cmdlet

Winsage
December 11, 2025
Microsoft resolved an issue in Windows 11 where users experienced bright white flashes when launching File Explorer in dark mode after installing the KB5070311 update. This glitch affected various actions within the application. The KB5072033 cumulative update fixed this issue, improving the experience in File Explorer. Additionally, the KB5072033 update addressed network connectivity loss on virtual machines and introduced enhancements to Windows PowerShell, including warnings for potentially harmful scripts. Microsoft also acknowledged a bug affecting system components like File Explorer and the Start Menu during the provisioning of Windows 11 24H2 and 25H2 devices. Furthermore, Microsoft is testing a feature to preload File Explorer in the background to enhance performance.
Winsage
December 9, 2025
Microsoft has updated Windows PowerShell to include a security warning for users running scripts with the Invoke-WebRequest cmdlet, addressing a high-severity remote code execution vulnerability (CVE-2025-54100). This feature is integrated into Windows PowerShell 5.1, the default version on Windows 10 and 11, aligning its security protocols with PowerShell 7. When executing scripts with Invoke-WebRequest, users will receive an alert about potential script execution from downloaded web pages. They can choose to cancel the operation or proceed with full HTML parsing, accepting the associated risks. The update advises using the -UseBasicParsing parameter for safer processing. IT administrators will see a confirmation prompt after installing the KB5074204 update, highlighting the risks of script execution. Administrators are encouraged to update their scripts to include the -UseBasicParsing parameter to prevent automation scripts from stalling. The curl command in PowerShell is also aliased to Invoke-WebRequest, meaning the new warnings will apply to curl commands as well. Most existing PowerShell scripts using Invoke-WebRequest will continue to function with little or no modification.
Winsage
November 25, 2025
Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.
Winsage
October 31, 2025
Counter Threat Unit™ (CTU) researchers are investigating a remote code execution vulnerability, CVE-2025-59287, in Microsoft’s Windows Server Update Service (WSUS). Microsoft released patches for affected Windows Server versions on October 14, 2025, and issued an out-of-band security update on October 23 after the emergence of proof-of-concept code. On October 24, Sophos detected exploitation of this vulnerability targeting internet-facing WSUS servers across various industries. The first recorded activity occurred at 02:53 UTC, where a threat actor executed a Base64-encoded PowerShell script to collect and exfiltrate sensitive information to Webhook.site. The script gathered data such as external IP addresses, Active Directory domain users, and network configurations, attempting to send this information via HTTP POST requests. By 11:32 UTC, the maximum limit of 100 requests was reached. Affected entities included universities and organizations in technology, manufacturing, and healthcare sectors, primarily in the United States. Censys scan data confirmed that the exploited servers had default WSUS ports 8530 and 8531 exposed publicly. CTU recommends organizations review vendor advisories, apply patches, identify exposed WSUS server interfaces, and examine logs for malicious activity. Sophos has implemented specific protections to detect related activities.
Winsage
October 8, 2025
Storage capacity is crucial for managing data costs and performance, leading to the use of data deduplication to reduce redundant data and optimize storage space. Microsoft’s Data Deduplication feature, introduced with Windows Server 2012, can achieve storage savings of up to 50% for user documents and 95% for virtualization libraries. Data deduplication is applicable to file servers, backup storage servers, and virtualization hosts, requiring Windows Server 2012 or later and the NTFS file system. To install Data Deduplication, users must access Server Manager, add the feature, and can also use PowerShell with the cmdlet PLACEHOLDERb80efd5ce6cbf150. Configuration involves managing settings through Server Manager, including selecting a deduplication type, setting a file age, and scheduling the deduplication process. Monitoring and optimizing deduplication can be done using the Data Deduplication Saves Evaluation Tool (ddpeval.exe) and PowerShell cmdlets like PLACEHOLDER6242a4d48a44de3e. Alternative deduplication products include Veeam Backup and Replication, Arcserve UDP, and Acronis Cyber Protect, which may offer additional features for cloud or hybrid environments. Best practices for deduplication include using the latest Windows Server versions, avoiding system volumes, ensuring adequate free space, and scheduling tasks during off-peak hours. Troubleshooting tips involve checking memory and processor performance, utilizing ddpeval.exe, and reviewing Event Viewer logs.
Winsage
July 15, 2025
The Get-NetFirewallRule cmdlet has limitations in retrieving specific details such as local port numbers, remote port numbers, and protocols. To access this information, the Get-NetFirewallPortFilter cmdlet can be used. For example, to retrieve protocol, local port number, and remote port for a rule named "My Example Rule," the command is:

Get-NetFirewallRule -DisplayName "My Example Rule" | Get-NetFirewallPortFilter | Select-Object Name, Protocol, LocalPort, RemotePort

To retrieve local and remote addresses, the Get-NetFirewallAddressFilter cmdlet can be used in a similar manner:

Get-NetFirewallRule -DisplayName "My Example Rule" | Get-NetFirewallAddressFilter | Select-Object Name, RemoteAddress, LocalAddress

A script can consolidate this information into a single output, utilizing the following variables: $RuleName, $Rule, $PortFilter, and $AddressFilter, to create a custom PowerShell object that compiles the relevant details. The script structure is as follows:

# Look up the rule once, then pull its port and address filters from it
$RuleName = "My Example Rule"
$Rule = Get-NetFirewallRule -DisplayName $RuleName
$PortFilter = $Rule | Get-NetFirewallPortFilter
$AddressFilter = $Rule | Get-NetFirewallAddressFilter

# Combine rule, port-filter and address-filter properties into one object
$ConsolidatedInfo = [PSCustomObject]@{
    Name          = $Rule.DisplayName
    Direction     = $Rule.Direction
    Action        = $Rule.Action
    Protocol      = $PortFilter.Protocol
    LocalPort     = $PortFilter.LocalPort
    RemotePort    = $PortFilter.RemotePort
    LocalAddress  = $AddressFilter.LocalAddress
    RemoteAddress = $AddressFilter.RemoteAddress
}

# Emit the object so it can be piped or formatted (Write-Host would only print its string form)
$ConsolidatedInfo
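As an added example that is not part of the original entry, the same cmdlets can be applied to every enabled rule at once, which is the form an administrator auditing the host firewall needs; the Get-FirewallRuleSummary function name is an assumption, and Get-NetFirewallApplicationFilter is used in addition to the cmdlets above to show the program each rule is bound to.

```powershell
# Added example, not the original post's script: summarise every enabled
# firewall rule with its ports, addresses and bound program in one object each.
function Get-FirewallRuleSummary {
    [CmdletBinding()]
    param(
        [ValidateSet('Inbound', 'Outbound')]
        [string]$Direction = 'Inbound',
        [ValidateSet('Allow', 'Block')]
        [string]$Action = 'Allow'
    )

    # Only enabled rules matter for the effective policy
    $rules = Get-NetFirewallRule -Enabled True -Direction $Direction -Action $Action

    foreach ($rule in $rules) {
        # Each filter type lives on its own object; fetch them per rule
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        [PSCustomObject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            Direction     = $rule.Direction
            Action        = $rule.Action
            Protocol      = $port.Protocol
            # Port and address values may be 'Any' or an array; flatten for display
            LocalPort     = ($port.LocalPort -join ',')
            RemotePort    = ($port.RemotePort -join ',')
            LocalAddress  = ($addr.LocalAddress -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
        }
    }
}

# Usage: inbound Allow rules reachable from any remote address are the ones
# to review first when tightening a host's exposure.
Get-FirewallRuleSummary -Direction Inbound -Action Allow |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Piping each rule through the three filter cmdlets individually is slow on hosts with hundreds of rules, but it keeps the mapping between a rule and its filters unambiguous.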