System Certificate Stores as Logical Stores

Default system stores, including MY, CA, and ROOT, are now implemented as logical stores with a number of predefined physical stores as their member stores. The member physical stores of a system store are opened automatically when the system store is opened. A user may add further physical stores to any system store collection. The CryptoAPI function CertRegisterPhysicalStore adds a new physical store to a system store collection, and CertUnregisterPhysicalStore disassociates a physical store from a logical system store. CertRegisterSystemStore creates a new system store under a registry hKey, while CertUnregisterSystemStore removes a system store from the registry.

In earlier CryptoAPI versions, a system store was a single physical store rather than a logical store backed by a set of physical stores. In the CryptoAPI version initially supplied with Microsoft® Windows NT® 5.0, system stores have become logical stores with associated physical stores. All the certificates in an existing system store remain available, but new certificates are added to the physical stores that make up the logical system store.

Users who prefer to keep using single physical system stores rather than converting to logical stores can open system stores with the CERT_STORE_PROV_SYSTEM_REGISTRY provider. This provider continues to treat each system store as a single physical store.

The functions CertEnumSystemStoreLocation, CertEnumSystemStore, and CertEnumPhysicalStore list system store locations, available system stores, and all physical stores that are members of a system store.
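The enumeration functions just listed, together with the member-store registration described above, as an added example that is not part of the original documentation: a PowerShell script that calls CertEnumSystemStore and CertEnumPhysicalStore through P/Invoke to inventory which physical stores back each logical system store. The flag values, the CERT_PHYSICAL_STORE_INFO layout and the constant names are assumed from wincrypt.h rather than taken from this page.

```powershell
# Added example (not from the original documentation): list the physical stores behind
# every logical system store in CurrentUser and LocalMachine. Values below are assumed
# from wincrypt.h; the struct mirrors CERT_PHYSICAL_STORE_INFO with natural alignment.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class CryptStores {
    public delegate bool SysCb(IntPtr pvSystemStore, uint dwFlags, IntPtr pStoreInfo, IntPtr pvReserved, IntPtr pvArg);
    public delegate bool PhysCb(IntPtr pvSystemStore, uint dwFlags, [MarshalAs(UnmanagedType.LPWStr)] string pwszStoreName,
                                IntPtr pStoreInfo, IntPtr pvReserved, IntPtr pvArg);
    [StructLayout(LayoutKind.Sequential)]
    public struct PhysInfo {            // CERT_PHYSICAL_STORE_INFO
        public uint cbSize; public IntPtr pszOpenStoreProvider; public uint dwOpenEncodingType; public uint dwOpenFlags;
        public uint cbData; public IntPtr pbData; public uint dwFlags; public uint dwPriority; }
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertEnumSystemStore(uint dwFlags, IntPtr pvLocationPara, IntPtr pvArg, SysCb pfnEnum);
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertEnumPhysicalStore(IntPtr pvSystemStore, uint dwFlags, IntPtr pvArg, PhysCb pfnEnum);
}
'@
$script:AddEnable   = 0x1   # CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG: new certificates may be written to this member
$script:OpenDisable = 0x2   # CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG: member is skipped when the logical store opens
$script:rows = New-Object System.Collections.Generic.List[object]

$physCb = [CryptStores+PhysCb]{
    param($pvSystemStore, $dwFlags, $name, $pInfo, $pvReserved, $pvArg)
    $info = [Runtime.InteropServices.Marshal]::PtrToStructure($pInfo, [type][CryptStores+PhysInfo])
    $p = $info.pszOpenStoreProvider
    # Predefined providers arrive as small integer IDs, named providers as ANSI strings
    $prov = if ($p.ToInt64() -lt 0x10000) { "id:$($p.ToInt64())" } else { [Runtime.InteropServices.Marshal]::PtrToStringAnsi($p) }
    $script:rows.Add([pscustomobject]@{
        Location = $script:loc; SystemStore = [Runtime.InteropServices.Marshal]::PtrToStringUni($pvSystemStore)
        PhysicalStore = $name; Provider = $prov; Priority = $info.dwPriority
        AddEnabled = [bool]($info.dwFlags -band $script:AddEnable); OpenDisabled = [bool]($info.dwFlags -band $script:OpenDisable) })
    $true   # keep enumerating
}
$sysCb = [CryptStores+SysCb]{
    param($pvSystemStore, $dwFlags, $pStoreInfo, $pvReserved, $pvArg)
    # Without CERT_SYSTEM_STORE_RELOCATE_FLAG, pvSystemStore is the store name; dwFlags carries the location bits
    [void][CryptStores]::CertEnumPhysicalStore($pvSystemStore, $dwFlags, [IntPtr]::Zero, $physCb)
    $true
}
foreach ($loc in @{ CurrentUser = 0x10000; LocalMachine = 0x20000 }.GetEnumerator()) {   # CERT_SYSTEM_STORE_* location flags
    $script:loc = $loc.Key
    [void][CryptStores]::CertEnumSystemStore($loc.Value, [IntPtr]::Zero, [IntPtr]::Zero, $sysCb)
}
# Compare against a known-good baseline: an unfamiliar, add-enabled member of ROOT or CA is an extra place trusted certificates can land
$script:rows | Sort-Object Location, SystemStore, Priority | Format-Table -AutoSize
```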

System stores are also relocatable. By default, a system store is opened relative to a registry subkey that follows a predefined pattern. See System Store Locations for details. Setting CERT_SYSTEM_STORE_RELOCATE_FLAG in the dwFlags parameter passed to CertOpenStore places a system store in the registry under a user-specified registry subkey instead of the predefined one.