Registry Archives

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

May 21, 2025

Windows 11 Introduces Enhanced Administrator Protection to Strengthen Security Against Elevated Privilege Attacks

Microsoft has launched Administrator Protection for Windows 11, a feature designed to enhance cybersecurity by preventing privilege escalation attacks. This feature creates a security boundary around administrative operations, reducing the attack surface for cybercriminals. It introduces a hidden, system-managed local user account that generates isolated admin tokens, preventing user-level malware from compromising elevated processes. Administrator Protection eliminates auto-elevation functionality, requiring users to explicitly authorize administrative actions. It utilizes a System Managed Administrator Account (SMAA) that generates non-persistent admin tokens for specific tasks, which are discarded after use. The feature is currently available to Windows Insiders in the Canary channel and will expand to the Dev channel, with broader deployment expected in the 24H2 release. Compatibility challenges may arise in complex development environments, such as with Visual Studio.

Winsage

May 21, 2025

5 Windhawk modules I couldn’t use Windows 11 without

Windhawk is a tool for customizing the Windows 11 interface, allowing users to make significant modifications to their operating system. It provides various mods, including: - Vertical Taskbar Mod: Restores the ability to reposition the taskbar and customize its width and jump list alignment. - Taskbar Labels Mod: Allows users to display labels for app icons, customize label text, combine apps, and adjust taskbar width, with options for increasing label font size. - Start Menu Syler Mod: Enables users to apply themes to the Start menu, including options that mimic the Windows 10 look. - Classic Explorer Navigation Bar Mod: Restores familiar items to the File Explorer navigation bar, enhancing user experience. - Classic Context Menu Mod: Reverts the context menu to a more familiar format, improving accessibility to options. Windhawk also offers a portable installation option and encourages users to create a restore point before installation to safeguard against potential issues. The platform features a marketplace for various modules, allowing users to customize their experience further.

Winsage

May 20, 2025

Securing the Model Context Protocol: Building a safer agentic future on Windows

The Model Context Protocol (MCP) is a lightweight, open protocol functioning as JSON-RPC over HTTP, facilitating standardized discovery and invocation of tools. MCP defines three roles: MCP Hosts (applications accessing capabilities), MCP Clients (initiators of requests), and MCP Servers (services exposing functionalities). Windows 11 will incorporate MCP to enable developers to create intelligent applications leveraging generative AI. An early preview of MCP capabilities will be available for developer feedback. MCP introduces security risks, including cross-prompt injection, authentication gaps, credential leakage, tool poisoning, lack of containment, limited security review, registry risks, and command injection. To address these, Windows 11's MCP Security Architecture will establish security requirements for MCP servers, ensuring user safety and transparency, enforcing least privilege, and implementing security controls like proxy-mediated communication, tool-level authorization, a central server registry, and runtime isolation. MCP servers must comply with security requirements, including mandatory code signing, unchanged tool definitions at runtime, security testing, mandatory package identity, and declared privileges. An early private preview of MCP server capability will be offered to developers post-Microsoft Build for feedback, with a secure-by-default enforcement strategy planned for broader availability. Microsoft aims to enhance defenses continuously and collaborate with partners to bolster MCP's security framework.

Tech Optimizer

May 19, 2025

A spoof antivirus makes Windows Defender disable security scans

A researcher known as es3n1n explored Windows security mechanisms to bypass antivirus software validation checks in the Windows Security Center (WSC). He used tools like dnSpy and Process Monitor to analyze how legitimate antivirus solutions register with WSC. He confirmed that WSC validates the signatures of processes calling its APIs. Previously, es3n1n faced controversy when his project, no-defender, was removed from GitHub due to a DMCA takedown request from a software vendor.

Winsage

May 17, 2025

Best Windows apps this week

In this week's roundup of applications for Windows 10 and 11, it is noted that consumer support for Windows 10 will end in October 2025, but users can purchase a year of extended support and receive three years of security updates for Microsoft 365 apps. New applications highlighted include: - DiskCopy: Free disk and partition cloning software for backing up partitions or entire disks, facilitating data migration. - IrfanView: An image viewer that now includes batch file multithreading and new hotkeys in its latest version. - Registry Finder: A freeware tool for managing the Windows Registry, with improved search capabilities and usability.

Winsage

May 17, 2025

Why Windows 10 PCs are locking up and crashing after May update

Microsoft will end update support for Windows 10 in October 2025, but new patches are still being released. The latest cumulative update, KB5058379, has caused issues for users, especially those with devices from Dell, Lenovo, and HP. Microsoft is aware of the problems and has not yet deployed a fix as of May 16, but has provided a temporary workaround. For users affected by the BitLocker bug, Microsoft Support recommends the following steps to regain access: 1. Disable Secure Boot in BIOS/Firmware settings. 2. If issues persist, disable all virtualization technologies in BIOS/Firmware settings. 3. Check the Microsoft Defender System Guard Firmware Protection Status via Registry Editor or GUI method. 4. If firmware protection settings are restricted by Group Policy, disable them using Group Policy Editor or Registry Editor. A system restart is required for these changes to take effect, and these workarounds should only be temporary until a patched update is released. Disabling certain BIOS settings may compromise system security.

Winsage

May 16, 2025

Microsoft solves dual-boot problems with Windows and Linux

Microsoft addressed issues with dual-boot installations involving Linux that were caused by updates released in August, which disrupted many configurations and Linux boot media. The updates aimed to enhance security by blocking outdated boot managers but resulted in error messages indicating a security policy violation. To resolve these issues, Microsoft created the Secure Boot Advanced Targeting (SBAT) update to prevent installation on dual-boot systems, but the detection mechanism was often ineffective. The SBAT update was paused in September, and Microsoft announced that the problem was resolved with security updates released in May. Affected Windows versions include Windows Server editions from 2012 to 2022, Windows 11 (versions 23H2, 22H2, and 21H2), and Windows 10 (versions 22H2, 21H2, and Enterprise 2015 LTSB). Microsoft also provided guidance for users to prevent the SBAT update and steps to restore dual-boot systems.

Winsage

May 16, 2025

Microsoft released one of its final updates for Windows 10 — and it has broken things

Microsoft is winding down support for Windows 10 this October and has released update KB5058379, which has caused unexpected BitLocker recovery prompts for some users after a restart. This issue has been confirmed by Microsoft representatives on forums, although it is not mentioned in the update's release notes. The problem predominantly affects devices from manufacturers like Dell, HP, and Lenovo, and the specific cause is unclear. Microsoft has provided workarounds, including disabling Secure Boot and virtualization technologies, checking Microsoft Defender System Guard Firmware Protection status, and disabling firmware protection via Group Policy or Registry Editor.

Winsage

May 16, 2025

Windows 10 KB5058379 update triggering BitLocker Recovery after install

The Windows 10 KB5058379 cumulative update, released on May 13, 2025, has caused unexpected BitLocker recovery prompts for some users after installation and reboot. Reports indicate that affected devices, including those from Lenovo, Dell, and HP, automatically boot into the Windows Recovery Environment and display the BitLocker recovery screen. Users have experienced various issues, such as needing BitLocker keys to start up or devices refusing to start. A workaround involves disabling Intel Trusted Execution Technology (TXT) in the BIOS. Microsoft has not publicly acknowledged the issue but support representatives are aware and working on a resolution. Microsoft has provided steps to resolve the issue, including disabling Secure Boot and virtualization technologies, checking Microsoft Defender System Guard Firmware Protection status, and disabling firmware protection via Group Policy or Registry Editor.