The SYSTEM account cannot access the certificate store


Why is the SYSTEM account not able to access the user's certificate store?

At the same time, the SYSTEM account is able to read the certificate (through the CSP DLL) from the smart card and put it in the certificate store (the CSP is used by winlogon.exe in this case, so I guess winlogon.exe has some magic inside).

For example, calling CertOpenSystemStore( NULL, L"MY" ) under the SYSTEM account will succeed, but CertFindCertificateInStore() will not find anything, because it looks like the store is empty. When I log on, CertFindCertificateInStore() will find the requested certificate.

3

There are 3 answers

1
Harshvir On

Every user has a different MY store, so if you are able to find something in user A's MY store, you might not be able to get it from user B's. Try using MMC for accessing the certificate stores of other users and service accounts.

0
Andreas Magnusson On

Either you need to put the relevant certificates in the SYSTEM cert store or you need to impersonate the user whose store you wish to access. Impersonation can be done in multiple ways; I would suggest starting by looking at MSDN.

0
Razmar On

Thanks to Der_Meister!

The full command line, to be executed from the administrator command prompt:

psexec -s -i c:\windows\system32\mmc.exe c:\windows\system32\certmgr.msc

Then import the certificate needed by the Local System.

In my case it was a code signing certificate required by signtool to sign the binaries. Signtool was executed by the gitlab-runner service.
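The two fixes above (Andreas Magnusson's "put the certificate where the service can see it" and Razmar's import for a signtool run by the gitlab-runner service) as an added PowerShell example, not code from any of the answers: it shows which MY store the current identity actually sees, then stages the signing certificate in the machine-wide store instead of a per-account one. The PFX path, the password prompt and the signtool invocation are assumptions.

```powershell
# Added example, not code from the question or the answers above. Shows which
# Personal ("My") store the current security context actually sees, then stages
# a code-signing certificate in the machine-wide store so a service (assumed
# here: gitlab-runner running signtool) finds it without any user profile.
# $PfxPath and the signtool invocation are assumptions for illustration.

function Show-MyStores {
    # Run once in an interactive session and once under the service identity
    # (e.g. via psexec -s) to see why the two contexts find different certs:
    # Cert:\CurrentUser\My is per-account, Cert:\LocalMachine\My is shared.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Host "Running as: $who"
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        $certs = @(Get-ChildItem -Path "Cert:\$loc\My" -CodeSigningCert)
        Write-Host "Cert:\$loc\My: $($certs.Count) code-signing cert(s)"
        $certs | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
            Format-Table -AutoSize | Out-Host
    }
}

function Install-MachineSigningCert {
    param([Parameter(Mandatory)][string] $PfxPath)   # assumed path to the PFX
    $pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
    # Machine store: visible to every account on the host, including services,
    # so no psexec/impersonation trick is needed to reach it later. If the
    # service runs as a dedicated account rather than SYSTEM, that account
    # also needs read access to the private key.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd
    if (-not $cert.HasPrivateKey) { throw 'PFX imported without a private key' }
    return $cert.Thumbprint
}

function Test-MachineSigningCert {
    param([Parameter(Mandatory)][string] $Thumbprint)
    # Precondition the service needs: the cert is in LocalMachine\My, it is a
    # code-signing cert, and the private key is present.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint
    return [bool]($cert -and $cert.HasPrivateKey)
}

# Usage (assumed values):
Show-MyStores
$tp = Install-MachineSigningCert -PfxPath 'C:\secure\codesign.pfx'
if (Test-MachineSigningCert -Thumbprint $tp) {
    # signtool looks in the user store by default; /sm makes it use the
    # machine store, so the service finds the cert without an interactive logon.
    Write-Host "signtool sign /sm /sha1 $tp /fd SHA256 <file-to-sign>"
}
```

Running Show-MyStores both interactively and under the service identity makes the difference in the original question visible directly: the same Cert:\CurrentUser\My path lists different certificates depending on who asks, while Cert:\LocalMachine\My is the same for everyone.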