
Is there an API to pre-retrieve the list of trusted root certificates on Windows?


This is not an ideal approach, but it should do at a pinch and it may give you somewhere to start. This code will take the .sst file generated by certutil -generateSSTFromWU and add all the certificates to the root store:

    #include <Windows.h>
    #include <WinCrypt.h>
    #include <stdio.h>
    #include <stdlib.h>      /* _countof */
    #pragma comment(lib, "crypt32.lib")

    /* Building a chain for each root with the local-machine chain engine is what
       triggers the automatic root update, which is how each root ends up in the
       Trusted Root store. The printed status words are the chain's
       dwErrorStatus / dwInfoStatus in hex. */
    void process_cert(PCCERT_CONTEXT cert)
    {
        PCCERT_CHAIN_CONTEXT ccc;
        CERT_CHAIN_PARA ccp = {sizeof(CERT_CHAIN_PARA)};
        DWORD flags;
        char certname[256];

        CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, certname, _countof(certname));

        flags = 0;
        if (!CertGetCertificateChain(HCCE_LOCAL_MACHINE, cert, NULL, NULL, &ccp, flags, NULL, &ccc))
        {
            printf("Certificate %s CertGetCertificateChain: %lu\n", certname, GetLastError());
        }
        else
        {
            printf("Certificate %s : %lx (%lx)\n", certname,
                   ccc->TrustStatus.dwErrorStatus, ccc->TrustStatus.dwInfoStatus);
            CertFreeCertificateChain(ccc);   /* release the chain context */
        }
    }

    void mainfn(void)
    {
        HCERTSTORE sst;
        PCCERT_CONTEXT cert;
        DWORD count;

        /* Open the serialized store written by certutil -generateSSTFromWU read-only. */
        sst = CertOpenStore(CERT_STORE_PROV_FILENAME_W, 0, (HCRYPTPROV)NULL,
                            CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG,
                            L"c:\\downloads\\roots.sst");
        if (sst == NULL)
        {
            printf("CertOpenStore: %lx\n", GetLastError());
            return;
        }

        /* CertEnumCertificatesInStore frees the previous context itself and
           returns NULL with CRYPT_E_NOT_FOUND once the store is exhausted. */
        for (cert = NULL, count = 0; (cert = CertEnumCertificatesInStore(sst, cert)) != NULL; count++)
            process_cert(cert);

        {
            DWORD err = GetLastError();
            if (err != CRYPT_E_NOT_FOUND)
            {
                printf("CertEnumCertificate: %lu\n", err);
            }
        }
        printf("%lu certificates processed\n", count);

        CertCloseStore(sst, 0);
    }

    int main(int argc, char ** argv)
    {
        mainfn();
        return 0;
    }

Alternatively, in your context, you might prefer to use the root certificates in the .sst file directly, without also adding them to the root store. (In that case you should probably enumerate the root store as well as the .sst file, so as to include any locally added certificates.)
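As an added example (not part of the original answer, and not Microsoft's code), the following PowerShell does the "use the .sst directly" variant: it reads the SST generated by `certutil -generateSSTFromWU` without importing anything, enumerates `LocalMachine\Root` through the `Cert:` drive, and compares the two by thumbprint. It assumes the SST lives at `C:\downloads\roots.sst` and that `X509Certificate2Collection.Import` accepts an SST file, which it does on Windows because it goes through CryptQueryObject. Besides the merged list the answer suggests, it reports the two differences a practitioner actually wants to see: published roots not yet present locally, and local roots that are not in the Microsoft program.

```powershell
# Added example, not part of the original answer.
# Assumes the SST was produced on this machine with:
#   certutil -generateSSTFromWU C:\downloads\roots.sst
# and that the script runs in Windows PowerShell 5.1 or PowerShell 7 on Windows.
param(
    [string]$SstPath = 'C:\downloads\roots.sst'   # assumed path; adjust to wherever certutil wrote the file
)

if (-not (Test-Path -LiteralPath $SstPath)) {
    throw "SST file not found: $SstPath (run certutil -generateSSTFromWU first)"
}

# Read the serialized store straight from disk. Nothing is imported into any
# system store; this is the "use the .sst directly" option from the answer.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($SstPath)

# Roots the machine already trusts, as seen through the Cert: provider.
$localRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# Index both sets by SHA-1 thumbprint so the comparison is exact, not by name.
$wuByThumb = @{}
foreach ($c in $wuRoots)    { $wuByThumb[$c.Thumbprint] = $c }
$localByThumb = @{}
foreach ($c in $localRoots) { $localByThumb[$c.Thumbprint] = $c }

# (a) Published roots that are not present locally. Without auto-root-update
#     (or the chain-building trick in the answer) a chain ending in one of
#     these fails until Windows fetches it on first use.
$missingLocally = @($wuRoots | Where-Object { -not $localByThumb.ContainsKey($_.Thumbprint) })

# (b) Local roots that are not in the Microsoft list: enterprise CAs, test
#     roots, or anything that should not be there. Worth reviewing on any host.
$notInProgram = @($localRoots | Where-Object { -not $wuByThumb.ContainsKey($_.Thumbprint) })

# (c) The merged list the answer suggests using directly: everything in the
#     SST plus anything added locally, de-duplicated by thumbprint.
$combined = @{}
foreach ($c in $wuRoots)    { $combined[$c.Thumbprint] = $c }
foreach ($c in $localRoots) { $combined[$c.Thumbprint] = $c }

"Roots in SST: {0}; in LocalMachine\Root: {1}; combined: {2}" -f $wuRoots.Count, $localRoots.Count, $combined.Count
"Published but not yet local: {0}" -f $missingLocally.Count
"Local but not in the Microsoft program: {0}" -f $notInProgram.Count
$notInProgram |
    Select-Object Thumbprint, Subject, NotAfter |
    Sort-Object Subject |
    Format-Table -AutoSize
```

Reading `Cert:\LocalMachine\Root` does not require elevation, so this can run under a normal account; repeat the enumeration for `Cert:\CurrentUser\Root` if per-user roots matter in your context. The thumbprint is only used as an identity key here, not as a trust decision, which is why SHA-1 is acceptable for the comparison.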