registry key

Winsage
February 27, 2026
Windows 11 Insider Preview Build 26220.7934 (KB5077242) has been released to the Beta Channel. Key updates include:
- A new secure mode for batch files that ensures a batch file cannot be modified while it is executing, improving both security and performance.
- Shared audio now includes individual volume sliders for each listener and a taskbar indicator for ongoing audio sharing sessions.
- A new Narrator command reads the status bar contents in applications such as Word and Excel.
- The rollout of improved taskbar animations has been temporarily paused.
- Reliability improvements for removing Windows Update files and the windows.old folder.
- Improved typing reliability with the ADLaM keyboard.
- Paint gains a freeform rotate feature for shapes, text, and selections.
Insiders receive these updates through Settings > Windows Update; features may be gradually rolled out using Controlled Feature Rollout technology. A desktop watermark is displayed on Windows Insider pre-release builds.
Winsage
February 27, 2026
Windows 11 Insider Preview Build 26300.7939 (KB5077243) has been released to the Dev Channel, introducing new features and improvements. Key updates include a new secure mode that prevents batch files from being modified while they execute (improving both security and performance), individual volume sliders for audio shared between Bluetooth LE Audio devices, a new Narrator command to read status bar contents in applications, improved reliability for removing Windows Update files, and improved typing reliability with the ADLaM keyboard. The rollout of improved taskbar animations has been temporarily paused. Updates are gradually being rolled out to Insiders who have opted in through Settings > Windows Update.
Winsage
January 12, 2026
A new tool named EDRStartupHinder was unveiled on January 11, 2026. It allows an attacker who already holds administrative privileges to prevent antivirus and endpoint detection and response (EDR) solutions from launching during Windows startup. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 by redirecting essential system DLLs during boot with the Windows Bindlink API and turning the Protected Process Light (PPL) loader checks against the protected processes themselves. The tool's four-step attack chain includes creating a malicious service that starts ahead of the targeted security services, redirecting critical DLLs to attacker-controlled copies, and modifying a byte in the PE header of those copies so that PPL-protected processes refuse to load them. The security service therefore fails to start. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products. Its source code is publicly available on GitHub, raising concerns about misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statement regarding patches or mitigations for this technique.
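The detection advice above (unauthorized service creation, changes to service groups and startup configuration) can be turned into a quick host audit. The following PowerShell is an added example, not code from the EDRStartupHinder write-up or its author; run it elevated. It reads the service group load order, lists every service that declares a Group together with its load position and image location, and pulls recent service-installation events. The "trusted root" list is an assumption for this example, and Bindlink activity itself needs a driver-level telemetry source that this script does not cover.

```powershell
# Added example (PowerShell, run elevated); not code from the EDRStartupHinder write-up.
# Audits the inputs an attacker must touch to start a service ahead of an EDR service:
# the service group load order, each service's Group/Start/ImagePath values, and
# Service Control Manager 7045 (new service installed) events.

$svcRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")   # assumption

function Normalize-ImagePath([string]$raw) {
    # Turn a raw ImagePath value into an absolute path without arguments.
    if (-not $raw) { return '' }
    $p = $raw.Trim()
    if ($p.StartsWith('"') -and $p.IndexOf('"', 1) -gt 1) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    else { $p = ($p -split ' ')[0] }   # unquoted: first token (unquoted paths with spaces are a finding in themselves)
    $p = [Environment]::ExpandEnvironmentVariables($p) -replace '^\\\?\?\\', ''   # \??\C:\... -> C:\...
    if ($p -match '^\\?SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')    { $p = Join-Path $env:SystemRoot $p }   # relative, e.g. system32\drivers\x.sys
    return $p
}

# 1. Group load order: members of earlier groups are started first.
$groupList = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
$rank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $rank[$groupList[$i]] = $i }

# 2. Every service that declares a Group, with its load position and image location.
$grouped = foreach ($k in Get-ChildItem -Path $svcRoot) {
    $p = Get-ItemProperty -Path $k.PSPath
    if (-not $p.Group) { continue }
    $img   = Normalize-ImagePath $p.ImagePath
    $order = if ($rank.ContainsKey($p.Group)) { $rank[$p.Group] } else { 9999 }   # 9999 = group not in the list
    [pscustomobject]@{
        Service   = $k.PSChildName
        Group     = $p.Group
        Order     = $order
        Start     = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $img
        Trusted   = [bool]($trustedRoots | Where-Object { $img -like "$_*" })
    }
}
$grouped | Sort-Object Order, Service | Format-Table Order, Group, Service, Start, Trusted, ImagePath -AutoSize

"`nGrouped services whose image is outside Windows or Program Files (review these):"
$grouped | Where-Object { -not $_.Trusted } | Format-Table Service, Group, Start, ImagePath -AutoSize

# 3. Services installed in the last 7 days (System log, Service Control Manager event 7045).
"`nRecently installed services:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Service   = $_.Properties[0].Value
            ImagePath = $_.Properties[1].Value
            StartType = $_.Properties[3].Value
        }
    } | Format-Table -AutoSize
```

A service that declares an early group, starts at boot, and points at an image outside the Windows or Program Files trees is the combination to look at first; comparing the output against a known-good baseline of the same host is more reliable than the path heuristic alone.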
Winsage
December 19, 2025
Windows Server 2025 now supports native NVMe I/O, moving away from SCSI bus commands. This feature requires a registry key modification or group policy MSI to activate. Users can see performance improvements of up to 80% in IOPS and a 45% reduction in CPU utilization during high I/O loads. Testing on a two-socket Intel system with 208 logical cores and a Solidigm D7-PS1010 SSD showed a 45% increase in IOPS with one thread, 78% with eight threads, and 71% with 16 threads, alongside a 41% and 47% decrease in CPU load during 4K random reads with eight and 16 threads, respectively. The I/O processing workflow has been redesigned for better performance, enhancing overall latency and responsiveness. Community feedback is mixed, with some users experiencing negligible differences and others suggesting that only PCIe 5.0 NVMe devices can fully utilize the new I/O stack. There is no timeline for this feature's rollout to Windows 11, and its effectiveness may vary based on drive firmware quality. Home computing tasks may not see significant improvements, but multitasking and gaming experiences could benefit from reduced CPU load and improved system responsiveness.
Winsage
November 25, 2025
Recent observations have identified ClickFix attack variants in which cybercriminals display deceptive Windows Update animations on full-screen browser pages and hide malicious code within images. The page's JavaScript silently copies a command to the clipboard, and victims are instructed to press a key sequence that opens the Run box, pastes the command and executes it. Security researchers have documented these attacks since October, noting the use of the LummaC2 and Rhadamanthys information stealers. Attackers use steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by making calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, payload delivery for the Rhadamanthys variant through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate the risk.
Winsage
November 25, 2025
A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.
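Both summaries above end with the same two practical steps: disable the Run box and check the RunMRU registry key. The following PowerShell is an added example, not code from Huntress or the other researchers cited; it applies the Explorer NoRun policy for the current user and walks RunMRU in every loaded user hive, flagging commands that match the ClickFix indicators described above. The indicator regexes (mshta with a URL, a hex-encoded IP in a URL, encoded PowerShell) are my assumptions based on the summaries, not a published signature.

```powershell
# Added example (PowerShell); not code from the Huntress or other write-ups summarized above.
# (a) Set-NoRunPolicy: Explorer "NoRun" policy, removes the Run box (Win+R) for this user.
# (b) Get-RunMruEntries: parse RunMRU for every loaded user hive, most recent first,
#     and flag ClickFix-style commands. Regexes below are assumptions for this example.

function Set-NoRunPolicy {
    param([switch]$Remove)   # -Remove clears the policy again
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Remove) { Remove-ItemProperty -Path $key -Name NoRun -ErrorAction SilentlyContinue }
    else { Set-ItemProperty -Path $key -Name NoRun -Type DWord -Value 1 }   # takes effect at next logon
}

function Test-ClickFixCommand([string]$cmd) {
    $patterns = @(
        '(?i)\bmshta(\.exe)?\b.*://',                      # mshta launching a remote HTA
        '(?i)://0x[0-9a-f]+',                              # hex-encoded IP address in a URL
        '(?i)powershell.*\s-(e|ec|enc|encodedcommand)\b',  # encoded PowerShell
        '(?i)\b(iex|invoke-expression|downloadstring|bitsadmin)\b'
    )
    foreach ($re in $patterns) { if ($cmd -match $re) { return $true } }
    return $false
}

function Get-RunMruEntries {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        if (-not $p.MRUList) { continue }
        # MRUList orders the slot letters most-recent first; each slot stores "<command>\1".
        foreach ($c in [char[]]$p.MRUList) {
            $slot = [string]$c
            $cmd  = [string]$p.$slot -replace '\\1$', ''
            [pscustomobject]@{
                User       = $hive.PSChildName    # SID of the profile
                Slot       = $slot
                Command    = $cmd
                Suspicious = Test-ClickFixCommand $cmd
            }
        }
    }
}

# Usage: review Run-box history for all loaded profiles (run elevated to see other users).
Get-RunMruEntries | Format-Table -AutoSize
# Set-NoRunPolicy    # enable the mitigation for this user; the GPO equivalent is
                     # User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu"
```

RunMRU only records what was typed or pasted into the Run box, so a clean RunMRU does not rule out a ClickFix variant that instructs the victim to use a terminal instead; the process-chain monitoring (explorer.exe spawning mshta.exe or powershell.exe) recommended above covers that case.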
Winsage
November 23, 2025
The new Digital Signage Mode introduced by Microsoft allows Windows to display system error messages, such as the Blue Screen of Death, for only 15 seconds before turning the screen black. This feature aims to prevent public visibility of technical errors on digital signage while still allowing support teams to address issues. The mode also applies to other disruptive Windows dialogs, but it is specifically designed for non-interactive public displays and does not extend to kiosks, which require direct user interaction. The mode can be enabled through the Windows Settings app or a registry key.
Tech Optimizer
November 14, 2025
A recent malware campaign has seen attackers disguise the DarkComet remote access trojan as Bitcoin-related applications to target cryptocurrency users. DarkComet RAT gives attackers extensive control over compromised systems, even though its original creator discontinued it years ago. The malware's capabilities include keystroke logging, file theft, webcam surveillance, and remote desktop control, posing significant risks to users. The malicious file was distributed inside a compressed RAR archive as “94k BTC wallet.exe,” packaging that helps it evade email filters. Security analysts at Point Wild found that the malware establishes persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and creating a registry key that runs it automatically at system startup. It attempts to connect to a command-and-control server at kvejo991.ddns.net over TCP port 1604. The malware injects its payload into legitimate Windows processes to perform keylogging and screen capture while remaining undetected. Captured keystrokes are stored in log files and exfiltrated through the command-and-control channel. Users are advised to avoid downloading cryptocurrency tools from untrusted sources and to keep security software updated.
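The persistence described above (a copy of the RAT in a user-writable folder, named after a system binary, launched from a startup registry key) is easy to audit for. The following PowerShell is an added example, not code from the Point Wild report; run it elevated. It enumerates the Run and RunOnce values for HKLM and every loaded user hive and flags entries whose target sits under a user-writable directory such as %AppData%, carries a system-binary name like explorer.exe outside %SystemRoot%, or is missing or not validly signed. The heuristics and the closing TCP 1604 connection check are mine.

```powershell
# Added example (PowerShell, run elevated); not code from the Point Wild report.
# Enumerates Run/RunOnce autostart values for HKLM and every loaded user hive and flags
# entries that fit the DarkComet persistence pattern described above. Heuristics are mine.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view (relevant under HKLM)
)
$hives = @('Registry::HKEY_LOCAL_MACHINE') +
         (Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
$systemNames = @('explorer.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'services.exe')

function Resolve-AutorunTarget([string]$raw) {
    # Return the executable path from a Run value, stripping arguments.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    $end = $p.IndexOf('"', 1)
    if ($p.StartsWith('"') -and $end -gt 1) { return $p.Substring(1, $end - 1) }
    # Unquoted value: keep the longest leading run of tokens that exists as a file,
    # so "C:\Program Files\x\y.exe -arg" resolves correctly.
    $parts = $p -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $cand = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    return $parts[0]
}

function Test-SuspiciousAutorun([string]$target) {
    if (-not $target) { return 'empty value' }
    $reasons = @()
    if ($target -match '(?i)\\(AppData|ProgramData|Temp|Public)\\') { $reasons += 'user-writable path' }
    $leaf = (Split-Path -Path $target -Leaf).ToLower()
    if ($systemNames -contains $leaf -and $target -notlike "$env:SystemRoot\*") { $reasons += 'system binary name outside SystemRoot' }
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { $reasons += 'target missing' }
    elseif ((Get-AuthenticodeSignature -LiteralPath $target).Status -ne 'Valid') { $reasons += 'not validly signed' }
    return ($reasons -join '; ')
}

$findings = foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties Get-ItemProperty adds to the object.
        foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $target = Resolve-AutorunTarget ([string]$v.Value)
            [pscustomobject]@{
                Hive   = $hive -replace '^Registry::', ''
                Key    = Split-Path -Path $sub -Leaf
                Name   = $v.Name
                Target = $target
                Flags  = Test-SuspiciousAutorun $target
            }
        }
    }
}
# Flagged entries first; an empty Flags column means nothing matched the heuristics.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize

# Live check for the C2 port named in the report (1604 is also DarkComet's default).
Get-NetTCPConnection -RemotePort 1604 -ErrorAction SilentlyContinue |
    Select-Object OwningProcess, RemoteAddress, State
```

An entry whose target is %AppData%\...\explorer.exe will be flagged twice (user-writable path, system binary name outside SystemRoot) and a third time if the file is unsigned, which is the profile of the sample above; legitimate per-user installers (updaters, chat clients) also live under %AppData% but are normally signed, so the signature column is what separates them.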