{
	"id": "dde3dcaf-20c6-4a60-ab61-0fdf1dde2f94",
	"created_at": "2026-04-06T00:09:36.61504Z",
	"updated_at": "2026-04-10T03:22:10.27186Z",
	"deleted_at": null,
	"sha1_hash": "d412aa54fe7d5ce51f3aa862eef160efe1892140",
	"title": "WinVerifyTrust function (wintrust.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64236,
	"plain_text": "WinVerifyTrust function (wintrust.h) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-06 00:05:31 UTC\r\nThe WinVerifyTrust function performs a trust verification action on a specified object. The function passes the\r\ninquiry to a trust provider that supports the action identifier, if one exists.\r\nFor certificate verification, use the CertGetCertificateChain and CertVerifyCertificateChainPolicy functions.\r\nLONG WinVerifyTrust(\r\n [in] HWND hwnd,\r\n [in] GUID *pgActionID,\r\n [in] LPVOID pWVTData\r\n);\r\n[in] hwnd\r\nOptional handle to a caller window. A trust provider can use this value to determine whether it can interact with the\r\nuser. However, trust providers typically perform verification actions without input from the user.\r\nThis parameter can be one of the following values.\r\nValue Meaning\r\nINVALID_HANDLE_VALUE\r\nThere is no interactive user. The trust provider performs the verification\r\naction without the user's assistance.\r\nZero The trust provider can use the interactive desktop to display its user interface.\r\nA valid window handle\r\nA trust provider can treat any value other than INVALID_HANDLE_VALUE\r\nor zero as a valid window handle that it can use to interact with the user.\r\n[in] pgActionID\r\nA pointer to a GUID structure that identifies an action and the trust provider that supports that action. This value\r\nindicates the type of verification action to be performed on the structure pointed to by pWinTrustData.\r\nThe WinTrust service is designed to work with trust providers implemented by third parties. Each trust provider\r\nprovides its own unique set of action identifiers. For information about the action identifiers supported by a trust\r\nprovider, see the documentation for that trust provider.\r\nhttps://msdn.microsoft.com/library/windows/desktop/aa388208.aspx\r\nPage 1 of 4\n\nFor example, Microsoft provides a Software Publisher Trust Provider that can establish the trustworthiness of\r\nsoftware being downloaded from the Internet or some other public network. The Software Publisher Trust Provider\r\nsupports the following action identifiers. These constants are defined in Softpub.h.\r\nValue Meaning\r\nDRIVER_ACTION_VERIFY\r\nVerify the authenticity of a Windows Hardware\r\nQuality Labs (WHQL) signed driver. This is an\r\nAuthenticode add-on policy provider.\r\nHTTPSPROV_ACTION\r\nVerify an SSL/TLS connection established by\r\nWinINet.\r\nOFFICESIGN_ACTION_VERIFY\r\nThis Action ID is not supported. Verify the\r\nauthenticity of a structured storage file by using the\r\nMicrosoft Office Authenticode add-on policy\r\nprovider.\r\nWindows Server 2003 and Windows XP:  This\r\nAction ID is supported.\r\nWINTRUST_ACTION_GENERIC_CHAIN_VERIFY\r\nVerify certificate chains created from any object\r\ntype. A callback is provided to implement the final\r\nchain policy by using the chain context for each\r\nsigner and counter signer.\r\nWINTRUST_ACTION_GENERIC_VERIFY_V2\r\nVerify a file or object using the Authenticode\r\npolicy provider.\r\nWINTRUST_ACTION_TRUSTPROVIDER_TEST\r\nWrite the CRYPT_PROVIDER_DATA structure to\r\na file after calling the Authenticode policy\r\nprovider.\r\n[in] pWVTData\r\nA pointer that, when cast as a WINTRUST_DATA structure, contains information that the trust provider needs to\r\nprocess the specified action identifier. Typically, the structure includes information that identifies the object that the\r\ntrust provider must evaluate.\r\nThe format of the structure depends on the action identifier. For information about the data required for a specific\r\naction identifier, see the documentation for the trust provider that supports that action.