SysInternals

Winsage
May 8, 2025
Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:\ProgramData\SkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.
Winsage
April 30, 2025
Windows Task Manager has been enhanced in Windows 11, featuring a streamlined interface and improved functionality. Alternatives to Task Manager include:

- System Informer: A free, open-source tool that monitors system resources with real-time performance graphs and detailed process information. It displays CPU, memory, and disk usage, tracks file access, and offers advanced features like call stack traces.
- System Explorer: Integrates system monitoring with security features, providing a clean interface for exploring processes, modules, and network connections. It includes a built-in file database and VirusTotal integration for security assessments.
- Process Lasso: Extends Task Manager capabilities by allowing users to adjust CPU priority and core affinities. Features include ProBalance for automatic CPU adjustments, performance mode for optimizing CPU usage, IdleSaver for power management, and SmartTrim for memory optimization.
- Process Explorer: A Sysinternals tool that offers a detailed view of running processes in a hierarchical tree format, showing user, PID, and resource usage. It includes a search capability for identifying resource usage and integrates with VirusTotal for security checks.
- Task Manager DeLuxe (TMX): A portable task management tool that consolidates system stats across multiple tabs, providing quick access to CPU and memory usage, along with graphical representations of network and disk activity. It allows filtering and searching for processes and can be run from a USB drive.
Winsage
March 3, 2025
Process Explorer is a tool from the Sysinternals Suite that serves as an alternative to the Windows Task Manager, providing advanced system monitoring and troubleshooting capabilities. It offers detailed information about processes, including paths and descriptions, and allows users to inspect or delete files. The tool integrates with VirusTotal to scan running processes for malware, provides real-time monitoring of CPU, GPU, RAM, and I/O activity with precise graphs, and enables users to forcefully kill stubborn processes or terminate entire process trees. Additionally, it helps users identify which processes are using locked files, facilitating better file management.
Winsage
March 3, 2025
Windows services are essential for the functionality of the operating system, and while many can be deactivated, caution is advised. Daemon Master is a tool that allows users to configure executables, shortcuts, or batch files as services that start automatically with Windows. To create a service with Daemon Master, users must launch the application, click “New,” assign a service name and display name, and optionally add a description. The default start type is “Automatic,” and users can specify the path to the desired EXE file. After saving, the service will appear as “stopped” and can be started by right-clicking and selecting “Start service.” Services run in the background, but users can access the program window temporarily by selecting “Start service on desktop.” Services can be managed by starting, pausing, resuming, or stopping them, and unnecessary third-party services can be disabled through the system configuration. Troubleshooting can involve restarting specific services, like the Print Spooler for printing issues. To delete a service, users must identify its name, stop it using the command prompt, and then delete it with the sc.exe tool. Tools like Autoruns can also be used for managing services. While deactivating services may not improve performance, it can reduce security vulnerabilities, and programs like Ashampoo Winoptimizer can help users assess the necessity of installed services.
Winsage
February 20, 2025
SysInternals is a suite of 74 utilities from Microsoft designed to enhance the performance and reliability of Windows PCs. Users can download the entire suite or select individual tools from the Microsoft SysInternals Learn page.

1. AutoRuns: Identifies unnecessary background processes and obsolete registry entries, providing detailed information about each entry. It allows users to review installed drivers and spot potentially harmful entries. Launched via Start menu or by typing Autoruns.exe in the Run dialog.
2. TCPView: Monitors all TCP and UDP connections in real-time, categorizing them by version and displaying ports and connection timestamps. It helps identify bandwidth-hogging processes. Launched via Start menu or by typing tcpview.exe in the Run dialog.
3. RamMap: Provides an in-depth analysis of memory consumption across processes, helping identify memory-hogging applications and diagnose memory leaks. It offers options to clear memory, including emptying working sets, standby lists, and modified lists. Launched via Start menu or by typing rammap.exe in the Run dialog.
4. DiskView: Offers detailed insights into hard drive usage with a color-coded map of disk sectors, helping users identify fragmentation and unused space. Launched via Start menu or by typing diskview.exe in the Run dialog.
5. CacheSet: Optimizes the Windows file system cache by allowing users to adjust cached data management settings and clear the cache with a single click. Launched by typing cacheset.exe in the Run dialog.

The SysInternals Suite is cost-free, effective, and compatible with Windows Recovery mode, making it a practical choice for users looking to enhance their PC's performance.
Winsage
February 11, 2025
Windows is a popular operating system known for its versatility but often lacks advanced troubleshooting and system monitoring tools. SysInternals is a suite of utilities developed by Microsoft for power users and IT professionals, offering enhanced control over systems. Key tools in the SysInternals suite include:

- Process Explorer (procexp.exe): Provides a detailed overview of running processes, including resource usage and file access, and allows users to identify locked files and potential malware.
- Process Monitor (procmon.exe): Records file system, registry, and process activities in real-time, with filtering options to diagnose performance issues and application errors.
- Autoruns (autoruns.exe): Displays all startup programs and processes, allowing users to disable or delete unnecessary entries to improve performance and security.
- TCPView (tcpview.exe): Shows active TCP and UDP connections, detailing which processes are using network connections, enabling users to manage network activity.
- SDelete (sdelete.exe): A command-line tool for secure file deletion that overwrites data to prevent recovery, useful for safeguarding sensitive information.
- ZoomIt (zoomit.exe): Enhances presentations by allowing users to zoom in on screen areas and annotate, beneficial for educators and IT professionals.
- RamMap (rammap.exe): Analyzes physical memory allocation, helping identify memory leaks and inefficient usage.
- PendMoves (pendmoves.exe): Lists files scheduled for movement or deletion upon reboot, aiding in troubleshooting file modification issues.
- BgInfo (bginfo.exe): Generates a desktop background displaying vital system information, customizable for user needs.

The integration of these tools into Windows would enhance its diagnostic and troubleshooting capabilities, benefiting both everyday and power users.