238.255.255

and some unknown to me "Limelight Networks Inc. , Great Britain" , is this where it supposed to fetch the certificates ? What are these organisations ?

2 - It will endlesly send it's requests to the above and nothing happens for hours.

P.S. 

Somewhat ironic to update cetificates via http , kind of defeats their purpose , anyone can send you the forged ones , no ?

So I'm back to the old method , cert. pack by legacyfan , it works , but it has no MSFN (D3) and some others are missing too.

Thank you !

 

Edited October 6, 2021 by Dixel
IPs

[Dave-H]

That's very strange!
Did you import the registry file that came with the package?
As far as I know that sets the download URLs.

[Dixel]

Well , I didn't use any older versions , so no . Readme file says :

"If you have used the previous version 1.4 or 1.5 of Cert_Updater and

have not yet updated the URL's after the last Roots and Revoked certificate update,

please run "DL_URL_UPD.reg"."

[Dave-H]

Ah right.
This is what your registry entry for the updater should look like.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Cert_Updater]
"Version"="1.6"
"SST_Download_URL"="http://wsus.ds.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en"
"SST_Download_URL_D1"="http://ds.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en"
"SST_Download_URL_D2"="0"
"SST_Download_URL_D3"="0"
"SST_Download_URL_D4"="0"
"SST_Download_URL_D5"="0"
"max_number_of_download_attempts"="30"
"file_for_settings_URL"="0"
"log_file_enable"="0"
"end_timer"="0"
"AUTHDATE"="20210910"
"DELDATE"="20210910"
"ROOTDATE"="20210910"
"UPDDATE"="20210910"
"DISALLOWEDDATE"="20210316"
"Last Update Roots"="06/10/21   22:35   Status OK"
"Last Update Revoked"="06/10/21   22:35   Status Ok"
"webspider_to_compare"="1"

If it's the same, I don't know why it would be looking in those strange places!

Cert_Updater.reg

[j7n]

One of the addresses of wsus.ds.download.windowsupdate.com resolves to 8.238.102.254 on Level 3 for me. I suppose Microsoft has content distribution networks all over the world on various IPs.

How else would you get the certificates if the server required SSL but you didn't have the certificate because you need to run the updater? An SSL server typically asks for the newest algorythms and cerficiates to appear professional.

[Ben Markson]

15 hours ago, Dixel said:

I'm absolutely not able to make this tool work .

I have never used the tool, instead I have always used the manual process outlined on page #1 of this thread:

 Download and extract the two updroots.exe packages (they are the same except for the inf files):
 · updroots.exe [5.2.3790.4456]
 · ADVPACK.DLL  [7.0.5489.0]
 · rvkroots.inf and rootsupd.inf

 Tweak both rvkroots.inf and rootsupd.inf with:
 · VERSION="5,0,2195,0"
 · Ver="005" and Ver="040"

 Download the latest .sst files (from http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/):
 · disallowedcert.sst
 · authroots.sst
 · delroots.sst
 · roots.sst
 · updroots.sst

 Use Rundll32.exe to apply the files:
 · Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall
 · Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall

This has always worked for me.

Ben.
 

[Dixel]

[Dave-H]

I know you're very tight on security, do you have that URL blocked somewhere?
I notice it's http, not https.

[Ben Markson]

I didn't check the links but assuming you got the one to work for the Revoked Certificate Update:
 · http://www.microsoft.com/download/details.aspx?id=41542
...it returns rvkroots_3f2ce4676450c06f109b5b4e68bec252873ccc21.exe

Everything is the same for the Root Certificate Update except for the .inf, file, this is it:
 

[Version]
Signature = "$Chicago$"
Provider = %Msft%
AdvancedINF = 2.0,%AdvPack%

[DefaultInstall]
RequiredEngine = setupapi.dll,%SetupAPI%
CheckAdminRights = 1
AddReg=AppCompatSetup.reg
RunPostSetupCommands = RunPostSetupCmds

[RunPostSetupCmds]
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst

[AppCompatSetup.reg]
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%",,,"%COMPName%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","IsInstalled",0x10001,01,00,00,00
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","Version",,"%VERSION%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","Locale",,"%LANG%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","ComponentID",,"%COMPID%"

[Strings]
; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; >>>>> VERSION must be updated for each update roots package <<<<<
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A} = 40,0,2195,0
; "Ver" must also match the first field of VERSION.
VERSION="40,0,2195,0"    
Ver="040"

; Don't change this -- this is our unique GUID
GUID={EF289A85-8E57-408d-BE47-73B55609861A}

; Don't change these either
COMPID=Windows Roots Update
COMPName=RootsUpdate

; Same set of roots for all locales
LANG=*

;----------------------
; localizeable Strings
;----------------------
Msft = "Microsoft"
AdvPack = "The correct version of Advpack.dll was not found, update halted."
SetupAPI = "Required file: SetupAPI.dll, is missing from your system."

I do have a copy of rootsupd.exe from 5th June 2020 but I'm not sure I'm supposed to post such things.

Ben.
 

[Dixel]

@Dave-H , no , it's not blocked by me , I'm getting error 403 , MS forbids me from looking at that page . HTTP , yes , it supposed to be HTTP , no ?

As @j7n said , 8.238.102.254 on Level 3 Communications is where MS hosts them , so I unblocked that address . So minus one strange location.

Also , perhaps Limelight Networks Inc, GB is where the rest of them reside , some spare hosting ? 

It would make sense , because UK is close to me. Like very very close. The closest MS server would definitely be there. 

P.S.

As for 403 error , I remembered I read somewhere on MSFN (360browser topic?) , some of the members reported MS blocked France from getting updates.

Edited October 7, 2021 by Dixel
P.S.