The second reply is correct.
CertMgr.exe can fail for localMachine on Vista because of User Access Control. Right click the executable and select Properties. On the Compatibility tab at the bottom check "Run this program as an administrator". From then on running CertMgr.exe for localMachine should bring up the UAC prompt. When you select "Continue" it should complete successfully.
If you are doing this from a script, try copying certmgr.exe to the local hard drive either to %temp% or to a permanent location. Under the key HKLM or HKCU "\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" create a string value whose name is the full path to the executable. Set the value as "RUNASADMIN". Under HKCU this value will cause the UAC prompt to appear, unless you put it in quiet mode first. http://msdn2.microsoft.com/en-us/library/cc206328.aspx. I don't have Vista available to me at the moment, so I don't know what happens with the value under HKLM.
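The scripted steps described in the reply above, as an added PowerShell example that is not part of the original thread. The source path is a placeholder and the destination folder is an assumption. Keeping any compatibility flags already stored for the same path is also an addition here.

```powershell
# Added example: paths are assumptions, not values from the thread.
param(
    [string]$Source  = 'C:\path\to\certmgr.exe',      # placeholder: current location of certmgr.exe
    [string]$DestDir = "$env:ProgramData\CertTools",  # assumed permanent location on the local disk
    [ValidateSet('HKCU', 'HKLM')]
    [string]$Hive    = 'HKCU'                         # writing under HKLM needs an elevated session
)

$layersKey = "${Hive}:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

# Step 1: copy the executable to the local hard drive.
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
$exe = Join-Path $DestDir 'certmgr.exe'
Copy-Item -Path $Source -Destination $exe -Force

# Step 2: the Layers key may not exist yet on a clean profile.
if (-not (Test-Path -Path $layersKey)) {
    New-Item -Path $layersKey -Force | Out-Null
}

# Step 3: the value NAME is the full path to the executable, the DATA is the flag list.
# Flags already set for this path (space separated) are kept, not overwritten.
$current = (Get-ItemProperty -Path $layersKey -Name $exe -ErrorAction SilentlyContinue).$exe
$flags = @()
if ($current) {
    $flags = @($current -split '\s+' | Where-Object { $_ })
}
if ($flags -notcontains 'RUNASADMIN') {
    $flags += 'RUNASADMIN'
}
New-ItemProperty -Path $layersKey -Name $exe -PropertyType String `
    -Value ($flags -join ' ') -Force | Out-Null

# Read the value back so the script fails visibly if the write did not land.
$written = (Get-ItemProperty -Path $layersKey -Name $exe).$exe
if ($written -notmatch '(^|\s)RUNASADMIN(\s|$)') {
    throw "RUNASADMIN was not recorded for $exe under $layersKey"
}
Write-Output "Layers entry for ${exe}: $written"
```

To undo the change, delete the value named after the executable's full path from the same Layers key.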