This is a pretty rough attempt at parsing the certificate data from the Windows Registry: https://bigfix.me/relevance/details/3003682
( concatenations " ; " of (preceding text of first "%82%01" of it | it) whose(it != "" AND it does not contain "%00%00%00%01%00%00%00") of (preceding text of first "%82%0f" of it | it) of (preceding text of first "0%82" of it | it) of (preceding text of first "0%81" of it | it) of (preceding text of first "0%1e%17" of it | it) of (preceding text of last "1" of it | it) of (following text of (start of first (first matches (regex "[\u1300-\u13ff]") of it) of it) | it) whose(exists (first matches (regex "[\u1300-\u13ff]") of it)) of (preceding text of first "%06%03" of it | it) of substrings separated by "U%04" of it) of it whose(it contains "U%04") of (hexadecimal string it) of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (x64 registries; x32 registries) )