How do I find a certificate's installation date in Windows?

I can see the validity dates and so on, but I'm looking for the date it was actually installed. Thanks.

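Certificates are stored in the registry in the following two locations, where the final key value is the same as the certificate thumbprint. So if you have the thumbprint value, you will be able to query the correct regkey.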

    [HKLM\SOFTWARE\Microsoft\SystemCertificates\]
    [HKCU\Software\Microsoft\SystemCertificates\]

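Using the PowerShell function Get-RegistryKeyLastWriteTime here, you can query the last write time of a registry key.

The full code of the PowerShell function is below in case the link dies (this is not my work):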

    Function Get-RegistryKeyTimestamp {
        <#
            .SYNOPSIS
                Retrieves the registry key timestamp from a local or remote system.

            .DESCRIPTION
                Retrieves the registry key timestamp from a local or remote system.

            .PARAMETER RegistryKey
                Registry key object that can be passed into function.

            .PARAMETER SubKey
                The subkey path to view timestamp.

            .PARAMETER RegistryHive
                The registry hive that you will connect to.

                Accepted Values:
                ClassesRoot
                CurrentUser
                LocalMachine
                Users
                PerformanceData
                CurrentConfig
                DynData

            .NOTES
                Name: Get-RegistryKeyTimestamp
                Author: Boe Prox
                Version History:
                    1.0 -- Boe Prox 17 Dec 2014
                        -Initial Build

            .EXAMPLE
                $RegistryKey = Get-Item "HKLM:\System\CurrentControlSet\Control\Lsa"
                $RegistryKey | Get-RegistryKeyTimestamp | Format-List

                FullName      : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
                Name          : Lsa
                LastWriteTime : 12/16/2014 10:16:35 PM

                Description
                -----------
                Displays the lastwritetime timestamp for the Lsa registry key.

            .EXAMPLE
                Get-RegistryKeyTimestamp -Computername Server1 -RegistryHive LocalMachine -SubKey 'System\CurrentControlSet\Control\Lsa' |
                Format-List

                FullName      : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
                Name          : Lsa
                LastWriteTime : 12/17/2014 6:46:08 AM

                Description
                -----------
                Displays the lastwritetime timestamp for the Lsa registry key of the remote system.

            .INPUTS
                System.String
                Microsoft.Win32.RegistryKey

            .OUTPUTS
                Microsoft.Registry.Timestamp
        #>
        [OutputType('Microsoft.Registry.Timestamp')]
        [cmdletbinding(
            DefaultParameterSetName = 'ByValue'
        )]
        Param (
            [parameter(ValueFromPipeline=$True, ParameterSetName='ByValue')]
            [Microsoft.Win32.RegistryKey]$RegistryKey,
            [parameter(ParameterSetName='ByPath')]
            [string]$SubKey,
            [parameter(ParameterSetName='ByPath')]
            [Microsoft.Win32.RegistryHive]$RegistryHive,
            [parameter(ParameterSetName='ByPath')]
            [string]$Computername
        )
        Begin {
            #region Create Win32 API Object
            Try {
                [void][advapi32]
            } Catch {
                #region Module Builder
                $Domain = [AppDomain]::CurrentDomain
                $DynAssembly = New-Object System.Reflection.AssemblyName('RegAssembly')
                $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) # Only run in memory
                $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('RegistryTimeStampModule', $False)
                #endregion Module Builder

                #region DllImport
                $TypeBuilder = $ModuleBuilder.DefineType('advapi32', 'Public, Class')

                #region RegQueryInfoKey Method
                $PInvokeMethod = $TypeBuilder.DefineMethod(
                    'RegQueryInfoKey', #Method Name
                    [Reflection.MethodAttributes] 'PrivateScope, Public, Static, HideBySig, PinvokeImpl', #Method Attributes
                    [IntPtr], #Method Return Type
                    [Type[]] @(
                        [Microsoft.Win32.SafeHandles.SafeRegistryHandle], #Registry Handle
                        [System.Text.StringBuilder], #Class Name
                        [UInt32 ].MakeByRefType(), #Class Length
                        [UInt32], #Reserved
                        [UInt32 ].MakeByRefType(), #Subkey Count
                        [UInt32 ].MakeByRefType(), #Max Subkey Name Length
                        [UInt32 ].MakeByRefType(), #Max Class Length
                        [UInt32 ].MakeByRefType(), #Value Count
                        [UInt32 ].MakeByRefType(), #Max Value Name Length
                        [UInt32 ].MakeByRefType(), #Max Value Length
                        [UInt32 ].MakeByRefType(), #Security Descriptor Size
                        [long].MakeByRefType() #LastWriteTime
                    ) #Method Parameters
                )

                $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
                $FieldArray = [Reflection.FieldInfo[]] @(
                    [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
                )

                $FieldValueArray = [Object[]] @(
                    'RegQueryInfoKey', #CASE SENSITIVE!!
                    $True
                )

                $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
                    $DllImportConstructor,
                    @('advapi32.dll'),
                    $FieldArray,
                    $FieldValueArray
                )

                $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
                #endregion RegQueryInfoKey Method

                [void]$TypeBuilder.CreateType()
                #endregion DllImport
            }
            #endregion Create Win32 API object
        }
        Process {
            #region Constant Variables
            $ClassLength = 255
            [long]$TimeStamp = $null
            #endregion Constant Variables

            #region Registry Key Data
            If ($PSCmdlet.ParameterSetName -eq 'ByPath') {
                #Get registry key data
                $RegistryKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($RegistryHive, $Computername).OpenSubKey($SubKey)
                If ($RegistryKey -isnot [Microsoft.Win32.RegistryKey]) {
                    Throw "Cannot open or locate $SubKey on $Computername"
                }
            }

            $ClassName = New-Object System.Text.StringBuilder $RegistryKey.Name
            $RegistryHandle = $RegistryKey.Handle
            #endregion Registry Key Data

            #region Retrieve timestamp
            $Return = [advapi32]::RegQueryInfoKey(
                $RegistryHandle,
                $ClassName,
                [ref]$ClassLength,
                $Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$TimeStamp
            )
            Switch ($Return) {
                0 {
                    #Convert High/Low date to DateTime Object
                    $LastWriteTime = [datetime]::FromFileTime($TimeStamp)

                    #Return object
                    $Object = [pscustomobject]@{
                        FullName = $RegistryKey.Name
                        Name = $RegistryKey.Name -replace '.*\\(.*)','$1'
                        LastWriteTime = $LastWriteTime
                    }
                    $Object.pstypenames.insert(0,'Microsoft.Registry.Timestamp')
                    $Object
                }
                122 {
                    Throw "ERROR_INSUFFICIENT_BUFFER (0x7a)"
                }
                Default {
                    Throw "Error ($return) occurred"
                }
            }
            #endregion Retrieve timestamp
        }
    }

Usage:

    $RegistryKey = Get-Item "HKLM:<key name>"
    $RegistryKey | Get-RegistryKeyTimestamp | Format-List
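Added example (not part of the answer above and not Boe Prox's code): a self-contained lookup that takes a thumbprint, finds the matching key in every store under both registry roots named above, and reads each key's last write time. The function name `Get-CertRegistryWriteTime`, the `CertRegDemo` type and the `<store>\Certificates\<thumbprint>` layout are assumptions of this example.

```powershell
# Added example. Compile a minimal P/Invoke wrapper once per session.
if (-not ('CertRegDemo.NativeMethods' -as [type])) {
    Add-Type -Namespace CertRegDemo -Name NativeMethods -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
}

function Get-CertRegistryWriteTime {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Keep hex digits only: removes spaces and invisible characters from copy/paste.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint." }

    $z = [IntPtr]::Zero   # the optional output parameters are not needed here
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\SystemCertificates',
                      'HKCU:\Software\Microsoft\SystemCertificates') {
        # Assumed layout: <root>\<store>\Certificates\<thumbprint>
        foreach ($store in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $key = $store.OpenSubKey("Certificates\$tp")
            if ($null -eq $key) { continue }   # certificate is not in this store
            try {
                [long]$fileTime = 0
                $rc = [CertRegDemo.NativeMethods]::RegQueryInfoKey(
                    $key.Handle.DangerousGetHandle(),
                    $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$fileTime)
                if ($rc -ne 0) { throw "RegQueryInfoKey returned $rc for $($key.Name)" }
                [pscustomobject]@{
                    Store         = $store.PSChildName
                    Key           = $key.Name
                    LastWriteTime = [datetime]::FromFileTime($fileTime)
                }
            } finally {
                $key.Close()
            }
        }
    }
}

# The thumbprint is the one quoted in the event-log sample on this page.
Get-CertRegistryWriteTime -Thumbprint 'CA3AFBCF1240364B44B216208880483919937CF7' |
    Format-List
```

The value returned is the most recent write to the key, so any later change to the certificate's stored properties moves it forward; read it as the latest possible installation time.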

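You should be able to search your Application event log in Windows to find the certificate, but if your event log has already overflowed and you don't have log rotation/archiving turned on, that data may be lost forever.

Just search for the exact friendly name string or the thumbprint (without spaces), for example as shown in the event log comment below: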

 Successful auto update of third-party root certificate:: Subject: <CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM> Sha1 thumbprint: <CA3AFBCF1240364B44B216208880483919937CF7>. 

For this certificate:

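Added example (not from either answer): the event-log search described above, written so that it also reports how far back the log still reaches, which shows whether a missing match means "never logged" or "already overwritten". The function name `Find-CertificateEvent` and its parameters are assumptions of this example.

```powershell
function Find-CertificateEvent {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Needle,   # thumbprint or exact friendly name
        [string]$LogName = 'Application'
    )

    # A SHA-1 thumbprint is matched without spaces, as it appears in the event text.
    $compact = $Needle -replace '\s', ''
    if ($compact -match '^[0-9A-Fa-f]{40}$') { $Needle = $compact }

    # Oldest surviving record: anything that happened before it has been overwritten.
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop

    # Walk the log in chronological order and keep events whose text mentions the needle.
    $hits = @(Get-WinEvent -LogName $LogName -Oldest -ErrorAction Stop |
        Where-Object {
            $_.Message -and
            $_.Message.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        Select-Object TimeCreated, Id, ProviderName, Message)

    [pscustomobject]@{
        LogReachesBackTo = $oldest.TimeCreated
        FirstMention     = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
        Matches          = $hits
    }
}

# The thumbprint is the one quoted in the sample event text above.
$result = Find-CertificateEvent -Needle 'CA3AFBCF1240364B44B216208880483919937CF7'
$result | Format-List LogReachesBackTo, FirstMention
$result.Matches | Format-List
```

An empty `FirstMention` together with a recent `LogReachesBackTo` means the log no longer covers the period in which the certificate could have been installed.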