local accounts Archives

Winsage

January 4, 2026

How to Install Windows Configuration Designer Using Winget Command

The Windows Configuration Designer is a tool from Microsoft that allows users to create provisioning packages for automating the setup of Windows devices. These packages, saved as .ppkg files, can pre-configure settings such as network configurations, user accounts, and device names. The tool is not pre-installed on Windows systems and is primarily intended for IT administrators. It can be downloaded from the Microsoft Store or installed via the command-line tool winget, which requires the package name to be enclosed in double quotes for proper recognition. The installation process involves opening a terminal as an administrator, checking for winget availability, and executing the installation command. The download size is approximately 30 to 50 MB, and installation typically completes in under a minute. Users can verify the installation by searching for the application or using winget commands. Alternative installation methods include using the Microsoft Store or the Windows Assessment and Deployment Kit (ADK). The tool is free and does not require a Microsoft account for winget installations.

Winsage

December 2, 2025

I accepted all of Microsoft’s suggested Windows 11 setup settings with a fresh ISO, forced online accounts and extra telemetry included — can any of it be bypassed?

The latest version of Windows 11, 25H2, has been released with minimal changes from 24H2. Windows 11 is gaining market share as Windows 10 approaches its "End of Life" phase, but user satisfaction remains a concern. Many users express frustration over the TPM 2.0 hardware requirement, which raises e-waste concerns for incompatible PCs. Setting up Windows 11 without a Microsoft account has become challenging, as Microsoft has removed popular workarounds, and a mandatory Internet connection is required during setup. Users also express apprehension about Microsoft Copilot and its data collection practices, which include gathering "Optional diagnostic data" and location services information. Although users can disable tracking features after setup, initial selections are not permanent. Windows Recall, a feature that tracks user activity through visual snapshots, is now available for compatible Copilot+ PCs but is not enabled by default. Users can disable Windows Recall in the Settings app.

Winsage

November 17, 2025

Fortnite creator & Elon Musk urge Windows 11 to add vertical taskbar, remove MSA amid Copilot AI push

Tim Sweeney, CEO of Epic Games, criticized Microsoft for its Copilot feature and the removal of the option to reposition the taskbar, which many users miss from Windows 10. He also expressed disdain for Microsoft's requirement of Microsoft Accounts (MSA) for Windows 11, which has frustrated users who prefer local accounts. Elon Musk supported Sweeney's concerns about the Windows account requirement. Microsoft's Copilot ads have received overwhelmingly negative feedback from the public, with users expressing their discontent about intrusive pop-ups and errors in the AI's recommendations. Despite Microsoft citing a lack of demand, many users desire more customization options for the taskbar. Windows 11 mandates an internet connection and MSA during setup, with limited options for local accounts in the Pro version, leading to increased frustration among users.

Winsage

November 17, 2025

Even the CEO of Epic Games is joining in with everyone dunking on the new Copilot videos

Microsoft is attempting to redefine the Windows experience with an 'agentic' operating system that utilizes AI tools like Copilot to perform tasks for users. This shift has faced criticism due to reduced customization options, particularly concerning taskbar configuration and local account features. Tim Sweeney, CEO of Epic Games, has expressed concerns about this direction, emphasizing the loss of control for users. He mentioned ExplorerPatcher, a tool that helps restore missing functionalities, which has gained support in the tech community. Despite the backlash, Microsoft is unlikely to change its course due to significant investments in Copilot. Some users have chosen to leave Windows in response to these changes.

Winsage

November 13, 2025

Why Windows sucks and how to fix it, according to a former Microsoft engineer

Former Microsoft developer Dave Plummer criticized Windows for prioritizing marketing over user experience, stating that it has become a convoluted platform filled with advertisements. He suggested introducing a "Professional" mode for power users to streamline their experience, similar to Adobe Photoshop Elements. Plummer expressed concerns about Windows' reliance on telemetry, advocating for a "privacy ledger" to enhance user trust. He also highlighted the diminishing choice between Microsoft and local accounts, arguing for a clearer option screen. Plummer noted that Windows often promotes Microsoft products at the expense of user autonomy, transforming the OS into a sales platform. Additionally, he mentioned skepticism towards Microsoft's vision of an "agentic OS," with many users desiring a return to the simplicity of Windows 7.

Winsage

November 11, 2025

Task Manager creator says Windows 11 has turned into a sales channel for all products

Dave Plummer, a retired Microsoft Windows engineer, shared a video discussing the dissatisfaction with Windows 11 among long-time users. He attributes this discontent to Microsoft's focus on integrating its own products into the user experience, which alienates loyal users. The shift began with Windows 10, which adopted a "Windows as a service" model and aimed to create a unified user base for monetization through cloud services. Windows 11 has further evolved into a platform that promotes Microsoft products over user experience, leading to intrusive advertising within the OS. Plummer suggests improvements, including a genuine "Pro Mode" for power users, a "privacy ledger" for telemetry transparency, and better options during setup. He emphasizes the need for Microsoft to refine the Windows experience to regain user trust.

Winsage

November 6, 2025

Windows security update triggers BitLocker recovery in some systems — bug mostly impacts Intel PCs with Modern Standby support

Microsoft has issued a service alert regarding the October 2025 Windows security update, warning that it may trigger BitLocker recovery on certain systems, specifically those running Windows 11 versions 24H2 and 25H2, as well as Windows 10 version 22H2. Affected devices may boot into the BitLocker recovery screen after installing updates released on or after October 14, 2025, requiring users to enter their recovery key. Similar issues have occurred in previous updates in May 2023, 2024, and 2022. Users should verify if BitLocker is enabled and retrieve their recovery key from their Microsoft account if needed. BitLocker is a security feature that protects data but can complicate access to local accounts if activated unexpectedly.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.

Winsage

November 4, 2025

Hackers Use Hyper-V to Deploy Linux Malware on Windows Systems

The Russian-aligned APT group Curly COMrades has been using hidden Alpine Linux virtual machines (VMs) on compromised Windows hosts via Microsoft Hyper-V to evade detection and maintain covert access. This technique was uncovered in mid-2025 through an investigation by Bitdefender and the Georgian CERT, which traced suspicious activities to a compromised Georgian website. The attackers activated Hyper-V on the infected machines, downloaded a disguised VM image, and named it “WSL.” The VM, operating on Alpine Linux, had a small disk footprint and low RAM usage, minimizing alerts from security systems. Within this environment, they deployed two malware implants: CurlyShell, a reverse shell for command execution, and CurlCat, a reverse proxy tool for SSH traffic. Both implants were designed to maintain a low forensic footprint. The attackers also used a PowerShell script to inject encrypted Kerberos tickets into LSASS for lateral movement and employed various tunneling tools for communication. Artifacts from their operations were stored in directories that blended with legitimate Windows files. Security teams are advised to audit Hyper-V usage, monitor for hidden VMs, and enable host-based network inspection.