\r\nIf the trust provider verifies that the subject is trusted for the specified action, the return value is zero. No other value\r\nbesides zero should be considered a successful return.\r\nIf the trust provider does not verify that the subject is trusted for the specified action, the function returns a status\r\ncode from the trust provider.\r\nhttps://msdn.microsoft.com/library/windows/desktop/aa388208.aspx\r\nPage 2 of 4\n\nNote  The return value is a LONG, not an HRESULT as previously documented. Do not use HRESULT macros\r\nsuch as SUCCEEDED to determine whether the function succeeded. Instead, check the return value for equality to\r\nzero.\r\nFor example, a trust provider might indicate that the subject is not trusted, or is trusted but with limitations or\r\nwarnings. The return value can be a trust-provider-specific value described in the documentation for an individual\r\ntrust provider, or it can be one of the following error codes.\r\nReturn code Description\r\nTRUST_E_SUBJECT_NOT_TRUSTED\r\nThe subject failed the specified verification action. Most trust\r\nproviders return a more detailed error code that describes the\r\nreason for the failure.\r\nNote\r\nThe TRUST_E_SUBJECT_NOT_TRUSTED return code may\r\nbe returned depending on the value of the\r\nEnableCertPaddingCheck registry key under\r\nHKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config.\r\nIf EnableCertPaddingCheck is set to \"1\", then an additional\r\ncheck is performed to verify that the WIN_CERTIFICATE\r\nstructure does not contain extraneous information. The check\r\nvalidates that there is no non-zero data beyond the PKCS #7\r\nstructure. For more information, please refer to the following\r\nsecurity advisory:\r\nhttp://technet.microsoft.com/security/advisory/2915720#section1.\r\nTRUST_E_PROVIDER_UNKNOWN The trust provider is not recognized on this system.\r\nTRUST_E_ACTION_UNKNOWN The trust provider does not support the specified action.\r\nTRUST_E_SUBJECT_FORM_UNKNOWN\r\nThe trust provider does not support the form specified for the\r\nsubject.\r\nThe WinVerifyTrust function enables applications to invoke a trust provider to verify that a specified object satisfies\r\nthe criteria of a specified verification operation. The pgActionID parameter identifies the verification operation, and\r\nthe pWinTrustData parameter identifies the object whose trust is to be verified. A trust provider is a DLL registered\r\nwith the operating system. A call to WinVerifyTrust forwards that call to the registered trust provider, if there is one,\r\nthat supports that specified action identifier.\r\nFor example, the Software Publisher Trust Provider can verify that an executable image file comes from a trusted\r\nsoftware publisher and that the code in the file has not been modified since it was signed. In this case, the\r\nhttps://msdn.microsoft.com/library/windows/desktop/aa388208.aspx\r\nPage 3 of 4\n\npWinTrustData parameter specifies the name of the file and the type of file, such as a Microsoft Portable Executable\r\nimage file.\r\nEach trust provider supports a specific set of actions that it can evaluate. Each action has a GUID that identifies it. A\r\ntrust provider can support any number of action identifiers, but two trust providers cannot support the same action\r\nidentifier.\r\nFor an example that demonstrates how to use this function to verify the signature of a portable executable (PE) file,\r\nsee Example C Program: Verifying the Signature of a PE File.\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nTarget Platform Windows\r\nHeader wintrust.h (include Softpub.h)\r\nLibrary Wintrust.lib\r\nDLL Wintrust.dll\r\nSource: https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx\r\nhttps://msdn.microsoft.com/library/windows/desktop/aa388208.aspx\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx"
	],
	"report_names": [
		"aa388208.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d412aa54fe7d5ce51f3aa862eef160efe1892140.pdf",
		"text": "https://archive.orkl.eu/d412aa54fe7d5ce51f3aa862eef160efe1892140.txt",
		"img": "https://archive.orkl.eu/d412aa54fe7d5ce51f3aa862eef160efe1892140.jpg"
	}
}