Tags: windows, certificate, certutil

certutil -addstore -user -f Root gives error_access_denied, although run as admin


Trying to install a certificate file (xxx.cer) to the user's root certificate list with the following command

certutil -addstore -user -f Root .\xxx.cer

results in the error message

CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

I'm running this from an elevated admin prompt. Trying to install the certificate through the MMC GUI results in the same error message. Running it via psexec -i -s as the SYSTEM account works, but then, of course, the certificate is not in the user's context.

Trying to install the certificate on any other PC works fine, so the file is OK. sfc /scannow doesn't bring up any errors either.

Any idea what I could do to fix this?


Solution

  • The problem was with the registry key Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots, to which the user had no access (read access is required). For some reason there was an "unknown" user SID in the access rights to this key. Removing this and adding the correct user fixed the issue.

    I found this by running procmon on certutil.exe. This revealed an "access denied" result when it tried to read this registry key.
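Added example, not code from the original post or answer: a PowerShell check for the condition the answer describes, run as the affected user. It lists the ACL on the ProtectedRoots key, flags entries whose SID no longer resolves to an account, repeats the read-only open that certutil needs, and with the `-Repair` switch (an assumption of this script, not something the answer names) applies the answer's fix of removing the orphaned entries and granting the current user read access.

```powershell
# Added diagnostic, not from the original post. Run as the user whose
# certutil -addstore -user Root fails with 0x80070005.
param([switch]$Repair)

$subKey  = 'SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots'
$keyPath = "HKCU:\$subKey"

# Get-Acl needs READ_CONTROL, which the key's owner always has even when
# KEY_READ itself is missing; stop with a clear message otherwise.
try {
    $acl = Get-Acl -Path $keyPath -ErrorAction Stop
} catch {
    Write-Warning "Cannot read ACL of $keyPath : $($_.Exception.Message)"
    return
}

Write-Host "Owner: $($acl.Owner)"
Write-Host 'Access entries on ProtectedRoots:'
$orphans = @()
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference
    # When a SID cannot be mapped to an account name, Get-Acl leaves it as a
    # raw SecurityIdentifier; that is the "unknown" user the answer found.
    $orphaned = $id -is [System.Security.Principal.SecurityIdentifier]
    if ($orphaned) { $orphans += $ace }
    $flag = if ($orphaned) { '  <-- unresolved SID' } else { '' }
    Write-Host ('  {0,-40} {1,-6} {2}{3}' -f $id.Value, $ace.AccessControlType, $ace.RegistryRights, $flag)
}

# Reproduce the read that certutil performs, as the current user.
try {
    $k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey, $false)
    if ($null -eq $k) { Write-Warning 'ProtectedRoots key does not exist' }
    else { Write-Host 'Read-only open of ProtectedRoots: OK'; $k.Close() }
} catch [System.Security.SecurityException] {
    Write-Warning 'Read-only open of ProtectedRoots: ACCESS DENIED (the certutil 0x80070005)'
}

if ($Repair -and $orphans.Count -gt 0) {
    # Drop every unresolved entry and grant the current user ReadKey,
    # inherited by subkeys, which is what the answer did by hand.
    foreach ($ace in $orphans) { $null = $acl.RemoveAccessRule($ace) }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $me, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Removed $($orphans.Count) orphaned entries and granted ReadKey to $me"
}
```

Run it once without `-Repair` to confirm the access-denied open and the unresolved SID before changing anything, then re-run certutil after the repair.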