Shadow Copy Archives

Winsage

December 29, 2025

Windows 11’s Point-in-Time Restore: A Quiet Safety Net for When Things Go Wrong

Windows 11 Point-in-Time Restore is a recovery feature that captures snapshots of the system's state, including system files, applications, settings, and user data, allowing users to revert to a recent stable state when issues arise. It operates automatically once activated, using Volume Shadow Copy technology for comprehensive backups. The feature can quickly reverse changes made within the last 72 hours, addressing problems like faulty driver installations without requiring a complete reinstallation of Windows. However, it has limitations, such as storing restore points locally for a maximum of 72 hours, not recovering long-deleted files, and requiring significant storage space. To enable it, users must use ViveTool to unlock the feature, configure settings for snapshot frequency and retention, and access restore options through the Windows Recovery Environment if needed. It is particularly useful for casual users who frequently modify their systems but may not suffice for power users needing comprehensive backup solutions.

Winsage

November 27, 2025

See all the Windows 11 features that Microsoft has been testing so far in November — before the next big update

Microsoft has begun rolling out new features for Windows 11, including previews for versions 25H2 and 26H1, specifically build 28000.1199. Key updates include: 1. Xbox Full Screen Experience (FSE): This feature is being tested for all PCs with build 26220.7271, transforming the desktop into a console-like interface and reducing memory consumption by approximately 2GB. Users can activate it via Settings > Gaming > Full screen experience, and it requires enrollment in the Xbox Insider program. 2. Point-in-time Restore: This feature allows users to revert their computer to a previous state, recovering from issues like buggy updates or malware. It uses the Volume Shadow Copy Service to create restore points and is enabled by default on devices with a minimum of 200GB storage running Home and Pro editions. Users can manage it via Settings > Recovery > Point-in-time. 3. Voice Typing with Fluid Dictation: The Fluid Dictation feature is now integrated into Voice Typing, automatically correcting grammar and punctuation. It is enabled by default on Copilot+ PCs. 4. Microsoft Store App Uninstall Option: An "Uninstall" option for apps is now available in the Microsoft Store through the app's context menu on the "Library" page.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Tech Optimizer

November 15, 2025

RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools

A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:Program FilesSnieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.

Winsage

April 21, 2025

How to keep using Windows 10 in a virtual machine after support ends

Microsoft will end support for Windows 10 on October 14, 2025. Users can run Windows 10 in a virtual machine (VM) to continue using it safely. The tool Disk2Vhd can convert a physical Windows 10 installation into a virtual hard drive (VHD or VHDX) for use in virtualization software like VirtualBox or Hyper-V. To use Disk2Vhd, download and extract it, launch the appropriate executable, select partitions for conversion, and choose between VHD and VHDX formats based on the virtualization software. After conversion, transfer the VHD file to the target computer and set up a new VM, integrating the backup file instead of creating a new virtual hard drive. Users can also reinstall Windows 10 in a VM using an installation medium and the Media Creation Tool to download the ISO file. When creating a VM, allocate at least 4GB of virtual memory and install necessary programs and guest extensions afterward. Creating a backup point after installation is recommended for stability.

TrendTechie

April 4, 2025

«Майнкрафт в кино» слили на торренты, но ленту лучше даже не включать: испортите и без того плохое впечатление

A leaked version of the anticipated film adaptation of Minecraft has surfaced online, described as a technical draft rather than a rough cut. The characters and locations are underdeveloped, with poor animations that detract from the experience. The editing and sound quality are also lacking, with missing background music and unclear dialogue. Early reviews indicate a low freshness rating of 53% on Rotten Tomatoes. Director Jared Hess states that the final version will include Easter eggs and a balanced narrative, which the leaked version does not possess. Pirates have reportedly confused the leaked draft with other versions, leading to disappointment among viewers. It is advised to avoid watching this draft to prevent spoiling the experience of the complete film.

Winsage

December 26, 2024

How I virtualized my Windows 11 PC using Disk2vhd and VirtualBox

Virtualization technology allows users to create a virtualized instance of their primary operating system using tools like Disk2vhd and VirtualBox. Disk2vhd is a free utility that converts storage drives into .vhd files for Physical to Virtual migration of Windows 11. The process involves downloading Disk2vhd, running it with administrator privileges, selecting drives, and creating the .vhd file while disabling the Use vhdx and Prepare for use in virtual PC options, but enabling Use Volume Shadow Copy for external drives. To deploy a virtual machine in VirtualBox, users must ensure CPU virtualization is enabled in the BIOS, install VirtualBox, and create a new VM by specifying its name, storage folder, type as Microsoft Windows, and version as Windows 11 (64-bit). Users then allocate memory and processors, select the option to use an existing virtual hard disk, browse for the .vhd file, and finish the setup. Once the VM is deployed, it should boot into the Windows 11 environment. If it loads the recovery environment, users can follow prompts to repair the system. However, running Windows 11 in a VM may lead to performance issues unless the host system has a high-end processor and sufficient RAM and CPU cores allocated. This project allows experimentation with the daily driver without risking its integrity.

Winsage

November 1, 2024

How to use Windows 11 Volume Shadow Copy for backing up files

Windows 11 includes a feature called Shadow Copy, which allows users to create backups of files and maintain a history of previous versions. To set up Shadow Copy, users must use Task Scheduler to automate backups. The process involves creating a new task, configuring triggers and actions, and ensuring specific settings are enabled. Backed-up files are stored in a hidden folder and can be accessed through the Previous Versions feature in File Explorer. Users can also utilize System Restore and File History for additional backup options. Shadow Copy has been part of Windows for over two decades and is designed to protect against accidental deletions or modifications, but not against hardware failures or theft.