kernel drivers Archives

Winsage

May 11, 2026

Rustinel: Open-source endpoint detection for Windows and Linux

Open-source endpoint detection tools have typically been divided between Windows and Linux, with Windows solutions focused on Sysmon and Linux solutions on eBPF or auditd. Rustinel is a Rust-based endpoint agent that consolidates these efforts by gathering telemetry from both operating systems using ETW on Windows and eBPF on Linux, normalizing the data into a unified model. It evaluates the information against Sigma rules, YARA signatures, and atomic indicators of compromise, storing alerts in ECS-compatible NDJSON format for integration with SIEM or log-analysis platforms. Rustinel supports a range of events on Windows, including process creation, network activity, and PowerShell executions, while Linux support currently includes process, network, file, and DNS telemetry. It operates in user mode on both platforms, requiring specific conditions for installation. Unlike commercial EDR solutions that use kernel drivers, Rustinel's user-mode design prioritizes simplicity and stability, although it acknowledges limitations in tamper resistance and visibility. The agent utilizes three detection engines: Sigma for behavioral matching, YARA for scanning executables, and an IOC engine for deterministic checks. While it leverages existing content familiar to defenders, it has coverage gaps for certain advanced threats. Rustinel is available on GitHub under the Apache 2.0 license.

Winsage

May 10, 2026

Microsoft Confirms KB5083769 Breaks Macrium and Acronis Backups

Microsoft's April 2026 Windows security update, KB5083769, may disrupt image-mount operations for backup applications such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup due to the addition of the psmounterex.sys kernel driver to its Vulnerable Driver Blocklist. This action was taken to address a high-severity buffer overflow vulnerability, CVE-2023-43896. The inclusion of this driver in the blocklist has rendered several backup products inoperable, and Microsoft will not retract the block for security reasons. Administrators can use Event ID 3077 in the Code Integrity log to confirm that the blocklist is causing the failures. Microsoft advises updating backup applications to versions that include necessary driver protections instead of uninstalling or pausing the security patch. Additionally, the April updates have caused other issues, such as failures in Windows Server installations and devices booting into BitLocker recovery mode.

Winsage

May 7, 2026

My Windows 11 backup broke after KB5083769 — Microsoft says this simple fix might save your files

The Windows 11 security update KB5083769, released on April 14, 2026, introduces changes to the psmounterex.sys driver, causing compatibility issues with third-party backup solutions such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. Microsoft states this is a necessary security adjustment, not a bug. The update also adds known vulnerable kernel drivers to a blocklist to enhance system security. Users can check if a driver is blocked by using the Event Viewer and looking for Event ID 3077 associated with a specific Policy ID.

Winsage

April 10, 2026

Microsoft Locked Out VeraCrypt, WireGuard, and Windscribe from Pushing Windows Updates

Microsoft implemented a mandatory account verification process for all partners in the Windows Hardware Program who had not completed verification since April 2024, effective October 16, 2025. This requirement necessitated that partners verify their identities using a government-issued ID matching the name of the primary contact in the Partner Center. Failure to meet this deadline or pass verification resulted in account suspension, preventing further submissions. This affected the ability of developers to sign Windows kernel drivers, leading to suspensions for notable open source projects like VeraCrypt, WireGuard, and Windscribe. Mounir Idrassi, the developer of VeraCrypt, reported his account was terminated without notice, and Jason Donenfeld of WireGuard faced similar issues. Windscribe experienced a prolonged resolution process despite having a verified account for over eight years. Following these suspensions, Scott Hanselman from Microsoft announced that the accounts would be reinstated and corrective measures were being taken.

Winsage

April 7, 2026

Windows 11 is phasing out old kernel drivers: Microsoft will permanently end cross-signing in April

On March 26, 2026, Microsoft announced that starting with the April security update, it will eliminate trust in kernel drivers from the previous Cross-Signed Program for Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. Only drivers that have passed the Windows Hardware Compatibility Program (WHCP) or are on Microsoft's allow list will be allowed to load by default. This change aims to enhance security by establishing a robust chain of trust and addressing vulnerabilities associated with old kernel drivers. Users of older hardware that rely on specialized drivers may face challenges, as drivers not WHCP-signed or explicitly allowed will be excluded from the trusted zone.

