PowerShell Archives

Winsage

February 23, 2025

The Windows Concept Journey — ICS (Internet Connection Sharing)

Internet Connection Sharing (ICS) is a feature in Windows that allows a device with internet access to share its connection with other devices on a local area network (LAN). To enable or disable ICS, users can go to the Control Panel, access "Network Connections," right-click on the LAN or Wi-Fi device, select "Properties," click on the "Sharing" tab, and toggle the checkbox for "Allow other network users to connect through this computer’s Internet connection." ICS can also be configured using PowerShell or the netsh.exe command. It provides services such as DHCP and NAT and can share various connection types, including dial-up, PPPoE, and VPN. ICS has been integrated with UPnP since Windows XP for remote discovery and control. The settings for ICS are stored in the Windows registry at "HKLMSOFTWAREPoliciesMicrosoftWindowsNetwork Connections."

Winsage

February 23, 2025

Microsoft Windows Warning—Do Not Install This Critical Update

A significant alert has been issued regarding a new browser update threat targeting Microsoft Windows users, as reported by Palo Alto Networks’ Unit 42. Attackers are injecting malicious JavaScript into legitimate websites, misleading users into believing they need to update their browsers. These deceptive messages often use realistic branding and create urgency, prompting users to download and execute scripts that enable malware to retrieve the NetSupport RAT code. This malware allows for remote device control, data exfiltration, and modification of the Windows Registry, complicating its removal. On February 18, 2025, the NetSupport RAT delivered StealC, a credential-stealing malware designed to capture sensitive login information. The SmartApeSG campaign highlights the risks of social engineering and fileless attack techniques, exploiting trusted software update mechanisms. Recommended mitigation strategies include blocking domains linked to SmartApeSG, deploying signatures to detect malicious JavaScript, monitoring anomalous process relationships, restricting PowerShell execution policies, and educating employees about fake update prompts. Users are advised to follow conventional methods for browser updates, check for updates through their browsers, and ensure automatic updates are enabled.

Winsage

February 21, 2025

Can you really get Windows and Office for free? These hackers say yes

A group of developers called Massgrave has hacked Microsoft's activation tools for Windows and Office, uploading PowerShell scripts to GitHub that allow users to activate Windows and perpetual-license Office versions without paying licensing fees. Their tool, TSforge, supports activation for Windows versions 7, 8.x, 10, and 11, as well as Office versions from 2010 onward, excluding Microsoft 365 subscriptions. The scripts require minimal technical expertise and have been tested successfully on fresh installations of Windows 11 and updated Windows 10 machines. Massgrave acknowledges their actions as piracy and does not accept donations, emphasizing the ethical implications. The safety of the scripts is questioned, as there is a risk of malicious actors cloning their work. Microsoft is aware of the situation and plans to take action against unauthorized use of their software.

Winsage

February 20, 2025

This Is the Ultimate Tool for Setting Up a New Windows Computer

WinUtil is a free utility developed by Chris Titus that simplifies the setup process for new computers running Windows. It allows users to install multiple applications with a few clicks, featuring a user-friendly interface divided into five tabs: Software Installation, Tweaks, Config, Updates, and Microwin. Users can select desired software, make system adjustments, configure Windows preferences, manage update installations, and create customized Windows installers. The tool supports exporting application collections and tweaks for easy replication on other computers, and comprehensive documentation is available for further exploration of its features.

Winsage

February 20, 2025

Can’t quit Windows 10? You can pay Microsoft for updates after October, or try these alternatives

An ESU subscription allows customers to receive updates automatically through Windows Update, with updates also available for individual download via the Microsoft Update Catalog. Customers can set reminders to check for updates after their release, typically on the second Tuesday of each month. For a more streamlined approach, the third-party service 0patch offers critical security patches for Windows 10 for at least five years after the end-of-support date, costing between and per PC annually. 0patch provides "micropatches" for vulnerabilities discovered after October 14, 2025, which are small and applied to running processes without altering Microsoft's original files. Unauthorized alternatives, like PowerShell activation scripts from the Massgrave hacking collective, allow users to bypass Microsoft's licensing agreements for a free three-year ESU subscription, but using these scripts is illegal and poses significant risks to businesses.

AppWizard

February 20, 2025

Russian Groups Target Signal Messenger in Spy Campaign

Multiple Russian threat groups are targeting the Signal Messenger application, focusing on individuals likely to engage in sensitive military and governmental communications during the conflict in Ukraine. Researchers from Google's Threat Intelligence Group have identified these attacks as primarily aimed at individuals of interest to Russian intelligence services. The two main cyber-espionage groups involved are UNC5792 (tracked by Ukraine's CERT as UAC-0195) and UNC4221 (UAC-0185). Their goal is to deceive victims into linking their Signal accounts to devices controlled by the attackers, granting access to incoming messages. UNC5792 uses invitations that resemble legitimate Signal group invites with malicious QR codes, while UNC4221 employs a phishing kit that mimics Ukraine's Kropyva app and includes harmful QR codes on fake sites. Other Russian and Belarusian groups, including Sandworm (APT44) and Turla, are also targeting Signal Messenger in various ways, such as stealing messages from databases or local storage. Additionally, Belarus-linked group UNC1151 uses the Robocopy tool to duplicate Signal messages for future theft. The increased activity against Signal reflects a broader interest in secure messaging apps used by individuals in espionage and intelligence roles. These apps' strong security features make them attractive to at-risk individuals and communities but also high-value targets for adversaries. Russian groups are also targeting Telegram and WhatsApp, with a recent report detailing attacks by the Russian group Star Blizzard on WhatsApp accounts of government officials and diplomats.

