CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_, ..., "Root") is taking 80-250ms here when executed for the first time in a process. That triggers a race condition in some CEF / NWJS games (Purgo box is an example), where NWJS seems to depend on main thread initialization going faster than 3d initialization in the other thread (otherwise it crashes). The main hitter is the mentioned CertOpenStore(). Probably more important is that the delay is always there upon first reading the root certs after process start, which happens, e.g., any time an app wants to establish a secure connection to a public server.
The major hitter is rootstore.c:check_and_store_certs() which validates certificate chains as a part of host certificate import which is always done fully.
The idea is that we can persist the registry cache (whose load is relatively quick), only adding new certificates, while also making sure that none of the previous root certs was deleted. In the latter case the patches fall back to a full reimport to guarantee that the chain validation is not affected.
The patchset brings CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_, ..., "Root") time from 80-250ms to 5-10ms here after the registry cache was filled once and no cert was deleted on host. The full reinitialization time (on clean prefix or when a cert was deleted) stays nearly the same.
Patch 2 introduces a relatively small independent optimization (which avoids searching for a certificate in the store when it was needed). It has a much smaller impact on the overall process (a few ms here) but is also much simpler.
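The decision described above (reuse the cache and add only new roots, but redo everything if a cached root disappeared from the host) can be sketched as follows. This is an added illustration, not code from the patchset: `plan_root_sync`, `struct fp`, the fingerprint-based comparison and the sample values are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define FP_LEN 20 /* assumption: a cert is identified by a 20-byte fingerprint */
struct fp { unsigned char b[FP_LEN]; };
enum sync_action { SYNC_NOTHING, SYNC_ADD_NEW, SYNC_FULL_REIMPORT };

static int fp_in_set(const struct fp *set, size_t n, const struct fp *fp)
{
    for (size_t i = 0; i < n; i++)
        if (!memcmp(set[i].b, fp->b, FP_LEN)) return 1;
    return 0;
}

/* Plan the sync of the cached root set against the host set.
 * new_idx must have room for n_host entries; it receives indices into host[]
 * of certs that still need chain validation and insertion. */
enum sync_action plan_root_sync(const struct fp *cached, size_t n_cached,
                                const struct fp *host, size_t n_host,
                                size_t *new_idx, size_t *new_count)
{
    *new_count = 0;
    if (!n_cached) return SYNC_FULL_REIMPORT; /* clean prefix: nothing to reuse */
    /* A root removed on the host may have anchored chains of certs that are
     * still cached, so the cached validation results can no longer be trusted. */
    for (size_t i = 0; i < n_cached; i++)
        if (!fp_in_set(host, n_host, &cached[i])) return SYNC_FULL_REIMPORT;
    for (size_t i = 0; i < n_host; i++)
        if (!fp_in_set(cached, n_cached, &host[i])) new_idx[(*new_count)++] = i;
    return *new_count ? SYNC_ADD_NEW : SYNC_NOTHING;
}

/* Constructed sample fingerprints (first byte set, rest zero). */
static const struct fp cached_set[]   = { {{0xA1}}, {{0xB2}} };
static const struct fp host_added[]   = { {{0xA1}}, {{0xB2}}, {{0xC3}} };
static const struct fp host_deleted[] = { {{0xA1}}, {{0xC3}} };

int main(void)
{
    size_t idx[3], n;
    printf("added:   %d\n", plan_root_sync(cached_set, 2, host_added, 3, idx, &n));
    printf("deleted: %d\n", plan_root_sync(cached_set, 2, host_deleted, 2, idx, &n));
    return 0;
}
```

Only the `SYNC_ADD_NEW` path skips re-validating the already cached roots, which is where the saving on a warm cache comes from.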