scheduled tasks Archives

Winsage

February 17, 2025

Winhance transforms Windows 11 (and Windows 10) into the bloat-free, faster operating system you always wanted

User sentiment towards Windows 11 has led to the development of third-party tools to enhance the experience. Talon can debloat Windows 11 with just two clicks, removing unnecessary pre-installed applications like Microsoft Edge, OneDrive, Copilot, and Clipchamp. Winhance is another tool that debloats and optimizes Windows 11, also compatible with Windows 10 (22H2). Winhance features include: - Software & Apps: - Install Software - Permanently Remove Windows Apps (e.g., Microsoft Edge, OneDrive, Copilot) - Optimize: - Set UAC Notification Level - Disable/Enable Windows Security Suite - Privacy Settings - Gaming Optimizations - Windows Updates - Power Settings - Scheduled Tasks - Windows Services - Customize: - Toggle Windows Dark or Light Mode - Taskbar Customization - Start Menu Settings - Explorer Options - Notification Preferences - Sound Settings - Accessibility Options - Search Configuration To use Winhance, users must open PowerShell as Administrator, confirm privileges, enable script execution, and run a specific command to download and execute the application from GitHub. Winhance has received significant updates since its release in February, with version 2 introducing UI/UX improvements, critical fixes, and bug resolutions, including issues with Windows Search and OneDrive folder cleanup. A demonstration video is available for viewing.

Winsage

February 13, 2025

Russian Hackers Leverages Weaponized Microsoft Key Management Service (KMS) To Hack Windows Systems

The Sandworm APT group, also known as APT44 or UAC-0145, has been exploiting weaponized Microsoft Key Management Service (KMS) activators to breach Windows systems in Ukraine since late 2023. This campaign uses pirated KMS tools and counterfeit Windows updates to spread malware, targeting state bodies and critical infrastructure. The attackers deploy Trojanized KMS activators, such as “KMSAuto++x64_v1.8.4.zip,” often shared on torrent sites and forums for Ukrainian speakers. The attack begins with the BACKORDER loader, which disables Windows Defender and delivers the DarkCrystal RAT (DcRAT) to exfiltrate sensitive data. A new backdoor named Kalambur is also identified, distributed via a typosquatted domain that pretends to be a Windows Update. Security teams are advised to use Sigma rules and detection tools aligned with the MITRE ATT&CK framework to counter these threats.

Winsage

February 13, 2025

Russian Hackers Leverages Weaponized Microsoft KMS to Hack Windows Systems

The Russian state-sponsored hacking group Sandworm, affiliated with the GRU, has been using pirated Microsoft Key Management Service (KMS) activation tools to infiltrate Ukrainian Windows systems since late 2023. They distribute a harmful ZIP file named “KMSAuto++x64_v1.8.4.zip” on torrent platforms, which, when executed, deploys the BACKORDER loader and disables Windows Defender. The BACKORDER loader then downloads the Dark Crystal Remote Access Trojan (DcRAT) from attacker-controlled domains, allowing data theft, including keystrokes and browser credentials. The campaign exploits Ukraine's high prevalence of unlicensed software, estimated at 70% in the public sector, increasing vulnerability to cyberattacks. Researchers have linked this activity to Sandworm through shared infrastructure and tactics, highlighting its role in Russia's hybrid warfare strategy against Ukraine. Cybersecurity experts recommend avoiding pirated software and implementing robust security measures to mitigate these threats.

