Detecting new certificates via Powershell
I'm trying to figure out a way to detect whenever a new user certificate is registered to the user's personal certificate store.  I can enumerate the current certificates in the personal store but really need a way to be notified when a new certificate appears.  I thought one way might be to monitor the folder where the files associated with the certificates are created.  Is there a specific event or something that I can monitor either through the powershell script itself or via the task manager to kick off my certificate script?
July 22nd, 2015 1:05pm

Why?

Why not use Group Policy and AD to manage user certificates?

July 22nd, 2015 1:31pm

These are 3rd party certificates and we wish to assign friendly names when they show up in the personal store.  But we need to know when they show up to do so.  I'm not aware of any basic functionality in Windows that allows for the permanent assignment of friendly names to certificates that are only assigned to the personal store as long as the smart card is in the reader.  That is my "why"


July 22nd, 2015 2:24pm

There is no automatic way to do this.  You can grab the event in the event log that is generated.  It should have all of the cert info like subject.  This will allow you to run an event log task that can rename the cert.

First learn to use EL tasks and how to add scripts. There are a number of blogs on this.

Look at the registry and decide which events are useful.

July 22nd, 2015 2:29pm

Here is a bootstrap. This is the kind of event generated when a cert has an issue or is added or removed.

Log Name:      Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Source:        Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Date:          7/15/2015 6:12:04 PM
Event ID:      1003
Task Category: None
Level:         Warning
Keywords:      
User:          W8TEST\jsmith
Computer:      W8Test
Description:
A certificate is about to expire. Please refer to the "Details" section for more information.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-User" Guid="{bea18b89-126f-4155-9ee4-d36038b02680}" />
    <EventID>1003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-15T22:12:04.223422100Z" />
    <EventRecordID>99</EventRecordID>
    <Correlation />
    <Execution ProcessID="2816" ThreadID="3608" />
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational</Channel>
    <Computer>W8Test</Computer>
    <Security UserID="XXXXXXXXXXXXXXXXXXXXXXXXX" />
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhost.exe" AccountName="XXXXXXXXX" Context="User">
      <CertificateDetails Thumbprint="1d32c66b90b66034444444444e3417d29e">
        <EKUs>
          <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" />
        </EKUs>
        <NotValidAfter>2015-07-16T00:11:12Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>

You need to look up the event ID for an added cert.  Add a cert and look at this store for the new cert. 

You can define and install the tasks via GP distribution of scheduled tasks.

July 22nd, 2015 2:43pm
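As an added example (not code from the thread), this reads the lifecycle channel shown above, pulls the thumbprint out of each event's UserData, and maps it back to the entry in the user's personal store. It assumes the channel name and the CertNotificationData/CertificateDetails layout from the quoted event XML.

```powershell
# Added example: correlate CertificateServicesClient lifecycle events (Windows 8+)
# with the live Cert:\CurrentUser\My store. Channel name and XML layout are taken
# from the event quoted in the thread.
$Channel = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'

function Get-CertEventThumbprint {
    param([Parameter(Mandatory)][xml]$EventXml)
    # local-name() sidesteps the default xmlns on <Event>, so no prefix is needed.
    $node = $EventXml.SelectSingleNode("//*[local-name()='CertificateDetails']")
    if ($node) { return $node.GetAttribute('Thumbprint').ToUpperInvariant() }
    return $null
}

function Get-RecentCertLifecycleEvents {
    param([int]$MaxEvents = 50)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $Channel } -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    EventId    = $_.Id            # e.g. 1003 = about to expire (see event above)
                    Thumbprint = Get-CertEventThumbprint ([xml]$_.ToXml())
                }
            }
    } catch {
        # Pre-Windows 8 hosts have no such channel; an empty channel also throws.
        Write-Warning "Channel '$Channel' not readable: $_"
    }
}

# Join each event to the store entry; the cert may already be gone (removed/expired).
Get-RecentCertLifecycleEvents | ForEach-Object {
    $tp   = $_.Thumbprint
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $tp }
    [pscustomobject]@{
        Time       = $_.Time
        EventId    = $_.EventId
        Thumbprint = $tp
        Subject    = if ($cert) { $cert.Subject } else { '<not in store>' }
    }
}
```

Thumbprints in the event XML are lower-case while the Cert: drive reports them upper-case, so the comparison normalises case before matching.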

Note that certs are not stored as files on the system.  They are stored in an encrypted form.

PowerShell can directly read the cert store.

dir cert:\CurrentUser\My

You cannot park an event on the cert store with a scripting system. It may not be at all possible with code.

July 22nd, 2015 2:46pm

Here is a blog on how to use the new cert events and definitions of all events:

http://blogs.msdn.com/b/key_developments/archive/2013/03/13/windows-8-certificate-notifications.aspx

July 22nd, 2015 3:40pm


It appears I found a way to do this.  We are not running Windows 8 so unfortunately, I cannot make use of the new events and I can't find any other event id in Windows 7 that is tied to a certificate registration.  However, I found that if I use FileSystemWatcher to monitor the user's local certificate store (userid\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\) for the creation of new files (addition of a certificate) then I can trigger the routine to run through the user's certificate inventory and modify the friendly name property. 

Seems to be working.


July 24th, 2015 8:18am
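The FileSystemWatcher approach from the last post, written out as an added example (not the poster's own script): it watches the per-user certificate blob folder named above and, on each new file, assigns a friendly name to any personal-store certificate from a given issuer that still has none. The issuer substring and the name format are placeholders to adapt.

```powershell
# Added example: trigger friendly-name assignment from file creation in the
# user's certificate blob folder (path from the post). Issuer pattern and the
# name format are placeholders.
$WatchPath   = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
$IssuerMatch = 'CN=Example Third-Party CA'   # placeholder: substring of the issuer DN
if (-not (Test-Path $WatchPath)) { throw "Certificate folder not found: $WatchPath" }

# Declared global so the event action (which runs outside script scope) can call it.
function global:Set-MissingFriendlyNames {
    param([string]$IssuerPattern)
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" -and [string]::IsNullOrEmpty($_.FriendlyName) } |
        ForEach-Object {
            # Setting FriendlyName on a cert read from the Cert: drive persists it
            # in the store's property blob, so it survives card removal/reinsertion.
            $cn = ($_.Subject -split ',')[0] -replace '^CN=', ''
            $_.FriendlyName = "3rdParty - $cn - expires $($_.NotAfter.ToString('yyyy-MM-dd'))"
            [pscustomobject]@{ Thumbprint = $_.Thumbprint; FriendlyName = $_.FriendlyName }
        }
}

# Catch up on anything added before the watcher started.
Set-MissingFriendlyNames -IssuerPattern $IssuerMatch

$watcher = New-Object System.IO.FileSystemWatcher $WatchPath
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.EnableRaisingEvents = $true

# -MessageData carries the pattern into the action's scope via $Event.MessageData.
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'CertStoreCreated' -MessageData $IssuerMatch -Action {
        # The blob file name is the thumbprint; a short delay lets the store finish writing.
        Start-Sleep -Milliseconds 500
        Set-MissingFriendlyNames -IssuerPattern $Event.MessageData |
            ForEach-Object { Write-Host "Named $($_.Thumbprint): $($_.FriendlyName)" }
    } | Out-Null

# Yield to the engine so the action can run; Ctrl+C ends the loop. Clean up with:
#   Unregister-Event -SourceIdentifier 'CertStoreCreated'; $watcher.Dispose()
while ($true) { Wait-Event -Timeout 5 | Out-Null }
```

Because the action only ever touches certificates whose FriendlyName is empty, rerunning it after every file event is idempotent.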
