certutil -generateSSTFromWU roots.sst
Alternatively: download http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... , extract the authroot.stl file (which is in PKCS#7 format), use 'certutil -dump' to list all the subject key identifiers therein, and then download them from the same location as authrootstl.cab by appending ".crt" to the identifier.
Windows is not lying about anything, you just need to look in the right place.
Also, if you want to examine the CTL list that Windows is currently using - which should be identical to the one above unless it's brand new or there has been a problem downloading it - this will extract it from the registry:
powershell -Command "[IO.File]::WriteAllBytes('authroot-local.stl',(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate').EncodedCtl)"
as specified in https://support.microsoft.com/en-us/kb/2677070
Latest documentation for this seems to be for IE 5. I sure as hell like to run dpkg-reconfigure ca-certificates every once in a while after some roots get compromised and don't trust Microsoft to be on the ball.
For example, using the root discussed in the article:
1. Download the root cert from http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... (or save it from the browser's certificate viewer)
2. Open certmgr and import it into 'Untrusted Certificates'.
(This just adds it for the current user's store. Could also import into the computer store by running mmc, adding the Certificates snap-in, and specifying 'Computer account' as the target.)
3. Restart browser. Go to https://certplusrootcag1-test.opentrust.com/ - it should say the certificate is revoked.
This only works for browsers like IE and Chrome that use the Windows certificate store. Firefox has its own, so it would have to be done separately.
Edit: I'm referring to configuring the package as ca-certificates is installed or via dpkg-reconfigure.
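The same distrust steps as a scripted check, added here as an example that is not part of the original comment. It assumes the root certificate from step 1 has already been saved locally; `$CertPath` and the `-Import` switch are hypothetical names chosen for this sketch. The "Untrusted Certificates" folder shown in certmgr is the `Disallowed` store.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical local path
# to the root certificate saved in step 1; -Import is this script's own switch.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [switch] $Import   # also perform step 2 for the current user
)

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"

if ($Import) {
    # Step 2: certmgr's 'Untrusted Certificates' is the Disallowed store.
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\CurrentUser\Disallowed | Out-Null
}

# Report whether the certificate is distrusted per user, per machine, or not at all.
foreach ($store in 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed') {
    $hit = Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) { "$store : present" } else { "$store : absent" }
}

# Ask Windows to build a chain for the certificate and show why it fails.
# Revocation lookups are disabled so the result reflects local store state only.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

"Chain builds as trusted: $trusted"
"Chain status flags:      $($flags -join ', ')"

$distrust = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust
if ($flags -contains $distrust) {
    'Result: the certificate is explicitly distrusted on this machine.'
} else {
    'Result: no explicit distrust recorded; check the store listing above.'
}
```

Run without `-Import` it only audits; checking both stores shows whether the block applies to one user or to the whole computer, the distinction the note under step 2 makes.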
Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.
edit: e-Guven is being removed "due to insufficient and outdated audits" and not a compromise (Couldn't reply below).