Can you do the reverse? I.e. given a file name in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ or C:\Users\<name>\AppData\Roaming\Microsoft\Crypto\RSA\<SID>\, find which certificate is associated with this key(container)file? Or is it just a one-way thing?
> Why do you want to screen .PS1 files yet have the interactive prompt fully open?
the idea behind this is that PS1 screening still helps to prevent automatic (mostly accidental) script execution. SRP is bypassable, Applocker too. These are not security features and they won't get fixed. This means that PS constrained mode makes very little sense. Maybe against unexperienced users only.
> If the interactive prompt is open, your system is open.
If I have interactive access, nothing will keep me from executing arbitrary PS code. I won't even use powershell.exe console. There are plenty ways to execute arbitrary PS code without executing powershell.exe console and these ways are not protected in any way.
Why you need to update the encryption key? If existing KRA key is expired, just assign new KRA key and use it for subsequent encryption operations. There is no much need in re-encryption with new KRA key. Just maintain the history of KRA keys for decryption.
If I need to update the encryption key on a CA, is it enough to download-reencode-upload, or something special needs to be done to remove keys with old KRA key?
> Can you do the reverse?
with some degree of accuracy it is possible. The idea is the same: get the container name from a file and enumerate all certificates in the store and check if particular certificate contains key information that points to specified file name. Though, I would go in a bit different way: load the key in provider and extract public key. Again, enumerate certificate in the store and check if there is matching public key in certificate. This is how "certutil -repairstore" works.