[Notes] Removing untrusted certificates from Windows

Last updated on December 12, 2024

While browsing Zhihu today, someone mentioned that EasyConnect adds its own CA certificate to the system. I checked my own system and found that it is true, so here I record the process of deleting these malicious certificates.

Finding the malicious certificates

  1. Download sigcheck
  2. Download authrootstl.cab
  3. Place authrootstl.cab in the root directory of sigcheck
  4. Disconnect from the network and run the following commands

```
sigcheck64.exe -tv
sigcheck64.exe -tuv
```
  • This produced the following results

```
Machine\ROOT:
Sangfor Technologies Inc.
Cert Status: Valid
Valid Usage: All
Cert Issuer: Sangfor Technologies Inc.
Serial Number: 00 DE A4 D5 FA 33 CF 9E 9E
Thumbprint: A9062C5C1721FF87EBCBD89DF03719755560E7A0
Algorithm: sha256RSA
Valid from: 23:27 2017/4/27
Valid to: 23:27 2117/4/3
Machine\TrustedPublisher:
Sangfor Technologies Inc.
Cert Status: Valid
Valid Usage: All
Cert Issuer: Sangfor Technologies Inc.
Serial Number: 00 DE A4 D5 FA 33 CF 9E 9E
Thumbprint: A9062C5C1721FF87EBCBD89DF03719755560E7A0
Algorithm: sha256RSA
Valid from: 23:27 2017/4/27
Valid to: 23:27 2117/4/3
```

Deleting the malicious certificates

  • Note the Thumbprint of the certificate to be deleted
  • Save the following file as rm-ca.ps1

```powershell
param(
    # SHA-1 thumbprint (hex, no spaces) of the certificate to remove
    [string]$Thumbprint = $(throw "Parameter missing: -Thumbprint Thumbprint")
)

# Stores to search. The sigcheck output above listed the certificate in both
# Machine\ROOT and Machine\TrustedPublisher, so TrustedPublisher is included.
# Removing from the localmachine stores requires an elevated (administrator) shell.
$CAStores = "cert:\currentuser\root", "cert:\currentuser\authroot", "cert:\currentuser\TrustedPublisher",
            "cert:\localmachine\root", "cert:\localmachine\authroot", "cert:\localmachine\TrustedPublisher"

$exist = 0
foreach ($store in $CAStores) {
    # The certificate provider addresses a certificate by store path + thumbprint
    $location = $store + "\" + $Thumbprint
    if (Test-Path -Path $location) {
        $exist = 1
        Remove-Item -Path $location -Force
        Write-Host "Removed $location"
    }
}
if ($exist -eq 0) {
    Write-Host "Thumbprint does not exist."
}
```
  • Run .\rm-ca.ps1 -Thumbprint A9062C5C1721FF87EBCBD89DF03719755560E7A0 to delete the corresponding certificate
  • Repeat "Finding the malicious certificates" to confirm that the removal succeeded
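As an added audit helper (not part of the original post or of sigcheck), the script below lists every certificate in the Root and TrustedPublisher stores of both CurrentUser and LocalMachine that is not also present in the AuthRoot store, which Windows fills from the Microsoft Trusted Root Program. It is a triage list for the finding and confirmation steps above, not a verdict: Windows' own built-in Microsoft roots will appear too, and the assumption that AuthRoot approximates authrootstl.cab is mine; sigcheck -tv remains the authoritative check.

```powershell
# Added audit helper, not from the original post. Assumption: the AuthRoot
# store is a usable offline proxy for authrootstl.cab.

# Collect thumbprints of roots distributed through the Microsoft program
$authRoot = @{}
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    Get-ChildItem -Path "Cert:\$loc\AuthRoot" -ErrorAction SilentlyContinue |
        ForEach-Object { $authRoot[$_.Thumbprint] = $true }
}

# Stores where a locally injected CA would have to live to be trusted
$stores = foreach ($loc in 'CurrentUser', 'LocalMachine') {
    foreach ($name in 'Root', 'TrustedPublisher') { "Cert:\$loc\$name" }
}

$candidates = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { -not $authRoot.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # A self-signed entry in Root is a trust anchor added locally
                SelfSigned = ($_.Subject -eq $_.Issuer)
                # Unusually long validity (the page's example runs to 2117) stands out here
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

# Same thumbprint appearing in several stores (as in the sigcheck output) groups together
$candidates | Sort-Object Thumbprint, Store | Format-Table -AutoSize
```

Review each row by Subject and Issuer; a thumbprint confirmed as unwanted is then removed with rm-ca.ps1 as described above.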

https://hexo.limour.top/remove-untrusted-certificates-windows
Author: Limour
Posted on: December 12, 2024