Automatic Update--How to Turn OFF?

[John]

I noticed this event in the Application Event Log with a Source of CAPI2.

Successful auto update of third-party root certificate:: Subject:
<CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US> Sha1
thumbprint: <7E784A101C8265CC2DE1F16D47B440CAD90A1945>.

I know I have auto updates turned off in the Security Center so I am puzzled
by this mysterious "call-to-home" by equifax. Any help finding how to turn
ALL auto updates off greatly appreciated.

 

[Mac]

Sounds like it is trying to do it's own update - rather than via windows
update. You'd need to ask Equifax.

 

[Jimmy Brush]

I noticed this event in the Application Event Log with a Source of CAPI2.

Successful auto update of third-party root certificate:: Subject:
<CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US> Sha1
thumbprint: <7E784A101C8265CC2DE1F16D47B440CAD90A1945>.

I know I have auto updates turned off in the Security Center so I am puzzled
by this mysterious "call-to-home" by equifax. Any help finding how to turn
ALL auto updates off greatly appreciated.

Hello,

To turn off this feature:

CAUTION: Improperly modifying the registry can harm your computer.

- Click start
- Type: regedit
- Press enter
- Browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
- Create a new DWORD value in this folder called: DisableRootAutoUpdate
- Double-click it, set its value to 1, and click ok

And now, a warning from
http://technet.microsoft.com/en-us/library/bb457160.aspx:

How Disabling, Removing, or Excluding Update Root Certificates from
Users’ Computers Can Affect Users and Applications

If the user is presented with a certificate issued by a root
certification authority that is not directly trusted, and the Update
Root Certificates component is not installed on the user’s computer, the
user will be prevented from completing the action that required
authentication. For example, the user might be prevented from installing
software, viewing an encrypted or digitally signed e-mail message, or
using a browser to engage in an SSL session.

 

[Tim Judd]

I noticed this event in the Application Event Log with a Source of CAPI2.

Successful auto update of third-party root certificate:: Subject:
<CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US> Sha1
thumbprint: <7E784A101C8265CC2DE1F16D47B440CAD90A1945>.

I know I have auto updates turned off in the Security Center so I am puzzled
by this mysterious "call-to-home" by equifax. Any help finding how to turn
ALL auto updates off greatly appreciated.

Most SSL-enabled websites out there are secure because they paid another
company, a "Certificate Authority," some money to be listed as a valid
and trusted secure site. Any company can use Equifax as the CA, it is
up to the website owners/webmasters. What update you see is an update
to a 3rd parth Certificate Authority.

MSIE and Mozilla products have a built-in list of Certificate
Authorities they will trust (most of the time, the lists are identical).
Every couple of years, the Certificate Authorities expire (between
1-year to 2-years typical, it seems from my investigation), and a
renewal or an update is needed to continue that trust. It's
collectively referred to as a root certificate update. What you're
seeing above is simply an update maybe not to the root certificates
themselves, but a certificate that guarantees some site as valid. You
should be able to control 3rd party root Certificates with the browser's
preferences (or options).

This seems to be legitimate from first glances, and I wouldn't disable
it, if I were you. Have yourself a good weekend!

 

[John]

Thanks for your insightful reply. I agree with everything you have said but
I think I will update certificates myself rather than rely on an update
process I know nothing about. Call me paranoid but it seems it's one less
entry point into my computer.

Have a fabulous weekend, Tim

 

[John]

Many thanks for the expert 'How To', including caveats, Jimmy. Since it's a
registry key it can be unset, if needed, for having a certificate updated.
Like Windows Updates, I prefer to know who and what I am updateing.