Winsage

February 11, 2025

9 SysInternals tools that should be built into Windows

Windows is a popular operating system known for its versatility but often lacks advanced troubleshooting and system monitoring tools. SysInternals is a suite of utilities developed by Microsoft for power users and IT professionals, offering enhanced control over systems. Key tools in the SysInternals suite include: - Process Explorer (procexp.exe): Provides a detailed overview of running processes, including resource usage and file access, and allows users to identify locked files and potential malware. - Process Monitor (procmon.exe): Records file system, registry, and process activities in real-time, with filtering options to diagnose performance issues and application errors. - Autoruns (autoruns.exe): Displays all startup programs and processes, allowing users to disable or delete unnecessary entries to improve performance and security. - TCPView (tcpview.exe): Shows active TCP and UDP connections, detailing which processes are using network connections, enabling users to manage network activity. - SDelete (sdelete.exe): A command-line tool for secure file deletion that overwrites data to prevent recovery, useful for safeguarding sensitive information. - ZoomIt (zoomit.exe): Enhances presentations by allowing users to zoom in on screen areas and annotate, beneficial for educators and IT professionals. - RamMap (rammap.exe): Analyzes physical memory allocation, helping identify memory leaks and inefficient usage. - PendMoves (pendmoves.exe): Lists files scheduled for movement or deletion upon reboot, aiding in troubleshooting file modification issues. - BgInfo (bginfo.exe): Generates a desktop background displaying vital system information, customizable for user needs. The integration of these tools into Windows would enhance its diagnostic and troubleshooting capabilities, benefiting both everyday and power users.

Winsage

December 26, 2024

ACPI wake alarm does not disable; How to disable it?

If your Windows system is waking up at night due to an ACPI Wake Alarm, you can try several solutions to resolve the issue: 1. Adjust Hibernate Settings: Change the Hibernate after Sleep feature in Power Options to a higher value or disable it by setting it to 0 (Never). 2. BIOS/UEFI Configuration: Access the BIOS/UEFI setup and disable the Wake on RTC Alarm if enabled. 3. PowerShell and Command Line for Wake Timers: Use commands like PLACEHOLDERd65d9fd27963b5bd to review power settings and PLACEHOLDER0384fd2e90496902 to disable specific devices from waking the computer. 4. Disable Wake Timers: In Power Settings, set Allow wake timers to disable for both On Battery and Plugged In states. 5. Check Security and Maintenance Settings: Uncheck the option for Allow scheduled maintenance to wake up my computer in the Security and Maintenance settings. 6. Task Scheduler Settings: Review scheduled tasks and uncheck the “Wake the computer to run this task” option in the Conditions tab. 7. Event Viewer Analysis: Check the Event Viewer under Windows Logs > System to identify the Wake Source, which may indicate the ACPI Wake Alarm. The issue often arises from ACPI wake alarms that can override wake timer settings, necessitating a thorough examination of all related configurations to fully disable them.

Winsage

December 17, 2024

Hackers Exploit Microsoft Management Console to Drop Backdoor Payloads on Windows

The Securonix Threat Research team has identified a phishing campaign called the “FLUX#CONSOLE campaign,” which targets tax-related themes using Microsoft Common Console Document (MSC) files to deliver a backdoor payload. The attack begins with a phishing email containing a decoy PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf,” which conceals an MSC file that executes malicious payloads. The campaign employs various tactics, including tax-themed lures, exploitation of MSC files, DLL sideloading using DISM.exe, persistence through scheduled tasks, and advanced obfuscation techniques. The attack chain involves tricking users into opening a malicious MSC file disguised as a PDF, which contains XML commands to download or extract a malicious DLL named DismCore.dll. The DLL is sideloaded using Dism.exe, and the malware communicates with a Command-and-Control server at “hxxps://siasat[.]top,” exfiltrating data via encrypted HTTPS traffic. The attackers maintained access for about 24 hours, targeting victims in Pakistan. The tactics used do not align with known advanced persistent threat groups, highlighting the growing threat of MSC files as a delivery method for malware. Indicators of Compromise (IOCs) include the C2 address siasat[.]top and analyzed file hashes for the malicious files involved in the campaign.

