registry key Archives

Winsage

June 4, 2026

June 9 Patch Tuesday incoming as Secure Boot deadline looms

Microsoft has announced updates to Secure Boot, enhancing system security by modifying support and registry keys to streamline the boot process. These updates aim to improve the security of Windows devices by ensuring that only trusted software is loaded during startup. Collaborations with Dell and STMicroelectronics are also underway to provide tailored support and integrate advanced security features into chipsets, respectively.

Winsage

May 30, 2026

How to Disable Windows Defender in Windows 11 (GUI, PowerShell, CMD & Group Policy)

Disabling Windows Defender is common among users setting up virtual machines or optimizing build processes, but it can be frustrating due to Windows 11's resistance to such actions. Many guides suggest using outdated registry keys, which are often reverted by updates, leading to repeated attempts to disable the protections. Users may disable Defender for several reasons, including performance issues with virtual machines, conflicts with Android emulators, hindrances in development environments, troubleshooting disk performance, and security testing in isolated labs. However, disabling antivirus software increases exposure to threats. Microsoft Defender includes components such as Antivirus, Real-Time Protection, Cloud-Delivered Protection, Tamper Protection, and Defender for Endpoint. Tamper Protection is a significant barrier to disabling Defender, as it prevents unauthorized changes to security settings. Key considerations before disabling Defender include the need for administrator rights, the effect of Tamper Protection, potential resets from Windows Updates, temporary toggles for Real-Time Protection, and the option to install third-party antivirus software, which places Defender in passive mode. Methods to disable Defender include using the Windows Security GUI, PowerShell commands, Command Prompt, or Group Policy (available only for certain editions). Disabling Tamper Protection requires accessing the GUI or being managed by an organization. To check if Defender is disabled, users can use PowerShell to review specific fields. Common reasons for Defender reactivating include enabled Tamper Protection, system reboots, Windows Updates, lack of third-party antivirus, and security policy refreshes. Installing a legitimate third-party antivirus is often the best way to maintain a consistent state. Instead of disabling Defender, users can add exclusions for specific folders related to virtual machines or development tools, allowing them to maintain protection while avoiding conflicts. Troubleshooting common problems includes ensuring elevated sessions for PowerShell, checking Tamper Protection status, and understanding the limitations of the Group Policy editor based on the Windows edition. Disabling Defender may be appropriate in specific scenarios, but for regular use, especially on machines handling sensitive tasks, the risks generally outweigh the benefits. Using exclusions is recommended for performance improvements without compromising security.

Winsage

May 23, 2026

Windows 11 now lets you remove Microsoft Copilot app with Group Policy or Registry, as it tries to win back users

Recent feedback from Windows 11 users has led Microsoft to simplify the process of uninstalling Copilot due to dissatisfaction with its integration. A Group Policy option titled “Remove Microsoft Copilot app” has been introduced in the April 2026 Update, allowing users to remove Copilot via User Configuration > Administrative Templates > Windows Components > Windows AI. Users can also uninstall Copilot directly from the installed apps list or by right-clicking the icon, although it may reappear after a fresh installation due to certain updates. To uninstall Copilot and Microsoft 365 Copilot using Group Policy, the following conditions must be met: both apps must be installed, the user did not install them independently, and the Copilot app has not been used for over 28 days. This policy is supported on Pro, Enterprise, Education, and IoT Enterprise or LTSC versions of Windows 11. Windows 11 Home users can manually remove Copilot by creating a registry key at HKEYCURRENTUSERSoftwarePoliciesMicrosoftWindowsWindowsAI and setting a DWORD value named RemoveMicrosoftCopilotApp to 1. Alternatively, users can execute a PowerShell script to remove Copilot. Microsoft has not provided an uninstall option for Copilot in the Start menu.

Winsage

May 17, 2026

New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released

A cybersecurity researcher, known as Chaotic Eclipse, has released a proof-of-concept exploit for a Windows privilege escalation zero-day vulnerability called "MiniPlasma," which allows attackers to gain SYSTEM privileges on fully patched Windows systems. The vulnerability affects the cldflt.sys Cloud Filter driver and was reported by Google Project Zero in September 2020, assigned the identifier CVE-2020-17103, and claimed to be resolved by Microsoft in December 2020. However, Chaotic Eclipse asserts that the vulnerability remains unpatched. Testing confirmed that the exploit works on Windows 11 Pro, enabling command prompt access with SYSTEM privileges from a standard user account. Will Dormann, a vulnerability analyst, verified the exploit's effectiveness but noted it did not work in the latest Windows 11 Insider Preview Canary build. The exploit leverages the undocumented CfAbortHydration API to manage registry key creation improperly. Chaotic Eclipse has previously disclosed other Windows zero-day vulnerabilities and claims their actions are a protest against Microsoft's handling of vulnerabilities.

