PowerShell

Winsage
May 27, 2026
Research from FortiGuard Labs has identified a phishing campaign that disguises itself as purchase orders, prompting recipients to open harmful attachments. The campaign begins with a phishing email containing a malicious JavaScript file. When executed, this JavaScript decrypts and runs a PowerShell script that uses process hollowing to inject a .NET downloader module into the trusted Windows process MsBuild.exe. This downloader connects to a remote command and control (C2) server to download and execute additional modules, allowing the attacker to alter the malware's behavior after the initial compromise. The campaign poses significant detection challenges for Windows users due to its use of multiple encryption layers, fileless execution techniques, and process hollowing strategies. Security experts emphasize the need for organizations to enhance their detection capabilities beyond traditional methods, focusing on identifying suspicious activity across various devices and applications. The phishing attack exploits social engineering tactics and blends malicious actions with legitimate administrative tools, complicating detection efforts. Additionally, the human element plays a crucial role in breaches, highlighting the importance of effective communication and collaboration between security teams and other departments to improve security awareness and behavior.
Winsage
May 26, 2026
Removing Microsoft Edge from Windows can be complex due to its integration as a system component, especially in Windows 10 and standard Windows 11 installations. Edge may not have a straightforward Uninstall button in the Settings page, but methods exist for uninstallation, including using Edge's own installer or command-line approaches. In the EU, users may find an easier uninstall option in Settings due to the Digital Markets Act (DMA). To uninstall Edge, users should check their Windows version and region, install a replacement browser beforehand, and be aware that updates might reinstall Edge. Elevated permissions are typically required for uninstallation methods. Method A involves using Edge's setup.exe in uninstall mode from its Installer directory, which is widely compatible. Method B allows for a Settings-based uninstall in certain EU Windows 11 builds influenced by DMA. Method C uses PowerShell to remove Edge partially but may not be effective on newer builds. Method D suggests disabling Edge instead of fully uninstalling it for better system stability. Advanced techniques exist but carry risks, including potential system integrity issues. Users should consider application dependencies and the likelihood of Windows updates restoring Edge. For enterprise environments, policy-based control is preferred over complete removal. The EU DMA is driving changes toward a more modular Windows architecture, allowing for greater user choice regarding browser components.
Winsage
May 26, 2026
Enabling Hyper-V on Windows 11 can cause applications like BlueStacks or VirtualBox to lag or fail to launch due to conflicts with CPU virtualization extensions (VT-x/AMD-V). Hyper-V is a Type-1 hypervisor that monopolizes these resources, preventing Type-2 hypervisors from accessing them directly. Common issues include error messages from BlueStacks, LDPlayer, VirtualBox, VMware, and Android Studio related to virtualization availability. To check if Hyper-V is enabled, users can use Task Manager, System Information, Windows Features, Command Prompt, or PowerShell. Disabling Hyper-V can be done through various methods, including unchecking it in Windows Features, using PowerShell, the bcdedit command, or modifying BIOS settings. However, disabling Hyper-V also stops functionalities like WSL2 and Memory Integrity. Some modern emulators, such as BlueStacks and VMware Workstation Pro, have adapted to work alongside Hyper-V, while VirtualBox's compatibility remains experimental. For optimal emulator performance, users should allocate appropriate CPU cores and RAM, ensure virtualization is enabled in BIOS, enable GPU acceleration, and set the Windows power plan to "Best performance." If issues persist, users should confirm Hyper-V is off, check BIOS settings, and reset emulator configurations.
Winsage
May 26, 2026
Users of Windows 11 face issues with unwanted advertising, bloatware, and privacy concerns. To combat these, a combination of Group Policy and Winhance is recommended. Group Policy can be used to preemptively instruct Windows to ignore specific undesired elements, while Winhance addresses issues that may re-emerge after updates. Group Policy is referred to as "Directivas de grupo local" in Castilian. Before implementing policies, Windows should be fully updated. Two essential policies to enhance control include removing default Microsoft Store packages and opting out of sending diagnostic data to Microsoft. Group Policies can be saved and shared if the target computer matches the original system's version and update status. Winhance is a tool that monitors and manages unwanted applications, offers customization options, and provides a list of third-party apps for replacing built-in applications.
