How cryptext.dll CryptExtAddCERMachineOnlyAndHwnd Works

Security analysts sometimes see this function imported by malicious software. Attackers who have gained local admin privileges may use CryptExtAddCERMachineOnlyAndHwnd to silently add a malicious root certificate to the machine store, enabling SSL interception or code signing bypass. In this case, the HWND parameter might be set to a hidden window (NULL or a dummy handle) to suppress error popups.

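    #include <windows.h>

    // Undocumented export: this prototype is an assumption inferred from the call below.
    typedef HRESULT (WINAPI *pCryptExtAddCERMachineOnlyAndHwnd)(HWND, DWORD, LPCWSTR);

    void ImportCertToMachineStore(HWND hWnd, LPCWSTR certPath)
    {
        // Load from System32 only, so a cryptext.dll planted elsewhere on the search path is ignored.
        HMODULE hMod = LoadLibraryExW(L"cryptext.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (hMod)
        {
            // GetProcAddress takes an ANSI export name, even in a Unicode build.
            auto pFunc = (pCryptExtAddCERMachineOnlyAndHwnd)GetProcAddress(hMod, "CryptExtAddCERMachineOnlyAndHwnd");
            if (pFunc)
            {
                HRESULT hr = pFunc(hWnd, 0, certPath);
                if (SUCCEEDED(hr))
                    MessageBoxW(hWnd, L"Wizard started. Certificate will go to Machine store.", L"PKI Helper", MB_OK);
            }
        }
    }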
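A loader like the one above resolves the export with LoadLibrary and GetProcAddress, so the function never appears in the import table; the names survive only as strings (the export name as ASCII, the DLL name possibly as UTF-16LE). The triage scan below is an added example, not code from the original page: `scan_for_cryptext_use` is a hypothetical helper and the sample bytes are constructed.

```python
import re

# GetProcAddress takes an ANSI string, so the export name is stored as ASCII.
EXPORT_NAME = b"CryptExtAddCERMachineOnlyAndHwnd"
DLL_NAME = "cryptext.dll"

# Constructed sample: fake header bytes, the DLL name as a wide string
# (as passed to a wide-character LoadLibrary call), then the ASCII export name.
CONSTRUCTED_LOADER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + DLL_NAME.encode("utf-16-le") + b"\x00\x00"
    + EXPORT_NAME + b"\x00"
)


def _offsets(pattern: bytes, blob: bytes) -> list:
    """Case-insensitive offsets of a literal byte pattern inside blob."""
    return [m.start() for m in re.finditer(re.escape(pattern), blob, re.IGNORECASE)]


def scan_for_cryptext_use(blob: bytes) -> dict:
    """Locate the export name and the DLL name (ASCII and UTF-16LE) in a binary."""
    hits = {
        "export_ascii": _offsets(EXPORT_NAME, blob),
        "dll_ascii": _offsets(DLL_NAME.encode("ascii"), blob),
        "dll_utf16le": _offsets(DLL_NAME.encode("utf-16-le"), blob),
    }
    dll_seen = bool(hits["dll_ascii"] or hits["dll_utf16le"])
    if hits["export_ascii"] and dll_seen:
        hits["verdict"] = "review: resolves the machine-store import export at runtime"
    elif hits["export_ascii"] or dll_seen:
        hits["verdict"] = "weak: only one of the two names present"
    else:
        hits["verdict"] = "clean"
    return hits


if __name__ == "__main__":
    for name, value in scan_for_cryptext_use(CONSTRUCTED_LOADER).items():
        print(f"{name}: {value}")
```

A hit is a reason to look closer, not proof of abuse, and a packed sample or one that builds the strings at runtime will not match.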

The MachineOnly part of the name suggests the certificate is being installed to the Local Machine store (accessible by all users) rather than just the Current User store.

When CryptExtAddCERMachineOnlyAndHwnd is called, it performs several tasks:

This specific function is part of the cryptext.dll (Crypto Shell Extensions) library, which handles how Windows interacts with certificate files (.cer, .crt) through the file system and user interface.