CertWatch 1.0
Blaser CertWatch is an automated certificate store checker for Windows workstations and servers. It alerts users to the addition and removal of system certificates. This new, free utility monitors any changes made to the Windows certificate stores on your system. Certificates can be added to or removed from your system for a variety of reasons: Windows Updates, new software packages, and so on can alter the certificate store. Unfortunately, malicious software could also add an "all purpose" certificate, creating an attack vector for SSL/TLS man-in-the-middle attacks or giving a bad agent a foothold to usurp and exfiltrate information from your system without your knowledge. CertWatch performs hourly scans of all system certificate stores and reports any additions to or deletions from those stores when changes are made.
Hourly scans for all Windows system certificate stores.
Reports when changes are made.
CertWatch operates by checking the local certificate store and verifying against Microsoft's Certificate Trust List (CTL) and Certificate Revocation List (CRL). These lists are updated regularly and contain a predefined list of items signed by a trusted entity (Microsoft).
Automated checking of expired or nearly expired certificates so that system services dependent on these certificates will not fail due to expiration (IIS [HTTPS/TLS], Active Directory, SChannel services).
Blaser CertWatch runs as a background service and scans and checks the following Windows certificate stores:
Current User (CERT_SYSTEM_STORE_CURRENT_USER)
Current Service (CERT_SYSTEM_STORE_CURRENT_SERVICE)
Local Machine (CERT_SYSTEM_STORE_LOCAL_MACHINE)
Local Machine Group Policy (CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY)
Current User Group Policy (CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY)
Services (CERT_SYSTEM_STORE_SERVICES)
Users (CERT_SYSTEM_STORE_USERS)
Local Machine Enterprise (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE)
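
The scan-and-report cycle described above can be sketched in PowerShell as a baseline-and-diff over certificate thumbprints. This is an added example, not CertWatch's own code: it covers only the Current User and Local Machine locations, because those are the two the built-in Cert: drive exposes, and it does no CTL or CRL verification. The baseline path and the 30-day expiry threshold are assumptions.

```powershell
# Added example: baseline-and-diff of certificate stores through the Cert: drive.
# $BaselinePath and $WarnDays are assumptions made for this sketch.
$BaselinePath = Join-Path $env:ProgramData 'CertBaseline\baseline.xml'
$WarnDays     = 30

function Get-CertSnapshot {
    # -Recurse walks every store (Root, CA, My, ...) under both locations;
    # stores the caller cannot read are skipped.
    Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            [pscustomobject]@{
                # Store path + thumbprint, so a known certificate copied into
                # another store (for example Root) still counts as an addition.
                Key      = '{0}|{1}' -f ($_.PSParentPath -replace '^.*::', ''), $_.Thumbprint
                Subject  = $_.Subject
                Issuer   = $_.Issuer
                NotAfter = $_.NotAfter
            }
        }
}

$current = @(Get-CertSnapshot)

if (Test-Path $BaselinePath) {
    $previous = @(Import-Clixml -Path $BaselinePath)
    Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Key -PassThru |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}  Subject="{2}"  Issuer="{3}"' -f $change, $_.Key, $_.Subject, $_.Issuer
        }
}

# Expired or nearly expired certificates.
$limit = (Get-Date).AddDays($WarnDays)
$current | Where-Object { $_.NotAfter -lt $limit } |
    ForEach-Object { 'EXPIRY   {0}  NotAfter={1:u}' -f $_.Key, $_.NotAfter }

# Store the current state as the baseline for the next run.
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$current | Export-Clixml -Path $BaselinePath
```

The first run only writes the baseline; later runs print one line per added or removed certificate. The diff is only as trustworthy as the baseline file, so keep it where unprivileged processes cannot write.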