EnableCertPaddingCheck

Glenn Maxwell 11,861 Reputation points
2023-02-18T03:44:19.22+00:00

Hi All

I have the CVE-2013-3900 vulnerability (WinVerifyTrust Signature Validation Vulnerability). I need to add the below registry values to fix it.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"


Accepted answer
  1. Thameur-BOURBITA 33,976 Reputation points
    2023-02-18T23:19:37.79+00:00

    Hi @Glenn Maxwell

    Try this script, it works on my machine:

    # Registry key and value to set
    $registryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Conf"
    $Name = "EnableCertPaddingCheck"
    $value = "1"

    IF (!(Test-Path $registryPath))
    {
        # Key is missing: create it, then add the value
        New-Item -Path $registryPath -Force | Out-Null
        New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
    }
    ELSE
    {
        # Key exists: add or overwrite the value
        New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
    }

    Please don't forget to mark the helpful answer

    1 person found this answer helpful.

2 additional answers

  1. Nijkamp, Wim 10 Reputation points
    2023-06-16T07:23:30.97+00:00

    I believe the RegistryPath is wrong.

    $registryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Conf"

    This should be:

    $registryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"

    See: https://www.tenable.com/plugins/nessus/166555

    2 people found this answer helpful.

  2. Thameur-BOURBITA 33,976 Reputation points
    2023-02-18T13:02:18.79+00:00

    Hi @Glenn Maxwell

    You can use PowerShell to create the path if it doesn't exist before the registry key. Below is an example:

    $registryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Conf"
    $Name = "EnableCertPaddingCheck"
    $value = "1"

    IF (!(Test-Path $registryPath))
    {
        # Key is missing: create it, then add the value as a string
        New-Item -Path $registryPath -Force | Out-Null
        New-ItemProperty -Path $registryPath -Name $name -Value $value `
            -PropertyType String -Force | Out-Null
    }
    ELSE
    {
        # Key exists: add or overwrite the value as a string
        New-ItemProperty -Path $registryPath -Name $name -Value $value `
            -PropertyType String -Force | Out-Null
    }

    $registryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Conf"
    $Name = "EnableCertPaddingCheck"
    $value = "1"

    IF (!(Test-Path $registryPath))
    {
        New-Item -Path $registryPath -Force | Out-Null
        New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
    }
    ELSE
    {
        New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
    }

    The links below may help you:

    New-ItemProperty

    Update or Add Registry Key Value with PowerShell

    Please don't forget to mark helpful answer as accepted
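
An added example, not part of any answer in this thread: a PowerShell script that sets `EnableCertPaddingCheck` under both keys listed in the question, using the path ending in `Config` that the second answer points to, and then reads each key back to confirm the value and its stored type. The helper names `Set-CertPaddingCheck` and `Test-CertPaddingCheck` are hypothetical; the script assumes an elevated session on 64-bit Windows and keeps the String type used in the accepted answer.

```powershell
# Added example (not from the thread): set and verify EnableCertPaddingCheck.
# Both keys are the ones listed in the question; note the path ends in "Config".
$Paths = @(
    'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$Name  = 'EnableCertPaddingCheck'
$Value = '1'   # string "1", as written in the question's registry lines

function Set-CertPaddingCheck {      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Path, [string]$Name, [string]$Value)

    foreach ($p in $Path) {
        # Create the key first if it is missing, as the answers above do
        if (-not (Test-Path -LiteralPath $p)) {
            if ($PSCmdlet.ShouldProcess($p, 'Create registry key')) {
                New-Item -Path $p -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$p\$Name", "Set value to '$Value'")) {
            New-ItemProperty -Path $p -Name $Name -Value $Value `
                -PropertyType String -Force | Out-Null
        }
    }
}

function Test-CertPaddingCheck {     # hypothetical helper name
    param([string[]]$Path, [string]$Name, [string]$Expected)

    foreach ($p in $Path) {
        # Read back through the RegistryKey object so the stored type is visible
        $key     = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        $present = ($null -ne $key) -and ($key.GetValueNames() -contains $Name)
        [pscustomobject]@{
            Path      = $p
            Present   = $present
            Kind      = if ($present) { $key.GetValueKind($Name) } else { $null }
            Data      = if ($present) { $key.GetValue($Name) } else { $null }
            Compliant = $present -and ([string]$key.GetValue($Name) -eq $Expected)
        }
    }
}

Set-CertPaddingCheck  -Path $Paths -Name $Name -Value $Value
Test-CertPaddingCheck -Path $Paths -Name $Name -Expected $Value | Format-Table -AutoSize
```

Adding `-WhatIf` to the `Set-CertPaddingCheck` call previews the registry changes without writing them.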

