Windows 8 and 8.1 Forums


Win 8 UAC Relies On an Expired Certificate for Assurance!?

  1. #1


    Posts : 7
    Windows 8 (x64)

    Win 8 UAC Relies On an Expired Certificate for Assurance!?


    Why does Windows 8 User Access Control (UAC) provide an invalid security certificate to verify OS changes? Why has Microsoft® refused to update this certificate and give it valid dates? This undercuts Microsoft®'s software assurance scheme. Nowhere in the Security Certificate article in Windows® Help did I find any recommendation to trust a certificate past its "Valid to" date.

    My PC with Windows® 8 OS was bought from a local Staples office supply store off-the-shelf in factory-sealed carton on November 21, 2013. The PC was un-boxed by this end-user; Windows® 8 was activated online with Microsoft®; and the product was registered online with the OEM, h-p, on Nov. 22, 2013. After activation, all patches and other software pushed by Windows® Update were installed in November and December 2013.

    Microsoft® Windows® UAC always required the end-user as administrator to accept responsibility for approving the installing of any patch or update or other change to the system software. In January, 2014, and ever since then, it was noticed that UAC provided a Security Certificate for assurance of the software quality, but the Certificate was no longer within its valid dates. The certificate provided in UAC specified that it was Valid from: 4/12/2012, and Valid to: 7/9/2013. The system was sold as new on November 21, 2013, more than four months after the validity expired, for this Certificate issued to Microsoft® Windows® by the Microsoft® Windows Production PCA 2011.

    . Although some others of Windows'® Security Certificates were updated for some other changes made from time to time, this cert. was never updated. This expired cert. continues to be in use by Windows® 8 and UAC to this day, with the same dates, the same cert. that expired years ago!

    Windows® Help on-line, when searched for information on security certificates, gave little specific description. The write-up did not advise relying upon certificates outside their valid dates, and it seemed to be tending toward distrust of certificates with expired validity dates. Thus, there is no assurance that all of the software items that Windows® Update has installed, have been entirely free of malware.

    (Windows Update itself seems defective in the past six months, as it repeatedly calls for downloading patches with KB numbers that were already installed, some of them even last Fall, and that are already shown as Installed in the Installed Updates list window. Perhaps this trouble resulted from a software change that was certified by the same cert.; the invalid, expired certificate. Perhaps Windows Update itself was altered and is now recommending replacing a specific security patch with a piece of new software that will remove some of the protection measures or create a specific "backdoor" for the FBI, NSA, ChiComms, or other malefactors. With the software security assurance basing itself on a presumably ineffective, outdated certificate, any such scheme seems to be possible.)


  2. #2


    Where is the certificate located? How do you view it to check validity?

    I've not seen anyone else complain about this so there has to be more going on here.

    Edit: Make sure the date, time and timezone are correct on your computer.

  3. #3


    RxDdude, please consider what I have to say.

    You seem to be believing that a security certificate is invalid, which may be true. Sync your system clock to be sure.

    You seem to have spiraled from a seemingly mistaken observation about a non-existent security certificate to paranoid delusions about government conspiracy or schemes (your wording).


    In all seriousness, you might be suffering from depression or some severe boredom in your life. This can manifest into a permanent mental condition that could lead to death or institutionalization. Please consider seeing a doctor.

  4. #4


    Posts : 7
    Windows 8 (x64)

    A Better Procedure for accessing the subject certificate.


    Ztruker,
    . Thank you, for the courteous and thoughtful request for the relevant troubleshooting information w.r.t the expired Windows® certificate.

    . Just to get this out of the way, this system's time zone, time, & date are all valid and have always been so, sourced from the Windows time server @ time.windows.com. Currently, when updating this post a minute or two prior to completion, my system located in the western Tennessee River Valley is showing 6:54 AM CDT, Wednesday, July 15, 2015.

    . Where is the Certificate located? Within Windows 8 OS, is all I know. Access to the Certificate arises in the following way(s), at least.
    . Whenever I try to accept anything for installation from Windows Update, as, for example, the regular monthly Patch Tuesday downloads, I have always been blocked by the Windows feature that I mentioned, User Access Control (hereafter, UAC). The UAC dialog requests confirmation by an administrator and requires entering the logon password for the administrator user account, if the operator is already logged onto Windows in a user account having been endowed with administrator privileges; and if operating in a Windows user account without administrator privileges, e.g., a Standard or Guest account, even if such account is password-protected, the operator must enter in the UAC dialog an administrator-account username in addition to the same administrator-account password. Failing to enter the item(s) in the UAC dialog-box, this Windows user knows of no way to install any program or change any settings protected by this Cert. I cannot even start a System Restore Point without first approving whatever might be done by all changes that might be made, based on the expired certificate for my only assurance of genuineness.

    . For short, here's one, simple procedure in my OEM Windows 8 (x64) system, starting with the familiar Control Panel, open this - Control Panel\System and Security\System:
    1. Open the System window, located in System and Security area of Control Panel:
    2. Mouse-over the line item, System protection, at upper left; this shows it to be a hyperlink.
    3. Left-click (L-clk) on the hyperlink, System protection. Observe that the monitor clears all windows and displays only the UAC dialog box; and, that box has text: "Do you want to allow the following program to make changes to your computer?"
    4. A program name is listed below that; in this case, it is "System protection settings" plus this: "Verified publisher: Microsoft Windows"
    5. Ignore the Password slot if present - leave it blank - and find the pull-down button at left in the UAC d-box, labelled (approx.) "Show Details..."
    6. In the newly added text, find the line of text in color, underlined (hyperlink), that offers to let you view the security certificate.
    7. L-clk that hyperlink, and the UAC d-box will be overlaid by the Security Certificate viewer d-box. The values for Valid from: and Valid to: dates will be visible in the lower half of this d-box (in its "General" tab). The dates displayed have always been, ever since I un-boxed the PC on 11/22/2013, Valid from:4/9/2012 and Valid to:7/9/2013. Bummer!
    . You can click around in that box and on its other tabs, and discover much more information from the cert. without changing anything. When done, just L-clk on "Cancel" or "Done" or "OK" or equivalent, to close the Cert. viewer d-box; and be sure to click "No" or "Cancel" or equivalent in the UAC d-box, and it will vanish without causing any action, and the shortcuts and the opened windows will return to view on your screen immediately. Do not click on "Yes" because that will authorize the program to run its course, and you will be stuck with the results. This procedure above is pretty safe, because in THIS CASE, what you would get with a "Yes" would be the System Protection tab in the "System Properties" d-box. That tab would let you start System Restore to select a Restore Point, or would let you create a new Restore Point, or let you Cancel out without anything changing.

    . I might add, that while my then-new Windows 8 PC was still in warranty in January and February of 2014, I telephoned and discussed this issue hour after hour, night after night, with Windows® Support staff, and repeatedly requested that this certificate be updated. In my several years of XP and Vista experience, Microsoft® had frequently included new certificates in the Patch Tuesdays at a few months intervals. However, I was never able to penetrate the hours of verbal haze with which my questions were obfuscated on each of several phone calls by various Support staff, and pretty soon the minuscule 90-days warranty support accompanying purchase of this OEM Windows product was expired, and I was given to understand that I could purchase more warranty support by paying (in fading memory?) maybe $169.00 p.a. But no one would assure me that there would be any better result from Microsoft®, an updated certificate, if I paid them again. So, I was S.O.L. and still stuck. Stuck with personally approving software and OS changes that are guaranteed by this long-ago-expired form of software assurance, if I want to patch any of the vulnerabilities built into these products by the vendor. Certainly, this Windows 8 OS does need the patches.

    But, hey, it's Microsoft® software, so, what can one say? Here's hoping that I have given you all the answers you needed, to solve this problem. But you are running Windows 8.1.1, and so your certificates may have all been replaced and updated, while I am struggling to get my OEM Windows 8 updated properly in order to install Windows 8.1 and Update. This cert. is one obstacle to assuring a sound, basic Windows 8 OS, prior to trying to succeed with 8.1; Windows Update is another obstacle to proper updating, also having unexplained issues, but those will be the subject of another thread at least, and previously were identified in a Microsoft Community forum. And Windows 10 is looming on the horizon...
    ============================================================================================
    This message was produced entirely with 100% post-consumer and recycled electrons. No animals were harmed in the creation of this posting.
    Last edited by RxDdude; 15 Jul 2015 at 07:04. Reason: Windows 8 Control Panel> > System Protection is a better example than Flash Player (Adobe offered its own, 2016 certif. for the v18.0.0.209 update, last night)

  5. #5


    Posts : 7
    Windows 8 (x64)


    In reply to "hydranix," 2nd above, I shall only recap the known facts. This security certificate is two years out of date, and it is the most frequently-offered certificate when Windows 8's UAC is deployed to protect the system. The administrator is required by this feature of Windows 8, to approve the installation of software changes on the basis of an assurance that the software is genuine, and that assurance is based on a shaky support. Having sync'd my system clock, I am sure.

    To Hydranix, you seem to have spiraled from a deficient understanding of software assurance to doubting that criminal hackers and foreign governments' cyber-espionage teams exist and are working every day. It appears that your faith in your intellectual superiority is so great that another's mentioning that such forces do exist in this world wherein they do threaten the privacy, health, and finances of real people on line can be cavalierly ascribed to unwarranted paranoia. How many accredited degrees in psychology and how many years' working experience in mental health professions have you?
    ==========================================================================================
    This message was produced entirely with 100% post-consumer and recycled electrons. No animals were harmed in the creation of this posting.
    Last edited by RxDdude; 15 Jul 2015 at 06:30.

  6. #6


    Harrisonburg, Va.
    Posts : 10,488
    Windows 8.1.1 Pro with Media Center


    Screenshots would help.

  7. #7


    I tried to replicate what you're describing and was unsuccessful. The certificate that I see is valid until 10/01/2015 (MM/DD/YYYY)

    Looking into it more.

  8. #8


    Posts : 7
    Windows 8 (x64)


    OK, I am not aware of your listed OS, Kernel 4.x, and would not be surprised to find that one would need to be running Microsoft® Windows® 8, maybe x64 only, like mine, in order to be presented with this cert. that keeps showing up here.
    . I think I made a mistake, suggesting Adobe Flash Player. You, in this case, might be looking at an Adobe certificate rather than this Microsoft certificate. When I updated AFP a few minutes ago, from v18.0.0.203 replacing that with v18.0.0.209 that just came out last night, UAC gave me an Adobe-sourced cert that would be valid to (I don't recall exactly the mm/dd) 2016.
    . Please try it with the REVISED procedure that I just inserted in place of the procedure with AFP, in my 2nd post. This alternate route (and there are many alternative routes) keeps us within Windows OS and I think it might give you a better result, but, if your OS is a later version than my Windows 8 (and it's the HP OEM Windows 8 at that, with ~186 patches installed since Nov. 2013) then you could easily be better off than I.
    . And I also have been seeing from time to time, other certs from Microsoft, with 2015 or 2016 validity expiration dates. But most things I do, prominently including the using of Windows Update Agent to get the Security Updates and non-security updates for my IE 10, and .NET Frameworks, and Windows 8, when they become available. This old 2013 cert. has always been the cert. presented me by UAC when running Windows Update, and for so many more operations in Windows 8.
    . I just find it hard to understand why the mighty Microsoft of Redmond, Washington, has no way for a Customer to get a valid certificate for these purposes. There was, even, a package of updated certs. released by Microsoft last year, maybe Spring of last year, and a good guy gave me the clue to how to download it from microsoft.com, and that package did update several certs. that I had seen as also expired months ago, but it did not affect this major certificate at all. Bummer!
    Last edited by RxDdude; 15 Jul 2015 at 07:38. Reason: just for typos and clarification

  9. #9


    Posts : 7
    Windows 8 (x64)


    Originally posted by David Bailey:
    Screenshots would help.
    Thanks, Mr. Bailey. I can supply screenshots [actually, JPEG photos - - haven't figured out how to get a screenshot in Windows 8 since the simple, old ALT+PRT SCRN seems to have been eliminated by our benefactors at Microsoft®], but I am kind of bushed, stayed up all night preparing these replies with carefully selected post-consumer and recycled electrons, and would like to post photo or two after I can have a couple of hours of sleep. Have to get some tasks done, too, others will be waiting. Look for me by 11 PM this evening, though.

  10. #10


    Originally posted by RxDdude:
    In reply to "hydranix," 2nd above, I shall only recap the known facts. This security certificate is two years out of date, and it is the most frequently-offered certificate when Windows 8's UAC is deployed to protect the system. The administrator is required by this feature of Windows 8, to approve the installation of software changes on the basis of an assurance that the software is genuine, and that assurance is based on a shaky support. Having sync'd my system clock, I am sure.
    I think you're a little mistaken. When a code signing certificate expires, timestamped code signed by the certificate doesn't expire. Files on a computer can go years without being updated; when they're signed, you know the code hasn't changed, and signing them again with an updated certificate won't make them any more secure or safe. Quite the opposite in fact.

    Originally posted by RxDdude:
    To Hydranix, you seem to have spiraled from a deficient understanding of software assurance to doubting that criminal hackers and foreign governments' cyber-espionage teams exist and are working every day. It appears that your faith in your intellectual superiority is so great that another's mentioning that such forces do exist in this world wherein they do threaten the privacy, health, and finances of real people on line can be cavalierly ascribed to unwarranted paranoia.
    No, I haven't actually. Where exactly did I do any of these things?

    Originally posted by RxDdude:
    OK, I am not aware of your listed OS, Kernel 4.x, and would not be surprised to find that one would need to be running Microsoft® Windows® 8, maybe x64 only, like mine, in order to be presented with this cert. that keeps showing up here.
    I use the Linux kernel 4.x.x as the basis of the operating system I use day-to-day. I also have several versions of Windows.

    Originally posted by RxDdude:
    . I think I made a mistake, suggesting Adobe Flash Player. You, in this case, might be looking at an Adobe certificate rather than this Microsoft certificate. When I updated AFP a few minutes ago, from v18.0.0.203 replacing that with v18.0.0.209 that just came out last night, UAC gave me an Adobe-sourced cert that would be valid to (I don't recall exactly the mm/dd) 2016.
    Adobe Flash Player is very insecure, and probably the most exploited software to date. Just recently several remote code execution 0-day exploits were leaked. It's very unwise to use Flash Player on a computer which you pass any kind of sensitive information through.

    Originally posted by RxDdude:
    . And I also have been seeing from time to time, other certs from Microsoft, with 2015 or 2016 validity expiration dates. But most things I do, prominently including the using of Windows Update Agent to get the Security Updates and non-security updates for my IE 10, and .NET Frameworks, and Windows 8, when they become available. This old 2013 cert. has always been the cert. presented me by UAC when running Windows Update, and for so many more operations in Windows 8.
    Perhaps you have UAC turned up all the way. You would be better off modifying your group policy for UAC to better suit your needs.

    Originally posted by RxDdude:
    . I just find it hard to understand why the mighty Microsoft of Redmond, Washington, has no way for a Customer to get a valid certificate for these purposes. There was, even, a package of updated certs. released by Microsoft last year, maybe Spring of last year, and a good guy gave me the clue to how to download it from microsoft.com, and that package did update several certs. that I had seen as also expired months ago, but it did not affect this major certificate at all. Bummer!
    The certificate was valid when it was used to sign and timestamp whatever software you are trying to run. This is all that matters, and even still, it matters very little in terms of security.
    Last edited by hydranix; 15 Jul 2015 at 19:55.

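The point made in post #10, that a timestamped Authenticode signature keeps verifying after the signer certificate's "Valid to" date, can be checked on the machine itself. The following is an added example and not part of any post in this thread; the function name `Get-SignatureExpiryReport` and the file path in the last line are placeholders.

```powershell
# Added example, not from the thread. Reports, for each file, whether the
# signature verifies and whether the signer certificate has since expired.
function Get-SignatureExpiryReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )

    $now = Get-Date
    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate      # certificate that signed the code
        $tsa    = $sig.TimeStamperCertificate # certificate of the timestamp authority, if any

        $signerExpired = $false
        if ($signer) { $signerExpired = ($signer.NotAfter -lt $now) }

        # The certificate dates alone do not decide trust; Status is the verdict
        # of the full signature check, which takes the timestamp into account.
        if ($sig.Status -eq 'NotSigned') {
            $reading = 'No signature was found by this cmdlet'
        } elseif ($sig.Status -ne 'Valid') {
            $reading = "Signature does not verify: $($sig.StatusMessage)"
        } elseif ($signerExpired -and $tsa) {
            $reading = 'Signer certificate has expired; signature is timestamped and still verifies'
        } elseif ($signerExpired) {
            $reading = 'Signer certificate has expired and no timestamp certificate was reported'
        } else {
            $reading = 'Signer certificate is within its validity period'
        }

        [pscustomobject]@{
            File          = $file
            Status        = $sig.Status
            SignerSubject = if ($signer) { $signer.Subject } else { $null }
            SignerIssuer  = if ($signer) { $signer.Issuer } else { $null }
            ValidFrom     = if ($signer) { $signer.NotBefore } else { $null }
            ValidTo       = if ($signer) { $signer.NotAfter } else { $null }
            SignerExpired = $signerExpired
            Timestamped   = [bool]$tsa
            TimestampedBy = if ($tsa) { $tsa.Subject } else { $null }
            Reading       = $reading
        }
    }
}

# Placeholder path: substitute the signed file you want to inspect.
Get-SignatureExpiryReport -Path 'C:\path\to\signed-file.exe' | Format-List
```

A result with `Status` of `Valid` alongside `SignerExpired` of `True` and `Timestamped` of `True` is the situation post #10 describes.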