registry settings

Winsage
March 17, 2026
Microsoft is implementing a two-phase initiative to disable the hands-free deployment feature in Windows Deployment Services (WDS) due to a critical remote code execution vulnerability (CVE-2026-0386) identified on January 13, 2026. This vulnerability arises from improper access control related to the Unattend.xml file, which is transmitted over an unauthenticated RPC channel, allowing attackers on the same network segment to exploit it. Successful exploitation could grant SYSTEM-level privileges and compromise OS deployment images. The initiative includes:
- Phase 1 (January 13, 2026): The hands-free deployment feature will remain operational but can be disabled. New Event Log alerts and registry key controls will be introduced to enforce secure practices.
- Phase 2 (April 2026): The hands-free deployment feature will be completely disabled by default for administrators who have not modified registry settings.
Administrators can temporarily re-enable the feature by setting AllowHandsFreeFunctionality = 1, but this is not secure. Recommendations include reviewing WDS configurations, applying security updates, setting registry keys for secure behavior, monitoring Event Viewer for alerts, and considering alternative deployment methods. Microsoft’s KB article 5074952 provides further guidance for impacted organizations.
Winsage
March 11, 2026
Microsoft's Hyper-V is a hardware virtualization platform integrated into Windows 11 Professional, Enterprise, and Education editions, allowing users to host multiple virtual machines (VMs) on a single computer. It operates using a type 1 hypervisor directly on hardware, enabling VMs to share resources like CPU, memory, and storage. Hyper-V includes features such as dynamic memory allocation, software-defined networking, and saved checkpoints. IT administrators may need to disable Hyper-V due to compatibility issues with third-party virtualization software, high-precision applications, or driver conflicts. Disabling Hyper-V can also affect security features reliant on it, such as virtualization-based security (VBS) and Device Guard. Methods to disable Hyper-V include:
1. Using the Windows Features dialog.
2. Executing a PowerShell command: Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform.
3. Running a DISM command: dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform.
4. Using the bcdedit command: bcdedit /set hypervisorlaunchtype off.
5. Modifying Group Policy to disable VBS.
6. Editing the Windows Registry to disable VBS or Credential Guard.
For multiple managed computers, administrators can create and execute a PowerShell script or use Group Policy Objects to streamline the process. Testing in a controlled environment is recommended to ensure desired outcomes without compromising security or functionality.
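Because disabling Hyper-V also switches off VBS-backed protections, a pre-check that reports what is currently running is worth capturing before any of the methods above are applied. The following read-only script is an added example (not from the summarized article); it assumes an elevated PowerShell session on Windows 11 and uses the Win32_DeviceGuard WMI class and bcdedit to show the state that a rollback would need to restore.

```powershell
# Added example: inventory Hyper-V related features and VBS state before disabling anything.
# Run elevated; nothing here changes the system.
function Get-HyperVSecurityState {
    $wanted = 'Microsoft-Hyper-V-All', 'HypervisorPlatform', 'VirtualMachinePlatform'
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -in $wanted } |
        Select-Object FeatureName, State

    # Win32_DeviceGuard reports VBS and the services that depend on the hypervisor.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)
    $credGuard = $running -contains 1
    $hvci      = $running -contains 2

    # Boot-time hypervisor setting that "bcdedit /set hypervisorlaunchtype off" would change.
    $launch = (bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype') -replace '\s+', ' '

    [pscustomobject]@{
        Features            = $features
        VbsStatus           = $vbsStatus
        CredentialGuard     = $credGuard
        MemoryIntegrityHVCI = $hvci
        HypervisorLaunch    = "$launch".Trim()
    }
}

$state = Get-HyperVSecurityState
$state.Features | Format-Table -AutoSize
$state | Select-Object VbsStatus, CredentialGuard, MemoryIntegrityHVCI, HypervisorLaunch | Format-List
if ($state.CredentialGuard -or $state.MemoryIntegrityHVCI) {
    Write-Warning 'Credential Guard and/or memory integrity are running and will stop if Hyper-V is disabled.'
}
```

Keep the output with the change record so the VBS settings can be verified again after Hyper-V is re-enabled.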
Winsage
November 25, 2025
A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.
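The summary ends with the RunMRU registry key as the place to look for ClickFix abuse. The script below is an added example (not part of the Huntress research or the summarized article) that lists the current user's Win+R history in most-recent-first order and flags entries that invoke mshta.exe or other LOLBins; the keyword list is an assumption chosen for this example.

```powershell
# Added example: triage the Run-box history (RunMRU) for the current user.
# Read-only. RunMRU lives under HKCU, so run this as the user under investigation
# (or load that user's NTUSER.DAT hive and adjust the path).
function Get-RunMruEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }

    $props = Get-ItemProperty -Path $key
    # MRUList holds one letter per stored command, most recent first.
    $order = ([string]$props.MRUList).ToCharArray()
    # LOLBins commonly seen in ClickFix lures; extend as needed (assumed list).
    $pattern = '(?i)\b(mshta|powershell|pwsh|cmd|curl|bitsadmin|certutil|rundll32)\b'

    foreach ($letter in $order) {
        $name  = [string]$letter
        $entry = $props.$name
        if (-not $entry) { continue }
        # Explorer stores each command with a trailing "\1"; strip it for display.
        $cmd = $entry -replace '\\1$', ''
        [pscustomobject]@{
            Slot    = $name
            Flag    = if ($cmd -match $pattern) { 'SUSPICIOUS' } else { 'ok' }
            Command = $cmd
        }
    }
}

Get-RunMruEntries | Format-Table -AutoSize
```

An mshta.exe or PowerShell entry here is a strong hint that the user pasted a lure, and should be correlated with process creation events for explorer.exe and mshta.exe around the same time.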
Winsage
October 16, 2025
Microsoft's recent security update KB5065426 has introduced synchronization issues for Active Directory, specifically affecting applications that use the DirSync control for on-premises Active Directory Domain Services (AD DS). This problem occurs for large AD security groups with more than 10,000 members on Windows Server 2025 after installing the September 2025 update or later. Affected users can apply a registry modification to disable the changes from the update, with the following details:
- Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides
- Name: 2362988687
- Type: REG_DWORD
- Value: 0
Microsoft is working on a comprehensive solution and has acknowledged the issue in the Known Issues section of the update.
Winsage
September 18, 2025
Windows enthusiasts have found a way to enable the new Xbox full-screen mode on Windows 11 using the latest 25H2 update, without requiring new hardware. This involves installing a Release Preview version of Windows 11 and making certain tweaks. The feature has been successfully tested on handheld gaming PCs, including MSI’s Claw devices and Asus ROG Ally range, allowing devices like the original ROG Ally to boot directly into Microsoft’s Xbox app, bypassing Asus’ proprietary software. The Xbox full-screen experience optimizes gaming by not loading the full Windows desktop or background processes, freeing up about 2GB of memory. Users are directed to the Xbox PC app, which consolidates games from various platforms. The mode includes a Game Bar for navigation and a task view tailored for handheld devices. Users can switch to traditional desktop mode, but Microsoft recommends using touch or a mouse and keyboard for better usability when exiting to the desktop. Setting up this feature is straightforward, but caution is advised due to potential system instability from modifying registry settings or using the Windows Feature Store. A guide is available on Reddit, but users should be aware of the risks involved, including the possibility of needing to revert changes or reinstall Windows.
Winsage
August 30, 2025
The Windows Registry was introduced with Windows 3.1 in 1992 and has been included in every Windows release since. It was designed to streamline the management of application configuration files, evolving significantly by Windows 95. Initially, it featured a single registry file (reg.dat) with a 64KB limit, primarily for basic functions. Windows NT introduced virtualization for legacy 16-bit applications, redirecting INI files into a virtual registry file. Windows 11 includes a hidden option for a darker aesthetic by modifying registry settings. A Registry setting in Windows 10 version 1607 allows file paths up to approximately 32,767 characters, but file names have their own limitations. Modifying the WaitToKillServiceTimeout value in the Registry can speed up the shutdown process. Users can utilize third-party applications like RegScanner or Microsoft's PowerToys for enhanced registry modifications. The Registry allows users to revert to the Windows 10 context menu and add custom entries.
Winsage
August 28, 2025
Cybersecurity experts have reported a significant increase in phishing emails targeting Microsoft Windows devices, linked to UpCrypter, a loader that installs remote access tools (RATs) for long-term access to compromised systems. These phishing emails often appear as missed voicemails or purchase orders, leading victims to counterfeit websites that prompt them to download a ZIP file containing a JavaScript dropper. This script executes PowerShell commands to connect to attacker-controlled servers, initiating further malware deployment. UpCrypter scans the system for security monitoring and can reboot to disrupt investigations if detected. If not, it downloads additional payloads, including PureHVNC for remote desktop access, DCRat for spying and data theft, and Babylon RAT for complete control over infected devices. Attackers use techniques like steganography, string obfuscation, and in-memory execution to evade detection. This phishing campaign, active since early August 2025, has affected various sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality, with significant activity reported in countries like Austria, Belarus, Canada, Egypt, India, and Pakistan. Detections of this malware have doubled in two weeks, indicating a rapid escalation of the operation. Organizations are urged to implement robust email filtering and train employees to recognize these threats.
Winsage
August 17, 2025
Microsoft has removed the option for users to disable automatic updates for Microsoft Store apps without prior notice. Users can now only delay updates for a maximum of five weeks, after which updates will occur automatically. Attempts to bypass this new protocol through registry edits have been unsuccessful. The change is likely motivated by security concerns, ensuring applications are kept up to date. Group policy remains an exception to this rule.