I am currently working on a scripted program which tracks changes in the operating system by taking snapshots of certain things. One of these is the certificates. The goal is to see what changes an installed program makes to the system. The current issue is that I keep seeing certificates being added that the program did not add; Windows did. My goal was to prevent Windows from downloading certificates during the test by installing a brand new Trust Root Authority certificates store using the commands:
CertUtil -GenerateSSTFromWU <filename>
Followed by:
updroots.exe <filename>
The issue is that after installing this new store, while I do see fewer certificates being added, I continue to see a number of time-stamp certificates being added to the CurrentUser/CA store. I was hoping someone knew where these certificates were coming from and how I could perhaps pre-install them so they do not appear during the test. Thank you for your advice.
Edit:
Examples of certificates include:
Microsoft Time-Stamp PCA 2010
Microsoft Code Signing PCA 2010
Microsoft Time-Stamp PCA
GlobalSign Timestamping CA - G2
Microsoft Code Signing PCA
Edit 2.0:
I was looking around. I had mentioned that it installed the certificates in the Current User/CA store, which appears to correspond to the Intermediate Certificate Authorities store in certmgr. I believe that AuthRootAutoUpdate applies to the Trusted Root Certificate Authorities store. The question I am looking into now is: is there a separate service responsible for updating Intermediate Certificate Authorities?
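
An added example, not part of the original post: one way to take the before/after certificate snapshots described above and label the new entries, so that the time-stamp and code-signing CA certificates named in the post can be told apart from other additions. The function names, the list of stores and the name pattern are assumptions made for this illustration.

```powershell
# Stores to snapshot (assumed list; the post mentions CurrentUser/CA and the trusted roots).
$Stores = 'Cert:\CurrentUser\CA', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

# Pattern built from the certificate names listed in the post.
$NoisePattern = 'Time-?Stamp|Timestamping|Code Signing'

function Get-CertSnapshot {
    # One record per certificate per store; the thumbprint identifies the certificate.
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-CertSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $After
    )
    # Key on store + thumbprint so the same certificate appearing in a new store is reported.
    $seen = @{}
    foreach ($c in $Before) { $seen["$($c.Store)|$($c.Thumbprint)"] = $true }
    foreach ($c in $After) {
        if (-not $seen.ContainsKey("$($c.Store)|$($c.Thumbprint)")) {
            # Label entries whose subject matches the time-stamp / code-signing CA names.
            $kind = if ($c.Subject -match $NoisePattern) { 'SigningChainCA' } else { 'Other' }
            $c | Add-Member -NotePropertyName Kind -NotePropertyValue $kind -PassThru
        }
    }
}

$before = Get-CertSnapshot
# ... run the installer under test here ...
$after = Get-CertSnapshot

Compare-CertSnapshot -Before $before -After $after |
    Sort-Object Kind, Store, Subject |
    Format-Table Kind, Store, Subject, Issuer, NotAfter -AutoSize
```

Saving `$before` with `Export-Clixml` and reloading it with `Import-Clixml` lets the two snapshots be taken in separate sessions.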