We already have such prompts when trying to connect to a HTTPS website with an invalid/expired cert. It does a good job at discouraging to proceed, as it should. I see no reason similar prompt couldn't be shown when trying to install root CA on Windows machine. The problem with current Windows prompts is that they are all alike and shown too often, so users simply learned to ignore them. Actions, that may seriously affect safety and privacy (the category root CA falls into), should be protected by distinguish prompt, not the boring "run as administrator".