Winsage

November 17, 2024

LodaRAT Malware Attacking Windows Users To Steal Login Details

A new variant of the LodaRAT malware is targeting Windows users globally to steal sensitive information, including login credentials and browser cookies. Discovered by Rapid7, this updated version has enhanced functionalities for data exfiltration, malware delivery, screen capture, and remote control of the victim's camera and mouse. The malware is being distributed through tools like DonutLoader and CobaltStrike and has been found on systems already infected with other malware families. Victims are reported worldwide, with approximately 30% of samples from the United States. LodaRAT ensures persistence on infected systems by adding entries to the Windows registry, creating scheduled tasks, and disguising itself as legitimate software. It conducts reconnaissance to gather system information, which is sent to a command and control server. Key features of the latest version include downloading additional payloads, remote command execution, mouse and keyboard control, screen capture, browser credential theft, Windows Firewall manipulation, file exfiltration, audio recording, and local user account creation. To mitigate the risk of infections, users are advised to keep software updated, implement email filtering, use antivirus solutions, educate employees on phishing risks, back up data, and monitor for unusual activity.

Winsage

November 7, 2024

This free tool ‘purifies’ Windows 11 and skips Microsoft account logins

A new PowerShell script called UnattendedWinstall allows Windows 11 users to bypass the mandatory Microsoft account login during setup. The script can be downloaded from the UnattendedWinstall GitHub releases page, with version 2.0.0 being the latest. It utilizes Windows' "response files" to automate tasks and modify system settings, effectively removing the login prompt. UnattendedWinstall offers several additional functionalities: - Bypasses Windows 11's system requirements. - Disables Windows Security services by default. - Turns off User Account Controls by default. - Permits execution of PowerShell scripts by default. - Removes most pre-installed bloatware applications. - Disables features like Copilot and Windows Recall. - Limits Windows Update to security updates for a year. - Optimizes the Windows registry for better performance. - Disables unnecessary scheduled tasks. - Enables the “Ultimate Performance” power plan. Users are advised to exercise caution when using the script and to test it in a virtual machine first. Reactivating Windows Security is recommended after execution. Microsoft may not endorse such tools, and their availability could be at risk if issues arise. However, the tool allows users to continue receiving security updates.

Winsage

November 7, 2024

Winos4.0 Malware Found in Game Apps, Targets Windows Users

A newly identified malware framework called "Winos4.0" targets Windows users through game-related applications. It is a sophisticated variant of Gh0strat, capable of executing remote actions and granting attackers control over compromised systems. Winos4.0 is distributed via seemingly harmless applications, which download a BMP file that extracts and activates the Winos4.0 DLL file. The malware establishes persistence by creating registry keys or scheduled tasks. Its capabilities include clipboard monitoring, system information gathering, and detection of antivirus software and security applications. Winos4.0 targets educational institutions, particularly in "Campus Administration." It maintains communication with command-and-control (C2) servers to download encrypted modules and receive commands for actions like document management and screen capture. Fortinet compares Winos4.0 to frameworks like Cobalt Strike and Sliver, noting its encrypted data exchanges and C2 communication. Users are advised to download applications only from reputable sources.

Winsage

November 3, 2024

UnattendedWinstall 2.0 uses Microsoft answer files to simplify and customize Windows 10 and 11 installations — download it now

UnattendedWinstall is a tool for automating and personalizing the installation of Windows 10 and 11 using Microsoft’s answer files. It allows users to customize Windows settings and packages, making it efficient for deploying Windows across multiple devices. The tool defaults to Windows Pro, bypasses Windows 11 system requirements, and offers options to disable Windows Defender and User Account Control. It simplifies the setup by skipping Microsoft account creation and removing unnecessary applications while keeping essential tools. It also includes privacy-focused registry tweaks and restricts updates to security patches for the first year. UnattendedWinstall supports 32-bit, 64-bit, and ARM64 architectures and requires users to save an autounattend.xml file on their installation media. The UWScript.ps1 file can be used for existing installations, but answer files are not compatible with in-place upgrades. UnattendedWinstall 2.0 provides users with comprehensive control over system settings and is available for download from a designated source.