PowerShell

Winsage
March 2, 2026
Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.
Winsage
March 1, 2026
Windows 11 users often find system settings dispersed and many functionalities unconfigurable. The Sophia Script for Windows is an open-source PowerShell module designed to debloat and optimize Windows 10 and 11. It requires manual adjustments to select desired optimizations. To use the script, users must download it via PowerShell or from GitHub, extract files, and run the SophiaScriptWrapper.exe to import the Sophia.ps1 file. Users can customize functions and export a custom script before executing it. The script requires specific commands to run and may prompt users for selections during operation. Users can also run individual functions without modifying the entire script. The Sophia Script offers advanced control over privacy settings and system functions, appealing to power users who seek deeper customization beyond standard interfaces.
Winsage
March 1, 2026
Windows 11 users often find system settings scattered, making configurations difficult to access. The Sophia Script for Windows is an open-source PowerShell module designed to debloat and optimize Windows 11 and 10. It requires manual modifications for customization and can be downloaded via PowerShell or from GitHub. Users must extract files, run the SophiaScriptWrapper.exe, and import the Sophia.ps1 file to customize and export their script. To execute the script, users must navigate to the script's directory in PowerShell, set execution policies, and run the customized script. Individual functions can also be executed by navigating to the script directory and using specific commands. The Sophia Script offers extensive control over system-level functions, allowing for deep customization of privacy settings and system behaviors, but may not be suitable for all users due to its complexity.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
Winsage
March 1, 2026
Microsoft has launched WinGet 1.28.190, aligning its version number with App Installer to resolve discrepancies. The previous version 1.12.470 has been replaced by this update. Key changes include consistent directory separators for portable packages, compatibility of the --suppress-initial-details option with winget configure test, corrections to the experimental "font" property, and the introduction of the experimental sourceEdit feature, which allows users to set a source for package management. The update signifies a consolidation of versioning and enhances clarity for users and administrators.
Winsage
February 28, 2026
Windows 11 users will see colorful battery icons on the taskbar as Microsoft rolls out updates, including the new Start menu, with the update KB5077241. The vibrant battery icons have been in development for nearly two years, with initial testing starting in late 2024. The rollout began last year but was limited to select PCs. An optional update in February 2026 will further expand the availability of these icons and the updated Start menu. The new battery icon replaces the plain white bar with a green icon when charging, featuring a charging bolt during the process. The icon changes color based on battery levels: it turns orange at 30% and red below 6%. Users can display the battery percentage on the taskbar by enabling it in Settings > System > Power & Battery. Recent improvements to the Windows taskbar include the return of drag-and-drop functionality, the ability to resize the taskbar, and potential options to reposition it. Microsoft is also updating Secure Boot certificates, set to expire in June 2026, and distributing new certificates issued in 2023 to more PCs. A tutorial is available for users to verify the application of these new Secure Boot certificates.
Winsage
February 24, 2026
Organizations are transitioning from Windows 10 to Windows 11 following the end-of-support date for Windows 10. Windows 11 is designed to support most applications that ran on Windows 10, but challenges may arise due to undocumented legacy applications and configurations. A thorough evaluation of devices, including installed applications and data locations, is essential to minimize disruptions during the upgrade. Migrations can be categorized as clean installations or in-place upgrades. A clean installation erases the previous OS and data, while an in-place upgrade retains existing settings and applications. In-place upgrades are not allowed for certain transitions, such as from Windows 10 Home to Windows 11 Pro without first upgrading to Windows 10 Pro. IT professionals often prefer clean installations to avoid carrying over issues from the previous OS. During an in-place upgrade, data in library folders is retained, but data in the Windows folder may be at risk. Compatibility issues may arise with poorly designed applications or drivers post-upgrade, particularly with legacy applications reliant on outdated frameworks. Preparation for migration includes creating an inventory of applications, identifying potential incompatibilities, and ensuring backups of data. IT must also confirm hardware meets Windows 11 requirements. If a clean installation is chosen, strategies for application installation must be developed, utilizing tools like System Center Configuration Manager or Microsoft Intune. Validation and testing of migration tools should occur in a lab environment, followed by a pilot deployment on a small percentage of machines. After successful pilot testing, the final deployment can proceed, followed by an audit to address any issues. Careful planning and testing are crucial for a smooth migration process.
Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
Winsage
February 22, 2026
Microsoft has introduced a new command line interface for the Microsoft Store, accessible through PowerShell by typing "store." Users must have all current Windows 11 updates installed for functionality. The interface features ASCII art and a list of sub-commands, allowing users to search, install, and update software with minimal keystrokes. Users can install applications without needing to remember exact names, and commands like "store install firefox" yield accurate results. Limitations include the inability to install applications not available in the Microsoft Store. Users can also search for apps, gain insights into specific applications, and browse categories. The command "store updates" allows users to manage application updates efficiently.