Winsage

March 31, 2026

Microsoft’s April 2026 Windows Update Ends Trust for Cross-Signed Kernel Drivers

Microsoft will eliminate default trust for kernel drivers signed through the outdated cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified via the Windows Hardware Compatibility Program (WHCP). This change will affect Windows 11 builds 24H2, 25H2, and 26H1, as well as Windows Server 2025, with future versions following the same standards. The update will begin in evaluation mode, monitoring driver loads for compliance before transitioning to enforcement mode. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorize specific drivers. Users with older hardware may face compatibility issues if their drivers are not WHCP-certified.

Winsage

March 27, 2026

Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program

Microsoft is enhancing the security of the Windows kernel by eliminating trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP) starting with the April 2026 Windows Update. This change specifically targets kernel drivers signed by the now-obsolete cross-signed root program, which has been associated with security vulnerabilities. The new policy will initially be introduced in an "evaluation mode" to monitor and audit driver loads for potential compatibility issues. Custom kernel drivers can still be used under the Application Control for Business policy, but must be signed by an authority within the device's Secure Boot Platform Key or Key Exchange Key variables. The changes will impact Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025.

Winsage

March 14, 2026

Announcing Windows 11 Insider Preview Build 26220.8062 (Beta Channel)

Windows 11 Insider Preview Build 26220.8062 (KB 5079458) has been released to the Beta Channel, introducing various changes and improvements. 1. Policy-Based Removal of Preinstalled Microsoft Apps: IT administrators can now use a dynamic app removal list to remove MSIX/APPX apps by adding their package family names through Group Policy. The dynamic list is not yet available in Intune CSP. 2. Windows Setup Experience: Users can select a custom name for their user folder during the Windows setup process, which must adhere to standard naming conventions. 3. Windows Driver Policy Update: A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default. The feature will initially operate in audit mode for at least 100 hours. 4. Point-in-Time Restore Updates: Local administrators will see a settings dialog to view or modify default restore settings, including a list of available restore points. Updated messaging has been added to the restore experience. 5. Drag Tray Rebranding: The Drag Tray has been rebranded as Drop Tray, with settings relocated to System > Multitasking. 6. Pen Settings: Refinements have been made to the Pen settings page, including an option for the pen tail button to launch the same app as the Copilot key. 7. File Explorer and Other Enhancements: Improvements have been made to the reliability of setting the preferred display language, and unexpected errors from the sfc/scannow command have been removed. Updates are gradually rolled out to Insiders who opt in via Settings > Windows Update, and features may evolve or be removed based on feedback.

Winsage

March 13, 2026

Announcing Windows 11 Insider Preview Build 26300.8068 (Dev Channel)

Windows 11 Insider Preview Build 26300.8068 (KB 5079464) has been released to the Dev Channel. Key changes include: - Enhanced policy for removing preinstalled Microsoft Store apps for Windows ENT/EDU, allowing IT administrators to use a dynamic app removal list via Group Policy. - Users can now select a custom name for their user folder during the Windows setup process. - A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default, initially operating in audit mode. - Point-in-time restore now includes a settings dialog for local administrators and displays available restore points. - Microsoft 365 Family subscribers can upgrade their plan directly from the Accounts page in Settings. - The Drag Tray feature has been rebranded to Drop Tray, with settings relocated. - Updates to Pen settings include a new option for the pen tail button. - Enhanced reliability for preferred display language settings and removal of an unexpected error from sfc/scannow. Updates are gradually rolled out to users who opt in through the Settings menu under Windows Update.

Tech Optimizer

October 11, 2025

Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor

A new cybersecurity technique allows attackers to exploit antivirus software by injecting malicious code into its processes, evading detection and compromising security. The method involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder. This technique takes advantage of antivirus solutions' reliance on operating system features and less-guarded auxiliary components. By exporting and importing registry keys, attackers can create a duplicate service that retains the original's configurations, allowing for the injection of malicious DLLs during service startup. An open-source tool named IAmAntimalware automates this process, successfully demonstrating the technique with various antivirus programs. To mitigate these threats, monitoring of module loads, auditing trusted certificates, and enforcing security features are recommended.