How Windows determines which certificates have private keys?

When I open some certificates in Certificates MMC console, it shows "You have a private key that corresponds to this certificate." string on "general" tab. How does Windows determine which certificates have pr开发者_Python百科ivate keys, and which don't? I think it should be some registry entry, but which?

MMC itself uses the crypto API, and delegates that task to the provider; most likely, it uses CertificateGetCertificateContextProperty with CERT_KEY_CONTEXT_PROP_ID. The crypto provider then uses an internal strategy. The default crypto provider uses disk-based key storage; in Microsoft\Crypto\RSA\User SID (legacy CSP) or Microsoft\Crypto\Keys (CNG); see the MSDN article on key storage.