
Unwanted trusted root certificates keep repopulating


Odd one here.  We're running Exchange 2010 on a set of Server 2008 R2 systems split across two locations.

A bit ago, we noticed some CAPI2 events about the list of trusted root certificates being too long on all systems.  Checked the list, and sure enough, there are about 380 in there.  Many of the names don't look familiar, and about 40 of them are already expired.

So, removed all the entries that shouldn't be there, and all seemed well.  But just a couple of weeks later, all of the servers at one of the locations have repopulated the bad list.  Servers at the other location appear to be unaffected.

For the life of me, I cannot figure out where these trusted root certs are coming from. 

I already verified they're not being pushed via GPO. (http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx)  I also confirmed that KB 931125 was never installed on the servers. (http://support.microsoft.com/kb/2801679)

I checked the application log but couldn't find anything specific about the certs being installed (although I was searching by cert names, not sure if there's a better event to look for).  We have the CAPI2 log enabled, but unfortunately these are very busy systems and those logs get overwritten pretty quickly.

Any ideas for where else I can look?
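
One way to catch the moment the roots reappear, as an added example that is not part of the original post: a PowerShell script that saves a baseline of the machine root stores after cleanup and, on later runs, reports every certificate that is not in the baseline. The baseline path `C:\CertAudit\root-baseline.csv` and the function name `Get-RootSnapshot` are assumptions made for this example.

```powershell
# Added example: baseline-and-diff of the machine trusted root stores.
# The default $BaselinePath is a hypothetical location chosen for this example.
param(
    [string]$BaselinePath = 'C:\CertAudit\root-baseline.csv'
)

function Get-RootSnapshot {
    # Root = Trusted Root Certification Authorities, AuthRoot = Third-Party Root CAs
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object {
            New-Object PSObject -Property @{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter.ToString('s')   # sortable ISO-style timestamp
            }
        }
    }
}

$current = @(Get-RootSnapshot)

if (-not (Test-Path $BaselinePath)) {
    # First run (right after cleanup): record the known-good state and stop.
    $dir = Split-Path $BaselinePath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) certificates"
    return
}

# Later runs: index the baseline by store and thumbprint, then list anything new.
$known = @{}
foreach ($row in @(Import-Csv -Path $BaselinePath)) {
    $known["$($row.Store)|$($row.Thumbprint)"] = $true
}

$now   = Get-Date
$added = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })
foreach ($c in $added) {
    $expired = ([datetime]$c.NotAfter) -lt $now
    Write-Output ("{0}  NEW in {1}: {2} (NotAfter {3}, expired={4})" -f `
        $now.ToString('s'), $c.Store, $c.Subject, $c.NotAfter, $expired)
}
Write-Output "$($added.Count) certificate(s) not in baseline"
```

Run on a schedule and with its output appended to a file, the first run that reports new entries bounds the time window to look at in the CAPI2 log before it is overwritten.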


