Windows

Winsage
June 25, 2026
Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM.

COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying.

COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls.
Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
Winsage
June 25, 2026
Setting up a PC with the base Dev Config has been streamlined for developers, utilizing the Winget configuration service to install applications, execute updates, and apply developer settings on Windows. Users can access setup scripts by cloning a GitHub repository or downloading a zip archive, with clear instructions provided by Microsoft. The installation may require a reboot during the Windows Subsystem for Linux (WSL) installation, but the script resumes automatically afterward. The process installs applications such as PowerShell, Git, GitHub command-line interfaces, Windows App SDK, Visual Studio Code, and language support for Node.js, Python, and .NET. It also includes developer-friendly fonts and a theme engine for Windows Terminal, along with options for customizing File Explorer and the Windows Task Bar. After WSL installation, developers can use WSL Comfort scripts to install additional tools and personalize their Windows Terminal experience. This utility has two phases: the Windows component configures WSL and Ubuntu, while the Linux component fine-tunes the WSL environment, allowing for zsh and starship terminal display tools. It also integrates popular command-line interfaces and supports the Homebrew package installer, targeting existing Ubuntu instances without needing a new Linux distribution installation.
Winsage
June 25, 2026
Microsoft has revised its Surface buying guide, now recommending 8GB of RAM for everyday tasks, while stating that 16GB or more is necessary for fully utilizing Copilot+ PC features. Previously, Microsoft had advocated for 16GB as the minimum for a satisfactory Windows 11 experience. Earlier this year, Microsoft suggested 32GB of RAM for serious gamers but retracted this recommendation due to backlash over costs. The introduction of Apple's MacBook Neo with 8GB of RAM at an attractive price has influenced Microsoft's stance, leading to the launch of Surface devices with 8GB of RAM. The buying guide promotes 8GB for everyday tasks, while an AI store assistant suggests 16GB for a "future-proof" laptop. Historically, Windows 10 had a minimum RAM requirement of 2GB, with 4GB recommended for optimal performance, but Windows 11 has increased these requirements. Microsoft's investments in AI infrastructure have contributed to a RAM shortage. The Copilot+ PC branding aimed for a new hardware tier but has not met expectations. The introduction of the MacBook Neo has prompted reactions from PC manufacturers, and concerns exist about the optimization of Windows 11 on ARM architecture.
Winsage
June 25, 2026
Raycast for Windows, a productivity app, was initially a valuable tool for launching applications and executing actions quickly. However, the introduction of the Command Palette in Microsoft PowerToys provided similar functionality, leading to Raycast being less essential for the user's needs. The user found that the Command Palette effectively served as a fast app launcher, integrating well with other PowerToys features. The user also transitioned from GlazeWM, a tiling window manager, to FancyZones in PowerToys for better window management, as FancyZones offered more tailored window layout options. Additionally, Text Extractor in PowerToys streamlined the user's optical character recognition (OCR) tasks by allowing easy text extraction from images. Overall, PowerToys consolidated several utilities into one suite, enhancing the user's productivity while reducing the need for multiple separate applications.
Winsage
June 25, 2026
The Night Light feature reduces blue light impact from screens, creating a warmer visual experience. Devices like Macs, iPhones, and iPads have a similar feature called Night Shift. Utilizing Night Light can enhance comfort during late-night work and alleviate eye strain. The 20-20-20 rule, lowering screen brightness, and enabling dark mode can further help with eye care. To enable Night Light on Windows, users can press Win + A to access Quick Settings or go through the Settings app by pressing Win + I, selecting System, then Display, and toggling the Night Light option. Third-party applications like f.lux can provide additional customization. Once activated, users can adjust the warmth using a "Strength" slider in the Night Light settings. Night Light also offers a scheduling feature to automate activation from sunset to sunrise or at specific times set by the user.
Winsage
June 24, 2026
Microsoft has introduced a new feature called point-in-time restore for Windows 11, which allows users to easily revert to previous system states. This feature is available across all editions of Windows 11, including Enterprise, Pro, and Home, and automatically generates restore points every 24 hours. Point-in-time restore captures a comprehensive snapshot of the system, including the operating system, applications, configurations, settings, and local files. It is enabled by default for Windows Home and Pro devices unless under enterprise management, while enterprise-managed systems require Windows 11 version 26H2 for activation. Systems with an OS volume smaller than 200GB have this feature disabled by default. Unlike the traditional System Restore, which requires manual image capture and does not include user files, point-in-time restore integrates user data and can be managed remotely by IT professionals. During its public preview, over two million devices enabled the feature, allowing Microsoft to refine it based on user feedback.
Winsage
June 24, 2026
Windows 11 was unveiled by Microsoft on June 24, 2021, and has now reached its fifth anniversary. The operating system features a modern interface, improvements to virtual desktops, support for Android apps, integration of Microsoft Teams into the taskbar, a refreshed Microsoft Store, and enhanced security measures. However, it faced criticism for removing certain taskbar functionalities and imposing strict hardware requirements, leading to increased sales of TPM chips. Microsoft has begun to address user feedback by redesigning the Start menu, reinstating missing taskbar features, and enhancing Windows Update. Recent updates suggest a commitment to improving Windows 11, which is expected to remain relevant in the operating system market.
Winsage
June 24, 2026
Microsoft has rolled out the Point-in-time restore feature for Windows 11, enhancing recovery capabilities. Users need to install the June Week D preview update to access it, and the rollout is a Controlled Feature Release (CFR), meaning availability will vary by device. This feature is available in Windows 11 Enterprise, Pro, and Home editions, allowing users to revert systems to a prior state quickly. It offers automatic restore points, improved reliability, integrated management through the Settings app, lower storage impact, and future remote management capabilities via Intune. For Windows 11 Home and Pro users, Point-in-time restore is enabled by default in versions 24H2 and 25H2, and can be managed in the Settings app under System > Recovery > Point-in-time restore.