
Windows has an internal list of root certificates that cannot be deleted.

In Windows, according to this information, root certificates are updated through a Certificate Trust List (CTL). Although the article makes it sound like a mechanism for caching the certificate list on a local server, a search helpfully turns up a Microsoft-signed authrootstl.cab that Windows, starting with 7, trusts unconditionally and refreshes every week, or every day if update KB3004394 is installed.


In the management console (MMC) you can add certificates that are not trusted, but removing a root certificate is not so easy.



Inspired by the recent WoSign and StartCom merger scandal, I decided to remove some random root certificate from Windows 7. I picked Izenpe.com (06 e8 46 27 2f 1f 0a 8f d1 84 5c e3 69 f6 d5), because Basques and SHA-1. No such luck. After removing the root certificate and opening https://www.izenpe.com in Chrome 55.0.2883.87, the certificate reappeared in the list of third-party root certification authorities and, accordingly, in the list of trusted root certification authorities. That is, in principle, expected.


It is a valid, trustworthy certificate, with a few exceptions:
https://www.chromium.org/Home/chromium-security/root-ca-policy

Repeating the trick with Firefox 50.1.0 did not work: it uses its own certificate store inside the browser. With Internet Explorer 11.0.9600.18163 the trick works again.


It would seem the culprits had been found. But no: we take https://opensource.apple.com/source/security_certificates/security_certificates-55036/roots/Izenpe-RAIZ2007.crt and open it through the Crypto Shell Extensions, that is, by double-clicking.


And we see that the certificate is trusted.


How so? We go to the console and see that the ill-fated certificate is back in the list of trusted root certification authorities.


Or maybe Windows pulls every unknown root certificate into the trusted store? We take OpenSSL, generate a root certificate, open it. Untrusted.


And I had already got my hopes up that I would be able to sign my own CA certificates for GitHub. Although none of the registry entries described in the TechNet article exist by default on either Windows 7 or Windows Server 2012, it is clear that there is a hard-coded list of trusted certificates that is not visible in the registry, in group policy, or in the management console.
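To repeat the experiment without a browser, here is an added PowerShell script (not from the original post) that reports where a given root thumbprint sits in the local stores, whether the Automatic Root Certificates Update policy is disabled, and then performs a TLS handshake through SChannel so the on-demand root download can be observed. The policy value DisableRootAutoUpdate is the documented one; the thumbprint is a placeholder because the page gives only a fragment, and www.izenpe.com is the host from the post.

```powershell
function Find-RootCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Normalise "06 e8 46 ..." style input to the bare upper-case hex the Cert: provider uses.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    # Root = "Trusted Root Certification Authorities", AuthRoot = "Third-Party Root Certification Authorities".
    foreach ($store in 'LocalMachine\Root', 'LocalMachine\AuthRoot', 'CurrentUser\Root') {
        $hit = Get-ChildItem -Path "Cert:\$store" | Where-Object { $_.Thumbprint -eq $tp }
        [pscustomobject]@{
            Store   = $store
            Present = [bool]$hit
            Subject = ($hit | ForEach-Object { $_.Subject }) -join '; '
        }
    }
}

function Get-RootAutoUpdatePolicy {
    # "Turn off Automatic Root Certificates Update" policy; the value is absent by default (updates enabled).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $item = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($item -and $item.DisableRootAutoUpdate -eq 1) { 'disabled by policy' } else { 'enabled (value not set)' }
}

function Invoke-TlsHandshake {
    param([Parameter(Mandatory)][string]$HostName)
    # SslStream validates the chain through CryptoAPI, which is what triggers the CTL-based root fetch.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        "TLS to $HostName ok; server cert issuer: $($ssl.RemoteCertificate.Issuer)"
    } catch {
        "TLS to $HostName failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Usage. PLACEHOLDER: supply the full SHA-1 thumbprint of the root you removed.
$tp = 'PLACEHOLDER-FULL-SHA1-THUMBPRINT'
Find-RootCertificate -Thumbprint $tp | Format-Table -AutoSize      # expected: absent after manual removal
"Automatic root update: $(Get-RootAutoUpdatePolicy)"
Invoke-TlsHandshake -HostName 'www.izenpe.com'
Find-RootCertificate -Thumbprint $tp | Format-Table -AutoSize      # root may now be back in AuthRoot
```

Run it elevated if you want the LocalMachine stores to reflect the download immediately; the second listing is the check that matters.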



Source: https://habr.com/ru/post/319698/
