Restricting write access on root certificate store

Thread starter: Guest

How/where can I set permissions in Windows XP which restrict an end user's write permission on the root CA store on a PC? What I am trying to emulate is a configuration where an IT organization installs all root certificates during PC provisioning and then prevents end users from adding to the store.

Is there a group policy that can be used to accomplish this? I have found _some_ (not sure if it's all) registry and file locations where permissions can be applied, but I'm still not certain how correct or comprehensive the info I have is. So far, I've attempted to apply restrictions in the following locations:
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\AuthRoot
 
Sorry for the question, but what are you trying to do? What would be the
point of this?

I am just trying to understand...

Be careful when removing Root CA certificates. There are certain 5 of them
that must be installed for normal Windows operation!

Thanks,

Mike
 
We have a customer whose corporate PC configuration is as described... root certificates pre-configured and end users with no write permissions on the root CA store. I'm not certain of their rationale, only their setup. Our software was attempting to write to the root CA store even if the required certs were already present. I am attempting to replicate (to the best of my ability) their configuration in order to reproduce the problem.
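
The failure mode described in the post above (writing to the root store even when the certificate is already there) can be avoided by opening the store read-only first and requesting write access only when the certificate is missing. The following is an added example, not code from the thread or from the poster's software; the certificate path `.\required-root.cer` is a hypothetical placeholder.

```powershell
# Added example: look for the certificate read-only before attempting any write.
# $CertPath is a hypothetical path to the root certificate the application needs.
param([string]$CertPath = '.\required-root.cer')

$ns     = 'System.Security.Cryptography.X509Certificates'
$needed = New-Object "$ns.X509Certificate2" $CertPath

function Test-CertInRootStore {
    param([string]$Location, [string]$Thumbprint)
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $loc)
    # ReadOnly succeeds even when the user has no write permission on the store.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $type  = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
        $found = $store.Certificates.Find($type, $Thumbprint, $false)
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

# Check both the machine-wide store and the per-user store.
$present = (Test-CertInRootStore 'LocalMachine' $needed.Thumbprint) -or
           (Test-CertInRootStore 'CurrentUser'  $needed.Thumbprint)

if ($present) {
    Write-Output "Certificate $($needed.Thumbprint) already trusted; no write attempted."
} else {
    try {
        $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $loc)
        # ReadWrite is requested only on this path; it fails on a locked-down store.
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($needed)
        $store.Close()
        Write-Output 'Certificate added to CurrentUser\Root.'
    } catch {
        # On a provisioned PC this is the expected result: report it, do not retry.
        Write-Output "Root store is not writable for this user: $($_.Exception.Message)"
    }
}
```

On a machine configured like the customer's, the first branch should be taken for every pre-provisioned certificate, so the restricted permissions are never exercised.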
 
