Demystification of the ProtectedRoots Registry Key

Well, hopefully some demystification of the key at least. :) Looking around, I had a hard time finding any real documentation for this key and its value: "SOFTWARE\Policies\Microsoft\SystemCertificates\root\ProtectedRoots\Flags". So this post is written in the hope that my notes help someone else.

Some info on the registry key and value:

  • The key was moved from Software\Policies to HKEY_USERS\.DEFAULT (Software\Microsoft\SystemCertificates\Root\ProtectedRoots), where the value of interest is the REG_DWORD named Flags.
  • This move makes sense once you know that HKEY_USERS\.DEFAULT is the profile hive of the LocalSystem account (HKEY_USERS\S-1-5-18 is a link to it), not the default user profile, as is commonly assumed.
  • To clarify the above point, this hive is not the same thing as \Users\Default, the folder that is copied to create new user profiles. That profile's registry data is kept in \Users\Default\ntuser.dat and has nothing to do with HKEY_USERS\.DEFAULT.
  • The SDK is your key to learning the values and what they do, more specifically the CERT_PROT_ROOT_* definitions in the wincrypt.h header. Yes, I know, we all have the SDKs loaded and ready at our disposal. :)
  • In wincrypt.h you will see the flag bits. The default (starting with Windows Vista/Server 2008) is 0x20, which is decimal 32 and is named CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG.
    • This bit disables the "not defined" name constraint check: a certificate whose subject or subject alternative name uses a name form that the root's name constraints neither permit nor exclude is still accepted, instead of the chain being flagged with CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT.
    • For those reading the wincrypt.h comments, the term "LH" refers to Longhorn (the codename for Vista), not to something like "localhost".
  • Short of the SDK, the most recent info I found was here: CA Certificates Tools and Settings.
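To make the locations and the flag bits concrete, here is an added PowerShell example (my own code, not from the original post or from Microsoft). It reads the Flags value from each place it may live, the .DEFAULT and HKCU keys as well as the machine and user policy keys, and decodes the bits using the CERT_PROT_ROOT_* names. The bit-to-name table is my transcription of wincrypt.h and should be checked against your own copy of the header before you rely on any bit other than 0x20; the function names and the path list are mine.

```powershell
# Added example, not code from the original post. Reads the ProtectedRoots
# "Flags" value from every location it may live in and decodes its bits.
#
# ASSUMPTION: the bit/name table below is transcribed from wincrypt.h; verify
# it against your own SDK copy. Only 0x20 is confirmed by this post.
$protRootFlags = [ordered]@{
    0x1     = 'CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG'
    0x2     = 'CERT_PROT_ROOT_INHIBIT_ADD_AT_INIT_FLAG'
    0x4     = 'CERT_PROT_ROOT_INHIBIT_PURGE_LM_FLAG'
    0x8     = 'CERT_PROT_ROOT_DISABLE_LM_AUTH_FLAG'
    0x10    = 'CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG'
    0x20    = 'CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG'  # Vista+ default
    0x10000 = 'CERT_PROT_ROOT_DISABLE_PEER_TRUST'
}

# Where the value can be found: the LocalSystem (.DEFAULT) hive and the
# current user's hive, plus the older Group Policy locations for both scopes.
$locations = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots'
    'HKCU:\Software\Microsoft\SystemCertificates\Root\ProtectedRoots'
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
    'HKCU:\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
)

function ConvertTo-ProtectedRootFlagList {
    # Turn a raw Flags DWORD into one object per set bit, naming each bit.
    param([Parameter(Mandatory)][uint32]$Value)

    $known = 0
    foreach ($bit in $protRootFlags.Keys) {
        $known = $known -bor $bit
        if (($Value -band $bit) -ne 0) {
            [pscustomobject]@{ Bit = '0x{0:X}' -f $bit; Name = $protRootFlags[$bit] }
        }
    }
    # Bits the table does not name are reported rather than silently dropped,
    # so an unexpected value (e.g. set by a third-party tool) stands out.
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) {
        [pscustomobject]@{ Bit = '0x{0:X}' -f $unknown; Name = '(undocumented bits)' }
    }
}

function Get-ProtectedRootFlags {
    # One row per location: the raw value in hex and the decoded bit names.
    foreach ($path in $locations) {
        $item = Get-ItemProperty -Path $path -Name Flags -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Path = $path; Flags = $null; Decoded = '(no Flags value)' }
            continue
        }
        # REG_DWORD comes back as a signed Int32; mask before the unsigned cast.
        $value = [uint32]($item.Flags -band 0xFFFFFFFF)
        $names = (ConvertTo-ProtectedRootFlagList -Value $value | ForEach-Object Name) -join ', '
        if (-not $names) { $names = '(no bits set)' }
        [pscustomobject]@{ Path = $path; Flags = '0x{0:X}' -f $value; Decoded = $names }
    }
}

Get-ProtectedRootFlags | Format-List
```

On a stock Vista-or-later box you should see 0x20 under HKEY_USERS\.DEFAULT (and typically under HKCU as well) and no Flags value under the policy keys unless Group Policy has set one. Anything other than 0x20, in particular 0x1 (which stops the current user's Root store from being consulted at all) or 0x10000 (which disables peer trust), is worth an explanation, since these bits change how root trust is built for every chain on the machine.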

For those who have asked: yes, this key is still present and still relevant on current Windows versions.

Hopefully this info takes some of the confusion out of this registry key. I make no guarantees that this read can cure insomnia, however.

Until next time...

-- If you like my blogs, please share it on social media, rate it, and/or leave a comment. --