This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 72%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Hi All
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
To remediate the vulnerability CVE-2013-3900 is to add the below registry values.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 84%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
To be clear in the link provided https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900under the FAQ section there are Suggested Actions. Copy the text paste into a text file and save as SomeName.reg Be sure to copy the right text for either x64 or x32 machine. Export your registry, I would do it at the Software level, so you get both entries. Then double click on the .reg file and it will update the registry for you. Go into HKLM\Software\Microsoft\Cryptography and you should see the entry. Also check Wow6432Node. Restart your computer for it to take effect.
This is better than manually trying to enter the registry info.
This is the x64 entry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 41%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
What is the impact of Registry changes apart from fixing vulnerability?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Using the REG file examples a REG_SZ will be created by default so yes it would be correct.
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 93%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
how to create the folder..Pls help
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 86%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
According to this article: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098
Windows server 2016, 2019 and 2022 are not in the list of affected products.
So, I still need to apply remediation steps on windows server 2016, 2019 and 2022 for CVE-2013-3900 vulnerability ?
Waiting for your prompt response
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Hi Rafid, if you refer to MSRC, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 Those Windows OS versions are listed and you can also see that the core versions were added in April 2023.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 30%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 73%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Would it have any negative effects to go ahead and add both entries x32/x64 to a x64 system? It would be easier to create a single .reg file and add everywhere.
Also our scanner is reporting a couple of 2012r2 servers. I'm guessing that the answer didn't include 2012r2 because it's EOL?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 77%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Anyone looking to do this, can use below code
Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.
#Source https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
if (!(Test-Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust')) {
New-Item -Path 'HKLM:\Software\Microsoft\Cryptography' -Name 'Wintrust' | Out-Null
}
if (!(Test-Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')) {
New-Item -Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust' -Name 'Config' | Out-Null
}
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type DWORD
if (!(Test-Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust')) {
New-Item -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography' -Name 'Wintrust' | Out-Null
}
if (!(Test-Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config')) {
New-Item -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust' -Name 'Config' | Out-Null
}
Set-ItemProperty -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type DWORD
Write-Output 'Please reboot your system to apply the changes.'