PowerShell

Winsage
March 19, 2026
The command line on Windows can be intimidating for average users, but tools like Windows Terminal enhance its usability with features such as tabbed browsing and improved text rendering. Winget allows users to install multiple applications simultaneously in the background, streamlining the setup process for new PCs. Oh My Posh improves the PowerShell prompt by providing contextual information and customizable themes. Git enables users to track changes and revert mistakes in files, while the bat command allows for quick viewing of text files in the terminal with syntax highlighting. These tools collectively enhance the Windows user experience by making the command line more accessible and efficient.
Winsage
March 11, 2026
Microsoft's Hyper-V is a hardware virtualization platform integrated into Windows 11 Professional, Enterprise, and Education editions, allowing users to host multiple virtual machines (VMs) on a single computer. It operates using a type 1 hypervisor directly on hardware, enabling VMs to share resources like CPU, memory, and storage. Hyper-V includes features such as dynamic memory allocation, software-defined networking, and saved checkpoints. IT administrators may need to disable Hyper-V due to compatibility issues with third-party virtualization software, high-precision applications, or driver conflicts. Disabling Hyper-V can also affect security features reliant on it, such as virtualization-based security (VBS) and Device Guard. Methods to disable Hyper-V include:
1. Using the Windows Features dialog.
2. Executing a PowerShell command: Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform
3. Running a DISM command: dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform
4. Using the bcdedit command: bcdedit /set hypervisorlaunchtype off
5. Modifying Group Policy to disable VBS.
6. Editing the Windows Registry to disable VBS or Credential Guard.
For multiple managed computers, administrators can create and execute a PowerShell script or use Group Policy Objects to streamline the process. Testing in a controlled environment is recommended to ensure desired outcomes without compromising security or functionality.
Winsage
March 4, 2026
OpenAI has launched its Codex agentic coding application for Windows, expanding its reach beyond the Mac platform. The Mac version received over 1 million downloads in its first week and currently has 1.6 million weekly active users, with over 500,000 developers awaiting the Windows version. The Windows version is designed for real-world usage, featuring native sandboxing capabilities and OS-level controls for secure operation. It includes a WinUI skill for Windows application development and mirrors the Mac version in functionality while introducing Windows-specific features. Codex emphasizes managing the agent over just coding, providing a unique interface described as a "command center for agents." It operates on OpenAI’s latest coding model, GPT-5.3-Codex, with options to switch to earlier versions and adjust reasoning levels. Codex for Windows is available to users across various tiers, including ChatGPT Free, Go, Plus, Pro, Business, Enterprise, and Edu.
Winsage
March 2, 2026
Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.
Winsage
March 1, 2026
Windows 11 users often find system settings dispersed and many functionalities unconfigurable. The Sophia Script for Windows is an open-source PowerShell module designed to debloat and optimize Windows 10 and 11. It requires manual adjustments to select desired optimizations. To use the script, users must download it via PowerShell or from GitHub, extract files, and run the SophiaScriptWrapper.exe to import the Sophia.ps1 file. Users can customize functions and export a custom script before executing it. The script requires specific commands to run and may prompt users for selections during operation. Users can also run individual functions without modifying the entire script. The Sophia Script offers advanced control over privacy settings and system functions, appealing to power users who seek deeper customization beyond standard interfaces.
Winsage
March 1, 2026
Windows 11 users often find system settings scattered, making configurations difficult to access. The Sophia Script for Windows is an open-source PowerShell module designed to debloat and optimize Windows 11 and 10. It requires manual modifications for customization and can be downloaded via PowerShell or from GitHub. Users must extract files, run the SophiaScriptWrapper.exe, and import the Sophia.ps1 file to customize and export their script. To execute the script, users must navigate to the script's directory in PowerShell, set execution policies, and run the customized script. Individual functions can also be executed by navigating to the script directory and using specific commands. The Sophia Script offers extensive control over system-level functions, allowing for deep customization of privacy settings and system behaviors, but may not be suitable for all users due to its complexity.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
Winsage
March 1, 2026
Microsoft has launched WinGet 1.28.190, aligning its version number with App Installer to resolve discrepancies. The previous version 1.12.470 has been replaced by this update. Key changes include consistent directory separators for portable packages, compatibility of the --suppress-initial-details option with winget configure test, corrections to the experimental “font” property, and the introduction of the experimental sourceEdit feature, which allows users to set a source for package management. The update signifies a consolidation of versioning and enhances clarity for users and administrators.