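# MrTrust: a WinForms front-end that installs or removes the bundled MrSphay root
# and publisher certificates and inspects the Authenticode signature of a file the
# user picks.
#
# NOTE(review): the two .cer files under assets\certificates are taken as-is;
# nothing in this script compares them with an expected thumbprint before they are
# imported. A certificate placed in the Root store acts as a trust anchor for every
# certificate that chains to it in that scope, so the integrity of the install
# directory is part of the trust decision. Consider pinning the expected root
# thumbprint here once it is known.
[CmdletBinding()]
param()

$ErrorActionPreference = "Stop"

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Paths are resolved relative to the parent of the directory holding this script.
$script:RootPath = Split-Path -Parent (Split-Path -Parent $MyInvocation.MyCommand.Path)
$script:RootCertificatePath = Join-Path $script:RootPath "assets\certificates\MrSphay-LocalTrust-Root.cer"
$script:PublisherCertificatePath = Join-Path $script:RootPath "assets\certificates\MrSphay-CodeSigning.cer"
$script:IconPath = Join-Path $script:RootPath "assets\MrTrust.ico"

# Thumbprint of the signing certificate that identifies a MrSphay-signed file.
# Update this value when the signing certificate is renewed.
$script:KnownSignerThumbprint = "A024A89200469F099EC4A172B4F96F6428AFD41B"

$script:SelectedFilePath = $null
$script:CurrentAccent = 0

# UI palette shared by every control.
$colors = @{
    Background = [Drawing.Color]::FromArgb(18, 23, 26)
    Panel      = [Drawing.Color]::FromArgb(27, 33, 36)
    PanelAlt   = [Drawing.Color]::FromArgb(35, 43, 47)
    Border     = [Drawing.Color]::FromArgb(61, 73, 79)
    Text       = [Drawing.Color]::FromArgb(234, 239, 236)
    Muted      = [Drawing.Color]::FromArgb(165, 180, 172)
    Green      = [Drawing.Color]::FromArgb(28, 185, 111)
    GreenHover = [Drawing.Color]::FromArgb(38, 205, 130)
    Orange     = [Drawing.Color]::FromArgb(242, 153, 74)
    Red        = [Drawing.Color]::FromArgb(235, 87, 87)
}

# Returns $true when the current process token is in the built-in Administrators role.
function Test-IsAdministrator {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Loads a certificate file from disk; throws when the file does not exist.
function Get-MrTrustCertificate {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

# Maps the "all users" checkbox to the certificate store location name.
function Get-TrustScope {
    if ($script:AllUsersCheckBox.Checked) {
        "LocalMachine"
    }
    else {
        "CurrentUser"
    }
}

# Builds the Cert: drive path for a scope/store pair.
function Get-StorePath {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Store
    )

    "Cert:\$Scope\$Store"
}

# Returns $true when a certificate with the same thumbprint is present in the store.
function Test-CertificateInstalled {
    param(
        [Parameter(Mandatory)]$Certificate,
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Store
    )

    $storePath = Get-StorePath -Scope $Scope -Store $Store
    @(Get-ChildItem -Path $storePath | Where-Object Thumbprint -eq $Certificate.Thumbprint).Count -gt 0
}

# Shows or hides the marquee progress bar.
function Set-Busy {
    param([bool]$Busy)

    $script:ProgressBar.Visible = $Busy
    if ($Busy) {
        $script:ProgressBar.Style = "Marquee"
    }
}

# Updates the header status text and the colour of the status indicator.
function Set-StatusText {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][Drawing.Color]$Color
    )

    $script:StatusLabel.Text = $Text
    $script:StatusPill.BackColor = $Color
}

# Reports a failed operation to the user instead of leaving it in the error stream.
function Show-MrTrustError {
    param([Parameter(Mandatory)][string]$Message)

    [Windows.Forms.MessageBox]::Show($Message, "MrTrust", "OK", "Error") | Out-Null
}

# Applies the flat button style and wires hover/press feedback.
function Add-AnimatedButton {
    param(
        [Parameter(Mandatory)][Windows.Forms.Button]$Button,
        [Parameter(Mandatory)][Drawing.Color]$Normal,
        [Parameter(Mandatory)][Drawing.Color]$Hover
    )

    $Button.FlatStyle = "Flat"
    $Button.FlatAppearance.BorderColor = $colors.Border
    $Button.FlatAppearance.BorderSize = 1
    $Button.BackColor = $Normal
    $Button.ForeColor = $colors.Text
    $Button.Cursor = [Windows.Forms.Cursors]::Hand

    # The handlers run after this function has returned, when $Normal and $Hover
    # are no longer in scope; GetNewClosure() captures their current values.
    $Button.Add_MouseEnter({
            param($source, $e)
            $source.BackColor = $Hover
        }.GetNewClosure())
    $Button.Add_MouseLeave({
            param($source, $e)
            $source.BackColor = $Normal
        }.GetNewClosure())

    # Nudge the button one pixel down while pressed, and back up on release.
    $Button.Add_MouseDown({
            param($source, $e)
            $source.Location = [Drawing.Point]::new($source.Location.X, $source.Location.Y + 1)
        })
    $Button.Add_MouseUp({
            param($source, $e)
            $source.Location = [Drawing.Point]::new($source.Location.X, $source.Location.Y - 1)
        })
}

# Creates a positioned label; colour defaults to the muted text colour.
function New-Label {
    param(
        [string]$Text,
        [int]$X,
        [int]$Y,
        [int]$Width = 220,
        [int]$Height = 24,
        [Drawing.Color]$Color = $colors.Muted,
        [Drawing.Font]$Font = $null
    )

    $label = [Windows.Forms.Label]::new()
    $label.Text = $Text
    $label.Location = [Drawing.Point]::new($X, $Y)
    $label.Size = [Drawing.Size]::new($Width, $Height)
    $label.ForeColor = $Color
    if ($Font) {
        $label.Font = $Font
    }

    $label
}

# Re-reads both bundled certificates and refreshes the Trust tab for the active scope.
# Any failure is shown in the summary label rather than thrown.
function Update-TrustStatus {
    try {
        Set-Busy $true

        $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
        $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath
        $scope = Get-TrustScope

        $rootInstalled = Test-CertificateInstalled -Certificate $rootCertificate -Scope $scope -Store "Root"
        $publisherInstalled = Test-CertificateInstalled -Certificate $publisherCertificate -Scope $scope -Store "TrustedPublisher"

        $script:RootThumbprintLabel.Text = $rootCertificate.Thumbprint
        $script:PublisherThumbprintLabel.Text = $publisherCertificate.Thumbprint
        $script:ExpiryLabel.Text = $rootCertificate.NotAfter.ToString("yyyy-MM-dd")
        $script:ScopeValueLabel.Text = $scope

        if ($rootInstalled -and $publisherInstalled) {
            Set-StatusText -Text "Trusted" -Color $colors.Green
            $script:TrustSummaryLabel.Text = "MrSphay public trust is installed for $scope."
        }
        else {
            Set-StatusText -Text "Not installed" -Color $colors.Orange
            $script:TrustSummaryLabel.Text = "Trust is not fully installed for $scope."
        }
    }
    catch {
        Set-StatusText -Text "Error" -Color $colors.Red
        $script:TrustSummaryLabel.Text = $_.Exception.Message
    }
    finally {
        Set-Busy $false
    }
}

# Imports the root certificate into Root and the publisher certificate into
# TrustedPublisher for the selected scope, after an explicit confirmation that
# shows both thumbprints.
function Install-MrTrustCertificates {
    $scope = Get-TrustScope
    if ($scope -eq "LocalMachine" -and -not (Test-IsAdministrator)) {
        [Windows.Forms.MessageBox]::Show("All-users trust requires running MrTrust as Administrator.", "MrTrust", "OK", "Warning") | Out-Null
        return
    }

    $confirmed = $false
    try {
        $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
        $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath

        $message = "Install MrSphay trust for $scope?`r`n`r`nRoot:`r`n$($rootCertificate.Thumbprint)`r`n`r`nPublisher:`r`n$($publisherCertificate.Thumbprint)`r`n`r`nThis does not disable Defender or SmartScreen."
        $result = [Windows.Forms.MessageBox]::Show($message, "Install MrTrust", "YesNo", "Warning")
        if ($result -ne [Windows.Forms.DialogResult]::Yes) {
            return
        }

        $confirmed = $true
        Set-Busy $true
        Import-Certificate -FilePath $script:RootCertificatePath -CertStoreLocation (Get-StorePath -Scope $scope -Store "Root") | Out-Null
        Import-Certificate -FilePath $script:PublisherCertificatePath -CertStoreLocation (Get-StorePath -Scope $scope -Store "TrustedPublisher") | Out-Null
    }
    catch {
        # With $ErrorActionPreference = "Stop" a failed or declined import throws;
        # surface it so the user knows trust was not (fully) installed.
        Show-MrTrustError -Message $_.Exception.Message
    }
    finally {
        # Refresh even after a failure: the root may have been imported before the
        # publisher import failed. Update-TrustStatus also clears the busy indicator.
        if ($confirmed) {
            Update-TrustStatus
        }
    }
}

# Removes the bundled root and publisher certificates (matched by thumbprint) from
# the selected scope after confirmation.
function Remove-MrTrustCertificates {
    $scope = Get-TrustScope
    if ($scope -eq "LocalMachine" -and -not (Test-IsAdministrator)) {
        [Windows.Forms.MessageBox]::Show("All-users removal requires running MrTrust as Administrator.", "MrTrust", "OK", "Warning") | Out-Null
        return
    }

    $result = [Windows.Forms.MessageBox]::Show("Remove MrSphay trust for $scope?", "Remove MrTrust", "YesNo", "Question")
    if ($result -ne [Windows.Forms.DialogResult]::Yes) {
        return
    }

    try {
        Set-Busy $true

        $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
        $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath

        $targets = @(
            [pscustomobject]@{ Store = "Root"; Thumbprint = $rootCertificate.Thumbprint },
            [pscustomobject]@{ Store = "TrustedPublisher"; Thumbprint = $publisherCertificate.Thumbprint }
        )

        foreach ($target in $targets) {
            $storePath = Get-StorePath -Scope $scope -Store $target.Store
            Get-ChildItem -Path $storePath |
                Where-Object Thumbprint -eq $target.Thumbprint |
                Remove-Item
        }
    }
    catch {
        # A partial removal must not be reported as success.
        Show-MrTrustError -Message $_.Exception.Message
    }
    finally {
        # Shows what is actually still installed and clears the busy indicator.
        Update-TrustStatus
    }
}

# Returns $true when the file carries a Zone.Identifier stream with ZoneId 3 or 4
# (Internet or Restricted sites). A missing or unreadable stream counts as "no mark".
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        ($stream -join "`n") -match "ZoneId\s*=\s*[3-4]"
    }
    catch {
        $false
    }
}

# Picks the SmartScreen explanation that fits the signer match and Mark-of-the-Web state.
function Get-SmartScreenExplanation {
    param(
        [bool]$SignedByMrSphay,
        [bool]$HasMotw
    )

    if ($SignedByMrSphay -and $HasMotw) {
        "Publisher trust can be valid while SmartScreen still warns because the downloaded file has Internet origin and low Microsoft reputation."
    }
    elseif ($SignedByMrSphay) {
        "The publisher matches MrSphay. SmartScreen may still warn until Microsoft reputation builds for this exact app and publisher."
    }
    elseif ($HasMotw) {
        "This file came from the Internet and is not signed by MrSphay. SmartScreen warnings are expected."
    }
    else {
        "MrTrust can only help with MrSphay-signed files. SmartScreen reputation is separate from local certificate trust."
    }
}

# Inspects the Authenticode signature and Mark-of-the-Web of a file and fills the
# Diagnostics tab. Errors are shown in the verdict label rather than thrown.
function Test-SelectedFile {
    param([Parameter(Mandatory)][string]$Path)

    Set-Busy $true
    try {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            throw "File not found: $Path"
        }

        $signature = Get-AuthenticodeSignature -LiteralPath $Path
        $hasMotw = Test-MarkOfTheWeb -Path $Path
        $signer = $signature.SignerCertificate

        # Identity is decided by the certificate thumbprint only. The subject is
        # free text chosen by whoever created the certificate, so a subject that
        # merely contains "MrSphay" is reported separately and never counts as a match.
        $signedByMrSphay = $false
        $subjectOnlyMatch = $false
        if ($signer) {
            $signedByMrSphay = $signer.Thumbprint -eq $script:KnownSignerThumbprint
            $subjectOnlyMatch = (-not $signedByMrSphay) -and ($signer.Subject -like "*MrSphay*")
        }

        $script:FileNameLabel.Text = [IO.Path]::GetFileName($Path)
        $script:FilePathLabel.Text = $Path
        $script:SignatureStatusLabel.Text = "$($signature.Status)"
        $script:SignerLabel.Text = if ($signer) { $signer.Subject } else { "No signer certificate" }
        $script:MrSphayMatchLabel.Text = if ($signedByMrSphay) {
            "Yes"
        }
        elseif ($subjectOnlyMatch) {
            "No (subject name only)"
        }
        else {
            "No"
        }
        $script:MotwLabel.Text = if ($hasMotw) { "Yes" } else { "No" }
        $script:SmartScreenLabel.Text = Get-SmartScreenExplanation -SignedByMrSphay $signedByMrSphay -HasMotw $hasMotw

        if ($signedByMrSphay -and $signature.Status -eq "Valid") {
            $script:FileVerdictLabel.Text = "Looks good: signed by MrSphay and locally valid."
            $script:FileVerdictLabel.ForeColor = $colors.Green
        }
        elseif ($signedByMrSphay) {
            $script:FileVerdictLabel.Text = "Signed by MrSphay, but local validation is not fully valid: $($signature.Status)"
            $script:FileVerdictLabel.ForeColor = $colors.Orange
        }
        elseif ($subjectOnlyMatch) {
            $script:FileVerdictLabel.Text = "Signer name mentions MrSphay, but the certificate is not the known MrSphay signing certificate."
            $script:FileVerdictLabel.ForeColor = $colors.Red
        }
        else {
            $script:FileVerdictLabel.Text = "Not a MrSphay-signed file."
            $script:FileVerdictLabel.ForeColor = $colors.Red
        }
    }
    catch {
        $script:FileVerdictLabel.Text = $_.Exception.Message
        $script:FileVerdictLabel.ForeColor = $colors.Red
    }
    finally {
        Set-Busy $false
    }
}

# ---------------------------------------------------------------------------
# Main window
# ---------------------------------------------------------------------------
[Windows.Forms.Application]::EnableVisualStyles()

$form = [Windows.Forms.Form]::new()
$form.Text = "MrTrust"
$form.StartPosition = "CenterScreen"
$form.ClientSize = [Drawing.Size]::new(980, 660)
$form.MinimumSize = [Drawing.Size]::new(920, 620)
$form.BackColor = $colors.Background
$form.Font = [Drawing.Font]::new("Segoe UI", 10)
if (Test-Path -LiteralPath $script:IconPath) {
    $form.Icon = [Drawing.Icon]::new($script:IconPath)
}

# Header: accent bar, logo, title, status indicator and progress bar.
$header = [Windows.Forms.Panel]::new()
$header.Dock = "Top"
$header.Height = 126
$header.BackColor = $colors.Panel
$form.Controls.Add($header)

$accent = [Windows.Forms.Panel]::new()
$accent.Dock = "Left"
$accent.Width = 8
$accent.BackColor = $colors.Green
$header.Controls.Add($accent)

$logoBox = [Windows.Forms.PictureBox]::new()
$logoBox.Size = [Drawing.Size]::new(46, 46)
$logoBox.Location = [Drawing.Point]::new(34, 30)
$logoBox.SizeMode = "StretchImage"
if (Test-Path -LiteralPath $script:IconPath) {
    $logoBox.Image = [Drawing.Icon]::new($script:IconPath).ToBitmap()
}
$header.Controls.Add($logoBox)

$title = New-Label -Text "MrTrust" -X 96 -Y 22 -Width 260 -Height 48 -Color $colors.Text -Font ([Drawing.Font]::new("Segoe UI", 25, [Drawing.FontStyle]::Bold))
$header.Controls.Add($title)

$subtitle = New-Label -Text "Trust diagnostics for MrSphay signed Windows apps" -X 100 -Y 76 -Width 520 -Height 24 -Color $colors.Muted
$header.Controls.Add($subtitle)

$statusText = New-Label -Text "Status" -X 720 -Y 31 -Width 180 -Height 22
$header.Controls.Add($statusText)

$script:StatusPill = [Windows.Forms.Panel]::new()
$script:StatusPill.Size = [Drawing.Size]::new(16, 16)
$script:StatusPill.Location = [Drawing.Point]::new(720, 63)
$script:StatusPill.BackColor = $colors.Orange
$header.Controls.Add($script:StatusPill)

$script:StatusLabel = New-Label -Text "Checking..." -X 748 -Y 58 -Width 190 -Height 28 -Color $colors.Text
$script:StatusLabel.AutoEllipsis = $true
$header.Controls.Add($script:StatusLabel)

$script:ProgressBar = [Windows.Forms.ProgressBar]::new()
$script:ProgressBar.Location = [Drawing.Point]::new(100, 108)
$script:ProgressBar.Size = [Drawing.Size]::new(820, 5)
$script:ProgressBar.Visible = $false
$header.Controls.Add($script:ProgressBar)

# Tabs.
$tabControl = [Windows.Forms.TabControl]::new()
$tabControl.Dock = "Fill"
$tabControl.Appearance = "Normal"
$tabControl.BackColor = $colors.Background
$tabControl.ForeColor = $colors.Text
$form.Controls.Add($tabControl)

$trustTab = [Windows.Forms.TabPage]::new()
$trustTab.Text = "Trust"
$trustTab.BackColor = $colors.Background
$tabControl.TabPages.Add($trustTab)

$diagnosticsTab = [Windows.Forms.TabPage]::new()
$diagnosticsTab.Text = "Diagnostics"
$diagnosticsTab.BackColor = $colors.Background
$tabControl.TabPages.Add($diagnosticsTab)

$helpTab = [Windows.Forms.TabPage]::new()
$helpTab.Text = "SmartScreen"
$helpTab.BackColor = $colors.Background
$tabControl.TabPages.Add($helpTab)

# Trust tab: scope selection, certificate details and install/remove/refresh actions.
$trustPanel = [Windows.Forms.Panel]::new()
$trustPanel.BackColor = $colors.Panel
$trustPanel.Size = [Drawing.Size]::new(880, 245)
$trustPanel.Location = [Drawing.Point]::new(36, 34)
$trustTab.Controls.Add($trustPanel)

$scopeLabel = New-Label -Text "Scope" -X 26 -Y 24
$trustPanel.Controls.Add($scopeLabel)

$script:AllUsersCheckBox = [Windows.Forms.CheckBox]::new()
$script:AllUsersCheckBox.Text = "Install for all users (requires Administrator)"
$script:AllUsersCheckBox.ForeColor = $colors.Text
$script:AllUsersCheckBox.Location = [Drawing.Point]::new(26, 50)
$script:AllUsersCheckBox.AutoSize = $true
$script:AllUsersCheckBox.FlatStyle = "Flat"
$script:AllUsersCheckBox.Add_CheckedChanged({ Update-TrustStatus })
$trustPanel.Controls.Add($script:AllUsersCheckBox)

$trustPanel.Controls.Add((New-Label -Text "Root thumbprint" -X 26 -Y 92))
$script:RootThumbprintLabel = New-Label -Text "-" -X 205 -Y 92 -Width 580 -Height 24 -Color $colors.Text -Font ([Drawing.Font]::new("Consolas", 9))
$trustPanel.Controls.Add($script:RootThumbprintLabel)

$trustPanel.Controls.Add((New-Label -Text "Publisher thumbprint" -X 26 -Y 126))
$script:PublisherThumbprintLabel = New-Label -Text "-" -X 205 -Y 126 -Width 580 -Height 24 -Color $colors.Text -Font ([Drawing.Font]::new("Consolas", 9))
$trustPanel.Controls.Add($script:PublisherThumbprintLabel)

$trustPanel.Controls.Add((New-Label -Text "Expires" -X 26 -Y 160))
$script:ExpiryLabel = New-Label -Text "-" -X 205 -Y 160 -Width 200 -Height 24 -Color $colors.Text
$trustPanel.Controls.Add($script:ExpiryLabel)

$trustPanel.Controls.Add((New-Label -Text "Active scope" -X 26 -Y 194))
$script:ScopeValueLabel = New-Label -Text "-" -X 205 -Y 194 -Width 200 -Height 24 -Color $colors.Text
$trustPanel.Controls.Add($script:ScopeValueLabel)

$script:TrustSummaryLabel = New-Label -Text "Checking trust state..." -X 36 -Y 306 -Width 860 -Height 42 -Color $colors.Muted
$trustTab.Controls.Add($script:TrustSummaryLabel)

$installButton = [Windows.Forms.Button]::new()
$installButton.Text = "Install trust"
$installButton.Size = [Drawing.Size]::new(180, 48)
$installButton.Location = [Drawing.Point]::new(36, 372)
Add-AnimatedButton -Button $installButton -Normal $colors.Green -Hover $colors.GreenHover
$installButton.Add_Click({ Install-MrTrustCertificates })
$trustTab.Controls.Add($installButton)

$removeButton = [Windows.Forms.Button]::new()
$removeButton.Text = "Remove trust"
$removeButton.Size = [Drawing.Size]::new(180, 48)
$removeButton.Location = [Drawing.Point]::new(238, 372)
Add-AnimatedButton -Button $removeButton -Normal $colors.PanelAlt -Hover $colors.Border
$removeButton.Add_Click({ Remove-MrTrustCertificates })
$trustTab.Controls.Add($removeButton)

$refreshButton = [Windows.Forms.Button]::new()
$refreshButton.Text = "Refresh"
$refreshButton.Size = [Drawing.Size]::new(140, 48)
$refreshButton.Location = [Drawing.Point]::new(440, 372)
Add-AnimatedButton -Button $refreshButton -Normal $colors.PanelAlt -Hover $colors.Border
$refreshButton.Add_Click({ Update-TrustStatus })
$trustTab.Controls.Add($refreshButton)

$note = New-Label -Text "MrTrust installs public certificates only. It does not disable Defender, SmartScreen, UAC, or enterprise policies." -X 36 -Y 456 -Width 880 -Height 46 -Color $colors.Muted
$trustTab.Controls.Add($note)

# Diagnostics tab: file picker and signature details.
$filePanel = [Windows.Forms.Panel]::new()
$filePanel.BackColor = $colors.Panel
$filePanel.Size = [Drawing.Size]::new(880, 420)
$filePanel.Location = [Drawing.Point]::new(36, 34)
$diagnosticsTab.Controls.Add($filePanel)

$chooseButton = [Windows.Forms.Button]::new()
$chooseButton.Text = "Choose .exe or .msi"
$chooseButton.Size = [Drawing.Size]::new(190, 44)
$chooseButton.Location = [Drawing.Point]::new(24, 24)
Add-AnimatedButton -Button $chooseButton -Normal $colors.Green -Hover $colors.GreenHover
$filePanel.Controls.Add($chooseButton)

$scanButton = [Windows.Forms.Button]::new()
$scanButton.Text = "Scan file"
$scanButton.Size = [Drawing.Size]::new(130, 44)
$scanButton.Location = [Drawing.Point]::new(232, 24)
Add-AnimatedButton -Button $scanButton -Normal $colors.PanelAlt -Hover $colors.Border
$filePanel.Controls.Add($scanButton)

$script:FileVerdictLabel = New-Label -Text "Choose a Windows installer or executable to inspect." -X 24 -Y 88 -Width 820 -Height 30 -Color $colors.Muted -Font ([Drawing.Font]::new("Segoe UI", 11, [Drawing.FontStyle]::Bold))
$filePanel.Controls.Add($script:FileVerdictLabel)

$filePanel.Controls.Add((New-Label -Text "File" -X 24 -Y 136))
$script:FileNameLabel = New-Label -Text "-" -X 210 -Y 136 -Width 620 -Height 24 -Color $colors.Text
$filePanel.Controls.Add($script:FileNameLabel)

$filePanel.Controls.Add((New-Label -Text "Path" -X 24 -Y 170))
$script:FilePathLabel = New-Label -Text "-" -X 210 -Y 170 -Width 620 -Height 40 -Color $colors.Text
$script:FilePathLabel.AutoEllipsis = $true
$filePanel.Controls.Add($script:FilePathLabel)

$filePanel.Controls.Add((New-Label -Text "Signature status" -X 24 -Y 222))
$script:SignatureStatusLabel = New-Label -Text "-" -X 210 -Y 222 -Width 620 -Height 24 -Color $colors.Text
$filePanel.Controls.Add($script:SignatureStatusLabel)

$filePanel.Controls.Add((New-Label -Text "Signer" -X 24 -Y 256))
$script:SignerLabel = New-Label -Text "-" -X 210 -Y 256 -Width 620 -Height 36 -Color $colors.Text
$script:SignerLabel.AutoEllipsis = $true
$filePanel.Controls.Add($script:SignerLabel)

$filePanel.Controls.Add((New-Label -Text "MrSphay match" -X 24 -Y 306))
$script:MrSphayMatchLabel = New-Label -Text "-" -X 210 -Y 306 -Width 180 -Height 24 -Color $colors.Text
$filePanel.Controls.Add($script:MrSphayMatchLabel)

$filePanel.Controls.Add((New-Label -Text "Mark-of-the-Web" -X 24 -Y 340))
$script:MotwLabel = New-Label -Text "-" -X 210 -Y 340 -Width 180 -Height 24 -Color $colors.Text
$filePanel.Controls.Add($script:MotwLabel)

$filePanel.Controls.Add((New-Label -Text "SmartScreen note" -X 24 -Y 374))
$script:SmartScreenLabel = New-Label -Text "-" -X 210 -Y 374 -Width 620 -Height 40 -Color $colors.Muted
$filePanel.Controls.Add($script:SmartScreenLabel)

$chooseButton.Add_Click({
        $dialog = [Windows.Forms.OpenFileDialog]::new()
        try {
            $dialog.Filter = "Windows apps and installers (*.exe;*.msi;*.dll;*.cat)|*.exe;*.msi;*.dll;*.cat|All files (*.*)|*.*"
            if ($dialog.ShowDialog() -eq [Windows.Forms.DialogResult]::OK) {
                $script:SelectedFilePath = $dialog.FileName
                Test-SelectedFile -Path $script:SelectedFilePath
            }
        }
        finally {
            # The dialog holds native resources; release them once the choice is read.
            $dialog.Dispose()
        }
    })

$scanButton.Add_Click({
        if ($script:SelectedFilePath) {
            Test-SelectedFile -Path $script:SelectedFilePath
        }
    })

# SmartScreen tab: static explanation.
$helpPanel = [Windows.Forms.Panel]::new()
$helpPanel.BackColor = $colors.Panel
$helpPanel.Size = [Drawing.Size]::new(880, 420)
$helpPanel.Location = [Drawing.Point]::new(36, 34)
$helpTab.Controls.Add($helpPanel)

$helpTitle = New-Label -Text "Why SmartScreen can still appear" -X 24 -Y 24 -Width 780 -Height 34 -Color $colors.Text -Font ([Drawing.Font]::new("Segoe UI", 14, [Drawing.FontStyle]::Bold))
$helpPanel.Controls.Add($helpTitle)

$helpText = @"
MrTrust handles local certificate trust. SmartScreen also uses Microsoft reputation.

If Windows shows "Publisher: MrSphay Code Signing", the signature identity is being recognized. A red SmartScreen dialog can still appear when a file is new, downloaded from the Internet, rarely seen, or has not built enough Microsoft reputation yet.

MrTrust will not disable SmartScreen. It can show whether a file is signed, whether it matches MrSphay, and whether Mark-of-the-Web is present.
"@

$helpBody = New-Label -Text $helpText -X 24 -Y 78 -Width 820 -Height 250 -Color $colors.Muted
$helpPanel.Controls.Add($helpBody)

# Pulses the green channel of the header accent bar every 80 ms.
$pulseTimer = [Windows.Forms.Timer]::new()
$pulseTimer.Interval = 80
$pulseTimer.Add_Tick({
        $script:CurrentAccent = ($script:CurrentAccent + 1) % 40
        $value = 150 + [Math]::Abs(20 - $script:CurrentAccent) * 3
        $accent.BackColor = [Drawing.Color]::FromArgb(28, [Math]::Min(220, $value), 111)
    })
$pulseTimer.Start()

$form.Add_Shown({ Update-TrustStatus })

try {
    [Windows.Forms.Application]::Run($form)
}
finally {
    # Stop the animation and release window resources once the form is closed.
    $pulseTimer.Stop()
    $pulseTimer.Dispose()
    $form.Dispose()
}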