kernel drivers

Winsage
April 7, 2026
On March 26, 2026, Microsoft announced that, starting with the April security update, it will remove default trust in kernel drivers signed under the old cross-signing program on Windows 11 versions 24H2, 25H2 and 26H1 and on Windows Server 2025. Only drivers that have passed the Windows Hardware Compatibility Program (WHCP) or that appear on Microsoft's allow list will load by default. The change is meant to give the kernel a single, Microsoft-rooted chain of trust and to shut the door on old cross-signed drivers with known weaknesses. Users of older hardware that depends on specialised drivers may run into problems: a driver that is neither WHCP-signed nor explicitly allowed will no longer load by default.
Winsage
March 31, 2026
Microsoft will remove default trust for kernel drivers signed through the retired cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified through the Windows Hardware Compatibility Program (WHCP). The change applies to Windows 11 builds 24H2, 25H2 and 26H1 and to Windows Server 2025, and later releases will follow the same rules. The update starts in evaluation mode, which monitors driver loads and records non-compliant ones, before moving to enforcement mode, which blocks them. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorise specific drivers themselves. Users with older hardware may hit compatibility problems if their drivers are not WHCP-certified.
Winsage
March 27, 2026
Microsoft is hardening the Windows kernel by removing trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP), starting with the April 2026 Windows Update. The change targets kernel drivers signed under the now-retired cross-signed root program, whose drivers have been associated with security vulnerabilities. The policy ships first in an "evaluation mode" that audits driver loads so that compatibility problems surface before enforcement begins. Custom kernel drivers can still be used under an Application Control for Business policy, but they must be signed by a certificate authority present in the device's Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables. The change applies to Windows 11 versions 24H2, 25H2 and 26H1 and to Windows Server 2025.
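The three summaries above describe the policy but not how an administrator finds out which of the drivers on a machine are affected. The following PowerShell script is an added example, not code from Microsoft or from the articles summarised here. It does two things: it lists the running kernel drivers whose Authenticode signer is not the WHCP signing CA, and it dumps the X.509 certificates stored in the Secure Boot KEK (or PK) so that a custom driver's signing authority can be checked against the requirement quoted above. Assumptions are labelled in the code: the issuer-name fragment used to recognise WHCP signatures is a heuristic, the script must run elevated, and `Get-SecureBootUEFI` only works on UEFI systems with Secure Boot enabled.

```powershell
# Added example (not from the page or from Microsoft). Run in an elevated PowerShell session.
# Part 1: classify running kernel drivers by the CA that issued their signing certificate.
# Heuristic (assumption): WHCP/attestation-signed drivers are signed by a Microsoft
# certificate issued by "Microsoft Windows Third Party Component CA ..."; a driver whose
# signer chains to a public CA instead was signed under the vendor's own certificate.
$whcpIssuerPattern = 'Microsoft Windows Third Party Component CA'

function Convert-NtPathToWin32 {
    param([string]$Path)
    $p = $Path -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\System32\drivers\x.sys
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...\x.sys
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-DriverSigningReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        $path = Convert-NtPathToWin32 $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
        $class  = if ($sig.Status -ne 'Valid')             { 'unsigned-or-invalid' }
                  elseif ($issuer -match $whcpIssuerPattern) { 'whcp' }
                  elseif ($issuer -match 'Microsoft')        { 'microsoft-other' }   # inbox drivers
                  else                                       { 'third-party-chain' } # candidates for blocking
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status; Issuer = $issuer; Class = $class }
    }
}

# Part 2: list the X.509 certificates in a Secure Boot signature database variable.
# Layout per UEFI spec: repeated EFI_SIGNATURE_LIST { SignatureType GUID(16), SignatureListSize u32,
# SignatureHeaderSize u32, SignatureSize u32, header[], entries[] }, each entry being
# { SignatureOwner GUID(16), SignatureData }. For EFI_CERT_X509_GUID the data is a DER certificate.
function Get-SecureBootX509Signers {
    param([ValidateSet('PK', 'KEK', 'db')][string]$Variable = 'KEK')
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $off = 0
    while ($off + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        if ($listSize -lt 28) { break }                           # malformed list; stop rather than loop
        $listEnd  = $off + $listSize
        $entryOff = $off + 28 + $hdrSize
        if ($type -eq $x509Guid) {
            while ($entryOff + $sigSize -le $listEnd) {
                $der  = [byte[]]$bytes[($entryOff + 16)..($entryOff + $sigSize - 1)]   # skip SignatureOwner
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Variable; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
                $entryOff += $sigSize
            }
        }
        $off = $listEnd
    }
}

# Drivers that are not WHCP-signed are the ones to review before enforcement mode arrives.
Get-DriverSigningReport | Where-Object Class -ne 'whcp' | Sort-Object Class, Name | Format-Table -AutoSize

# Authorities that a custom driver's certificate must chain to under the policy described above.
try { Get-SecureBootX509Signers -Variable KEK | Format-Table -AutoSize }
catch { Write-Warning "Could not read Secure Boot KEK (UEFI Secure Boot required): $_" }
```

The issuer check is an inventory aid, not the kernel's own decision: a driver can be catalog-signed, signed with an expired but timestamped certificate, or allowed by a local Application Control policy, and `Get-AuthenticodeSignature` reflects none of that policy state. Treat the `third-party-chain` rows as the list to reconcile against the audit data that evaluation mode produces, and against the vendor's statement of whether a WHCP-signed replacement exists.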
Tech Optimizer
October 11, 2025
A new technique lets attackers turn antivirus software against itself by injecting malicious code into its own processes, where it inherits the product's privileges and evades detection. The method clones a protected service and hijacks cryptographic providers to plant a backdoor DLL inside the antivirus installation folder. It exploits the fact that antivirus products depend on operating-system features and on auxiliary components that are less strongly guarded than the main engine. By exporting and re-importing registry keys, the attacker creates a duplicate service that keeps the original's configuration, so a malicious DLL is loaded when the cloned service starts. An open-source tool named IAmAntimalware automates the procedure and has been demonstrated against several antivirus products. Recommended mitigations are monitoring module loads into security processes, auditing the certificates the system trusts, and enforcing the tamper-protection features the products already provide.
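The summary names two registry artefacts the technique leaves behind: a second service that points at the same binary as a protected one, and a cryptographic provider whose DLL no longer lives where Windows keeps its own. The PowerShell below is an added example written for this page, not code from the IAmAntimalware tool or from the article, and it hunts for exactly those two artefacts. It assumes the CAPI provider registry location (`HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider`, value `Image Path`), which is standard; the recursive scan of the CNG provider tree for an `Image` value is a best-effort assumption and is labelled as such. The argument-splitting rule in `Resolve-ImagePath` is also a heuristic. Run it elevated; both checks produce leads for triage, not verdicts.

```powershell
# Added example (not from the page or the tool it describes). Run elevated.
# Check 1: services that share one ImagePath. A cloned service keeps the original's
#          configuration, so its binary is the original's binary.
# Check 2: cryptographic provider DLLs registered outside %SystemRoot%\System32.

function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }      # "C:\x y\svc.exe" -arg
    else { $p = ($p -split '\s+(?=[-/])')[0] }                          # assumption: args start with - or /
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p.ToLowerInvariant()
}

function Find-ClonedServices {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $rows = foreach ($k in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction SilentlyContinue
        $img = Resolve-ImagePath $props.ImagePath
        if ($img) { [pscustomobject]@{ Service = $k.PSChildName; ImagePath = $img; Start = $props.Start } }
    }
    # svchost.exe legitimately hosts many services; a twin of any other binary is worth a look.
    $rows | Where-Object { $_.ImagePath -notlike '*\svchost.exe' } |
        Group-Object ImagePath | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ ImagePath = $_.Name; Services = ($_.Group.Service -join ', ') } }
}

function Test-OutsideSystem32 {
    param([string]$Image)
    $sys32 = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()
    $full  = [Environment]::ExpandEnvironmentVariables($Image)
    # A bare file name is loaded from System32; only an absolute path elsewhere is unusual.
    return ([IO.Path]::IsPathRooted($full) -and -not $full.ToLowerInvariant().StartsWith($sys32))
}

function Find-SuspiciousCryptoProviders {
    $capi = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    foreach ($k in Get-ChildItem -LiteralPath $capi -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -LiteralPath $k.PSPath).'Image Path'
        if ($img -and (Test-OutsideSystem32 $img)) {
            [pscustomobject]@{ Kind = 'CAPI'; Provider = $k.PSChildName; Image = $img }
        }
    }
    # CNG providers. Assumption: the DLL is registered in a value named 'Image' somewhere under this tree.
    $cng = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers'
    foreach ($k in Get-ChildItem -LiteralPath $cng -Recurse -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction SilentlyContinue).Image
        if ($img -and (Test-OutsideSystem32 $img)) {
            [pscustomobject]@{ Kind = 'CNG'; Provider = $k.PSChildName; Image = $img }
        }
    }
}

Find-ClonedServices | Format-Table -AutoSize
Find-SuspiciousCryptoProviders | Format-Table -AutoSize
```

A hit from the first check is interesting when one of the twins is a security product's service and the other has a different name, start type or recent key timestamp; a hit from the second check is interesting when the provider DLL sits in a writable or vendor-controlled folder. Pair the output with module-load telemetry for the security process itself, which is the monitoring the summary recommends.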
Winsage
June 26, 2025
Microsoft is preparing to initiate a private preview of new Windows changes aimed at relocating antivirus (AV) and endpoint detection and response (EDR) applications away from the Windows kernel. This initiative follows a significant incident involving a faulty update from CrowdStrike that disrupted 8.5 million Windows-based machines globally. Microsoft is collaborating with industry leaders such as CrowdStrike, Bitdefender, ESET, and Trend Micro to develop a new endpoint security platform. The company is engaging its top engineers, including original architects of Windows, to work on these security enhancements. The upcoming private preview will allow security vendors to suggest modifications, with several iterations anticipated before the final version is ready. Microsoft is also addressing concerns related to kernel-level drivers in anti-cheating engines for gaming and is engaging with game developers on minimizing kernel usage. A forthcoming Windows update will introduce a Quick Machine Recovery feature to expedite restoration of machines encountering boot issues. Additionally, Microsoft is redesigning the Blue Screen of Death (BSOD) from blue to black as part of its commitment to enhancing user experience and system reliability.
Winsage
June 26, 2025
Last summer's CrowdStrike incident disrupted healthcare, banking and air travel and caused billions of dollars in damage. In response, Microsoft held a security summit with CrowdStrike and other vendors to address the weaknesses it exposed. Microsoft announced Safe Deployment practices and architectural changes to Windows, including moving third-party security drivers out of the kernel into user space so that a flaw in one of them can no longer crash the system. Upcoming features in Windows 11 24H2 include a streamlined crash-report process, an "unexpected restart" screen that replaces the Blue Screen of Death, and a quick machine recovery (QMR) capability that automates repairs during outages. Windows Autopatch will also let administrators deploy updates to Windows 11 Enterprise PCs with fewer required restarts, down to one every three months.
Winsage
March 13, 2025
On Tuesday morning, PC gamers received unexpected alerts from Windows Defender about a tool called WinRing0, raising concerns about a possible compromise. The detection hit several hardware-monitoring applications, including Razer Synapse, SteelSeries Engine and MSI Afterburner, and machines behaved erratically once Defender quarantined the driver as a HackTool. Developers noted that WinRing0, although useful for reading hardware data, has been flagged because of known security vulnerabilities. Microsoft is under pressure to tighten software access to low-level hardware, which is why WinRing0 came under scrutiny. Some developers called the detection a "false positive", arguing that their applications are not malicious. Timothy Sun's company built a proprietary SMBus driver to avoid WinRing0 altogether, but the switch took significant resources. WinRing0 has been patched, yet getting a new version signed by Microsoft remains a hurdle. iBuyPower has expressed interest in pursuing a signed update of WinRing0, while companies such as Razer and SteelSeries are working to remove their dependence on it in coming software updates.