PowerShell scripts Archives

Winsage

May 28, 2026

Your Windows PC has a security deadline in June 2026

A Secure Boot certificate refresh is being deployed across supported Windows devices via Windows Update. The Secure Boot certificates from 2011 will begin to expire in June 2026, prompting Microsoft to introduce new 2023-dated certificates to maintain security. Most users will require minimal action if their PCs are updated, but older devices may face challenges. The current certificates include: - Microsoft Corporation KEK CA 2011: expires June 24, 2026 - Microsoft UEFI CA 2011: expires June 27, 2026 - Microsoft Windows Production PCA 2011: expires October 19, 2026 The new certificates will remain valid until 2038, with plans for post-quantum cryptography around 2030. While PCs using the 2011 certificates will continue to function, they will lose access to new security protections, making them vulnerable to emerging threats. A notable example of such a threat is the BlackLotus bootkit, which exploited vulnerabilities to bypass Secure Boot. Microsoft's rollout strategy involves a staged update process that typically takes around 48 hours and may require restarts. Users are advised to keep Windows updated and check their Secure Boot status. Known issues may arise for older PCs, systems that bypassed Windows 11 requirements, Legacy BIOS systems, and custom firmware configurations. IT teams managing devices should inventory their systems, monitor specific event IDs, test updates, and document devices that cannot be updated.

Winsage

May 17, 2026

I got tired of hunting through Windows for every setting, so I built my own control center

The utility created simplifies Windows management by consolidating various settings and diagnostics into a single interface. It provides an overview of system metrics such as DNS latency, system uptime, and temporary file accumulation. The application includes dedicated pages for health checks, network insights, services, scheduled tasks, drives, drivers, power plans, gaming toggles, privacy settings, and taskbar configuration. Each diagnostic is executed through PowerShell scripts, with results displayed in a user-friendly format. The utility maintains transparency by creating .reg backups before modifying the registry and allows users to revert changes easily. It is open-source, lightweight, and designed for personal use rather than debloating. The program's structure enables users to inspect and modify scripts, ensuring clarity and control over system adjustments.

Winsage

May 16, 2026

I got tired of hunting through Windows for every setting, so I built my own control center

The utility developed streamlines access to Windows diagnostics and tweaks, consolidating functionalities typically spread across various settings panels into a single interface. It features an overview page with key system metrics and organized sections for health checks, network details, services, scheduled tasks, drives, drivers, power plans, gaming settings, privacy options, and taskbar adjustments. Each diagnostic is executed via PowerShell scripts that output JSON data for display. The application ensures transparency in registry changes by creating .reg backups before modifications and allows users to revert changes easily. It focuses on practical tweaks rather than debloating, maintaining a lightweight design without extensive features. The tool is open source and available on GitHub.

Winsage

May 12, 2026

Hackers Can Hide Malware Inside Images to Hack Windows

Researchers at Cyfirma have identified a cyberattack campaign named Operation SilentCanvas that targets Windows systems using deceptive JPEG files to infiltrate devices. The attack begins with victims receiving a file named sysupdate.jpeg, which contains a PowerShell script instead of an image. This script establishes staging environments and downloads additional malicious components while avoiding detection. The malware reconstructs command strings at runtime and downloads a secondary payload called access.jpeg, executed in memory. It exploits Microsoft's .NET compiler to create a custom launcher named uds.exe on infected machines. The malware takes control of a registry key to create a hidden desktop environment for undetected execution of malicious tools and installs a persistent Windows service, OneDriveServers, to maintain activity after reboots. Additionally, it can intercept usernames and passwords at the Windows login screen and create hidden local administrator accounts for long-term access. Security teams are advised to monitor the execution of commonly abused Windows binaries like csc.exe and ComputerDefaults.exe to mitigate risks.

Winsage

April 28, 2026

Microsoft Releases Enterprise Policy Option to Disable Windows 11 Copilot

Microsoft has introduced a new enterprise policy setting that allows IT administrators to silently uninstall the Microsoft Copilot app from managed Windows 11 devices. The RemoveMicrosoftCopilotApp policy became available after the April 2026 Patch Tuesday security updates and is compatible with enterprise management solutions like Microsoft Intune and System Center Configuration Manager (SCCM). Administrators can find the policy in the Group Policy Editor under User Configuration > Administrative Templates > Windows AI > Remove Microsoft Copilot App. It specifically targets Windows 11 Pro, Enterprise, and Education SKUs, excluding Home edition users. The uninstallation process is triggered when three conditions are met: Microsoft 365 Copilot is installed on the device, it was provisioned (not user-installed), and it has not been launched by the user in the last 28 days. The policy was initially available for Windows Insiders in January 2026 and became generally accessible afterward. However, future updates or user reinstalls from the Microsoft Store may reintroduce the Copilot app, necessitating ongoing policy enforcement for permanent removal. Organizations seeking broader exclusion may need to use PowerShell scripts or additional MDM configurations.

