Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp	(revision 52540)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp	(revision 52541)
@@ -997,5 +997,6 @@
      * planted by the linker when absent.  In ring-0 we don't have all the
      * necessary timestamp server root certificate info, so we have to allow
-     * using counter signatures unverified there.
+     * using counter signatures unverified there.  Ditto for the early period
+     * of ring-3 hardened stub execution.
      */
     RTTIMESPEC ValidationTime;
@@ -1004,7 +1005,8 @@
     uint32_t fFlags = RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
                     | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY;
-#ifdef IN_RING0
-    fFlags |= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED;
+#ifndef IN_RING0
+    if (!g_fHaveOtherRoots)
 #endif
+        fFlags |= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED;
     return RTCrPkcs7VerifySignedData(pContentInfo, fFlags, g_hSpcAndNtKernelSuppStore, g_hSpcAndNtKernelRootStore,
                                      &ValidationTime, supHardNtViCertVerifyCallback, pNtViRdr, pErrInfo);
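Review bot: The ring-3 relaxation at `if (!g_fHaveOtherRoots)` trusts a counter-signature signing time that has not been verified, and nothing at this site says how long that window lasts or what closes it. `g_fHaveOtherRoots` is defined outside the hunk, so it cannot be confirmed here that it is set before images other than the early stub's own are verified; if it stays false, ring-3 presumably keeps accepting signatures whose certificate validity rests on an unchecked timestamp. I would add a comment above the `#ifndef`, such as `/* Timestamp roots are not loaded yet in the early ring-3 stub; signing time is taken unverified until g_fHaveOtherRoots is set. */`, and state there whether images accepted in this window are verified again later. The `if` inside `#ifndef IN_RING0` governs a statement placed after `#endif`, which is easy to break when editing; braces around the `fFlags |= ...` line, each in its own `#ifndef IN_RING0` guard, would make the scope explicit. The enclosing function starts before this hunk.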
