"About a week ago some colleagues and I discovered a set of x509 certificates wh

1. "About a week ago some colleagues and I discovered a set of x509 certificates which exhibited certain interesting properties. The subset relevant to this thread being:
2.  
3. They appeared trusted and their chains appeared valid and trusted - but no member of the chains was explicitly trusted by the system (i.e. no results via certmgr.msc).
4.  
5. On execution (not installation) of the certificates, a CA was added to the local computer as a trusted root CA (this time visible via certmgr.msc). Its chain appeared valid and trusted - but again no members were explicitly trusted.
6.  
7. The certificates of the "ghost" CAs were not viewable.
8.  
9. This behaviour was confirmed in fresh instances of Windows 8, Windows 7 and Windows Vista. Windows XP and Windows 2000 are negative. Other versions and other platforms were not tested. The x509 certificates are parsable by a number of cryptographic libraries including OpenSSL.
10.  
11. Is anyone aware of a mechanism capable of causing this pattern?"