has anyone had any experience parsing root authority certificate data from the registry?
Have a Vista system that has a key of interest, but I haven't been able to find anything to help me understand its significance other than that it occurred at an important time
the key is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\_____________
I can find a list of all the Auth Root certificates on the system, but I have no way of matching them up with the ones in the registry
any help would be greatly appreciated
> has anyone had any experience parsing root authority certificate data from the registry?
No, but they're at least partially X.509. (If you export a known certificate to X.509 format, and compare the decoded binary string with the corresponding registry entry, you'll find it some way in.) Around that is some kind of wrapper, looking a bit like RIFF. In this case it looks superficially like two 4-byte fields, followed by one 4-byte field containing the length (in bytes or possibly other 'chunks') of the data that immediately follows, followed by the data. Pad 'chunks' may be present. Sequence repeats.
> the key is
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\_____________
As far as I see, all entries there have hex-strings for names. If you read malware reports, you'll find that many do mess around in the certificate storage, so you may be looking at something bad. Google for what you find, … you never know.
> I can find a list of all the Auth Root certificates on the system, but I have no way of matching them up with the ones in the registry
You'll find the CA (e.g. 'Verisign Commercial Software Publishers CA') in Unicode format in the Blob value. That is, you'll need something that allows you to search for it. Regedit doesn't seem to be of any help here.
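Turning the reply's description of the Blob value into a small parser, as an added example that is not from this thread or from Microsoft. It assumes the record layout described above (a 4-byte property ID, a 4-byte reserved field, a 4-byte byte length, then the data, repeated), the standard wincrypt.h property IDs 3 (SHA-1 hash), 11 (friendly name, UTF-16LE) and 32 (the DER certificate), and that the hex subkey name under ...\Certificates is the SHA-1 thumbprint of that DER certificate, which is how the registry entries can be matched to the certificates listed by the system. The sample blob is constructed inline and its "certificate" bytes are a placeholder, not a real certificate; read_blob_from_registry is a hypothetical helper for a live Windows system only.

```python
import hashlib
import re
import struct

# Property IDs from wincrypt.h (assumed standard values; not stated on the page).
CERT_SHA1_HASH_PROP_ID = 3        # 20-byte SHA-1 thumbprint
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE friendly name
CERT_CERT_PROP_ID = 32            # the DER-encoded X.509 certificate itself

RECORD_HEADER = struct.Struct("<III")  # prop_id, reserved (observed as 1), data length in bytes


def parse_cert_blob(blob):
    """Walk a 'Blob' value as a sequence of (prop_id, reserved, length, data) records.

    Returns a list of (prop_id, data). A record whose length runs past the end of the
    value is treated as truncated and parsing stops there instead of reading garbage.
    """
    records = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(blob):
        prop_id, _reserved, length = RECORD_HEADER.unpack_from(blob, offset)
        offset += RECORD_HEADER.size
        if offset + length > len(blob):
            break
        records.append((prop_id, blob[offset:offset + length]))
        offset += length
    return records


def get_property(blob, prop_id):
    """Data of the first record with the given property ID, or None."""
    for pid, data in parse_cert_blob(blob):
        if pid == prop_id:
            return data
    return None


def thumbprint(der):
    """SHA-1 thumbprint in the upper-case hex form used for the subkey names."""
    return hashlib.sha1(der).hexdigest().upper()


def match_key_name(key_name, blob):
    """True if the subkey name is the SHA-1 thumbprint of the certificate in the blob."""
    der = get_property(blob, CERT_CERT_PROP_ID)
    if der is None:
        return False
    return thumbprint(der) == key_name.replace(" ", "").upper()


def friendly_name(blob):
    """The UTF-16LE friendly name (e.g. the CA name) without its NUL terminator."""
    data = get_property(blob, CERT_FRIENDLY_NAME_PROP_ID)
    return None if data is None else data.decode("utf-16-le").rstrip("\x00")


def utf16_strings(blob, min_chars=6):
    """Runs of printable UTF-16LE text anywhere in the blob, for searching by CA name."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.decode("utf-16-le") for m in pattern.findall(blob)]


def build_record(prop_id, data):
    """Encode one record in the layout parse_cert_blob expects (used to build the sample)."""
    return RECORD_HEADER.pack(prop_id, 1, len(data)) + data


# Constructed sample: NOT a real certificate, just bytes standing in for the DER data.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-stand-in-for-a-DER-certificate" * 4
SAMPLE_BLOB = (
    build_record(CERT_FRIENDLY_NAME_PROP_ID, "Example Root CA".encode("utf-16-le") + b"\x00\x00")
    + build_record(CERT_CERT_PROP_ID, FAKE_DER)
    + build_record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest())
)
SAMPLE_KEY_NAME = thumbprint(FAKE_DER)  # what the subkey under ...\Certificates would be named


def read_blob_from_registry(key_name, store=r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"):
    """Hypothetical live-system helper (Windows only): read the Blob value of one subkey."""
    import winreg  # only available on Windows; for an offline hive use a hive parser instead
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, store + "\\" + key_name) as key:
        value, _type = winreg.QueryValueEx(key, "Blob")
        return value


if __name__ == "__main__":
    for pid, data in parse_cert_blob(SAMPLE_BLOB):
        print("property %2d: %4d bytes" % (pid, len(data)))
    print("friendly name:", friendly_name(SAMPLE_BLOB))
    print("UTF-16 strings:", utf16_strings(SAMPLE_BLOB))
    print("key name matches thumbprint:", match_key_name(SAMPLE_KEY_NAME, SAMPLE_BLOB))
```

On a real system the property-32 data is a genuine DER certificate, so the same thumbprint can be computed from the exported .cer file and compared with the subkey name; the UTF-16 string scan is the registry-side equivalent of the search for the CA name that Regedit does not offer.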
Thanks
I don't think I'm looking at anything bad because it should be related to legitimate software (logmein). Just need to figure out why a certificate was updated at a specific time and whether it was because of user involvement