registry settings

Winsage
November 25, 2025
A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.
Winsage
October 16, 2025
Microsoft's recent security update KB5065426 has introduced synchronization issues for Active Directory, specifically affecting applications that use the DirSync control for on-premises Active Directory Domain Services (AD DS). This problem occurs for large AD security groups with more than 10,000 members on Windows Server 2025 after installing the September 2025 update or later. Affected users can apply a registry modification to disable the changes from the update, with the following details:
- Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides
- Name: 2362988687
- Type: REG_DWORD
- Value: 0
Microsoft is working on a comprehensive solution and has acknowledged the issue in the Known Issues section of the update.
Winsage
September 18, 2025
Windows enthusiasts have found a way to enable the new Xbox full-screen mode on Windows 11 using the latest 25H2 update, without requiring new hardware. This involves installing a Release Preview version of Windows 11 and making certain tweaks. The feature has been successfully tested on handheld gaming PCs, including MSI’s Claw devices and Asus ROG Ally range, allowing devices like the original ROG Ally to boot directly into Microsoft’s Xbox app, bypassing Asus’ proprietary software. The Xbox full-screen experience optimizes gaming by not loading the full Windows desktop or background processes, freeing up about 2GB of memory. Users are directed to the Xbox PC app, which consolidates games from various platforms. The mode includes a Game Bar for navigation and a task view tailored for handheld devices. Users can switch to traditional desktop mode, but Microsoft recommends using touch or a mouse and keyboard for better usability when exiting to the desktop. Setting up this feature is straightforward, but caution is advised due to potential system instability from modifying registry settings or using the Windows Feature Store. A guide is available on Reddit, but users should be aware of the risks involved, including the possibility of needing to revert changes or reinstall Windows.
Winsage
August 30, 2025
The Windows Registry was introduced with Windows 3.1 in 1992 and has been included in every Windows release since. It was designed to streamline the management of application configuration files, evolving significantly by Windows 95. Initially, it featured a single registry file (reg.dat) with a 64KB limit, primarily for basic functions. Windows NT introduced virtualization for legacy 16-bit applications, redirecting INI files into a virtual registry file. Windows 11 includes a hidden option for a darker aesthetic by modifying registry settings. A Registry setting in Windows 10 version 1607 allows file paths up to approximately 32,767 characters, but file names have their own limitations. Modifying the WaitToKillServiceTimeout value in the Registry can speed up the shutdown process. Users can utilize third-party applications like RegScanner or Microsoft's PowerToys for enhanced registry modifications. The Registry allows users to revert to the Windows 10 context menu and add custom entries.
Winsage
August 28, 2025
Cybersecurity experts have reported a significant increase in phishing emails targeting Microsoft Windows devices, linked to UpCrypter, a loader that installs remote access tools (RATs) for long-term access to compromised systems. These phishing emails often appear as missed voicemails or purchase orders, leading victims to counterfeit websites that prompt them to download a ZIP file containing a JavaScript dropper. This script executes PowerShell commands to connect to attacker-controlled servers, initiating further malware deployment. UpCrypter scans the system for security monitoring and can reboot to disrupt investigations if detected. If not, it downloads additional payloads, including PureHVNC for remote desktop access, DCRat for spying and data theft, and Babylon RAT for complete control over infected devices. Attackers use techniques like steganography, string obfuscation, and in-memory execution to evade detection. This phishing campaign, active since early August 2025, has affected various sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality, with significant activity reported in countries like Austria, Belarus, Canada, Egypt, India, and Pakistan. Detections of this malware have doubled in two weeks, indicating a rapid escalation of the operation. Organizations are urged to implement robust email filtering and train employees to recognize these threats.
Winsage
August 17, 2025
Microsoft has removed the option for users to disable automatic updates for Microsoft Store apps without prior notice. Users can now only delay updates for a maximum of five weeks, after which updates will occur automatically. Attempts to bypass this new protocol through registry edits have been unsuccessful. The change is likely motivated by security concerns, ensuring applications are kept up to date. Group policy remains an exception to this rule.
Winsage
August 1, 2025
The Windows Insider program allows users to test new features before public release. Recently, some users experienced the Windows Vista start-up sound instead of the Windows 11 sound. Microsoft quickly addressed this issue in the Canary channel, reverting to the standard Windows 11 boot sound, noting that the Vista sound was used unexpectedly. The Vista sound, which is nostalgic for many, was also present in Windows 7. The latest update not only fixed the sound bug but also resolved issues with audio playback when casting to a TV and crashes in the power and battery settings menu. Users can customize their startup sounds by editing registry settings, although the option to revert to the Vista sound is not available in the sounds folder.
Winsage
July 30, 2025
The Microsoft Security Compliance Toolkit is a suite of tools for administrators to assess Group Policy Objects (GPOs) against Microsoft's security baselines, helping to identify discrepancies and implement secure settings. It includes tools such as the Policy Analyzer, Local Group Policy Object (LGPO) utility, and Set Object Security application. Administrators can download the toolkit from Microsoft's website, which contains zip files for various security baseline packages. The Policy Analyzer compares GPOs with local security policies to identify inconsistencies, while the LGPO tool manages local security policies and allows for policy backup and verification. The Set Object Security tool applies security descriptors to objects like files and folders. For Windows Server, administrators should test security baselines in non-production environments before deployment. With Windows Server 2025, the OSConfig platform allows for direct application of security baselines through PowerShell, simplifying the update process and maintaining compliance.