Hi,

Our customer reports the following problem.

On one Vista SP1 computer, we import the Entrust Root certificate called
“Central” into the Trusted Root Certificate store. The “Central” certificate
is removed automatically after some time.

After some troubleshooting, we find that foldershare.exe calls into Lsass to
delete the certificate.

The call stack in Lsass is:

ChildEBP RetAddr Args to Child
04fef2e0 76bd9d5a 00000700 04fef31c 00000000 advapi32!LocalBaseRegDeleteKeyEx (FPO: [Non-Fpo]) (CONV: stdcall) [o:\cfs.obj.x86fre\base\screg\winreg\local\objfre\i386\regdkey.c @ 110]
04fef2fc 76bd9cef 00000700 04fef31c b428bc09 advapi32!LocalBaseRegDeleteKey+0x15 (FPO: [Non-Fpo]) (CONV: stdcall) [o:\cfs.obj.x86fre\base\screg\winreg\local\objfre\i386\regdkey.c @ 52]
04fef350 7549408f 00000700 04fef3b4 00000700 advapi32!RegDeleteKeyW+0x68 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\base\screg\winreg\client\regdkey.c @ 157]
04fef378 7549417a 00000700 04fef3b4 00000000 crypt32!RecursiveDeleteSubKey+0xdb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\logstor.cpp @ 1867]
04fef398 75494463 0000078c 7544d7e4 04fef3b4 crypt32!ILS_DeleteElementFromRegistry+0x4f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\logstor.cpp @ 2684]
04fef40c 754825b7 020dfa20 020e4890 00000001 crypt32!DeleteUnprotectedRootFromRegistryCallback+0x3c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\logstor.cpp @ 8910]
04fef450 75455778 020d8f90 04fef480 75494429 crypt32!IPR_DeleteUnprotectedRootsFromStore+0x8e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\protroot.cpp @ 2319]
04fef474 75465d9a 020e4894 00000001 00000000 crypt32!ResyncFromRegistry+0xdc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\logstor.cpp @ 4776]
04fef488 75465993 020e4890 00000000 00000001 crypt32!RegStoreProvControl+0x8e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\logstor.cpp @ 4934]
04fef4a0 7546592f 020d89f0 00000000 00000001 crypt32!CertControlStore+0x4c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 4019]
04fef4d0 754659b1 020d8900 00000000 00000001 crypt32!ControlCollectionStore+0x61 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 3960]
04fef4e8 74f64a9f 020d8900 00000000 00000001 crypt32!CertControlStore+0x2c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 4003]
04fef50c 74f7385f 004a5260 004f51f8 00000001 schannel!SslCheckForRootStoreChange+0x7b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\cred.c @ 2843]
04fef524 74f74871 004a52c4 04fef560 04fef55c schannel!UpdateAndDuplicateIssuerList+0x31 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\ssl3.c @ 6451]
04fef580 74f55db4 000002d4 04fef648 004325a4 schannel!SPSsl3SrvGenServerHello+0x271 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\ssl3.c @ 5156]
04fef59c 74f48ae3 004f51f8 04fef648 74f4a130 schannel!SPGenerateResponse+0x13d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\ssl3.c @ 4782]
04fef5d8 74f4a111 004f51f8 04fef654 04fef648 schannel!Ssl3ClientProtocolHandler+0x4ba (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\ssl3.c @ 400]
04fef604 74f76ce0 004f51f8 04fef654 04fef648 schannel!Ssl3ProtocolHandler+0x10b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\ssl3.c @ 99]
04fef628 74f5c885 40000054 04fef654 04fef648 schannel!ServerProtocolHandler+0x107 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\spbase\srvprot.c @ 135]
04fef678 756f67b8 004a5260 00000000 04fef820 schannel!SpAcceptLsaModeContext+0x243 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\protocols\schannel\lsa\ctxtapi.c @ 1102]
04fef6ec 756f6599 004615c8 0047b7b0 04fef820 lsasrv!WLsaAcceptContext+0x18e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\ctxtapi.cxx @ 507]
04fef864 756fd3c7 0047b780 0047b780 004e9d80 lsasrv!LpcAcceptContext+0x157 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\klpcstub.cxx @ 2603]
04fef87c 756fd613 0047b780 757cc0b0 02103348 lsasrv!DispatchAPI+0x80 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\klpcstub.cxx @ 5450]
04fef938 756fda56 0047b780 04fef984 76ee4aa6 lsasrv!LpcHandler+0x2bf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\klpc.cxx @ 1471]
04fef95c 756f928c 0042ec20 b5d5734e 00000000 lsasrv!SpmPoolThreadBase+0xd3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\thdpool.cxx @ 591]
04fef9a0 76ee4911 021391e8 04fef9ec 772ee4b6 lsasrv!LsapThreadBase+0xaf (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\ds\security\base\lsa\server\sphelp.cxx @ 1924]
04fef9ac 772ee4b6 021391e8 73c9cd1c 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo]) (CONV: fastcall) [d:\rtm\base\win32\client\thread.c @ 66]
04fef9ec 772ee489 756f9228 021391e8 00000000 ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\base\ntos\rtl\rtlexec.c @ 2740]
04fefa00 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\rtm\base\ntos\rtl\rtlexec.c @ 2672]

For detailed information, please refer to the following link.
http://decent/Incidents/CaseDetail.a...RS080421600066
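As an added example (not part of the original report), the following PowerShell script baselines the Root store and reports any root that disappears between runs, cross-checking the per-certificate registry key that the crypt32 frames in the call stack above delete; the store path, baseline file location and hive mapping are assumptions for illustration.

```powershell
# Added example: detect roots silently removed from the Root store between runs.
param(
    # Assumption: machine store; use 'Cert:\CurrentUser\Root' for the per-user store.
    [string]$StorePath = 'Cert:\LocalMachine\Root',
    # Assumption: where the previous snapshot is kept.
    [string]$Baseline  = "$env:TEMP\root-store-baseline.xml"
)

function Get-RootSnapshot {
    param([string]$Path)
    # Thumbprint is the identity used both by the Cert: provider and by the registry store.
    Get-ChildItem -Path $Path | Select-Object Thumbprint, Subject, NotAfter
}

function Test-RootRegistryKey {
    # crypt32 keeps each root under SystemCertificates\Root\Certificates\<thumbprint>;
    # the stack above shows that key being deleted via RegDeleteKeyW.
    param([string]$Thumbprint, [string]$Path)
    $hive = if ($Path -like 'Cert:\CurrentUser\*') { 'HKCU' } else { 'HKLM' }
    $key  = "Registry::$hive\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    return (Test-Path -Path $key)
}

$current = @(Get-RootSnapshot -Path $StorePath)

if (-not (Test-Path -Path $Baseline)) {
    # First run: record the baseline and stop.
    $current | Export-Clixml -Path $Baseline
    Write-Output ("Baseline written: {0} roots from {1}" -f $current.Count, $StorePath)
    return
}

$previous = @(Import-Clixml -Path $Baseline)

# '<=' marks thumbprints present in the baseline but missing now.
$removed = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Thumbprint |
    Where-Object { $_.SideIndicator -eq '<=' }

foreach ($r in $removed) {
    $info  = $previous | Where-Object { $_.Thumbprint -eq $r.Thumbprint }
    $inReg = Test-RootRegistryKey -Thumbprint $r.Thumbprint -Path $StorePath
    Write-Output ("{0:u} REMOVED {1} '{2}' registryKeyPresent={3}" -f (Get-Date), $info.Thumbprint, $info.Subject, $inReg)
}

# Roll the baseline forward so the next run reports only new removals.
$current | Export-Clixml -Path $Baseline
```

Run it once to record the baseline, then on a schedule; a REMOVED line whose timestamp lines up with LSASS activity (for example an incoming TLS connection to foldershare.exe) points at the resync path shown in the stack.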