Winsage

May 15, 2026

Why I’m still tweaking Windows 11’s Registry, even after April’s “improvements”

Windows 11's April update includes performance boosts, a refined File Explorer, and a revamped Settings app, but primarily addresses existing issues rather than customization preferences. Users still face challenges with the lack of easily accessible customization options, leading many to rely on registry tweaks to adjust settings not available through the standard Settings menu. Key registry modifications include restoring the classic right-click menu, adding an "End Task" option to the taskbar's right-click menu, disabling Bing search in the Start menu, and removing the Recommended section from the Start Menu. These tweaks enhance functionality and convenience, as the updates do not sufficiently address user customizability concerns.

Winsage

May 12, 2026

Hackers Can Hide Malware Inside Images to Hack Windows

Researchers at Cyfirma have identified a cyberattack campaign named Operation SilentCanvas that targets Windows systems using deceptive JPEG files to infiltrate devices. The attack begins with victims receiving a file named sysupdate.jpeg, which contains a PowerShell script instead of an image. This script establishes staging environments and downloads additional malicious components while avoiding detection. The malware reconstructs command strings at runtime and downloads a secondary payload called access.jpeg, executed in memory. It exploits Microsoft's .NET compiler to create a custom launcher named uds.exe on infected machines. The malware takes control of a registry key to create a hidden desktop environment for undetected execution of malicious tools and installs a persistent Windows service, OneDriveServers, to maintain activity after reboots. Additionally, it can intercept usernames and passwords at the Windows login screen and create hidden local administrator accounts for long-term access. Security teams are advised to monitor the execution of commonly abused Windows binaries like csc.exe and ComputerDefaults.exe to mitigate risks.

Tech Optimizer

May 4, 2026

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender mistakenly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, leading to their removal from Windows systems globally. This issue arose after a Defender signature update on April 30th, with affected certificates including 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. The certificates were removed from the AuthRoot store under the Registry key HKLMSOFTWAREMicrosoftSystemCertificatesAuthRootCertificates. Microsoft has addressed the issue in Security Intelligence update version 1.449.430.0, which also restored the removed certificates. The false positives were linked to detections related to a recent DigiCert breach, where threat actors obtained valid code-signing certificates used for signing malware. DigiCert revoked 60 code-signing certificates, including those linked to the "Zhong Stealer" malware campaign. The malware utilized certificates issued to companies like Lenovo and Kingston, but the certificates flagged by Microsoft Defender are root certificates and do not correspond to the revoked code-signing certificates.

Winsage

April 16, 2026

Windows 11’s April update is locking some users out of their PCs

Users have reported issues with Windows 11 update KB5083769, which has triggered BitLocker recovery key prompts, locking some users out of their PCs. Microsoft acknowledged that the problem mainly affects corporate devices with specific BitLocker Group Policy settings. The issue is limited to systems where BitLocker is enabled, certain Group Policy configurations are set, and the Secure Boot State PCR7 Binding is “Not Possible.” Affected users need to enter their BitLocker recovery key or contact IT support for assistance. Microsoft has also provided guidance for IT departments to perform a Known Issue Rollback to remove the problematic updates, though this may expose systems to vulnerabilities.

Winsage

April 16, 2026

Microsoft: April updates trigger BitLocker key prompts on some servers

Microsoft announced that certain Windows Server 2025 devices may experience a BitLocker recovery prompt after installing the April 2026 KB5082063 Windows security update. The recovery mode will be triggered under specific conditions: BitLocker must be enabled on the operating system drive, the Group Policy for TPM validation must be configured with PCR7, the Secure Boot State PCR7 Binding must indicate "Not Possible," the Windows UEFI CA 2023 certificate must be in the Secure Boot Signature Database, and the device must not be using the 2023-signed Windows Boot Manager. Microsoft stated that this issue is unlikely to affect personal devices, as the configurations are mainly found in enterprise-managed systems. They are working on a resolution and recommend administrators remove the Group Policy configuration before deploying the update. If removal is not possible, applying a Known Issue Rollback (KIR) is advised to prevent triggering the recovery prompt. Microsoft has previously addressed similar BitLocker recovery prompt issues in May 2025, August 2024, and August 2022.

Winsage

April 9, 2026

This fake Windows support website delivers password-stealing malware

A phishing campaign has been identified that uses a counterfeit Microsoft support website, microsoft-update[.]support, to trick users into downloading a malicious Windows update disguised as WindowsUpdate 1.0.0.msi. This file, created on April 4, 2026, appears legitimate but contains malware designed to steal sensitive information. The campaign targets French-speaking users, leveraging recent data breaches in France to create convincing scams. The malware, once executed, installs an Electron application that runs a Python interpreter, which then deploys various data theft tools. It employs two persistence mechanisms: modifying the Windows registry and creating a shortcut in the Startup folder. The malware connects to external sites for reconnaissance and data exfiltration, using domains like datawebsync-lvmv.onrender[.]com and store8.gofile[.]io. The malware's components have evaded detection by antivirus tools, with VirusTotal reporting zero detections for the main executable and its launcher. Users are advised to check their registry, remove suspicious files, change passwords, and run a full system scan if they suspect installation of the malicious update. Safe updating practices include using the built-in Windows update feature and being cautious of phishing attempts. Indicators of compromise include specific file hashes, domains associated with the phishing campaign, and file system artifacts related to the malware's installation.