Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below.
Warning Performing these steps to enable the functionality changes will cause non-conforming binaries to appear unsigned and, therefore, render them untrusted.
Note If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To enable the functionality to perform the following steps:
For 32-bit versions of Microsoft Windows
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
For 64-bit versions of Microsoft Windows
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.
How to disable the functionality. Perform the following to delete the registry value previously added.
For 32-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-
You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
For 64-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification64.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-
You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900