CTLObject - Identifies the CTL to verify: %1 - read AuthRoot CAB and matching certificates from the URL cache. Use %5 to ...

CTLObject -- Identifies the CTL to verify:
     %1 -- read AuthRoot CAB and matching certificates from the URL
         cache.  Use %5 to download from Windows Update instead.

     %2 -- read Disallowed Certificates CAB and disallowed
         certificate store file from the URL cache.  Use %5 to download
         from Windows Update instead.

     %3 -- read registry cached AuthRoot CTL.  Use with %5 and a
         CertFile that is not already trusted to force updating the
         registry cached AuthRoot and Disallowed Certificate CTLs.

     %4 -- read registry cached Disallowed Certificates CTL.
         %5 has the same behavior as with %3.

     CTLFileName -- file or %6 path to CTL or CAB

CertDir -- folder containing certificates matching CTL entries
     An %6 folder path must end with a path separator.
     If a folder is not specified with %3 or %4, multiple
     locations will be searched for matching certificates: local
     certificate stores, crypt32.dll resources and the local URL cache.
     Use %5 to download from Windows Update when necessary.
     Otherwise defaults to the same folder or web site as the CTLObject.

CertFile -- file containing certificate(s) to verify.  Certificates
     will be matched against CTL entries, and match results displayed.
     Suppresses most of the default output.