Jump to content

Root Certificates and Revoked Certificates for Windows XP


Recommended Posts

22 minutes ago, egrabrych said:

Another change has come.


The contents of the updroots.sst file have been changed; the contents of the other * .sst files are unchanged.

No repeat of the "out of memory" error this time.
I did have Firefox 52.9.1 ESR running, but with no tabs open.

Link to comment
Share on other sites

On 8/12/2021 at 3:59 PM, Dave-H said:

I can't imagine why it wouldn't, but I'm sure someone with a Vista installation will confirm or deny that!

A few days ago I had problems in Windows 7 to access websites, Chromium showed the "Your clock is ahead" error but the time was correct. I used @heinoganda's certificate updater and it solved the issue so I guess this tool works on Vista as well. :yes:


Link to comment
Share on other sites

Can you add Heinoganda's updater or any other updaters that have been released here to the first post? The link is in the middle of the thread and hard to find.

Link to comment
Share on other sites

9 hours ago, Dave-H said:


Dave , I'm absolutely not able to make this tool work .  Someone , please tell what am I doing wrong ? I had to reinstall my Vista from scratch , because of the new videocard I bought (but that's another story). Now I obviously have all certificates outdated . 

1 - So I start this tool version 1.6 and it tries to connect via HTTP to Level 3 Communications, Inc. (which is blocked by my firewall, of course).

IP in the range -

and some unknown to me "Limelight Networks Inc. , Great Britain" , is this where it supposed to fetch the certificates ? What are these organisations ?

2 - It will endlesly send it's requests to the above and nothing happens for hours.


Somewhat ironic to update cetificates via http , kind of defeats their purpose , anyone can send you the forged ones , no ?

So I'm back to the old method , cert. pack by legacyfan , it works , but it has no MSFN (D3) and some others are missing too.

Thank you !


Edited by Dixel
Link to comment
Share on other sites

Well , I didn't use any older versions , so no . Readme file says :

"If you have used the previous version 1.4 or 1.5 of Cert_Updater and

have not yet updated the URL's after the last Roots and Revoked certificate update,

please run "DL_URL_UPD.reg"."

Link to comment
Share on other sites

Ah right.
This is what your registry entry for the updater should look like.

Windows Registry Editor Version 5.00

"Last Update Roots"="06/10/21   22:35   Status OK"
"Last Update Revoked"="06/10/21   22:35   Status Ok"

If it's the same, I don't know why it would be looking in those strange places!


Link to comment
Share on other sites

One of the addresses of wsus.ds.download.windowsupdate.com resolves to on Level 3 for me. I suppose Microsoft has content distribution networks all over the world on various IPs.

How else would you get the certificates if the server required SSL but you didn't have the certificate because you need to run the updater? An SSL server typically asks for the newest algorythms and cerficiates to appear professional.

Link to comment
Share on other sites

15 hours ago, Dixel said:

I'm absolutely not able to make this tool work .

I have never used the tool, instead I have always used the manual process outlined on page #1 of this thread:

 Download and extract the two updroots.exe packages (they are the same except for the inf files):
 · updroots.exe [5.2.3790.4456]
 · ADVPACK.DLL  [7.0.5489.0]
 · rvkroots.inf and rootsupd.inf

 Tweak both rvkroots.inf and rootsupd.inf with:
 · VERSION="5,0,2195,0"
 · Ver="005" and Ver="040"

 Download the latest .sst files (from http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/):
 · disallowedcert.sst
 · authroots.sst
 · delroots.sst
 · roots.sst
 · updroots.sst

 Use Rundll32.exe to apply the files:
 · Rundll32.exe advpack.dll,LaunchINFSection rvkroots.inf,DefaultInstall
 · Rundll32.exe advpack.dll,LaunchINFSection rootsupd.inf,DefaultInstall

This has always worked for me.


Link to comment
Share on other sites

I didn't check the links but assuming you got the one to work for the Revoked Certificate Update:
 · http://www.microsoft.com/download/details.aspx?id=41542
...it returns rvkroots_3f2ce4676450c06f109b5b4e68bec252873ccc21.exe

Everything is the same for the Root Certificate Update except for the .inf, file, this is it:

Signature = "$Chicago$"
Provider = %Msft%
AdvancedINF = 2.0,%AdvPack%

RequiredEngine = setupapi.dll,%SetupAPI%
CheckAdminRights = 1
RunPostSetupCommands = RunPostSetupCmds

updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst

HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%",,,"%COMPName%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","IsInstalled",0x10001,01,00,00,00
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","Version",,"%VERSION%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","Locale",,"%LANG%"
HKLM,"Software\Microsoft\Active Setup\Installed Components\%GUID%","ComponentID",,"%COMPID%"

; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; !!!!!!!WARNING!!!!!!!!
; >>>>> VERSION must be updated for each update roots package <<<<<
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A} = 40,0,2195,0
; "Ver" must also match the first field of VERSION.

; Don't change this -- this is our unique GUID

; Don't change these either
COMPID=Windows Roots Update

; Same set of roots for all locales

; localizeable Strings
Msft = "Microsoft"
AdvPack = "The correct version of Advpack.dll was not found, update halted."
SetupAPI = "Required file: SetupAPI.dll, is missing from your system."

I do have a copy of rootsupd.exe from 5th June 2020 but I'm not sure I'm supposed to post such things.


Link to comment
Share on other sites

@Dave-H , no , it's not blocked by me , I'm getting error 403 , MS forbids me from looking at that page . HTTP , yes , it supposed to be HTTP , no ?

As @j7n said , on Level 3 Communications is where MS hosts them , so I unblocked that address . So minus one strange location.

Also , perhaps Limelight Networks Inc, GB is where the rest of them reside , some spare hosting ? 

It would make sense , because UK is close to me. Like very very close. The closest MS server would definitely be there. 


As for 403 error , I remembered I read somewhere on MSFN (360browser topic?) , some of the members reported MS blocked France from getting updates.

Edited by Dixel
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...