Trusted root certificate is magically installed to Windows

On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root from somewhere and silently installs it to the Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove the newly downloaded trusted root certificate from the Windows storage, the chain can't be built again.

I know about Authority Information Access extension. The problem is that the topmost available certificate in the chain (the child of missing trusted root) does NOT have such extension included. And even if it had, Windows would not automatically trust the downloaded certificate.

So there must be some other source of knowledge about trusted roots. The question is: how can we use that source ourselves? The topmost available certificate is available here if anyone is interested in inspecting it.

Solution

  • This link http://support.microsoft.com/kb/931125 explains how Windows updates root certificates silently in Vista and 7.
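As an added example (not part of the question or the answer above), the PowerShell script below lets you observe the behaviour the question describes from the defender's side: it records a baseline of the machine and user Trusted Root stores, reports any root that has appeared since that baseline (for instance after a browser visit triggered the silent update), and builds the chain for the question's topmost certificate with the .NET X509Chain class so you can see whether it still fails with PartialChain. `$LeafPath` and `$SnapshotPath` are placeholder paths you must set yourself.

```powershell
# Added example, not code from the original question or answer.
# Assumptions: $LeafPath is the topmost available (non-root) certificate from the
# question saved as a .cer file; $SnapshotPath is any writable file for the baseline.
param(
    [string]$LeafPath     = 'C:\certs\topmost.cer',         # placeholder path
    [string]$SnapshotPath = 'C:\certs\roots-snapshot.csv'   # placeholder path
)

function Get-TrustedRootSnapshot {
    # Every certificate currently present in the machine and user Trusted Root stores.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Sort-Object Thumbprint -Unique
}

function Test-ChainBuild {
    param([string]$Path)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checks so the verdict reflects only which roots the local stores hold.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)
    [pscustomobject]@{
        Built  = $built
        Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # PartialChain or UntrustedRoot here means the root is still missing locally.
        Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

if (-not (Test-Path $SnapshotPath)) {
    # First run: record the roots present before the site is visited.
    Get-TrustedRootSnapshot | Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Host "Saved baseline of trusted roots to $SnapshotPath"
} else {
    # Later run: report every root that has appeared since the baseline.
    $before = Import-Csv -Path $SnapshotPath
    $after  = Get-TrustedRootSnapshot
    $added  = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Thumbprint |
        Where-Object { $_.SideIndicator -eq '=>' }
    foreach ($entry in $added) {
        $cert = $after | Where-Object { $_.Thumbprint -eq $entry.Thumbprint }
        Write-Host "New trusted root since baseline: $($cert.Thumbprint) $($cert.Subject)"
    }
}

# Attempt the chain build and show where it stops.
$result = Test-ChainBuild -Path $LeafPath
Write-Host "Chain built: $($result.Built)"
$result.Chain  | ForEach-Object { Write-Host "  element: $_" }
$result.Status | ForEach-Object { Write-Host "  status:  $_" }
```

Run it once to save the baseline, visit the site in a browser as the question describes, then run it again: a root that the silent update installed shows up in the "New trusted root since baseline" output, and the chain build flips from PartialChain to a successful build. To keep the offline verdict honest, run the build step with the network disconnected; otherwise the CryptoAPI chain engine that X509Chain uses can trigger the same automatic root update the answer links to. On managed machines the update can be disabled centrally through the "Turn off Automatic Root Certificates Update" Group Policy setting, in which case the second run should report no new roots and the chain should keep failing.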