I am looking for a method, using PowerShell only, to list the certificate chain for signed files. Specifically to get the Root certificate.

As I need to get a list of which Non-Microsoft root certificates certain executables (on installed software), are dependent on. This is due to a OS-baseline guidelines, that uses the PKI procedure in Microsoft KB293781. Where only specific Root certificates shall be put on specific computers. E.g the much used "VeriSign Class 3 Primary CA - G5", shall only be used when necessary.

Get-AuthenticodeSignature only lists the Issuer. E.g: Get-AuthenticodeSignature C:\windows\system32\MRT.exe

Tools like "SysInternals SigCheck" is able to do this sigcheck.exe -i C:\windows\System32\mrt.exe, and this infomation can be parsed further on. Also other tools like SignTool.exe from the Windows SDK, and AnalyzePESig by Didier Stevens can get this info.

But can this be done using only PowerShell? Perhaps using the WinVerifyTrust API in Windows. https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx http://support2.microsoft.com/kb/323809/en-us

Cheers, Tekk

This should be possible by accessing .NET directly in PowerShell. Here's a snippet I whipped up using the example file you had referenced in your question:

# Get a X590Certificate2 certificate object for a file
$cert = (Get-AuthenticodeSignature -FilePath C:\windows\system32\MRT.exe).SignerCertificate
# Create a new chain to store the certificate chain
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
# Build the certificate chain from the file certificate
$chain.Build($cert)
# Return the list of certificates in the chain (the root will be the last one)
$chain.ChainElements | ForEach-Object {$_.Certificate}

Does that give you what you were looking for?