Scan your Windows computer for untrusted root certificates - gHacks Tech News

Scan your Windows computer for untrusted root certificates

Root certificates are one core building block of today's Internet. They are used to verify connections and a list of trusted certificates ships with operating systems such as Windows which makes them more trustworthy than certificates added to the operating system by third-parties.

For end users, it is nearly impossible to tell which certificates are legitimate and which are not. While it is possible to display them all in a list in the Microsoft Management Console, there is no telling which ship with Windows, which are added by third-parties and which of them are legit and which are not, at least not on first glance.

The free program RCC attempts to change that by scanning Windows and Firefox root certificate stores to display certificates that should be looked at more closely.

scan root certificates

While the website of the author does not reveal how that is done, the most likely explanation is that it takes Microsoft's list of trusted root certificates into account at the very least and compare it to root certificates installed on the machine.

The program needs to be run from the command line:

  1. Download and extract it to a location on your system.
  2. Tap on the Windows-key, type cmd and hit enter.
  3. Navigate to the location of the extracted file on your system using the cd command, e.g. cd c:\users\martin\downloads
  4. Type rcc and hit enter.

The scan does not take long and the most interesting information are highlighted in red by the program. Interesting does not necessarily mean a rogue certificate though.

This means that you need to research them manually to find out more about them. While you could delete them right away, it might prevent services from running properly on your system if you do.

Find out more about a certificate

installed root certificates

You need to use a different program to find out more about listed root certificates.

  1. Tap on the Windows-key, type mmc and hit enter.
  2. Select File > Add/Remove Snap-Ins from the menu bar at the top.
  3. Select Certificates, then user account and finish.
  4. Click ok.
  5. Expand the list of certificates and open trusted root certification authorities from the listing.
  6. Locate the certificates that the scanner listed in its interface.

The console may list additional information about it, for instance the company that issues it, its intended purpose or when it is expiring.

To remove a certificate from the list, select it and hit the delete key on the keyboard afterwards. Before you do that, you may want to search the Internet for information about a certificate.

You may be able to identify some right away, for instance if a company name is used. That way you can tell right away if the certificate is still required or not on your system. If you don't use the company's services or products anymore on it, it is likely that it is not needed anymore.

Verdict

RCC is a useful program. It is portable and scans a system's and Firefox's root certificates to highlight certificates that you should investigate more closely to make sure rogue certificates are not installed on the computer system.

Summary
software image
Author Rating
1star1star1star1star1star
no rating based on 0 votes
Software Name
RCC
Operating System
Windows
Landing Page
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Tim said on April 5, 2015 at 1:20 pm
    Reply

    It’s a nice idea, although I can’t help wondering how useful this is in reality (that’s a genuine question BTW, I’m not mocking it)?

    If a piece of software has already gained admin privileges in order to install it’s own root certificate in the first place, that piece of software can already do whatever it wants on your computer, including capturing all your keystrokes and sending them to a remote server. Therefore, why would malicious software even go to the trouble of installing it’s own root cert in order to MITM you, unless the software is like SuperFish where it claims to have a ‘legitimate’ use?

  2. george kinbote said on April 5, 2015 at 2:56 pm
    Reply

    I ran VirusTotal on the download link
    1 hit: malicious site

    1. K699 said on April 6, 2015 at 9:23 am
      Reply

      Sophos and German outfit Clean MX classify the download (direct) link you’re saying as a “malicious site”, but the actual file (rcc.zip) is marked as containing malware by Qihoo 360.

      As for reports of RCC not working in Win 8.1/10, the software is in an early release state as warned by its developer and it is prone to bugs.

  3. Tasha said on April 5, 2015 at 2:59 pm
    Reply

    It crashes. Problem details:

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: rcc.exe
    Application Version: 1.2.2.1
    Application Timestamp: 552238cb
    Fault Module Name: rcc.exe
    Fault Module Version: 1.2.2.1
    Fault Module Timestamp: 552238cb
    Exception Code: c0000005
    Exception Offset: 00002e94
    OS Version: 6.1.7601.2.1.0.768.3

  4. Tom said on April 5, 2015 at 4:06 pm
    Reply

    Windows 8.1 “OS not supported”

  5. Rik said on April 5, 2015 at 4:12 pm
    Reply

    Note: Does not work with Windows 10 (“OS noty supported”)

  6. Denver said on April 5, 2015 at 4:51 pm
    Reply

    I would prefer to use built in tools when possible.
    Here is an article that might help:
    https://www.nsa.gov/ia/_files/factsheets/adf-2012-1202_defending_against_compromised_certificates.pdf

  7. John said on April 5, 2015 at 5:57 pm
    Reply

    My firewall records this program starting powershell.exe and going out to a number of websites:

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Outgoing TCP access allowed to: (ocsp.digicert.com;cs9.wac.edgecastcdn.net;crl3.digicert.com;cs9.wac.phicdn.net) 72.21.91.29:80

    Presumably this is where it checks the certificates.

    Blocking internet access results in the program just hanging after identifying what it calls ‘interesting certificates’. The last 4 lines shown in the first screen grab in this article never show up when access is blocked.

    Not impressed with the lack of disclosure about where the program goes on the internet. Deleted.

  8. Anthony said on April 5, 2015 at 11:39 pm
    Reply

    Always wonder how you find these little gems Martin.

    Thank you.

    I’d love to see a post about your sources.

    1. Martin Brinkmann said on April 6, 2015 at 9:53 am
      Reply

      The author contacted me directly this time.

      1. SF (author here) said on April 6, 2015 at 10:31 am
        Reply

        Martin, thanks for the nice review! Keep up the good work.

        @Tom, @Rik: please try the latest build (168), which should fix the “OS not supported” issue. Only Vista and below are truly not supported.

        @John: the scan process itself does not require Internet access; however what you are seeing is the result of RCC checking the CRL for a critical Mozilla Firefox DLL. Servers contacted are simply the ones listed in the Firefox code signature certificate chain. Also PowerShell (part of a vanilla OS install since Windows 7) is currently required for the enumeration of the Windows certificate store. I will document this in a small FAQ on the website.

        I hope to further improve both the software and the website, as time permits.

  9. aa said on April 10, 2015 at 3:02 am
    Reply

    I use Firefox portable. Is there a way to check for portable certificate stores?

  10. Dr Gadgit said on July 19, 2015 at 7:25 pm
    Reply

    I have built a windows SSL Checker that lets users view CA Root certificates in a tree view with child ‘Intermediate’ certificates below them and the program uses a white list of certificate thumbprints but i am not quite sure if my list is correct so please give me a link if you know of a list.

    The program lets users click on certificates to delete them and has a ‘Mark All Safe’ Button so it makes it easy to see if new certificates have been added behind your back.

    What i do know is that my ISP is hijacking DNS lookups for Youtube.com and can server up SSL pages for Youtube.com and I would like to get to the bottom of how they are doing this and this is why i needed to clean out all my CA certificates which lead me to write the program in the first place.

    One last thing is that Firefox on Android devices is now using DLNA to hack serial numbers from your “Smart TV’s” to be used as a type of super cookie so watchout for that one if you are using anything like the Tor network.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.