event logs

Winsage
July 22, 2025
Microsoft has identified an issue with the Cluster service on Windows Server 2019 after installation of the July 8, 2025 security update (KB5062557). The Cluster service repeatedly stops and restarts, so nodes fail to rejoin the cluster, enter quarantine, and cause virtual machines to restart multiple times. Administrators using BitLocker on Cluster Shared Volumes may also see additional errors. Microsoft has advised affected organizations to contact their business support teams while a mitigation is developed, and is working on a fix to ship in a future Windows update.
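As an added example (not from the article or from Microsoft), the following PowerShell inventories a Windows Server 2019 failover cluster for the state the article describes: which nodes have KB5062557 installed, which are isolated or quarantined, and how often the Cluster service has been cycling. It assumes the FailoverClusters module (RSAT) on the node you run it from and that Get-HotFix can reach each node remotely; the StatusInformation property is the one the FailoverClusters module reports for node isolation and quarantine.

```powershell
# Added example, not from the article or from Microsoft.
# Assumes: FailoverClusters module available, remote access to every node for Get-HotFix.
Import-Module FailoverClusters

$kb = 'KB5062557'   # the July 8, 2025 security update named in the article

$report = foreach ($node in Get-ClusterNode) {
    # Get-HotFix returns nothing (plus a non-terminating error we suppress) when the KB is absent.
    $hotfix = Get-HotFix -Id $kb -ComputerName $node.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Node        = $node.Name
        State       = $node.State               # Up / Down / Paused / Joining
        Status      = $node.StatusInformation   # Normal / Isolated / Quarantined
        HasKB       = [bool]$hotfix
        InstalledOn = $hotfix.InstalledOn
    }
}
$report | Format-Table -AutoSize

# Every stop/start of the Cluster service leaves a Service Control Manager 7036 event
# in the System log. A run of them, per hour, on a node with HasKB = True is the symptom.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Cluster Service*' } |
    Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM-dd HH') } |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Sort-Object Hour -Descending
```

A node reported as Quarantined can be returned to the cluster with Start-ClusterNode -Name <node> -ClearQuarantine, but with the update still installed it will likely drop out again, so the article's advice to engage Microsoft support stands.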
Winsage
July 10, 2025
Microsoft has acknowledged ongoing issues with Windows Server Update Services (WSUS) that break update synchronization and deployment for affected businesses. Users report synchronization failures and timeout errors, and many complain about the lack of communication from Microsoft. The affected platforms span multiple versions of Windows 10, Windows 11 and Windows Server. Error logs show messages such as "Unable to connect to the remote server." There is currently no workaround; Microsoft attributes the problem to a faulty update revision and is working on a repair. Reports have come in globally, with some users seeing new errors and an overwhelming number of updates being downloaded.
Winsage
July 7, 2025
Microsoft acknowledged an issue with Windows Firewall following the June 2025 preview update for Windows 11 24H2 (KB5060829), which writes "Config Read Failed" errors to the security event log. The error is logged repeatedly, including on every device restart, but Microsoft states that it does not indicate a Windows Firewall malfunction and can be ignored. The issue is linked to a feature still under development, and no resolution timeline has been given. Separately, Chinese, Japanese and Korean characters render incorrectly at 96 DPI in Chromium-based browsers, which Microsoft is working on with Google.
Winsage
July 4, 2025
Microsoft addressed concerns about the KB5060829 update for Windows 11 24H2, which produces error messages from Windows Firewall With Advanced Security. The error, labeled "Config Read Failed" and logged as event 2042 in Event Viewer, does not indicate a firewall malfunction and can be safely ignored. Microsoft states that Windows Firewall continues to function normally and that no user action is required. The error is tied to a feature under development and does not affect Windows processes. It affects relatively few users, since the preview update must be installed manually. Microsoft is aware of the problem and working on a resolution, though no timeline has been given.
Winsage
July 3, 2025
Microsoft has advised customers to ignore certain Windows Firewall notifications, logged as event 2042, that may appear after installing the June 2025 preview update (KB5060829). The entries carry a "Config Read Failed" warning but do not affect normal operation of Windows Firewall on Windows 11 24H2 systems. The company is aware of the issue, which is related to a new feature under development, and is working on a resolution. No action is required from users, and similar past issues have not affected system functionality.
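The three entries above (July 3, 4 and 7) describe the same event 2042 "Config Read Failed" artifact. As an added example that is not from the articles or from Microsoft, this PowerShell pulls those entries from the Security log and shows how long after the previous boot each one was written, so the post-restart noise can be told apart from any 2042 that appears at other times. It must run elevated (reading the Security log requires it). The log name and event ID follow the articles; the seven-day window is an assumption, and no provider filter is applied because the articles do not name the provider.

```powershell
# Added example, not from the articles or from Microsoft. Run in an elevated session.
$since = (Get-Date).AddDays(-7)   # assumed lookback window

# Boot markers: event 6005 in the System log ("The Event log service was started").
$boots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } -ErrorAction SilentlyContinue |
         ForEach-Object TimeCreated | Sort-Object

# The firewall events the articles describe: Security log, ID 2042, "Config Read Failed".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 2042; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Config Read Failed' }

$rows = foreach ($e in $events) {
    # Most recent boot at or before this event, if any in the window.
    $prevBoot = $boots | Where-Object { $_ -le $e.TimeCreated } | Select-Object -Last 1
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Provider     = $e.ProviderName
        MinSinceBoot = if ($prevBoot) { [math]::Round(($e.TimeCreated - $prevBoot).TotalMinutes, 1) } else { $null }
        Summary      = ($e.Message -split "`n")[0].Trim()
    }
}
$rows | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Whatever the log says, confirm the firewall service and its profiles are actually on.
Get-Service -Name mpssvc | Select-Object Name, Status, StartType
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Entries written within a few minutes of a boot match Microsoft's description and can be ignored. A 2042 with a large MinSinceBoot, a stopped mpssvc, or a profile showing Enabled = False is not explained by this known issue and deserves a closer look.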
Winsage
March 25, 2025
Access provides advice on IT challenges, career transitions, and workplace dynamics. A mid-sized company had a ransomware scare after a user opened a malicious attachment, but recovered its data without paying the ransom. To harden a Windows environment on a limited budget, Access recommends four steps:
1. Centralize data storage on servers rather than individual workstations, which improves security and simplifies backups.
2. Apply the principle of least privilege, giving users access only to the resources they need, so a compromised account does less damage during an attack.
3. Use Microsoft's AppLocker to control which applications can run on Windows desktops, blocking unauthorized software.
4. Set up a ransomware kill switch: a custom PowerShell script that watches for suspicious activity and triggers defensive actions when ransomware is detected.
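The fourth step is the only one that is really a script. The following is an added example of such a kill switch for a Windows file server, written for this page; it is not the script the column refers to. It drops canary files under the watched share and polls for file-system changes; a touched canary, a burst of creates/renames within a short window, or a file taking on a known ransomware-style extension stops the SMB server service so clients can no longer write. The share path, canary names, thresholds, extension list and the chosen response are all assumptions to tune for your environment.

```powershell
# Added example, not the column's script. Run elevated on the file server.
# Assumptions: share root, canary names, thresholds and extension list below.
param(
    [string]$WatchPath  = 'D:\Shares\Company',   # assumed share root
    [int]   $BurstLimit = 50,                    # creates/renames per window before firing
    [int]   $WindowSec  = 10,
    [switch]$WhatIf                              # report instead of stopping SMB
)

$ErrorActionPreference = 'Stop'
$source = 'RansomwareKillSwitch'                 # assumed event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Canary files: real names, sorted first and last in a listing so they are hit early.
$canaries = @('!aaa-canary.docx', 'zzz-canary.xlsx') | ForEach-Object { Join-Path $WatchPath $_ }
foreach ($c in $canaries) {
    if (-not (Test-Path -LiteralPath $c)) { Set-Content -LiteralPath $c -Value 'canary - do not edit' }
}

function Invoke-KillSwitch([string]$Reason) {
    Write-EventLog -LogName Application -Source $source -EventId 9001 -EntryType Error `
                   -Message "Ransomware kill switch fired: $Reason"
    if ($WhatIf) { Write-Warning "WhatIf: would stop SMB server. $Reason"; return }
    Stop-Service -Name LanmanServer -Force                              # cuts every client off at once
    Get-SmbSession -ErrorAction SilentlyContinue | Close-SmbSession -Force -ErrorAction SilentlyContinue
}

$suspicious = '\.(locked|encrypted|crypt|enc)$'   # assumed extension list
$watcher = New-Object System.IO.FileSystemWatcher $WatchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$recent = New-Object 'System.Collections.Generic.Queue[datetime]'   # sliding window of events

try {
    while ($true) {
        # Synchronous poll: returns after one change or after the 1 s timeout.
        $r = $watcher.WaitForChanged([System.IO.WatcherChangeTypes]::All, 1000)
        if ($r.TimedOut) { continue }
        $now  = Get-Date
        $full = Join-Path $WatchPath $r.Name
        $old  = if ($r.OldName) { Join-Path $WatchPath $r.OldName } else { $null }

        # Rule 1: any change, rename or deletion of a canary is enough.
        if ($canaries -contains $full -or $canaries -contains $old) {
            Invoke-KillSwitch "canary '$($r.Name)' was $($r.ChangeType)"; break
        }

        # Rule 2: burst of creates/renames, or a ransomware-style extension appearing.
        if ($r.ChangeType -in 'Created', 'Renamed') {
            $recent.Enqueue($now)
            while ($recent.Count -gt 0 -and ($now - $recent.Peek()).TotalSeconds -gt $WindowSec) { [void]$recent.Dequeue() }
            if ($recent.Count -ge $BurstLimit -or $r.Name -match $suspicious) {
                Invoke-KillSwitch "$($recent.Count) create/rename events in ${WindowSec}s, last: '$($r.Name)'"; break
            }
        }
    }
}
finally {
    $watcher.Dispose()
}
```

Run it first with -WhatIf for a few days to learn how many creates/renames normal activity generates in a ten-second window before settling on BurstLimit; a nightly batch job or a large copy will otherwise trip it. Stopping LanmanServer is deliberately blunt: it halts the encryption of shared data at the cost of an outage, which is the trade the column's scenario accepts.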
Tech Optimizer
March 20, 2025
Microsoft Incident Response has identified a new remote access trojan (RAT), StilachiRAT, that steals sensitive information from infected computers: browser-stored credentials (Google Chrome is targeted specifically), cryptocurrency wallet data, operating system details and device identifiers. It targets digital wallets from platforms including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet and Bitget Wallet, monitors clipboard contents, gathers system information, detects whether a camera is present, and tracks active Remote Desktop Protocol (RDP) sessions, impersonating users to observe them. It persists through the Windows service control manager, has a self-reinstatement mechanism that restores it if removed, and uses anti-forensics routines to evade detection. Discovered in November 2024, it has not yet seen widespread distribution. Microsoft advises downloading software only from official websites, running robust security software and reputable antivirus, staying alert to phishing and unexpected links, and considering a VPN and a password manager.
Winsage
March 10, 2025
Cisco Talos has reported a series of attacks exploiting a critical PHP vulnerability (CVE-2024-4577) against Windows systems, mainly at organizations in Japan, since January 2025. The flaw allows arbitrary PHP code execution on servers running Apache with PHP-CGI. The attackers use a Python script, "PHP-CGICVE-2024-4577RCE.py," to send crafted POST requests and confirm exploitation by checking the response for a specific MD5 hash. After gaining access they run a PowerShell injector script that connects to their command-and-control (C2) server, then use Cobalt Strike plugins for post-exploitation: modifying registry keys for persistence and clearing event logs to evade detection. They move laterally with reconnaissance tools, abuse Group Policy Objects to execute malicious scripts, and finally extract credentials with Mimikatz. A pre-configured installer script on their C2 server suggests they are preparing further attacks.
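Two of the post-exploitation steps above leave traces a defender can look for on any Windows host: clearing an event log and writing a Run-key value for persistence. As an added example that is not from the Talos report or the article, this PowerShell runs both checks. The event IDs are the standard ones Windows writes (1102 in the Security log when the Security log is cleared, 104 in the System log when any other log is cleared); the 30-day window, registry keys and the "suspect" heuristic are assumptions.

```powershell
# Added example, not from the Talos report or the article. Run elevated.
$since = (Get-Date).AddDays(-30)   # assumed lookback window

# 1. Log clearing. 1102 (Security) and 104 (System, provider Microsoft-Windows-Eventlog)
#    both record the account that performed the clear.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue
)
$cleared |
    Select-Object TimeCreated, LogName, Id,
        @{ n = 'ActorSid'; e = { $_.UserId } },
        @{ n = 'Summary';  e = { ($_.Message -split "`n")[0].Trim() } } |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# 2. Run-key persistence. Flag commands that live outside Program Files / Windows or that
#    look like an encoded / hidden PowerShell launcher (heuristic, tune for your estate).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        $trustedPath = $cmd -match '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\'
        $launcher    = $cmd -match '(?i)powershell|pwsh|-enc|FromBase64|IEX|-w(indowstyle)? hidden|mshta|rundll32'
        [pscustomobject]@{
            Key     = $k
            Name    = $name
            Command = $cmd
            Suspect = (-not $trustedPath) -or $launcher
        }
    }
}
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

A 1102 or 104 on a web server that nobody administers interactively is worth an alert on its own; attackers clear logs precisely because the 1102 is cheaper to explain away than what preceded it. Forward these events off-host so a later clear cannot remove the record of the first one.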