20,223 questions
Using the REG file examples a REG_SZ will be created by default so yes it would be correct.
--please don't forget to upvote and Accept as answer if the reply is helpful--
CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 72%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Roger Roger
7,181
Reputation points
Hi All
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
To remediate the vulnerability CVE-2013-3900 is to add the below registry values.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
- On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1.
- using powershell script i have created Wintrust & config folder and added EnableCertPaddingCheck"="1" , Is Reg_SZ type correct?
- {Default}-Reg_SZ also got created, will this create any issue.
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 84%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Pete 51 Reputation points2023-04-21T17:23:16.44+00:00 To be clear in the link provided https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900under the FAQ section there are Suggested Actions. Copy the text paste into a text file and save as SomeName.reg Be sure to copy the right text for either x64 or x32 machine. Export your registry, I would do it at the Software level, so you get both entries. Then double click on the .reg file and it will update the registry for you. Go into HKLM\Software\Microsoft\Cryptography and you should see the entry. Also check Wow6432Node. Restart your computer for it to take effect.
This is better than manually trying to enter the registry info. This is the x64 entry.Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 41%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Ankita, Parab 75 Reputation points2024-02-16T10:16:14.7833333+00:00 What is the impact of Registry changes apart from fixing vulnerability?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWC%3C/text%3E%3C/svg%3E)
William Chung 1 Reputation point2025-06-09T01:36:15.8166667+00:00 From the official Microsoft Fix Action web site (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900), the registry value can be either DWORD or REG_SZ. However, I would personally choose DWORD over REG_SZ because the REG_SZ will need to be converted to DWORD by Windows when interpreting the value as a number.
For 32-bit versions of Windows, use the following text:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"=dword:1For 64-bit versions of Windows, use this text:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"=dword:1 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"=dword:1Note You must restart the system for your changes to take effect. Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.
Verifying that the Improvement to Authenticode Signature Verification is Implemented Correctly
Earlier versions of CVE-2013-3900 had recommended configuring EnableCertPaddingCheck to string value “1”, rather than to DWORD 1. Customers who had followed that guidance do not need to make further changes to their systems. Although Windows treats the EnableCertPaddingCheck value as a DWORD, its actual registry value type does not matter, as long as all these length and data requirements are met:
- The EnableCertPaddingCheck registry value is present (any data type)
- The value’s data length is from 1 to 4 bytes
- At least one of those bytes is a non-zero value
Compliance validation tools should not fail the EnableCertPaddingCheck inspection for its value type. Ideally, a test should read the value as a four-byte value, ignoring its type, and pass the test if the four-byte value is present and non-zero. If a scanning tool does not support specifying validation criteria that way, then given the two specific ways Microsoft has published to configure the setting, scanning tools should pass the check if either of these is true:
- EnableCertPaddingCheck is a REG_DWORD, value exactly "1"
- EnableCertPaddingCheck is a REG_SZ, value exactly "1"Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted. Verifying that the Improvement to Authenticode Signature Verification is Implemented Correctly Earlier versions of CVE-2013-3900 had recommended configuring EnableCertPaddingCheck to string value “1”, rather than to DWORD 1. Customers who had followed that guidance do not need to make further changes to their systems. Although Windows treats the EnableCertPaddingCheck value as a DWORD, its actual registry value type does not matter, as long as all these length and data requirements are met:
- The EnableCertPaddingCheck registry value is present (any data type)
- The value’s data length is from 1 to 4 bytes
- At least one of those bytes is a non-zero value
- EnableCertPaddingCheck is a REG_DWORD, value exactly "1"
- EnableCertPaddingCheck is a REG_SZ, value exactly "1"
Sign in to comment
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-02-20T20:50:08.7933333+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 93%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shamshad Ansari 0 Reputation points2024-09-25T06:59:58.1133333+00:00 how to create the folder..Pls help
Sign in to comment -
8 additional answers
Sort by: Oldest
-
Roger Roger 7,181 Reputation points
2023-02-21T04:50:24.7566667+00:00 On Windows servers 2016/2019 i dont see the folders Wintrust\Config in registries. do i need to create these folders and the registry value EnableCertPaddingCheck"=1
-
Anonymous
2023-02-21T13:36:42.0333333+00:00 Yes, you could create them.
--please don't forget to
upvoteandAccept as answerif the reply is helpful--
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 49%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Matt D. Sardi 40 Reputation points2023-03-24T12:44:16.2033333+00:00 These reg keys do not resolve this vulnerability. I am still waiting for Microsoft to provide an updated and working resolution.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 99%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Mohit Sharma 15 Reputation points2023-04-04T13:19:53.8966667+00:00 Why do you think they don't? These reg keys have resolved this vulnerability for us and no longer appears in our vulnerability scanner.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 55.00000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Shijin Nath 6 Reputation points2023-04-27T11:24:28.9133333+00:00 Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
Microsoft does not have a permanent fix yet. The fix is suggested understanding the risk of going with it.
https://community.tenable.com/s/article/WinVerifyTrust-Signature-Validation-Mitigation-CVE-2013-3900
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 30%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Brian Simpson 15 Reputation points2023-07-07T22:21:07.63+00:00 Matt, actually worked for me.
Sign in to comment -
-
Brian Simpson 15 Reputation points
2023-07-03T18:06:12.7966667+00:00 Made the .reg from the entries below. Transferred it to the user's machine and ran. Waiting for SP360 to refresh and I'll verify the fix.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
-
Brian Simpson 15 Reputation points
2023-07-07T22:16:28.49+00:00 Proved the fix.
Microsoft stated that they have re-published the CVE-2013-3900 to inform customers about the availability of EnableCertPaddingCheck. This behavior remains available as an opt-in feature via the registry key setting and is available on all supported editions of Windows released since December 10, 2013. <P>
Microsoft recommends that executable authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that customers appropriately test this change to evaluate how it will behave in their environments.<P>
Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below.<BR>
- HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1"<BR>
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config "EnableCertPaddingCheck"="1"<P>
QID Detection Logic (Authenticated):<BR>
This QID checks for the presence of these registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config and HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config, and checks whether the value 'EnableCertPaddingCheck' associated with these keys is set to 1.<BR>
If these keys are missing or the value is not set to 1, then this QID gets reported as a vulnerability is several security monitoring programs, including SP360<P>
"
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 10%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Dhanraj D 11 Reputation points2024-12-16T10:20:03.31+00:00 Hi,
When Microsoft released the remediation steps for this vulnerability, the data type of registry value "EnableCertPaddingCheck" = 1 as REG_SZ and we set this value as "REG_SZ" across all computers. However, I can see that Microsoft changed the data type from "REG_SZ" to "REG_DWORD" on Nov 12th, 2024.
So, my question is if we need to set the value again as "REG_DWORD" or having it as "REG_SZ" as per the initial recommendation is enough to arrest this vulnerability.
Any help would be greatly appreciated on this.
Thanks and Regards,
D.Dhanraj
Sign in to comment -
-
Brian Simpson 15 Reputation points
2023-07-07T22:22:32.6766667+00:00 - Make the .reg from the entries below.
- Transfer it to the user's machine and run.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] "EnableCertPaddingCheck"="1"
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 73%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
BradH2000 0 Reputation points2023-07-14T14:36:38.2033333+00:00 Would it have any negative effects to go ahead and add both entries x32/x64 to a x64 system? It would be easier to create a single .reg file and add everywhere.
Also our scanner is reporting a couple of 2012r2 servers. I'm guessing that the answer didn't include 2012r2 because it's EOL?
Sign in to comment