Winsage
May 25, 2026
Microsoft has ended official updates and security patches for Windows 10, raising security concerns for users. Tiny11, an unofficial and streamlined version of Windows 11, serves as an alternative for those unable to upgrade due to hardware limitations. Tiny11 reduces bloat by removing preinstalled applications but lacks regular updates and robust security protections. A valid Windows 11 license key is required to use Tiny11. Users can obtain a Tiny11 ISO by downloading it from the Internet Archive or creating their own using a script from the Tiny11 GitHub page alongside an official Windows 11 ISO. To create a bootable USB drive for installation, users need at least an 8 GB USB drive and a program like Rufus.
Winsage
May 24, 2026
The author initially found PowerShell to be less integrated into their daily Windows workflow, often accessing it through the Start menu and closing it after use. To improve accessibility, they began using Windows Terminal more frequently, pinning it to the taskbar and utilizing the "Open in Terminal" option in File Explorer. They also discovered keyboard shortcuts to launch PowerShell quickly. These changes led to increased usage of PowerShell for tasks like checking IP configurations and retrieving system information. To enhance the PowerShell experience, the author customized its appearance by installing Oh My Posh, a prompt theme engine, and experimenting with color schemes, fonts, and transparency in Windows Terminal. They also made modifications to their PowerShell profile, adding aliases and shortcuts for frequently used commands to streamline their workflow. Over time, PowerShell became an essential tool for resolving various Windows issues, transforming from a fallback option to a key component of their toolkit.
Winsage
May 23, 2026
Recent feedback from Windows 11 users has led Microsoft to simplify the process of uninstalling Copilot due to dissatisfaction with its integration. A Group Policy option titled “Remove Microsoft Copilot app” has been introduced in the April 2026 Update, allowing users to remove Copilot via User Configuration > Administrative Templates > Windows Components > Windows AI. Users can also uninstall Copilot directly from the installed apps list or by right-clicking the icon, although it may reappear after a fresh installation due to certain updates. To uninstall Copilot and Microsoft 365 Copilot using Group Policy, the following conditions must be met: both apps must be installed, the user did not install them independently, and the Copilot app has not been used for over 28 days. This policy is supported on Pro, Enterprise, Education, and IoT Enterprise or LTSC versions of Windows 11. Windows 11 Home users can manually remove Copilot by creating a registry key at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI and setting a DWORD value named RemoveMicrosoftCopilotApp to 1. Alternatively, users can execute a PowerShell script to remove Copilot. Microsoft has not provided an uninstall option for Copilot in the Start menu.
Winsage
May 23, 2026
A new preview build of Windows 11 introduces a Group Policy option titled Remove Microsoft Copilot app, located in User Configuration settings under Administrative Templates and Windows Components. This policy is conditional, applying only when both Microsoft 365 Copilot and Microsoft Copilot are present, the Copilot app has not been user-installed, and it has not been launched in the last 28 days. Alternative methods to control the Copilot app include the Intune Settings Catalog entry to turn off Copilot, a registry DWORD at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot, and AppLocker packaged-app rules. Community discussions indicate that PowerShell uninstall methods are temporary solutions due to potential reinstallation by subsequent updates.
Winsage
May 23, 2026
BitLocker, a security feature for data protection, has a vulnerability identified as CVE-2026-45585, also known as YellowKey, which allows unauthorized access to encrypted data on Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. This flaw does not compromise BitLocker’s encryption but affects the recovery environment supporting it. The vulnerability can be exploited locally through the Windows Recovery Environment (WinRE) by an attacker with physical access, who can trigger an unrestricted shell and access the BitLocker-protected volume. Microsoft has provided two mitigation strategies: modifying the WinRE image to remove the autofstx.exe entry and transitioning from TPM-only protection to a TPM+PIN requirement at startup. The exploit poses challenges for detection, as it occurs pre-boot and currently lacks vendor-published indicators of compromise. Organizations using BitLocker for unattended devices are particularly at risk, as the vulnerability can lead to loss of confidentiality if an attacker gains access before the legitimate user.
Winsage
May 20, 2026
Microsoft has addressed the YellowKey vulnerability, a zero-day flaw in Windows BitLocker identified as CVE-2026-45585. This vulnerability allows unauthorized access to BitLocker-protected drives through a specific exploitation process involving 'FsTx' files. The flaw was disclosed by an anonymous researcher known as 'Nightmare Eclipse.' Microsoft has released mitigation strategies, including removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value and reestablishing BitLocker trust for WinRE. Additionally, users are advised to change BitLocker settings from "TPM-only" to "TPM+PIN" mode, requiring a pre-boot PIN for drive decryption, and to enable "Require additional authentication at startup" for unencrypted devices.