Microsoft KB Archive/330240

= HOW TO: Programmatically Remove Expired Certificates from the Current User and Local Machine Certificate Stores on a Windows 2000-Based Computer =

PSS ID Number: 330240

Article Last Modified on 8/8/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional

-



This article was previously published under Q330240



IN THIS TASK

 * SUMMARY
 * Programmatically Remove Expired Certificates from the Current User and Local Machine Certificate Stores
 * Create the Script
 * Run the Script
 * REFERENCES



SUMMARY
This article discusses how to programmatically remove expired certificates from the Current User and Local Machine certificate stores on a Windows 2000-based computer.

When a certificate expires, Windows 2000 does not automatically remove it from the certificate store. In some situations, expired certificates can cause certificate-validation and revocation-checking problems. This article contains a sample script that removes expired certificates from the certificate stores of the current user and of the local computer.

Note To remove certificates from the Local Machine certificate store, you must be a member of the local Administrators group.

Note The script removes every expired certificate that it finds in the Trusted Root Certification Authorities (ROOT), Third-Party Root Certification Authorities (AUTHROOT), Intermediate Certification Authorities (CA), Other People (AddressBook), Software Publisher (SPC), and Trusted People stores, and it does not prompt before it removes a certificate. It does not touch the Personal (MY) store. Because the script cannot undo a removal, export any certificate that you may need again (for example, from the Certificates MMC snap-in) before you run it.


Programmatically Remove Expired Certificates from the Current User and Local Machine Certificate Stores
To create and run a script that removes expired certificates from the certificate store of the current user and the local computer, complete the procedures that are described in the following sections.


To Create the Script

1. Download the redistributable files for CAPICOM to a folder on your hard disk.

   For information about how to obtain the redistributable files for CAPICOM, visit the following Microsoft Web site:

   http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

2. Extract the Capicom.dll file from the Capicom.cab file. Copy the Capicom.dll file to the Winnt\System32 folder on your hard disk. Click Start, and then click Run. In the Open box, type regsvr32.exe capicom.dll, and then click OK. Click OK when you receive the following message:

   DllRegisterServer in capicom.dll succeeded.

3. Start Notepad, and then open a new blank document.

4. Copy the following code, and then paste it into the new blank document.

'******************************************************************************
'
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' Copyright (C) 1999- 2003. Microsoft Corporation. All rights reserved.
'
'******************************************************************************
'
' CleanUpExpired.vbs
'
' This script removes all the expired certificates from the certificate stores.
'
' Note: For simplicity, this script does not handle exceptions.
'
'******************************************************************************

Option Explicit

' CAPICOM Constants
Const CAPICOM_LOCAL_MACHINE_STORE                             = 1
Const CAPICOM_CURRENT_USER_STORE                              = 2
Const CAPICOM_STORE_OPEN_READ_WRITE                           = 1
Const CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED                      = 2
Const CAPICOM_STORE_OPEN_EXISTING_ONLY                        = 128
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME                   = 0
Const CAPICOM_CERTIFICATE_FIND_TIME_EXPIRED                   = 11

' System store names. The Personal (MY) store is deliberately not in this list.
Const CAPICOM_ROOT_STORE                                      = "ROOT"
Const CAPICOM_THIRD_PARTY_STORE                               = "AUTHROOT"
Const CAPICOM_CA_STORE                                        = "CA"
Const CAPICOM_ADDRESSBOOK_STORE                               = "AddressBook"
Const CAPICOM_PUBLISHER_STORE                                 = "SPC"
Const CAPICOM_TRUSTEDPEOPLE_STORE                             = "TrustedPeople"

' First make sure the script is executed by CScript.exe, because the script
' writes its progress to standard output.
If InStr(1, UCase(Wscript.FullName), "CSCRIPT.EXE", vbTextCompare) = 0 Then
    Wscript.Echo "This script can only be executed by CScript.exe." & vbCRLF & vbCRLF & _
                 "You can either:" & vbCRLF & vbCRLF & _
                 "1. Set CScript.exe as the default (Run CScript //h:cscript), or" & vbCRLF & _
                 "2. Run CScript.exe directly as in, CScript " & Wscript.ScriptName & "."
    Wscript.Quit(-1)
End If

Dim SystemStoreNames(5), StoreScopes(1), Store, StoreName, StoreScope, StoreScopeName, Certificate

SystemStoreNames(0) = CAPICOM_ROOT_STORE
SystemStoreNames(1) = CAPICOM_THIRD_PARTY_STORE
SystemStoreNames(2) = CAPICOM_CA_STORE
SystemStoreNames(3) = CAPICOM_ADDRESSBOOK_STORE
SystemStoreNames(4) = CAPICOM_PUBLISHER_STORE
SystemStoreNames(5) = CAPICOM_TRUSTEDPEOPLE_STORE

StoreScopes(0) = CAPICOM_LOCAL_MACHINE_STORE
StoreScopes(1) = CAPICOM_CURRENT_USER_STORE

' Create the Store object. One object is reused for every store that is opened.
Set Store = CreateObject("CAPICOM.Store")

' Now enumerate every store in each scope.
For Each StoreScope in StoreScopes

    For Each StoreName in SystemStoreNames

        ' Set the store scope display name
        Select Case StoreScope
            Case CAPICOM_LOCAL_MACHINE_STORE
                StoreScopeName = "machine"
            Case CAPICOM_CURRENT_USER_STORE
                StoreScopeName = "user"
        End Select

        Wscript.Stdout.Writeline "Opening the " & StoreScopeName & "'s '" & StoreName & "' certificate store."

        ' Open the store with the maximum access the caller is allowed (members of
        ' Administrators get read/write access to the machine stores), and fail
        ' instead of creating the store if it does not already exist.
        Store.Open StoreScope, StoreName, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY

        ' Find returns only the certificates whose validity period has already ended.
        For Each Certificate in Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_TIME_EXPIRED)
            Wscript.Stdout.Writeline " '" & Certificate.GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME) & "' is expired, removing it"
            Store.Remove Certificate
        Next

    Next

Next

' Free resources.
Set Store = Nothing
Set Certificate = Nothing

5. On the File menu, click Save.

6. In the File name box, type CleanUpExpired.vbs.

7. In the Save as type box, click All Files.

8. Specify a location where you want to save the file, and then click Save.

9. Quit Notepad.


Run the Script

1. Click Start, and then click Run.

2. In the Open box, type cmd, and then click OK.

3. At the command prompt, change to the directory that contains the CleanUpExpired.vbs file that you saved in the Create the Script section of this article.

4. Type the following command, and then press ENTER:

   cscript.exe cleanupexpired.vbs

5. Type exit, and then press ENTER to quit Command Prompt.
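The same cleanup, written for Windows PowerShell, as an added example that is not part of the original article or of the CAPICOM sample above. It walks the same six stores in both the LocalMachine and CurrentUser scopes and, like the CAPICOM script, leaves the Personal (My) store alone. Unlike the CAPICOM script it is a dry run by default (it only lists what it would remove), and when -Remove is given it exports each certificate to a backup folder before deleting it so the change can be reversed. The script name, parameter names and the backup folder are assumptions chosen for this example; Export-Certificate and Remove-Item on the Cert: drive need Windows 8 / Windows Server 2012 (PowerShell 3.0) or later, and removing from the LocalMachine stores needs an elevated prompt.

```powershell
# Remove-ExpiredCertificates.ps1 (added example; name and parameters are assumptions)
# Dry run by default. Use -Remove to delete, optionally with -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Same stores the CAPICOM script walks; "My" (Personal) is deliberately excluded.
    [string[]]$StoreNames = @('Root', 'AuthRoot', 'CA', 'AddressBook', 'SPC', 'TrustedPeople'),
    [string[]]$Scopes     = @('LocalMachine', 'CurrentUser'),
    # Folder that receives a DER (.cer) copy of every removed certificate (assumed location).
    [string]$BackupDir    = (Join-Path $env:TEMP 'ExpiredCertBackup'),
    [switch]$Remove
)

$now = Get-Date
$found = 0

foreach ($scope in $Scopes) {
    foreach ($storeName in $StoreNames) {
        $path = "Cert:\$scope\$storeName"
        # Some of these stores (for example SPC) may not exist on every system.
        if (-not (Test-Path -Path $path)) {
            Write-Verbose "Store $path does not exist, skipping."
            continue
        }

        # NotAfter is the end of the validity period; the certificate is expired
        # once that instant is in the past. This mirrors CAPICOM's FIND_TIME_EXPIRED.
        $expired = Get-ChildItem -Path $path | Where-Object { $_.NotAfter -lt $now }

        foreach ($cert in $expired) {
            $found++
            $label = '{0} [{1}] expired {2:u} thumbprint {3}' -f $cert.Subject, $path, $cert.NotAfter, $cert.Thumbprint

            if (-not $Remove) {
                Write-Output "WOULD REMOVE: $label"
                continue
            }

            if ($PSCmdlet.ShouldProcess($label, 'Remove certificate')) {
                # Export first so the removal is reversible with Import-Certificate.
                New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
                $file = Join-Path $BackupDir ('{0}_{1}_{2}.cer' -f $scope, $storeName, $cert.Thumbprint)
                Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null

                Remove-Item -Path $cert.PSPath
                Write-Output "REMOVED: $label (backup: $file)"
            }
        }
    }
}

Write-Output ("{0} expired certificate(s) found." -f $found)
```

Run `.\Remove-ExpiredCertificates.ps1` first and read the WOULD REMOVE lines; if an expired root or intermediate CA certificate appears that you still rely on (for example to build the chain of an older, timestamped signature), drop that store from -StoreNames. Then run `.\Remove-ExpiredCertificates.ps1 -Remove` from an elevated prompt to delete the rest; `-Remove -WhatIf` shows the per-certificate ShouldProcess prompts without changing anything.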


<div class="references_section">