SetReg
The SetReg tool sets the value of the registry keys that control the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. After completing the requested action, the tool displays the current state of the Software Publishing State Keys.
```
SetReg [Options] [Choice # {TRUE|FALSE}]
```
The Set Registry tool ships only with the .NET Framework SDK versions 1.0 and 1.1, which you can download from the Microsoft Download Center. Later versions of the .NET Framework SDK use SignTool instead.
Options
The options can be one of the following values. Options given in the following table can be used only with Internet Explorer 4.0 or later.
| Option | Description |
|---|---|
| -q | Suppress the display of the Software Publishing State Key values after SetReg has completed the requested action. The values are displayed by default. |
| -? | List command syntax and options. |
Choice #
Choice # must be one of the following values.
| Choice | Description | Result |
|---|---|---|
| 1 | Trust the Test Root | This value is ignored. |
| 2 | Use expiration date on certificates | If TRUE, checks the certificate expiration date. To ignore expiration dates, set this flag to FALSE. The default is TRUE. |
| 3 | Check the revocation list | If TRUE, performs the revocation check. To bypass the revocation check, set this flag to FALSE. The default is TRUE. |
| 4 | Offline revocation server OK (Individual) | If TRUE, allows offline approval for individual certificates. The default is FALSE. |
| 5 | Offline revocation server OK (Commercial) | If TRUE, allows offline approval for commercial certificates. The default is TRUE. |
| 6 | Java offline revocation server OK (Individual) | If TRUE, allows offline approval for individual certificates and does not display the user interface for bad certificates. The default is FALSE. |
| 7 | Java offline revocation server OK (Commercial) | If TRUE, allows offline approval for commercial certificates and does not display the user interface for bad certificates. The default is TRUE. |
| 8 | Make version 1 signed objects no longer valid | If TRUE, makes version 1 signed objects no longer valid. The default is FALSE. |
| 9 | Check the revocation list of the time stamp server | If TRUE, performs the revocation check on the time stamp server's certificate. The default is FALSE. |
| 10 | Only trust items found in the Trust database | If TRUE, allows downloads from publishers that are contained in the Personal Trust Database. The default is FALSE. |
Build date: 3/6/2012
`[HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]`

Change the DWORD key "State" using these as the hex bitmask. Yes, to get TRUE you must use negative values on some of them.
```
1) Trust the Test Root........................... TRUE 0xA0
2) Use expiration date on certificates........... TRUE -0x100
3) Check the revocation list..................... TRUE -0x200
4) Offline revocation server OK (Individual)..... TRUE 0x400
5) Offline revocation server OK (Commercial)..... TRUE 0x800
6) Java offline revocation server OK (Individual) TRUE 0x1000
7) Java offline revocation server OK (Commercial) TRUE 0x2000
8) Invalidate version 1 signed objects........... TRUE 0x10000
9) Check the revocation list on Time Stamp Signer TRUE -0x20000
10) Only trust items found in the Trust DB........ TRUE 0x40000
```
Much thanks to Bent Schrader for the location of the registry entry!
I know this IE advanced setting uses/sets this registry key:
```
Check for publisher's certificate revocation TRUE -0x200
```
But there are also some undocumented settings found in WinTrust.h:
```c
#define WTPF_TRUSTTEST       0x00000020 // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID  0x00000080 // check any test certificate for validity
```
Pushing out some IE settings such as "Check for publisher's certificate revocation" and "Check for server certificate revocation" via a GPO does seem to influence this registry key and set it to 0x000000C9 or 0x000002C9 which seems to be incorrect behavior as it wipes out the previous settings in this registry key and includes a value that seems invalid, 0xC9 (or 0x09 since both 0xA0 and 0x20 are technically valid/used). This is something to be aware of if you are getting .NET 4 update issues--a GPO may be changing this registry key from the expected defaults, especially setting "Offline revocation server OK (Commercial)" to false.
As of 5/10/2012, using the stated default values listed on this page, the registry entry would be 0x22800. However, on fresh installs (tested on WinXP SP3 and Win7 Enterprise x64, both fully updated/patched) the default value is 0x23C00. This article may be out of date. These settings correspond to:
Software Publishing State Key Values (0x22800):
```
1) Trust the Test Root........................... FALSE
2) Use expiration date on certificates........... TRUE
3) Check the revocation list..................... TRUE
4) Offline revocation server OK (Individual)..... FALSE
5) Offline revocation server OK (Commercial)..... TRUE
6) Java offline revocation server OK (Individual) FALSE
7) Java offline revocation server OK (Commercial) TRUE
8) Invalidate version 1 signed objects........... FALSE
9) Check the revocation list on Time Stamp Signer FALSE
10) Only trust items found in the Trust DB........ FALSE
```
Software Publishing State Key Values (0x23c00):
```
1) Trust the Test Root........................... FALSE
2) Use expiration date on certificates........... TRUE
3) Check the revocation list..................... TRUE
4) Offline revocation server OK (Individual)..... TRUE
5) Offline revocation server OK (Commercial)..... TRUE
6) Java offline revocation server OK (Individual) TRUE
7) Java offline revocation server OK (Commercial) TRUE
8) Invalidate version 1 signed objects........... FALSE
9) Check the revocation list on Time Stamp Signer FALSE
10) Only trust items found in the Trust DB........ FALSE
```
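The following is an added example, not code from the page or from Microsoft: a small Python decoder/encoder for the "State" DWORD that uses the bit masks listed in the comment above (including the inverted meaning of choices 2, 3 and 9) and reports which choices drift from the page's stated defaults, so a GPO rewrite like the 0x2C9 value mentioned earlier is easy to spot. The `drift()` and `read_state()` helpers and the `PAGE_DEFAULTS` baseline are my own naming; `read_state()` only works on Windows.

```python
import sys

# (choice, name, bit mask, inverted): for inverted flags a SET bit means the
# setting is FALSE, which is why the comment above writes those values as negative.
FLAGS = [
    (1, "Trust the Test Root", 0x000A0, False),
    (2, "Use expiration date on certificates", 0x00100, True),
    (3, "Check the revocation list", 0x00200, True),
    (4, "Offline revocation server OK (Individual)", 0x00400, False),
    (5, "Offline revocation server OK (Commercial)", 0x00800, False),
    (6, "Java offline revocation server OK (Individual)", 0x01000, False),
    (7, "Java offline revocation server OK (Commercial)", 0x02000, False),
    (8, "Invalidate version 1 signed objects", 0x10000, False),
    (9, "Check the revocation list on Time Stamp Signer", 0x20000, True),
    (10, "Only trust items found in the Trust DB", 0x40000, False),
]
# Defaults as stated in the page's Choice table (these encode to 0x22800).
PAGE_DEFAULTS = {1: False, 2: True, 3: True, 4: False, 5: True,
                 6: False, 7: True, 8: False, 9: False, 10: False}

def decode(state):
    """Map a State DWORD to {choice: bool}, matching SetReg's TRUE/FALSE output."""
    result = {}
    for num, _name, mask, inverted in FLAGS:
        bit_set = (state & mask) != 0
        result[num] = (not bit_set) if inverted else bit_set
    return result

def encode(settings):
    """Inverse of decode(): build the DWORD from {choice: bool}."""
    state = 0
    for num, _name, mask, inverted in FLAGS:
        if settings[num] != inverted:  # bit is set when TRUE (when FALSE if inverted)
            state |= mask
    return state

def drift(state, baseline=PAGE_DEFAULTS):
    """Choices whose value differs from the baseline, e.g. after a GPO rewrote the key."""
    current = decode(state)
    return {n: current[n] for n in sorted(current) if current[n] != baseline[n]}

def read_state():
    """Read the live HKCU value on Windows; returns None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # standard library, Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        return winreg.QueryValueEx(key, "State")[0]

if __name__ == "__main__":
    state = read_state()
    if state is None:
        state = 0x22800  # off Windows, show the page's stated defaults
    for num, name, _m, _i in FLAGS:
        print(f"{num:>2}) {name:<48} {'TRUE' if decode(state)[num] else 'FALSE'}")
    print("drift from page defaults:", drift(state))
```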