error reporting Archives

Winsage

March 4, 2026

PoC Exploit Released for Microsoft Windows Error Reporting ALPC Privilege Escalation

A proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in the Windows Error Reporting (WER) service, has been released by security researcher oxfemale on GitHub. This vulnerability allows low-privileged users to gain SYSTEM-level access through crafted Advanced Local Procedure Call (ALPC) messages. The flaw is located in the WER service's SvcElevatedLaunch method, which fails to validate caller privileges before executing WerFault.exe with user-supplied command line parameters. The CVSS v3.1 base score for this vulnerability is 7.8, indicating a high severity level. It affects unpatched versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 prior to the January 2026 update. Demonstrations have shown successful exploitation on Windows 11 23H2. Security teams are advised to monitor for unusual processes related to WerFault.exe, investigate missing SeTcbPrivilege in SYSTEM tokens, and review WER-related activities from low-privilege users. Immediate application of the January 2026 security patches is recommended, and a temporary workaround involves disabling the WER service.

Winsage

March 3, 2026

PoC Exploit Released for Windows Error Reporting ALPC Privilege Escalation

A critical local privilege escalation vulnerability, tracked as CVE-2026-20817, affects Microsoft Windows through the Windows Error Reporting (WER) service. This flaw allows authenticated users with low-level privileges to execute arbitrary code with full SYSTEM privileges. The vulnerability resides in the SvcElevatedLaunch method (0x0D) and fails to validate user permissions, enabling attackers to launch WerFault.exe with malicious command-line parameters from a shared memory block. The exploit affects all versions of Windows 10 and Windows 11 prior to January 2026, as well as Windows Server 2019 and 2022. Microsoft addressed this vulnerability in the January 2026 Security Update. Organizations are advised to apply security patches and monitor for unusual WerFault.exe processes.

Winsage

February 27, 2026

Is Microsoft really spying on you with Windows telemetry?

Windows 10 was released in 2015 and faced criticism for its telemetry feature, which some viewed as a surveillance tool. In 2017, the Dutch Data Protection Authority found Microsoft's telemetry settings non-compliant with local privacy laws, leading to changes by Microsoft. Telemetry, termed diagnostic data by Microsoft, is essential for device reliability and security, with a baseline level of data collection set to "Required." Users can opt to limit data collection to this level. The Optional category of diagnostic data may include device settings and browsing history, raising privacy concerns. Microsoft introduced the Diagnostic Data Viewer in 2018 to enhance transparency, allowing users to inspect the telemetry data sent to them. As of now, Microsoft has over a billion monthly active Windows 11 users.

Winsage

January 30, 2026

I got so mad at Windows I downloaded this free utility app to disable all its spyware

The author experienced two Windows reinstallations on a secondary PC due to issues with a lost sign-in PIN and a Microsoft account login loop. This led to a realization about the invasive nature of Windows and consideration of switching to Linux. Instead, the author used a utility called ShutUp10++ to manage privacy settings and disable unwanted data collection features. Before using ShutUp10++, it is crucial to create a system restore point to safeguard against potential issues. ShutUp10++ consolidates various privacy settings into a user-friendly interface, categorizing options and allowing users to make informed decisions. Users can choose to apply changes to their profile or the entire PC and should export their settings to prevent Windows updates from reverting them.

Winsage

January 13, 2026

Microsoft fixes 114 flaws in year’s first Windows 11 Patch Tuesday

Microsoft's January 2026 Patch Tuesday update, KB5074109, addresses 114 vulnerabilities, including a critical zero-day vulnerability (CVE-2026-20805) in the Windows Desktop Window Manager (DWM) that has been actively exploited. The update is applicable to Windows 11 versions 24H2 and 25H2 and includes security enhancements and updates to AI components. Other high-severity vulnerabilities addressed include CVE-2026-20816 (privilege escalation in Windows Installer), CVE-2026-20817 (elevation of privilege in Windows Error Reporting), CVE-2026-20840 (vulnerability in Windows NTFS), CVE-2026-20843 (flaw in Routing and Remote Access Service), CVE-2026-20860 (vulnerability in Ancillary Function Driver for WinSock), and CVE-2026-20871 (another DWM vulnerability). The update removes legacy modem drivers to minimize the attack surface and resolves reliability issues in Azure Virtual Desktop and WSL networking. It also changes the default setting for Windows Deployment Services (WDS) to disable hands-free deployment. Users can install the update through Windows Update, and a system reboot is required for full application.

Winsage

December 4, 2025

Microsoft finds an unlikely ally — Linux developer defends Windows against BSoD jokes

Windows has traditionally held a dominant market share in operating systems, but Linux is gaining traction, particularly after Microsoft ended support for Windows 10 on October 14, 2025. Zorin OS, a Linux distribution, attracted around 780,000 former Windows users within a month of this announcement. Bazzite delivered a petabyte of ISO files in one month, indicating a growing interest among Windows 10 users in alternatives to Windows 11. Linus Torvalds highlighted that many blue screen errors in Windows are linked to hardware issues rather than software bugs and recommended using Error-Correcting Code (ECC) memory for better stability. Microsoft has changed its error reporting from the blue screen of death to a black screen to enhance security and prevent destabilizing updates. There are three types of Blue Screen of Death errors: the Windows 3.1 Ctrl+Alt+Del screen, the Windows 95 kernel error, and the Windows NT kernel error.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Winsage

November 4, 2025

Microsoft WSUS Patch Breaks Hotpatching on Windows Server 2025

A recent Microsoft security update (KB5070881) aimed at fixing a critical vulnerability in the Windows Server Update Service (WSUS) inadvertently disrupted hotpatching for some Windows Server 2025 systems enrolled in the Hotpatch program. This disruption prevents affected servers from applying updates without requiring a restart, forcing administrators to revert to traditional cumulative updates until January 2026. The vulnerability, CVE-2025-59287, allowed potential remote code execution by exploiting weaknesses in WSUS. Microsoft has since released a new update (KB5070893) that addresses the vulnerability while restoring hotpatching capabilities for those who have not yet installed the problematic update.

Winsage

November 3, 2025

Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching

An out-of-band security update, KB5070881, has disrupted the hotpatching feature for some Windows Server 2025 devices. This update was released alongside reports of the CVE-2025-59287 remote code execution vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has instructed U.S. government agencies to strengthen their systems against this vulnerability. Microsoft has acknowledged that the OOB update caused some Hotpatch-enrolled Windows Server 2025 systems to lose their enrollment status and has ceased distributing the update to these devices. Those who installed the update will not receive Hotpatch updates in November and December but will get standard monthly security updates. Administrators can install the KB5070893 security update to address the CVE-2025-59287 flaw without disrupting hotpatching. Microsoft has also disabled the display of synchronization error details in its WSUS error reporting system and resolved various issues affecting Windows 11.

Winsage

October 11, 2025

6 Windows Task Scheduler tricks I use instead of third-party apps

Windows Task Scheduler automates various processes without third-party applications, enhancing productivity and system performance. It can manage tasks such as reminders, cleaning, maintenance, automated backups, script execution, event-based automation, and power management. Users can create basic tasks with triggers like specific dates or system events, allowing for efficient reminders and scheduled maintenance. Task Scheduler facilitates backup processes using commands like Robocopy, ensuring reliable data management. It supports script automation in multiple programming languages and offers event-based triggers for routine tasks. Additionally, it allows for custom power management, automating shutdowns and other commands based on user-defined criteria. Overall, it serves as a versatile tool for automating numerous functions within the Windows operating system.