You haven't convinced me that Windows does indeed import the certificate to the root store in all cases. Making the root store
I don't think I said that. I put a fixme in the code that explicitly warns that the store should be determined dynamically.
No, but that's what the code does. What bothers me is that your implementation is correct in only an extremely narrow set of conditions: 1. dwFlags has CRYPTUI_WIZ_NO_UI SET 2. hDestStore is NULL 3. the certificate belongs in the root store The trouble is your patch inserts the certificate in the root store whether or not any of the above conditions is not met. You also ignore the most obvious source of determining the correct destination for the certificate: hDestCertStore.
At least when the source is not a file you fail gracefully. I'd be much happier if you did the same when any of the rest of the conditions is not true, and some tests for the CRYPTUI_WIZ_NO_UI case wouldn't be that hard to write, so why not write them? --Juan