System Information

Winsage
May 12, 2025
The deployment of PipeMagic preceded a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver, initiated from a dllhost.exe process. The exploit began with the NtQuerySystemInformation API, which leaked kernel addresses to user mode. In Windows 11, version 24H2, access to specific System Information Classes within this API was restricted to users with SeDebugPrivilege, rendering the exploit ineffective on this version. The exploit then used a memory corruption technique with the RtlSetAllBits API to overwrite its process token with 0xFFFFFFFF, granting it all available privileges and enabling process injection into SYSTEM-level processes. A CLFS BLF file was created at C:\ProgramData\SkyPDF\PDUDrv.blf, marking the exploit's activity.
Winsage
May 9, 2025
Huawei introduced its Matebook Pro 2025 laptops, powered by the Kirin X90 system-on-chip (SoC) developed by its HiSilicon subsidiary. The Kirin X90 features a 10-core layout (4+4+2) with 20 threads and is expected to utilize a combination of Taishan V121 architecture for prime cores, Taishan V120 for performance cores, and a standard Cortex design for efficiency cores. The Matebook Pro operates on HarmonyOS, a new operating system independent of Linux and Android, allowing Huawei to reduce reliance on Microsoft. The Kirin X90 is anticipated to be manufactured using SMIC's 7nm process node, which may limit its performance. The success of HarmonyOS will depend on developers transitioning existing applications to the platform. The Matebook Pro is set to be released on May 19.
Winsage
May 9, 2025
On October 14, 2025, Microsoft will stop providing security updates for Windows 10 unless users enroll in the Extended Security Updates program. Upgrading to Windows 11 may be difficult for PCs older than five or six years due to strict compatibility requirements, including a CPU on the approved list and a Trusted Platform Module (TPM) version 2.0. Users may encounter error messages if their hardware does not meet these criteria. There are workarounds for some users, particularly those with PCs designed for Windows 10, but older devices, especially with AMD processors, may face significant challenges. To upgrade, users must ensure their PC is configured to start with UEFI, supports Secure Boot, and has an enabled TPM. A registry edit can allow bypassing CPU checks and accepting older TPM versions. Alternatively, a clean installation of Windows 11 can be performed using installation media, which bypasses CPU compatibility checks but still requires TPM and Secure Boot support. Microsoft has introduced new restrictions with the Windows 11 version 24H2 update, requiring CPUs to support specific instructions (SSE4.2 and PopCnt). For those opting to use the Rufus utility to create installation media, it is essential to use version 4.6 or later to bypass compatibility checks. Users must download the Windows 11 ISO, prepare a USB drive, and follow specific steps to initiate the upgrade process.
Winsage
April 30, 2025
Windows Task Manager has been enhanced in Windows 11, featuring a streamlined interface and improved functionality. Alternatives to Task Manager include:
- System Informer: A free, open-source tool that monitors system resources with real-time performance graphs and detailed process information. It displays CPU, memory, and disk usage, tracks file access, and offers advanced features like call stack traces.
- System Explorer: Integrates system monitoring with security features, providing a clean interface for exploring processes, modules, and network connections. It includes a built-in file database and VirusTotal integration for security assessments.
- Process Lasso: Extends Task Manager capabilities by allowing users to adjust CPU priority and core affinities. Features include ProBalance for automatic CPU adjustments, performance mode for optimizing CPU usage, IdleSaver for power management, and SmartTrim for memory optimization.
- Process Explorer: A Sysinternals tool that offers a detailed view of running processes in a hierarchical tree format, showing user, PID, and resource usage. It includes a search capability for identifying resource usage and integrates with VirusTotal for security checks.
- Task Manager DeLuxe (TMX): A portable task management tool that consolidates system stats across multiple tabs, providing quick access to CPU and memory usage, along with graphical representations of network and disk activity. It allows filtering and searching for processes and can be run from a USB drive.
Winsage
April 15, 2025
On October 14, 2025, Microsoft will stop providing security updates for Windows 10 PCs unless users enroll in the Extended Security Updates program. Upgrading to Windows 11 on machines older than five years may result in an error message about CPU compatibility, as Microsoft will not change the requirement for a Trusted Platform Module (TPM) version 2.0. While automatic upgrades may be hindered, there are workarounds for most PCs designed for Windows 10. To upgrade, the computer must boot using UEFI, support Secure Boot, and have an enabled TPM (version 1.2 is acceptable). Users can check their system's BIOS mode and TPM status using the System Information utility and the Trusted Platform Module Management tool, respectively. If UEFI is not an option or if the PC lacks a TPM, an undocumented hack can be used to bypass compatibility checks. A new restriction with the Windows 11 version 24H2 update requires CPUs to support SSE4.2 and PopCnt instructions, making upgrades impossible for PCs built in 2008 or earlier. Most Intel CPUs from 2009 and AMD CPUs from 2013 should meet this requirement. Users can bypass CPU checks and accept any TPM version through a registry edit, which requires running the Setup program from the current Windows installation. The process involves creating a registry key and modifying its value. Alternatively, the Rufus utility can be used to create a bootable USB drive that circumvents compatibility checks, but it cannot bypass the restrictions for very old CPUs lacking support for SSE4.2 and PopCnt instructions.
Winsage
April 2, 2025
Microsoft will cease support for Windows 10 on October 14, 2025. Users considering upgrading to Windows 11 may face obstacles due to hardware requirements, including TPM 2.0 and specific CPU models. Workarounds exist for upgrading incompatible PCs. To check compatibility:
- Determine whether the PC uses UEFI or Legacy BIOS via System Information (msinfo32.exe).
- Ensure BIOS Mode is UEFI.
- Check TPM status using the TPM Management tool (tpm.msc).
- Verify CPU compatibility; most Intel CPUs from 2009 or later and AMD CPUs from 2013 or later should meet the standards.
Option 1: Registry Edit Method (for PCs with TPM 1.2+ and UEFI)
1. Open Registry Editor (regedit.exe) as an administrator.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup; create the MoSetup key if absent.
3. Create a DWORD (32-bit) Value named AllowUpgradesWithUnsupportedTPMOrCPU, set its value to 1, and restart.
4. Download the Windows 11 ISO from aka.ms/DownloadWindows11.
5. Mount the ISO file and run Setup.exe.
Option 2: Using Rufus (for PCs without TPM or UEFI)
1. Download Rufus version 4.6 or later and the Windows 11 ISO.
2. Prepare a USB flash drive (16GB or larger).
3. Launch Rufus, select the USB drive, choose the Windows 11 ISO, and check the box to remove the requirements for 4GB+ RAM, Secure Boot, and TPM 2.0.
4. Create the bootable drive and run Setup.exe from the USB drive.
These methods are unofficial workarounds. Users may encounter compatibility warnings, and the registry method is preferred for its simplicity. Some very old systems, especially those with AMD processors lacking SSE4.2 support, may still be incompatible.
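A pre-check for the registry-edit method described in this and the two earlier Windows 10 upgrade summaries, added here as an example and not code from the original articles: it reports BIOS mode, Secure Boot state, TPM spec version, and whether the CPU exposes SSE4.2 and POPCNT (the 24H2 requirement that neither the registry value nor Rufus can lift), and writes the MoSetup value only on request. It assumes PowerShell 7 on Windows (the .NET intrinsics checks need .NET Core) in an elevated session.

```powershell
# Added example: Windows 11 upgrade readiness check for the registry-edit method.
# Assumes PowerShell 7+ (System.Runtime.Intrinsics.X86 needs .NET Core), run as administrator.
#Requires -RunAsAdministrator

function Test-Win11UpgradeReadiness {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$ApplyRegistryBypass)

    $result = [ordered]@{}

    # 1. Firmware: Confirm-SecureBootUEFI throws on legacy-BIOS systems, so a throw means no UEFI.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
        $result.BiosMode   = 'UEFI'
    } catch {
        $result.SecureBoot = $false
        $result.BiosMode   = 'Legacy'
    }

    # 2. TPM: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; 1.2 is enough here.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    $result.TpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # 3. CPU: the 24H2 hard requirement. No registry value or Rufus option bypasses this.
    $result.Sse42   = [System.Runtime.Intrinsics.X86.Sse42]::IsSupported
    $result.Popcnt  = [System.Runtime.Intrinsics.X86.Popcnt]::IsSupported
    $result.CpuName = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name

    # The registry method applies only with UEFI boot, any TPM, and the required instructions.
    $result.RegistryMethodApplies = ($result.BiosMode -eq 'UEFI') -and $result.TpmPresent -and
                                    $result.Sse42 -and $result.Popcnt

    if ($ApplyRegistryBypass -and $result.RegistryMethodApplies) {
        $key = 'HKLM:\SYSTEM\Setup\MoSetup'
        if ($PSCmdlet.ShouldProcess($key, 'Set AllowUpgradesWithUnsupportedTPMOrCPU = 1')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'AllowUpgradesWithUnsupportedTPMOrCPU' `
                -PropertyType DWord -Value 1 -Force | Out-Null
            $result.RegistryApplied = $true
        }
    }
    [pscustomobject]$result
}

# Report only; add -ApplyRegistryBypass (with -WhatIf to preview) to write the value.
Test-Win11UpgradeReadiness | Format-List
```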
Tech Optimizer
March 20, 2025
Microsoft Incident Response has identified a new remote access trojan (RAT) called StilachiRAT, which extracts sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system specifications, and device identifiers. StilachiRAT has a self-reinstatement mechanism that allows it to reinstall itself if removed. It targets digital wallets from platforms like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet. The malware can harvest credentials from web browsers, monitor clipboard data, gather system information, detect camera presence, and track active Remote Desktop Protocol (RDP) sessions. It can extract credentials from Google Chrome, monitor clipboard activity, and maintain its presence using the Windows service control manager. StilachiRAT can impersonate users to monitor RDP sessions and employs anti-forensics mechanisms to evade detection. Discovered in November of the previous year, it has not yet achieved widespread distribution. Microsoft advises users to download software from official websites, use robust security software, install reputable antivirus, be vigilant against phishing attacks, avoid clicking on unexpected links, and consider using a VPN and password manager for enhanced security.
Winsage
March 18, 2025
Microsoft has issued a warning to Chrome users about a new remote access trojan called StilachiRAT, which can exfiltrate sensitive information such as stored credentials and digital wallet data. StilachiRAT can scan for configuration data across 20 cryptocurrency wallet extensions in Chrome and can extract and decrypt saved usernames and passwords. The malware can also monitor Remote Desktop Protocol (RDP) sessions, capture active window information, and impersonate users to gain unauthorized access to networks. Microsoft recommends that users switch to its Edge browser or other browsers with SmartScreen technology to enhance security. Additionally, users are advised to install software from official sources, utilize Safe Links and Safe Attachments in Office 365, and enable network protection features in Microsoft Defender for Endpoint. Despite this, Chrome remains the dominant browser among Windows users.