1

Is it possible to listen on the certificate store when certificates are added/removed? I am hoping to avoid unreliable card reader listening.

Banshee

4 Answers

1

You should be able to find all certificates in Windows Registry in the System Store, which means you should be able to track changes using WMI Registry Events, as described in this SO answer https://stackoverflow.com/a/145934/1659828.

Community
Honza Brestan
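
The WMI registry-event approach from the answer above, as an added example (not the answerer's code): it subscribes to `RegistryTreeChangeEvent` on the machine certificate stores and, on each event, diffs thumbprints to report what was added or removed. It assumes Windows PowerShell 5.1 (for `Register-WmiEvent`) and that the machine stores live under `HKLM\SOFTWARE\Microsoft\SystemCertificates`; the store list and the `CertStoreChange` identifier are chosen for illustration.

```powershell
# Added example: watch machine certificate stores via WMI registry events.
# Assumptions: Windows PowerShell 5.1; store list and event name are illustrative.
$stores = 'My', 'Root', 'CA'
$id     = 'CertStoreChange'

function Get-StoreSnapshot {
    # Map "store/thumbprint" -> subject for every certificate in the watched stores
    $snap = @{}
    foreach ($s in $stores) {
        Get-ChildItem "Cert:\LocalMachine\$s" | ForEach-Object {
            $snap["$s/$($_.Thumbprint)"] = $_.Subject
        }
    }
    $snap
}

# Backslashes in RootPath are escaped for WQL
$query = "SELECT * FROM RegistryTreeChangeEvent " +
         "WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND RootPath='SOFTWARE\\Microsoft\\SystemCertificates'"

Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier $id

$before = Get-StoreSnapshot
try {
    while ($true) {
        Wait-Event -SourceIdentifier $id | Out-Null
        Start-Sleep -Milliseconds 500                      # let a burst of writes settle
        Get-Event -SourceIdentifier $id | Remove-Event     # drain everything queued so far

        $after = Get-StoreSnapshot
        foreach ($k in $after.Keys) {
            if (-not $before.ContainsKey($k)) { "ADDED   $k  $($after[$k])" }
        }
        foreach ($k in $before.Keys) {
            if (-not $after.ContainsKey($k)) { "REMOVED $k  $($before[$k])" }
        }
        $before = $after
    }
}
finally {
    Unregister-Event -SourceIdentifier $id
}
```

The WMI registry provider does not raise events for `HKEY_CURRENT_USER`; to watch a per-user store, use `Hive='HKEY_USERS'` with the user's SID at the start of `RootPath` and snapshot `Cert:\CurrentUser` instead.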
0

SysInternals Process Monitor (downloadable from Microsoft TechNet, written by Mark Russinovich) allows you to monitor registry activity of various processes.

Specifically to watch changes to certificates in certificate stores, use the following filters:

  • Path contains "cert"
  • Operation begins with "RegSet" or "RegDelete" or "RegRename"

The image below shows an example.

Process Monitor capturing certificate store changes

To find out which certificate it corresponds to, use "regedit", go to the path shown, and read the binary data of the Blob. The corresponding ASCII text will be shown on the right side, which reveals information of the certificate, including the subject name.

robbie fan
-1

You can use file Watcher:

Here

-1

You could use some hash function, like md5 or sha1, to detect changes in certificate store file.

R.Sicart
  • Not very informative, don't really know what to do with this. – Banshee Jul 10 '14 at 09:22
  • In forensics, to be sure that a file is not modified when copying it, people usually use some hash function (e.g. md5()) before and after copying the file and compare the results. Following the same principle, you can know when a file is modified if the last hash function result is different. – R.Sicart Jul 10 '14 at 20:47