Winsage

February 19, 2025

These Windows 11 registry hacks will turn you into a PC pro

The Windows Registry Editor is accessed by pressing Win-R, typing regedit, and confirming with “OK.” The registry files are located in “C:WindowsSystem32config” and user-specific files in “C:Users[username].” The five main branches of the registry are: - HkeyCurrentUser: Configuration settings for the current user. - HkeyLocalMachine: Global settings for all users, requiring administrative rights for changes. - HkeyUsers: Contains user IDs for system profiles. - HkeyClassesRoot: Manages file name extensions and program shortcuts. - HkeyCurrentConfig: Links to keys under HkeyLocalMachineSystemCurrentControlSetHardware ProfilesCurrent. Users can create subkeys and values, which can be of different types. To modify the registry, select a key, use the “New” context menu, and double-click to edit. Creating a backup of the registry is recommended before making changes, which can be done using the Registry Backup Portable tool. To restore the registry, select the most recent backup and click “Restore Now.” Microsoft’s Process Monitor can be used to analyze registry values by filtering for “RegSetValue” and tracking changes. Certain registry values are restricted from modification for security reasons, such as the “widgets” feature in Windows 11. However, methods like batch files and PowerShell scripts can override these protections. Windows transmits diagnostic data to Microsoft, impacting user privacy. Tools like O&O Shutup10 and W10Privacy help manage telemetry settings.

Winsage

February 17, 2025

Winhance transforms Windows 11 (and Windows 10) into the bloat-free, faster operating system you always wanted

User sentiment towards Windows 11 has led to the development of third-party tools to enhance the experience. Talon can debloat Windows 11 with just two clicks, removing unnecessary pre-installed applications like Microsoft Edge, OneDrive, Copilot, and Clipchamp. Winhance is another tool that debloats and optimizes Windows 11, also compatible with Windows 10 (22H2). Winhance features include: - Software & Apps: - Install Software - Permanently Remove Windows Apps (e.g., Microsoft Edge, OneDrive, Copilot) - Optimize: - Set UAC Notification Level - Disable/Enable Windows Security Suite - Privacy Settings - Gaming Optimizations - Windows Updates - Power Settings - Scheduled Tasks - Windows Services - Customize: - Toggle Windows Dark or Light Mode - Taskbar Customization - Start Menu Settings - Explorer Options - Notification Preferences - Sound Settings - Accessibility Options - Search Configuration To use Winhance, users must open PowerShell as Administrator, confirm privileges, enable script execution, and run a specific command to download and execute the application from GitHub. Winhance has received significant updates since its release in February, with version 2 introducing UI/UX improvements, critical fixes, and bug resolutions, including issues with Windows Search and OneDrive folder cleanup. A demonstration video is available for viewing.

Tech Optimizer

February 15, 2025

Simplify database authentication management with the Amazon Aurora PostgreSQL pg_ad_mapping extension

Authentication is essential for security in enterprise environments, protecting sensitive data and resources from unauthorized access. Kerberos authentication is utilized for Amazon Aurora PostgreSQL-Compatible Edition with AWS Directory Service for Microsoft Active Directory, particularly through the pg_ad_mapping extension, which enhances access control management. Aurora PostgreSQL supports multiple authentication methods, including password authentication, AWS Identity and Access Management (IAM) database authentication, and Kerberos authentication. By default, password authentication is enabled, while IAM and Kerberos can be used independently. Users are assigned specific roles based on the authentication method: rds_iam for IAM, rds_ad for Kerberos, and no specific roles for password authentication. Kerberos authentication integrates with Microsoft Active Directory, allowing centralized authentication and single sign-on (SSO) capabilities. With versions 14.10 and 15.5, Aurora PostgreSQL introduced the pg_ad_mapping extension, which allows administrators to manage access through Active Directory (AD) security groups instead of provisioning individual users. This extension checks AD group memberships upon user login and assigns corresponding database roles, prioritizing roles based on assigned weights. The pg_ad_mapping extension includes functions such as pgadmap_set_mapping to add mappings between AD security groups and database roles, pgadmap_read_mapping to list existing mappings, and pgadmap_reset_mapping to delete or reset mappings. To deploy the solution, a CloudFormation stack is used to create necessary resources, including an AWS Managed Microsoft AD server, an Aurora PostgreSQL database cluster, and a Windows EC2 instance. Users can be added to AD groups, and roles can be mapped to facilitate access management. Security best practices for Aurora PostgreSQL include using IAM policies for resource management, implementing security groups for database access control, utilizing encryption for data protection, and employing Transport Layer Security (TLS) for secure connections. For auditing, the pg_stat_gssapi view can be used to identify authenticated users, and enabling the log_connections parameter will log session establishments, including AD user identities.

Winsage

February 15, 2025

Windows 11 fully streamlined in just two clicks? Talon utility promises to rip all the bloatware out of Microsoft’s OS in a hassle-free way

Talon is a debloating tool for Windows 11 developed by Raven, designed to simplify the process of removing unnecessary software and features. It allows users to achieve a streamlined experience with just two clicks, offering various debloat options, including a basic removal and tailored profiles like 'Gaming' that install popular platforms such as Discord and Steam. Talon automates the debloating process, making it accessible to less tech-savvy users, and utilizes established tools like ChrisTitusTech’s WinUtil and Raphi’s Win11Debloat. The tool's code is open source, promoting transparency and user safety. Users are advised to consider the risks of third-party applications while also having access to alternative resources for manual decluttering.