What are the Certificate Stores?

What are the different Certificate stores on Windows Mobile?

ROOT

This store contains root certificates. They are primarily used for SSL chain validation. This store can be inspected via the Certificates Control Panel page. This store has NOTHING to do with code execution.

MY

This store contains the user's client certs. They typically have associated private keys, and are used for client authentication to web sites, the Exchange server, S/MIME, etc. This store can also be inspected via the Control Panel.

CA

This store contains intermediate certs for chaining. It's not currently exposed via UI, and no certificates ship in it by default.

The following are the code execution certificate stores:

Privileged Execution Trust Authorities and Unprivileged Execution Trust Authorities

These certificate stores are used by the security loader to control code execution. If an executable can be chained up to a cert in either of these stores, it is considered "signed" by the security loader and is assigned a trust level depending on the device security policies. If a binary is Authenticode signed but cannot be chained up to a certificate in these stores, it is considered unsigned by the security loader (and there will likely be a prompt stating that).

SPC

This store governs cab installation. The cab installer tries to chain the signature on a cab up to a certificate in this store, following similar rules as described above for other binaries. All code execution certificates in the above two stores should also be in this store. For instance, if the device has the M2M certificates, they will also be in this store for application installation. Certificates in the SPC store contain an additional property which lets the cab installer know what privilege level to use when installing the application.

The biggest area of confusion I have seen here is regarding the ROOT store: it is absolutely not a code signing store. A binary whose signature chains only to a ROOT certificate is still unsigned as far as the security loader is concerned.
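To make the store separation concrete, here is an added model of the chaining rules described above (this is illustrative code written for this page, not Windows Mobile's loader or any real API). All certificates, store contents and the privilege strings are constructed assumptions; the real trust level is additionally subject to device security policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # a root is self-issued: issuer == subject


# Constructed sample certificates (not real device certificates).
WEB_ROOT = Cert("Example Web Root", "Example Web Root")
WEB_SERVER = Cert("mail.example.test", "Example Web Root")
PRIV_ROOT = Cert("Example Privileged Code Root", "Example Privileged Code Root")
PRIV_SIGNER = Cert("Example Privileged Signer", "Example Privileged Code Root")
STD_ROOT = Cert("Example Standard Code Root", "Example Standard Code Root")
STD_SIGNER = Cert("Example Standard Signer", "Example Standard Code Root")

# Store contents as the text describes them (constructed). ROOT holds only
# SSL roots; the two execution stores hold code roots; SPC mirrors the code
# roots and tags each with the privilege property the cab installer reads.
ROOT_STORE = {WEB_ROOT}
PRIVILEGED_STORE = {PRIV_ROOT}
UNPRIVILEGED_STORE = {STD_ROOT}
SPC_STORE = {PRIV_ROOT: "privileged", STD_ROOT: "normal"}
CA_STORE = set()  # intermediates; empty by default per the text


def chains_to(leaf, store, intermediates=CA_STORE):
    """Follow issuer links from leaf; True if the path reaches a cert in store."""
    seen, cur = set(), leaf
    while cur is not None and cur not in seen:
        if cur in store:
            return True
        seen.add(cur)
        if cur.issuer == cur.subject:  # self-signed and not in store: dead end
            return False
        cur = next((c for c in intermediates | set(store) if c.subject == cur.issuer), None)
    return False


def loader_trust(signing_cert):
    """Security loader view: only the two execution stores count, never ROOT."""
    if chains_to(signing_cert, PRIVILEGED_STORE):
        return "privileged"
    if chains_to(signing_cert, UNPRIVILEGED_STORE):
        return "normal"
    return "unsigned"  # Authenticode-signed or not, the loader treats it as unsigned


def cab_install_privilege(signing_cert):
    """Cab installer view: chain into SPC and read the matched cert's privilege property."""
    for anchor, privilege in SPC_STORE.items():
        if chains_to(signing_cert, {anchor}):
            return privilege
    return None  # does not chain to SPC: installation is not trusted
```

Note that WEB_SERVER chains cleanly to the ROOT store yet is "unsigned" to the loader and gets no SPC privilege, which is exactly the confusion the text warns about.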