Winsage

April 10, 2026

“This is exactly the kind of thing driving me away from Windows”: even Edge users don’t want this new feature

Recent polling data shows that Microsoft Edge users dislike the browser's automatic launch upon logging into Windows 11. Microsoft is testing a feature that would have Edge open automatically at startup, which has sparked significant discussion and frustration among users. A banner notifying select users of this change has been observed, and the behavior has been confirmed in the latest Edge Beta build. User reactions on Reddit include strong negative sentiments, with some users threatening to abandon Windows 11 if this feature is enforced. Despite the backlash, Microsoft Edge is viewed as a competent browser, though its aggressive promotion tactics may alienate potential users.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Winsage

February 17, 2026

How to Uninstall and Reinstall Chrome on Windows 11 Using Winget CMD

Google Chrome can experience performance issues on Windows due to corrupted profiles, extension conflicts, broken updates, and crashes. A complete uninstall and reinstall often resolves these issues, and the Windows Package Manager (Winget) provides a command-line method for this process. To uninstall Chrome using Winget, open Terminal as an administrator and run the command PLACEHOLDER7836d906c03bd8f1. After uninstallation, verify it with PLACEHOLDER30cf24d62406b8ee, then reinstall using PLACEHOLDER76e40aae6965d719. For a clean reinstall, delete the leftover user data folder at PLACEHOLDER142352b706501488. Commands: - Check installed version: winget list Google.Chrome - Uninstall Chrome: winget uninstall Google.Chrome - Verify removal: winget list Google.Chrome - Reinstall Chrome: winget install Google.Chrome - Silent install: winget install Google.Chrome --silent - Delete leftover data: rmdir /s /q "%LocalAppData%GoogleChrome" Before executing commands, ensure Winget is available and updated, and that you have administrator privileges. Backup data by enabling Chrome Sync. Close Chrome completely before uninstalling to avoid process interference. A clean reinstall involves deleting the Chrome user data folder, which removes bookmarks, passwords, and other stored data. Winget is faster and more suitable for scripting and remote management compared to traditional uninstall methods through the Settings app or Control Panel. Common troubleshooting for Winget includes handling errors related to package recognition, installation blocks, and access issues. If uninstalling fails, terminate any running Chrome processes and retry the command. If unsuccessful, use the Settings app for removal and then Winget for reinstallation.

Winsage

December 19, 2025

Microsoft Phases Out RC4 Encryption by 2026 to Bolster Windows Security

Microsoft has announced the phased discontinuation of the RC4 encryption cipher, with full implementation expected by mid-2026. RC4, created in 1987, has been increasingly recognized as a vulnerability, exploited in various high-profile cyberattacks. Microsoft plans to disable RC4 by default in Windows Kerberos authentication, encouraging organizations to transition to more secure alternatives like AES-256. This decision follows years of warnings from the cybersecurity community and aims to eliminate long-standing cryptographic weaknesses. The transition will require organizations to audit and upgrade their infrastructures, as many legacy applications still depend on RC4. Disabling RC4 is expected to reduce the success rates of attacks exploiting weak encryption. Microsoft has introduced tools to help administrators identify hidden RC4 usage. The change reflects a commitment to zero-trust architectures and aligns with recommendations from organizations like NIST. Experts recommend a multi-step approach for organizations to navigate this transition effectively.

Winsage

December 10, 2025

Beyond RC4 for Windows authentication

Two new PowerShell scripts from the Microsoft Kerberos-Crypto GitHub repository have been introduced to enhance cybersecurity by streamlining the monitoring of Security Event logs on domain controllers. 1. List-AccountKeys.ps1: This script queries the Security Event Log for the Keys field, enumerating the keys associated with accounts in the event logs. It provides details such as the timestamp, account name, account type, and specific account keys. For example, it can show that accounts have access to keys like RC4, AES128-SHA96, AES256-SHA96, and AES128-SHA256. 2. Get-KerbEncryptionUsage.ps1: This script allows users to query events to determine which encryption types Kerberos utilized, revealing requests that employed AES256-SHA96. It also offers filtering options for specific encryption algorithms, such as RC4. Organizations can further enhance their security by using SIEM solutions like Microsoft Sentinel or built-in Windows event forwarding to query these logs.