How to reset Windows trusted certificates store to its default

Theoretically, you could apply the following method:

  1. Delete all root CA certificates except the ones that are absolutely needed by Windows itself, as indicated here.

  2. Install the current list of trusted root CAs from the current package. Note that validation of this package requires that you still trust one of the "necessary" root CAs, which is why you must keep them in the first step.

I emphasize that I have not tested this method. As a preparatory step, you may want to first make a backup of all these certificates: run certmgr.msc, open the Root store, select them all (e.g. with Ctrl-A), then right-click and choose to export them all as a PKCS#7 file. That file will contain a copy of all the certificates, which should allow you to repair things, if the method above fails in some way. There again, the recovery is untested.

Be wary of the multiplicity of stores. certmgr.msc shows an aggregate view containing certificates from various sources ("physical stores"). To understand what you are about to do, in the certificate manager, right-click on the Certificates node (root node of the tree in the left pane), select View then Options, and select the Physical certificate stores box. This process is described in this blog entry (with screenshots).
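As an added example (this is not code from the answer above), the preparatory backup step and the later "repair" step can be scripted in PowerShell instead of clicking through certmgr.msc. It assumes Windows PowerShell 5.1 or later with the built-in PKI module (Export-Certificate, Import-Certificate); the backup directory name is an arbitrary choice, and the comparison relies on X509Certificate2Collection being able to load an .sst file on Windows.

```powershell
# Added example, not code from the answer above. Assumes Windows PowerShell 5.1 or later
# with the built-in PKI module (Export-Certificate, Import-Certificate). The backup
# directory is an arbitrary choice.
$BackupDir = Join-Path $env:USERPROFILE 'root-store-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-RootStore {
    # Writes every certificate in <Scope>\Root to one serialized store (.sst) file,
    # the same thing certmgr.msc does when you select all and export the store.
    param([ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser')
    $certs = Get-ChildItem -Path "Cert:\$Scope\Root"
    $file  = Join-Path $BackupDir ("Root-{0}-{1}.sst" -f $Scope, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $certs | Export-Certificate -FilePath $file -Type SST | Out-Null
    Write-Host ("Saved {0} certificates from Cert:\{1}\Root to {2}" -f $certs.Count, $Scope, $file)
    return $file
}

function Compare-RootStore {
    # Reads a backup without importing it and lists what the live store no longer has,
    # which is what you want to know before deciding whether to restore anything.
    param([Parameter(Mandatory)][string]$BackupFile,
          [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser')
    $saved = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $saved.Import($BackupFile)                    # assumption: the collection loads .sst on Windows
    $live  = @(Get-ChildItem -Path "Cert:\$Scope\Root" | ForEach-Object Thumbprint)
    $saved | Where-Object { $_.Thumbprint -notin $live } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Restore-RootStore {
    # Puts the backed-up certificates back; ones that are still present are skipped.
    # (certutil -addstore Root <file>.sst is the equivalent if you prefer certutil.)
    param([Parameter(Mandatory)][string]$BackupFile,
          [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser')
    Import-Certificate -FilePath $BackupFile -CertStoreLocation "Cert:\$Scope\Root"
}

# 1. Back up before touching anything (LocalMachine needs an elevated prompt).
$userBackup = Backup-RootStore -Scope CurrentUser
# $machineBackup = Backup-RootStore -Scope LocalMachine

# 2. ... delete the non-essential roots and reinstall the Microsoft package as described above ...

# 3. Afterwards, see what disappeared, and restore the whole set if something broke.
Compare-RootStore -BackupFile $userBackup -Scope CurrentUser | Format-Table -AutoSize
# Restore-RootStore -BackupFile $userBackup -Scope CurrentUser
```

Like certmgr.msc, the Cert: drive shows the aggregated Root view, so the backup contains certificates from all physical stores feeding it; restoring writes them back through the same aggregated path, so check Compare-RootStore once more afterwards if you care which physical store a given root ended up in.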


I found the following simple method to remove the locally trusted CA certificates not present in the official and current Microsoft Certificate Trust List:

First download Sigcheck (https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck) and then execute:

>sigcheck.exe -tuv
... 
Listing valid certificates not rooted to the Microsoft Certificate Trust List:

User\Root:
   Test Purpose CA
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Some development Root CA
        Serial Number:  01
        Thumbprint:     9CB31B0AE15867B5E29C4F7E21FE195C2AF24FE3
        Algorithm:      sha1RSA
        Valid from:     2:10 PM 2/5/2015
        Valid to:       2:10 PM 2/5/2025
   LLAMA.PE Root CA - R2
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Some third party Root CA
        Serial Number:  01 E0 DA 86 CC 7D 58 ED D8 62 E6 47 A2
        Thumbprint:     1B4AEFF4FB8E2BEFEB3A8FE60D03D24269AB4A6B
        Algorithm:      sha256RSA
        Valid from:     7:00 PM 3/14/2017
        Valid to:       7:00 PM 3/14/2037
...

Then simply delete all the displayed CAs with something like certmgr.msc.

Notes

  • This method will only help to delete locally trusted CA certificates that don't exist in the Microsoft Certificate Trust List, but it won't install the Microsoft Certificate Trust List CAs not currently installed in the local store (e.g. the manually removed ones).
  • This checks the current user store, not the machine store. For checking the machine store, just omit the u in the arguments.
  • The output seems to include only valid certificates, e.g. I've observed that a locally trusted CA with a signature that Windows was unable to validate wasn't listed and I had to check it and remove it manually.

Credits to the following site, http://woshub.com/how-to-check-trusted-root-certification-authorities-for-suspicious-certs/.
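As an added example (not code from the answer above and not part of Sigcheck), the last step can be automated: the script below parses the output of `sigcheck -t[u]v` into objects and removes the listed certificates through the Cert: drive, prompting for each one. It assumes sigcheck.exe is on PATH (edit $SigcheckPath otherwise) and that the output keeps the layout shown in the answer: a "User\Root:" or "Machine\Root:" header, an indented certificate name, then more deeply indented "Field:  value" lines. The sample text at the end is constructed from the answer's output so the parser can be tried offline.

```powershell
# Added example; not code from the answer above and not part of Sigcheck.
# Assumes sigcheck.exe is on PATH (edit $SigcheckPath otherwise) and that its -t output
# keeps the layout shown in the answer: a "User\Root:" / "Machine\Root:" header, then an
# indented certificate name followed by more deeply indented "Field:  value" lines.
$SigcheckPath = 'sigcheck.exe'

function ConvertFrom-SigcheckCertList {
    # Parses the text of "sigcheck -t[u]v" into one object per listed certificate.
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin { $store = $null; $cur = $null; $found = @() }
    process {
        foreach ($l in $Line) {
            if ($l -match '^(User|Machine)\\(\S+):\s*$') {            # store header
                $store = "$($Matches[1])\$($Matches[2])"
            }
            elseif ($l -match '^\s+([A-Za-z ]+):\s+(.+?)\s*$') {       # "Field:  value"
                if (-not $cur) { continue }
                switch ($Matches[1]) {
                    'Cert Issuer' { $cur.Issuer     = $Matches[2] }
                    'Thumbprint'  { $cur.Thumbprint = $Matches[2].ToUpper() }
                    'Valid to'    { $cur.ValidTo    = $Matches[2] }
                }
            }
            elseif ($store -and $l -match '^\s+(\S.*?)\s*$') {         # certificate name
                if ($cur) { $found += $cur }
                $cur = [pscustomobject]@{ Store = $store; Name = $Matches[1]
                                          Issuer = $null; Thumbprint = $null; ValidTo = $null }
            }
        }
    }
    end {
        if ($cur) { $found += $cur }
        # An entry without a thumbprint cannot be located in the store, so drop it.
        $found | Where-Object Thumbprint
    }
}

function Get-UntrustedRoot {
    # Runs Sigcheck against the user store, or the machine store with -MachineStore
    # (which drops the "u", as the answer notes).
    param([switch]$MachineStore)
    $flags = if ($MachineStore) { '-tv' } else { '-tuv' }
    & $SigcheckPath -accepteula -nobanner $flags | ConvertFrom-SigcheckCertList
}

function Remove-UntrustedRoot {
    # Deletes each parsed certificate via the Cert: drive. ConfirmImpact=High makes
    # PowerShell ask before every removal; use -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Cert)
    process {
        $scope, $name = $Cert.Store -split '\\', 2
        $drive = if ($scope -eq 'User') { 'CurrentUser' } else { 'LocalMachine' }
        $path  = "Cert:\$drive\$name\$($Cert.Thumbprint)"
        if (-not (Test-Path $path)) {
            Write-Warning "$($Cert.Name): $path not found; check the physical stores in certmgr.msc"
            return
        }
        if ($PSCmdlet.ShouldProcess($path, "Remove '$($Cert.Name)' issued by '$($Cert.Issuer)'")) {
            # Removing from CurrentUser\Root also triggers Windows' own confirmation dialog.
            Remove-Item -Path $path
        }
    }
}

# Offline check of the parser against a sample constructed from the answer's output.
$sample = @'
Listing valid certificates not rooted to the Microsoft Certificate Trust List:

User\Root:
   Test Purpose CA
        Cert Status:    Valid
        Cert Issuer:    Some development Root CA
        Thumbprint:     9CB31B0AE15867B5E29C4F7E21FE195C2AF24FE3
        Valid to:       2:10 PM 2/5/2025
   LLAMA.PE Root CA - R2
        Cert Status:    Valid
        Cert Issuer:    Some third party Root CA
        Thumbprint:     1B4AEFF4FB8E2BEFEB3A8FE60D03D24269AB4A6B
        Valid to:       7:00 PM 3/14/2037
'@
$sample -split "`r?`n" | ConvertFrom-SigcheckCertList | Format-Table -AutoSize

# Live use: review first, dry-run, then remove with a prompt per certificate.
# Get-UntrustedRoot | Format-Table Store, Name, Issuer, ValidTo, Thumbprint -AutoSize
# Get-UntrustedRoot | Remove-UntrustedRoot -WhatIf
# Get-UntrustedRoot | Remove-UntrustedRoot
```

This only removes what Sigcheck listed, so the third note above still applies: a root whose signature Windows cannot validate will not appear in the output and has to be found and removed by hand. Run the machine-store variant from an elevated prompt.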