System Store Locations
A system store is a collection that consists of one or more physical sibling stores. For each system store, there are predefined physical sibling stores. After opening a system store such as MY at CERT_SYSTEM_STORE_CURRENT_USER, the store provider calls CertOpenStore to open each of the physical stores in the system store collection. In the open process, each of these physical stores is added to the system store collection using CertAddStoreToCollection. All certificates in those physical stores are available through the logical system store collection.
For each system store location, the predefined systems stores are:
- MY
- Root
- Trust
- CA
In CERT_SYSTEM_STORE_CURRENT_USER, there is also a predefined UserDS store. A smart card store is planned for this location.
Here are the system stores followed by further remarks:
- CERT_SYSTEM_STORE_CURRENT_USER
- CERT_SYSTEM_STORE_LOCAL_MACHINE
- CERT_SYSTEM_STORE_CURRENT_SERVICE
- CERT_SYSTEM_STORE_SERVICES
- CERT_SYSTEM_STORE_USERS
- CERT_SYSTEM_CURRENT_USER_GROUP_POLICY
- CERT_SYSTEM_LOCAL_MACHINE_GROUP_POLICY
- CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
- Remarks
CERT_SYSTEM_STORE_CURRENT_USER
CERT_SYSTEM_STORE_CURRENT_USER system stores are at the following registry location:
HKEY_CURRENT_USER
Software
Microsoft
SystemCertificates
The predefined physical stores associated with those system stores are as follows.
| System store | Physical store |
|---|---|
| MY | .Default |
| Root | .Default.LocalMachine .SmartCard |
| Trust | .Default.GroupPolicy .LocalMachine |
| CA | .Default.GroupPolicy .LocalMachine |
| UserDS | .UserCertificate |
CERT_SYSTEM_STORE_LOCAL_MACHINE
CERT_SYSTEM_STORE_LOCAL_MACHINE system stores are at the following registry location:
HKEY_LOCAL_MACHINE
Software
Microsoft
SystemCertificates
The predefined physical stores are associated with those system stores are as follows.
| System store | Physical store |
|---|---|
| MY | .Default |
| Root | .Default.AuthRoot .GroupPolicy .Enterprise .SmartCard |
| Trust | .Default.GroupPolicy .Enterprise |
| CA | .Default.GroupPolicy .Enterprise |
CERT_SYSTEM_STORE_CURRENT_SERVICE
CERT_SYSTEM_STORE_CURRENT_SERVICE system stores are at the following registry location:
HKEY_LOCAL_MACHINE
Software
Microsoft
Cryptography
Services
ServiceName
SystemCertificates
The predefined physical stores associated with those system stores are as follows.
| System store | Physical store |
|---|---|
| MY | .Default |
| Root | .Default.LocalMachine |
| Trust | .Default.LocalMachine |
| CA | .Default.LocalMachine |
CERT_SYSTEM_STORE_SERVICES
CERT_SYSTEM_STORE_SERVICES system stores are at the following registry location:
HKEY_LOCAL_MACHINE
Software
Microsoft
Cryptography
Services
ServiceName
SystemCertificates
The predefined physical stores associated with those system stores are as follows.
| System store | Physical store |
|---|---|
| ServiceName\MY | .Default |
| ServiceName\Root | .Default.LocalMachine |
| ServiceName\Trust | .Default.LocalMachine |
| ServiceName\CA | .Default.LocalMachine |
CERT_SYSTEM_STORE_USERS
CERT_SYSTEM_STORE_USERS system stores are at the following registry location:
HKEY_USERS
UserName
Software
Microsoft
SystemCertificates
The predefined physical stores associated with those system stores are as follows.
| System store | Physical store |
|---|---|
| userid\MY | .Default.LocalMachine |
| userid\Root | .Default.LocalMachine |
| userid\Trust | .Default.LocalMachine |
| userid\CA | .Default.LocalMachine |
CERT_SYSTEM_CURRENT_USER_GROUP_POLICY
CERT_SYSTEM_CURRENT_USER_GROUP_POLICY system stores are at the following registry location:
HKEY_CURRENT_USER
Software
Policy
Microsoft
SystemCertificates
CERT_SYSTEM_LOCAL_MACHINE_GROUP_POLICY
CERT_SYSTEM_LOCAL_MACHINE_GROUP_POLICY system stores are at the following registry location:
HKEY_LOCAL_MACHINE
Software
Policy
Microsoft
SystemCertificates
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE contains certificates shared across domains in the enterprise and downloaded from the global enterprise directory. To synchronize the client's enterprise store, the enterprise directory is polled every eight hours and certificates are downloaded automatically in the background.
The predefined physical stores associated with these system stores are as follows.
| System store | Physical store |
|---|---|
| MY | .Default |
| Root | .Default |
| Trust | .Default |
| CA | .Default |
Remarks
Additional physical stores can be associated with a system store by using CertRegisterPhysicalStore.
CERT_SYSTEM_STORE_SERVICE and CERT_SYSTEM_STORE_USERS stores are opened by prefixing the name of the store in the string passed to pvPara with the service or user name such as ServiceName\Trust or .Default\MY. The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS location can open the same store in CERT_SYSTEM_CURRENT_SERVICE or CERT_SYSTEM_STORE_CURRENT_USER by using the textual security identifier (SID) of the current service or user.
Stores in CERT_SYSTEM_STORE_USER_GROUP_POLICY and CERT_SYSTEM_LOCAL_MACHINE_GROUP_POLICY in a network setting are downloaded to the client computer from the Group Policy Template (GPT) during computer startup or user logon. These stores can be updated on the client computer after startup or logon when the GPT is changed on the domain server by an administrator. The CertControlStore function allows an application to be notified when stores in either of these locations have changed.
The following system store locations can be opened remotely:
- CERT_SYSTEM_STORE_LOCAL_MACHINE
- CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
- CERT_SYSTEM_STORE_SERVICES
- CERT_SYSTEM_STORE_USERS
System store locations are opened remotely by prefixing the store name in the string passed to pvPara with the computer name. Examples of remote system store names are:
- ComputerName\CA
- \\ComputerName\CA
- ComputerName\ServiceName\Trust
- \\ComputerName\ServiceName\Trust
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for