registry values

Winsage
June 25, 2026
Component Object Model (COM) is a Windows technology for object activation, inter-process communication, and automation across programming languages. Malware uses COM interfaces for lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionality. Reverse engineering COM-heavy binaries means navigating GUIDs and indirect vtable calls to understand what the malware actually does. Research presented at the AVAR 2025 conference and the CARO 2026 workshop covers methodologies for analyzing COM binaries and case studies of malware families that use COM. COM is an application binary interface (ABI) model: components can be reused and called from different languages because their interfaces are defined at the binary level. Distributed COM (DCOM) lets clients activate COM objects on remote systems. COM classes are identified by class identifiers (CLSIDs) and interfaces by interface identifiers (IIDs); the Windows registry stores their registration data under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Interface. Malware usually acts as a COM client, relying on the COM runtime to instantiate classes and request interfaces. ProgIDs are human-readable registry aliases for CLSIDs. CoCreateInstance creates an object by resolving the CLSID's registration to its server (an in-process DLL or an out-of-process EXE) and returning the requested interface. All COM interfaces derive from IUnknown, which manages object lifetime (AddRef/Release) and interface querying (QueryInterface). COM has its own security model, and identifying the classes and interfaces a sample uses is central to threat research. Tools such as ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow is: identify activation API calls, extract the CLSID and IID values passed to them, look up their registry definitions, and map the indirect vtable calls to interface methods.
Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
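The registry lookup step of that workflow, as an added example (not code from the article or the cited research): given GUIDs pulled from a sample, resolve each against the CLSID and Interface keys the summary names, and convert between GUID text and the 16-byte in-memory layout a reverser searches for in a binary. The registry paths are the documented COM registration keys; the strings dump at the end is a constructed sample, and the last GUID in it is a made-up value that should resolve to nothing.

```powershell
# Added example, not code from the Winsage article or the AVAR/CARO research.
# Resolves CLSIDs and IIDs recovered from a sample against the registry and
# converts between GUID text and the byte layout seen in a PE. The strings
# dump at the bottom is a constructed sample.

function Get-RegistryDefault {
    # Default value of a key, or $null if the key does not exist.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Resolve-ComClsid {
    # HKCR\CLSID\{clsid}: name, ProgID, AppID and the server CoCreateInstance would load.
    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes with the user hive
    # winning, so a per-user copy of a CLSID is the classic COM hijacking persistence
    # trick; UserOverride flags that case.
    param([Parameter(Mandatory)][guid]$Clsid)
    $id   = $Clsid.ToString('B')
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
    $info = [ordered]@{
        Clsid = $id; Registered = (Test-Path $key)
        Name = $null; ProgId = $null; AppId = $null; Server = $null; ServerType = $null
        UserOverride = (Test-Path "HKCU:\Software\Classes\CLSID\$id")
    }
    if ($info.Registered) {
        $info.Name   = Get-RegistryDefault $key
        $info.ProgId = Get-RegistryDefault "$key\ProgID"
        $info.AppId  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppID
        foreach ($sub in 'InprocServer32', 'LocalServer32', 'InprocHandler32') {
            $server = Get-RegistryDefault "$key\$sub"
            if ($server) { $info.Server = $server; $info.ServerType = $sub; break }
        }
    }
    [pscustomobject]$info
}

function Resolve-ComIid {
    # HKCR\Interface\{iid}: interface name and the proxy/stub CLSID used for marshalling.
    param([Parameter(Mandatory)][guid]$Iid)
    $key = "Registry::HKEY_CLASSES_ROOT\Interface\$($Iid.ToString('B'))"
    [pscustomobject]@{
        Iid              = $Iid.ToString('B')
        Registered       = (Test-Path $key)
        Name             = Get-RegistryDefault $key
        ProxyStubClsid32 = Get-RegistryDefault "$key\ProxyStubClsid32"
    }
}

function ConvertTo-GuidByteString {
    # GUID as laid out in memory (Data1..Data3 little-endian, Data4 as-is):
    # the byte pattern to search for in a PE's .rdata or .data.
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertFrom-GuidBytes {
    # The reverse: 16 bytes copied out of a disassembler back into a GUID.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -ne 16) { throw 'A GUID is exactly 16 bytes.' }
    [guid]::new($Bytes)
}

function Find-GuidString {
    # Pull GUID literals out of a strings dump or decompiler listing.
    param([Parameter(Mandatory)][string]$Text)
    $pattern = '\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?'
    [regex]::Matches($Text, $pattern) | ForEach-Object { [guid]($_.Value) } | Sort-Object -Unique
}

# Constructed sample: what a strings dump of a COM-using sample might contain
# (Task Scheduler and BITS class IDs, IUnknown and IDispatch, plus one made-up GUID).
$strings = @'
CoCreateInstance  {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
QueryInterface    {00000000-0000-0000-C000-000000000046}
CoCreateInstance  {4991D34B-80A1-4291-83B6-3328366B9097}
QueryInterface    {00020400-0000-0000-C000-000000000046}
{0DEADBEE-F000-4000-8000-000000000001}
'@

foreach ($g in Find-GuidString $strings) {
    $c = Resolve-ComClsid $g
    $i = Resolve-ComIid  $g
    if ($c.Registered) {
        "{0}  class '{1}'  ProgID={2}  {3}={4}  UserOverride={5}" -f $c.Clsid, $c.Name, $c.ProgId, $c.ServerType, $c.Server, $c.UserOverride
    } elseif ($i.Registered) {
        "{0}  interface '{1}'  ProxyStubClsid32={2}" -f $i.Iid, $i.Name, $i.ProxyStubClsid32
    } else {
        "{0}  not registered as a class or interface on this host" -f $g.ToString('B')
    }
    "    bytes in binary: {0}" -f (ConvertTo-GuidByteString $g)
}
```

Run it on the analysis host, not on the victim: registrations differ between machines, and a CLSID that resolves to nothing on your workstation may still be valid on the target. The UserOverride column is the one to look at first when a well-known CLSID resolves to an unexpected server path.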
Winsage
May 26, 2026
HP laptop owners, especially those with EliteBook, ProBook, and ZBook models, are reporting system freezes and Blue Screen of Death errors after a recent BIOS firmware update delivered through Windows Update. HP has acknowledged the problem and is investigating; it notes that Microsoft's 2023 certificates may not be applied correctly when the issue occurs. Users are advised to check the UEFICA2023Status and UEFICA2023Error registry values to see how far the certificate update got: if UEFICA2023Status stays at "In Progress" for too long and UEFICA2023Error is greater than 0, the update has failed. HP recommends disabling automatic updates to avoid the problematic BIOS update and has published a manual workaround for the BitLocker recovery loop. Users can also revert to a stable BIOS version, though this may be difficult and may require specific hardware.
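The check the summary describes, as an added example (not code from the article or from HP): read the two values, apply the failure rule, and report BitLocker and Secure Boot state alongside, since a failed firmware update on a BitLocker-protected machine is what produces the recovery loop. Assumptions: the values live under the SecureBoot\Servicing key Microsoft documents for the 2023 CA rollout; the registry stores no timestamp, so "too long" is measured by remembering when "In Progress" was first observed in a state file, and the 24-hour threshold is this example's own choice.

```powershell
# Added example, not from the Winsage article or HP's guidance. Reads the
# Secure Boot certificate-servicing state and applies the failure rule
# "In Progress too long AND UEFICA2023Error > 0". Assumed: key path per
# Microsoft's 2023 CA documentation; state file and 24h threshold are this
# example's choices. Run elevated so HKLM and BitLocker state are readable.

function Get-SecureBootCaStatus {
    param(
        [int]$MaxHoursInProgress = 24,
        [string]$StateFile = (Join-Path $env:ProgramData 'SecureBootCaStatus.json')
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $status = if ($p -and $p.PSObject.Properties['UEFICA2023Status']) { [string]$p.UEFICA2023Status } else { 'Not present' }
    $err    = if ($p -and $p.PSObject.Properties['UEFICA2023Error'])  { [int]$p.UEFICA2023Error }    else { 0 }

    # Remember when "In Progress" was first seen; the registry has no timestamp for it.
    $firstSeen = $null
    if ($status -eq 'In Progress') {
        if (Test-Path $StateFile) {
            $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
            if ($saved.Status -eq 'In Progress') { $firstSeen = [datetime]$saved.FirstSeen }
        }
        if (-not $firstSeen) { $firstSeen = Get-Date }
        @{ Status = $status; FirstSeen = $firstSeen.ToString('o') } | ConvertTo-Json | Set-Content -Path $StateFile
    } elseif (Test-Path $StateFile) {
        Remove-Item -Path $StateFile          # state changed, start the clock afresh next time
    }
    $hours = if ($firstSeen) { [math]::Round(((Get-Date) - $firstSeen).TotalHours, 1) } else { 0 }

    $verdict =
        if ($status -eq 'In Progress' -and $err -gt 0 -and $hours -ge $MaxHoursInProgress) { 'Failed: stuck in progress with an error code' }
        elseif ($status -eq 'In Progress' -and $err -gt 0)  { 'Error reported; re-check after the threshold' }
        elseif ($status -eq 'In Progress')                  { 'In progress, no error yet' }
        elseif ($status -eq 'Updated')                      { 'Completed' }
        else                                                { 'No servicing state recorded' }

    # Context a practitioner wants next to the verdict.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'Unsupported/legacy BIOS' }
    $bitlocker  = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus } catch { 'Unknown' }

    [pscustomobject]@{
        UEFICA2023Status = $status
        UEFICA2023Error  = $err
        HoursInProgress  = $hours
        Verdict          = $verdict
        SecureBootOn     = $secureBoot
        OsDriveBitLocker = $bitlocker
        Note             = if ("$bitlocker" -eq 'On') { 'Have the recovery key available before any BIOS change' } else { '' }
    }
}

Get-SecureBootCaStatus | Format-List
```

Run it once a day while the status is "In Progress"; the first run only records the start time, so the hours column is meaningful from the second run on. Export the state file's location to a log collector if you are tracking a fleet rather than one laptop.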
Winsage
May 17, 2026
The utility described simplifies Windows management by consolidating various settings and diagnostics into a single interface. It provides an overview of system metrics such as DNS latency, system uptime, and temporary file accumulation. The application includes dedicated pages for health checks, network insights, services, scheduled tasks, drives, drivers, power plans, gaming toggles, privacy settings, and taskbar configuration. Each diagnostic is executed through a PowerShell script, with results displayed in a user-friendly format. The utility maintains transparency by creating .reg backups before modifying the registry and allows users to revert changes easily. It is open-source, lightweight, and designed for personal use rather than debloating. The program's structure lets users inspect and modify the scripts, giving clarity and control over system adjustments.
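The backup-before-write pattern the summary credits the utility with, as an added example (not the utility's own code): export the target key to a .reg file, record the file's hash, only then write the value, and restore from the export on demand. It also covers the case an export cannot: when the key did not exist before the change, the "backup" is a note that the key must be deleted on revert. The HKCU demo key and value names are constructed for the example.

```powershell
# Added example, not code from the utility the article describes. Backup-first
# registry writes with verified .reg restore. Demo key under HKCU is constructed.

function ConvertTo-PSRegistryPath {
    # reg.exe wants HKCU\..., the PowerShell provider wants Registry::HKEY_CURRENT_USER\...
    param([Parameter(Mandatory)][string]$Key)
    'Registry::' + ($Key -replace '^HKCU\\', 'HKEY_CURRENT_USER\' -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
}

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$Key,
          [string]$BackupDir = (Join-Path $env:LOCALAPPDATA 'RegBackups'))
    $psPath = ConvertTo-PSRegistryPath $Key
    if (-not (Test-Path $psPath)) {
        # Nothing to export; reverting means deleting the key we are about to create.
        return [pscustomobject]@{ Key = $Key; Existed = $false; File = $null; Sha256 = $null }
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir (($Key -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw "reg.exe export of $Key failed (exit $LASTEXITCODE)" }
    [pscustomobject]@{ Key = $Key; Existed = $true; File = $file; Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash }
}

function Set-RegistryValueWithBackup {
    param([Parameter(Mandatory)][string]$Key,     # short form, e.g. HKCU\Software\Example
          [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)]$Value,
          [ValidateSet('String', 'DWord', 'QWord', 'ExpandString', 'MultiString', 'Binary')][string]$Type = 'DWord')
    $backup = Backup-RegistryKey -Key $Key          # throws before anything is written
    $psPath = ConvertTo-PSRegistryPath $Key
    if (-not $backup.Existed) { New-Item -Path $psPath -Force | Out-Null }
    Set-ItemProperty -Path $psPath -Name $Name -Value $Value -Type $Type
    $backup                                         # hand the receipt back to the caller
}

function Restore-RegistryBackup {
    param([Parameter(Mandatory)]$Backup)
    $psPath = ConvertTo-PSRegistryPath $Backup.Key
    if (-not $Backup.Existed) {
        if (Test-Path $psPath) { Remove-Item -Path $psPath -Recurse }
        return
    }
    # Refuse to import a .reg that changed since we wrote it: a .reg import can write anywhere.
    if ((Get-FileHash -Path $Backup.File -Algorithm SHA256).Hash -ne $Backup.Sha256) {
        throw "Backup file modified since export, not importing: $($Backup.File)"
    }
    & reg.exe import $Backup.File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit $LASTEXITCODE)" }
}

# Demo on a constructed key: create, change, then unwind both steps in reverse order.
$key = 'HKCU\Software\WinsageBackupExample'
$b1  = Set-RegistryValueWithBackup -Key $key -Name Enabled -Value 1     # key absent: backup says "delete on revert"
$b2  = Set-RegistryValueWithBackup -Key $key -Name Enabled -Value 0     # key present: .reg export taken
"after change: Enabled = $((Get-ItemProperty -Path (ConvertTo-PSRegistryPath $key)).Enabled)"
Restore-RegistryBackup $b2
"after restore: Enabled = $((Get-ItemProperty -Path (ConvertTo-PSRegistryPath $key)).Enabled)"
Restore-RegistryBackup $b1
"key still exists: $(Test-Path (ConvertTo-PSRegistryPath $key))"
```

One caveat worth carrying into any tool of this kind: a .reg import re-applies the values that existed at export time but does not remove values added afterwards, so a tool that creates new values must record those separately if "revert" is to mean a true return to the previous state. The hash check matters because the backup directory is user-writable and a tampered .reg file imports with the full rights of whoever runs the revert.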
Winsage
May 8, 2026
The Group Policy Editors gpedit.msc and gpmc from the RSAT tools are experiencing functionality issues in Windows 11 due to a bug that causes an overflow error, resulting in incorrect configurations being saved. This issue was first reported by Mark Heitbrink to Microsoft in March 2026, but he has not received feedback. The bug appears to be unique to Windows 11 clients, as tests on Windows Server did not show the problem. Mark documented the bug with submission number VULN-180447 and case number 111952. He described how to reproduce the issue involving the group policy "Delay Foreground download from http" and the decimal value "4294967295," which gets altered to "2147483647" on Windows 11. Mark speculated that the issue might be due to the Windows client using the INT data type instead of unsigned INT, leading to an overflow. He noted that over 50 policies are affected by this MaxValue issue across various components.
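The signed-INT overflow described above, as an added example (not from Mark Heitbrink's report): it reproduces the clamp arithmetically, shows the related gotcha that PowerShell itself surfaces a REG_DWORD of 4294967295 as -1, and provides an audit function that lists every DWORD under a key that ended up at exactly 2147483647. The demo key under HKCU and its value names are constructed; the real policy registry data lives under HKLM:\SOFTWARE\Policies, which this block reads from only if you point it there.

```powershell
# Added example, not code from the bug report. Demonstrates the Int32 clamp of
# 4294967295 to 2147483647 and audits a hive for DWORDs stuck at that value.
# The HKCU demo key is constructed; point Find-ClampedDword at
# HKLM:\SOFTWARE\Policies\Microsoft\Windows to audit real policy data (read-only).

function ConvertTo-UInt32Dword {
    # PowerShell returns REG_DWORD as Int32, so 0xFFFFFFFF reads back as -1; undo that.
    param([Parameter(Mandatory)][int]$Value)
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function ConvertTo-Int32Dword {
    # The Int32 bit pattern that stores a given unsigned DWORD (4294967295 -> -1).
    # This is how to write the unsigned maximum without tripping a signed conversion.
    param([Parameter(Mandatory)][uint32]$Value)
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}

function Get-SignedIntClamp {
    # What a writer that holds the value in a signed 32-bit INT does to an out-of-range value.
    param([Parameter(Mandatory)][uint32]$Value)
    if ($Value -gt [int]::MaxValue) { [int]::MaxValue } else { [int]$Value }
}

function Find-ClampedDword {
    # Every REG_DWORD under $Path (recursive) whose stored value is exactly 0x7FFFFFFF.
    # A legitimate 2147483647 is possible, so treat hits as leads, not proof.
    param([Parameter(Mandatory)][string]$Path)
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($n in $k.GetValueNames()) {
            if ($k.GetValueKind($n) -ne 'DWord') { continue }
            $v = [int]$k.GetValue($n)
            if ($v -eq [int]::MaxValue) {
                [pscustomobject]@{ Key = $k.Name; Value = $n; Stored = $v; Unsigned = ConvertTo-UInt32Dword $v }
            }
        }
    }
}

# Demo on a constructed key: one value written correctly, one the way the buggy editor writes it.
$demo = 'HKCU:\Software\WinsageClampExample'
New-Item -Path $demo -Force | Out-Null
Set-ItemProperty -Path $demo -Name MaxDelayOk      -Type DWord -Value (ConvertTo-Int32Dword 4294967295)
Set-ItemProperty -Path $demo -Name MaxDelayClamped -Type DWord -Value (Get-SignedIntClamp  4294967295)

$read = Get-ItemProperty -Path $demo
"MaxDelayOk      raw={0,11} unsigned={1}" -f $read.MaxDelayOk,      (ConvertTo-UInt32Dword $read.MaxDelayOk)
"MaxDelayClamped raw={0,11} unsigned={1}" -f $read.MaxDelayClamped, (ConvertTo-UInt32Dword $read.MaxDelayClamped)
Find-ClampedDword -Path $demo | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse
```

The audit is cheap enough to run against the whole Policies hive after editing with gpedit.msc on an affected client; compare the hits against what the policy editor displays, and set any value that must be 0xFFFFFFFF from PowerShell using the Int32 bit pattern rather than the editor until the fix ships.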
Winsage
December 24, 2025
A registry tweak has been found that can improve NVMe SSD performance on Windows 11, particularly random 4K speeds. Until now, Windows has handled most drives through its SCSI translation path, which limits what NVMe drives can deliver. Microsoft is introducing native NVMe support in Windows Server 2025, which bypasses that SCSI conversion for better speed and efficiency, and the required driver ships in recent updates for both Windows Server 2025 and Windows 11. Users can enable it on Windows 11 by changing three registry values, at their own risk. Once modified, NVMe drives appear under 'Storage Media' in Device Manager. Reports indicate significant gains: one user measured a 45% increase in random 4K read and 49% in random 4K write performance, and Microsoft suggests enterprise users could see up to 80% higher IOPS and a 45% reduction in CPU cycles. The WD Black SN8100 SSD is noted for its high random 4K speeds, loading games faster than competitors. Many users have pointed out that Linux has had native NVMe support for a long time.
Winsage
December 23, 2025
Windows has supported the NVMe storage protocol since Windows 8.1, but the default class driver, disk.sys, may not deliver optimal performance. Microsoft has introduced a new driver, nvmedisk.sys, with Windows 11 25H2 and Windows Server 2025, aimed at improving NVMe performance. Users can check which driver a drive is using in Device Manager. The new driver can improve performance of compatible NVMe drives in both sequential and random workloads. Not every NVMe SSD works with nvmedisk.sys, however, and an incompatible drive can leave Windows 11 unable to boot. Notebookcheck has published a guide on enabling nvmedisk.sys, which involves changing three Windows Registry values; users should back up their data before making the change.
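The driver check that this entry and the one above describe doing in Device Manager, as an added example (not code from the Winsage or Notebookcheck articles): list every present disk with the service it is bound to, the driver image behind that service, and the interface type Windows reports, so you can see disk.sys versus nvmedisk.sys and the SCSI translation the earlier entry mentions. Assumption: the new driver registers a service named "nvmedisk" (inferred from the file name; neither article states the service name).

```powershell
# Added example, not from the articles. Shows which class driver each present
# disk is bound to. Assumed: nvmedisk.sys registers a service called "nvmedisk".
# Read-only; the three registry values the guide changes are not touched here.

function Get-DiskClassDriverBinding {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $nativeService = 'nvmedisk'                      # assumption, see lead-in

    # Win32_DiskDrive gives the interface type Windows reports (SCSI under the
    # translation path) and joins to the PnP device on PNPDeviceID.
    $byPnpId = @{}
    foreach ($d in Get-CimInstance -ClassName Win32_DiskDrive -ErrorAction SilentlyContinue) {
        $byPnpId[$d.PNPDeviceID] = $d
    }

    # Get-PnpDevice returns Win32_PnPEntity instances; Service is the bound driver service.
    # Filtering on Service rather than Class catches disks whether they sit under
    # "Disk drives" or the new "Storage Media" class.
    Get-PnpDevice -PresentOnly | Where-Object { $_.Service -in @('disk', $nativeService) } | ForEach-Object {
        $svcKey = Join-Path $services $_.Service
        $image  = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $drive  = $byPnpId[$_.InstanceId]
        [pscustomobject]@{
            Device        = $_.FriendlyName
            Class         = $_.Class
            Service       = $_.Service
            DriverImage   = $image
            InterfaceType = if ($drive) { $drive.InterfaceType } else { 'n/a' }
            Model         = if ($drive) { $drive.Model } else { 'n/a' }
            NativeNvme    = ($_.Service -eq $nativeService)
        }
    }
}

function Test-NativeNvmeDriverPresent {
    # Whether the host even has nvmedisk.sys and its service registered,
    # which must be true before the registry change can do anything.
    [pscustomobject]@{
        DriverFile = Test-Path (Join-Path $env:SystemRoot 'System32\drivers\nvmedisk.sys')
        Service    = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\nvmedisk'   # assumed name
    }
}

Test-NativeNvmeDriverPresent | Format-List
Get-DiskClassDriverBinding   | Format-Table -AutoSize
```

Run it before and after the registry change and keep the "before" output: if the machine fails to boot afterwards, that listing is what tells you which disk to bind back to disk.sys from the recovery environment.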
Winsage
December 2, 2025
Updates in the Windows ecosystem are essential for enhancing stability, performance, and security. However, users of Windows 11 have expressed frustration due to frequent updates disrupting functionalities like network connectivity and printer access. Automatic updates can interrupt productivity, with unexpected restart prompts leading to potential loss of unsaved work. Issues with third-party programs and drivers often arise post-update, and older PCs experience significant performance degradation due to background updates. Many users face limitations with internet access, as substantial update sizes can consume data quickly, especially under fair usage policies. Storage constraints on older devices can lead to operational issues, and attempts to pause updates may not always be effective. While updates are crucial for delivering new features and security fixes, their frequency can diminish their perceived importance, causing users to delay addressing issues. Disabling automatic updates can be complicated, requiring adjustments in the Windows Update service, Group Policy Editor, or Registry, which may not be accessible or user-friendly. A simple one-click "Disable" button in the Windows Update settings would enhance user control over update installations, allowing them to manage updates according to their schedules.
Winsage
October 23, 2025
Microsoft's recent mandatory security update for Windows 11 introduced significant issues, including broken localhost connections and a Windows Recovery Environment (WinRE) in which mice and keyboards stop working, leaving recovery options impossible to navigate. Microsoft has released the emergency update KB5070773 to fix the non-responsive input devices in WinRE. It is delivered automatically to Windows 11 PCs on versions 24H2 and 25H2, but it can also be downloaded and installed manually. The update takes version 25H2 to build 26200.6901 and version 24H2 to build 26100.6901. Microsoft has acknowledged the severity of the situation, stating that the issue prevents navigation of recovery options within WinRE. Separately, some users are seeing errors related to smart card authentication and certificates, for which Microsoft has suggested a temporary workaround.
Winsage
September 4, 2025
Windows 11 is getting an automated feature that switches between light and dark themes based on the time of day; it is currently being tested as a PowerToys utility expected by October 2025. Users can set custom hours or use location services. Task Scheduler can also be used today to create tasks that switch themes by modifying the relevant registry values.
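The Task Scheduler approach in the last sentence, as an added example (not code from the article or from PowerToys): a function that sets the two per-user Personalize values Windows reads for app and system theme, and an installer that writes that logic to a script file and registers two daily tasks to run it. The script location, task names, and the 07:00/19:00 times are this example's own choices.

```powershell
# Added example, not from the Winsage article or PowerToys. Registry-driven
# theme switch plus two daily scheduled tasks. Paths, task names and times
# are this example's choices; the Personalize values are the ones Windows uses.

$personalize = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize'

function Set-WindowsTheme {
    # 1 = light, 0 = dark for both the app theme and the system (taskbar/Start) theme.
    param([Parameter(Mandatory)][ValidateSet('Light', 'Dark')][string]$Theme)
    $light = if ($Theme -eq 'Light') { 1 } else { 0 }
    if (-not (Test-Path $personalize)) { New-Item -Path $personalize -Force | Out-Null }
    Set-ItemProperty -Path $personalize -Name AppsUseLightTheme    -Value $light -Type DWord
    Set-ItemProperty -Path $personalize -Name SystemUsesLightTheme -Value $light -Type DWord
}

function Get-WindowsTheme {
    $p = Get-ItemProperty -Path $personalize -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Apps   = if ($p -and $p.AppsUseLightTheme    -eq 0) { 'Dark' } else { 'Light' }
        System = if ($p -and $p.SystemUsesLightTheme -eq 0) { 'Dark' } else { 'Light' }
    }
}

function Install-ThemeSwitchTasks {
    param([string]$LightAt = '07:00', [string]$DarkAt = '19:00',
          [string]$ScriptPath = (Join-Path $env:LOCALAPPDATA 'ThemeSwitch\Set-WindowsTheme.ps1'))

    # Put the logic in a file run with -File: auditable on disk, no encoded command line.
    New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
    @"
param([ValidateSet('Light','Dark')][string]`$Theme)
`$light = if (`$Theme -eq 'Light') { 1 } else { 0 }
Set-ItemProperty -Path '$personalize' -Name AppsUseLightTheme    -Value `$light -Type DWord
Set-ItemProperty -Path '$personalize' -Name SystemUsesLightTheme -Value `$light -Type DWord
"@ | Set-Content -Path $ScriptPath -Encoding UTF8

    $jobs = @(
        @{ Name = 'ThemeSwitch-Light'; Theme = 'Light'; At = $LightAt },
        @{ Name = 'ThemeSwitch-Dark';  Theme = 'Dark';  At = $DarkAt }
    )
    foreach ($job in $jobs) {
        # Registered without -User/-Password the task runs as the calling user, which it
        # must: the values live in HKCU and only the owning session's Explorer reacts.
        $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`" -Theme $($job.Theme)"
        $trigger  = New-ScheduledTaskTrigger -Daily -At $job.At
        $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 1)
        Register-ScheduledTask -TaskName $job.Name -Action $action -Trigger $trigger -Settings $settings -Force | Out-Null
    }
}

function Uninstall-ThemeSwitchTasks {
    foreach ($name in 'ThemeSwitch-Light', 'ThemeSwitch-Dark') {
        Unregister-ScheduledTask -TaskName $name -Confirm:$false -ErrorAction SilentlyContinue
    }
}

Install-ThemeSwitchTasks
Set-WindowsTheme -Theme Dark
Get-WindowsTheme
```

Two things to be aware of: the script sits in a user-writable folder and runs with -ExecutionPolicy Bypass, so anything already running as that user could replace it (no privilege is gained, but keep it out of shared profiles), and some parts of the shell may only repaint on the next sign-in or Explorer restart, which the PowerToys feature handles for you.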