2

When you install or delete a root CA certificate using the command-line tools CertUtil.exe or CertMgr.exe, Windows asks the user for confirmation using a MessageBox (for certificates other than root CA ones, this question is not asked), even for the root CA certificate store for the current user.

For unattended certificate updates, that is a hassle.

I have seen this behaviour on Windows XP, Vista and 7 (I have not checked Windows Server 2003 and 2008 yet, but I assume they ask this question as well).

I have two questions:

  1. Why is Windows asking that question, even when you install/delete it from a command-line tool?
  2. How can I suppress this (other than observing the dialog boxes coming up and sending Windows messages to press the "Yes" button)?

The MessageBox confirmation dialogs look like this:

[Root Certificate Store]
Do you want to DELETE the following certificate from the Root Store?
...
[&Yes]  [&No]

and this:

[Security Warning]
You are about to install a certificate from a certification authority (CA) claiming to represent:
...
[&Yes]  [&No]

--jeroen

3 Answers

5

The easiest solution is to incorporate the answer in the script like this:

echo Y | CertUtil.exe ....

This method doesn't always work for all programs, so it still needs some testing on your side.

For message-boxes, you can use nircmd with the dlg parameter.
In a script, you may also use the built-in command timeout /t seconds to give the message box the specified number of seconds in which to appear.

Here is an extract of the help file:

nircmd.exe dlg [Process Name] [Window Title] [Action] [Parameters]

Allows you to interact with standard dialog-boxes and message-boxes of Windows. When a dialog-box is opened, you can use this command to "click" the ok/cancel/yes/no buttons, or fill the text-boxes in the dialog-box.

The following command will choose the 'Yes' answer for any question dialog-box of Explorer process:
dlg "explorer.exe" "" click yes

The following command will choose the 'Cancel' answer for any question dialog-box of any process:
dlg "" "" click cancel

Parameters description:

[Process Name]: Specifies the process that created the desired window. You can specify only the process name or the full path of the process. If this parameter is an empty string (""), the command will be executed on any process.

[Window Title]: Specifies the title of the window on which you want to execute the action. If this parameter is an empty string (""), the command will be executed on any window, regardless of the window title.

[Action]: You can specify one of the following options:
click: Click the specified button. You can specify one of the following predefined values (For standard Windows dialog-boxes only !): yes, no, ok, cancel, retry, ignore, close, help. You can also specify any control ID as numeric value.
settext: Set the text of the specified control. The first parameter of this action specifies the ID of the control, and the second parameter specifies the text.

3
  • This doesn't work on the messageboxes that Windows uses to ask for confirmation. (I have edited my question to make the use of MessageBoxes by Windows clearer). Commented Sep 21, 2010 at 11:19
  • 1
    @Jeroen Pluimers: OK - added.
    – harrymc
    Commented Sep 21, 2010 at 16:04
  • Thx! It is similar to what I came up with myself. Commented Sep 21, 2010 at 21:26
1

For those cases, such as removing a trusted root certificate from the user store, that do not require any non-native software, I resort to removing the certificate from the registry with reg delete. Note that the X's below represent the thumbprint of the certificate.

reg delete HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\XXXXXXXXXXXXXXXXXXXXXXX /f
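
The thumbprint subkeys under that registry path can be listed before anything is removed, and the same listing serves as an audit of root CAs that are trusted for this user only. This is an added example, not part of the original answer; the function name Get-UserRootCertificate is hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original answer).
# Lists the root CA certificates physically stored in the current user's
# registry-backed Root store, i.e. the subkeys that "reg delete" would target.
# Read-only: nothing is installed or removed.

$userRootKey = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'

function Get-UserRootCertificate {   # hypothetical helper name
    # The key does not exist until a per-user root certificate has been added.
    if (-not (Test-Path -LiteralPath $userRootKey)) { return }

    Get-ChildItem -LiteralPath $userRootKey | ForEach-Object {
        # Each subkey is named after the certificate's SHA-1 thumbprint.
        $thumbprint = $_.PSChildName

        # Resolve the thumbprint through the certificate provider to get
        # readable details; a damaged entry yields $null here.
        $cert = Get-Item -LiteralPath "Cert:\CurrentUser\Root\$thumbprint" `
                         -ErrorAction SilentlyContinue

        # A root that is also in the machine store stays trusted after the
        # per-user copy is gone; one that is not is a user-only trust anchor.
        $inMachineStore = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumbprint"

        New-Object PSObject -Property @{
            Thumbprint     = $thumbprint
            Subject        = $(if ($cert) { $cert.Subject }  else { '<unreadable>' })
            NotAfter       = $(if ($cert) { $cert.NotAfter } else { $null })
            InMachineStore = $inMachineStore
        } | Select-Object Thumbprint, Subject, NotAfter, InMachineStore
    }
}

# Show the per-user roots; entries with InMachineStore = False deserve review.
Get-UserRootCertificate | Format-Table -AutoSize
```
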

0

For someone who, like me, was looking for how to respond with "yes" to the certutil.exe window via nircmd, here is the command.

C:\Users\<user>\Desktop>nircmdc.exe dlg "certutil.exe" "" click yes execmd certutil.exe -p xxxxx -user -importpfx cert.p12
