utility Archives

Winsage

May 25, 2026

How I Changed the SID on My Windows Server Without Reinstalling (And Why You Should Care)

Cloning a Windows Server machine can lead to issues with duplicate Security Identifiers (SIDs). A Security Identifier (SID) is a unique string assigned to every machine, user, and group in Windows, functioning like a fingerprint. Duplicate SIDs can cause problems such as domain join failures, incorrect WSUS reporting, inconsistent Group Policy application, and licensing issues. The author initially attempted to use sysprep to change the SID after cloning, which resulted in stripping the domain join and causing SQL Server to fail. The author then discovered Wittytool Disk Clone, which includes a SID changer that successfully generated a new SID and updated all necessary references without disrupting the server's configuration or applications. The process took only six minutes and worked similarly on Windows Server 2019. It is more efficient to generate a new SID during the cloning process rather than afterward. Important precautions include taking a snapshot or backup before making changes and being aware that changing the SID on domain controllers is more complex. Reactivation of Windows may also be required after the SID change.

AppWizard

May 23, 2026

Android ruined link handling years ago. Here’s how I fixed it with a free app

LinkSheet is an open-source application designed to improve link-handling on Android devices by reinstating the "Open with" dialog, allowing users to choose their preferred app for opening links. It intercepts links when set as the default browser, enabling users to select from multiple apps instead of being restricted to verified ones. LinkSheet also allows users to open links in incognito mode for privacy and control over browsing habits. Users can download LinkSheet from its GitHub repository, as it is not available on the Google Play Store. After installation, users can configure their apps to prevent them from opening verified links directly. Additional features include the Use ClearURLs option to remove tracking parameters and an Enable downloader feature for direct download links.

Winsage

May 23, 2026

CVE-2026-45585: YellowKey BitLocker Bypass

BitLocker, a security feature for data protection, has a vulnerability identified as CVE-2026-45585, also known as YellowKey, which allows unauthorized access to encrypted data on Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. This flaw does not compromise BitLocker’s encryption but affects the recovery environment supporting it. The vulnerability can be exploited locally through the Windows Recovery Environment (WinRE) by an attacker with physical access, who can trigger an unrestricted shell and access the BitLocker-protected volume. Microsoft has provided two mitigation strategies: modifying the WinRE image to remove the autofstx.exe entry and transitioning from TPM-only protection to a TPM+PIN requirement at startup. The exploit poses challenges for detection, as it occurs pre-boot and currently lacks vendor-published indicators of compromise. Organizations using BitLocker for unattended devices are particularly at risk, as the vulnerability can lead to loss of confidentiality if an attacker gains access before the legitimate user.

Winsage

May 22, 2026

Microsoft’s PowerToys is getting a low memory mode that kills idle utilities hogging Windows 11 RAM

Microsoft PowerToys is introducing a new optional low memory mode to address significant memory usage from inactive background processes. This feature, developed by an independent contributor, will close the helper process of specific utilities when not in use, allowing users to relaunch them with a hotkey, albeit with a slightly slower initial launch. The initial rollout will support four tools: Text Extractor, Color Picker, Advanced Paste, and Peek. A shared settings map and helper APIs have been introduced to facilitate this feature, which was renamed to “Close apps when inactive” during the code review process. Users can enable this memory-saving behavior globally or for specific applications, with each supported module featuring a toggle on its settings page. The feature is not yet available in PowerToys, and the default behavior will keep background processes running until users opt into the new feature. The code has passed initial validation checks and is awaiting final confirmation before public release.

Winsage

May 21, 2026

Winhanced is getting better, but I still use Xbox Mode with my Windows 11 handheld

The ROG Xbox Ally X, branded as a portable Xbox by Microsoft, has a complex update process involving Xbox Mode, Asus' Armory Crate, and Windows 11. Xbox Mode has improved recently, adding features like third-party launcher integration and enhanced stability. Winhanced, a third-party launcher for Windows 11 handhelds, offers a customizable interface and supports cloud gaming, but has reliability issues and struggles with automatic artwork sourcing. Users can save battery life by adjusting settings for Winhanced's sleep/wake feature. Despite its advantages, Winhanced is not yet a reliable alternative to Xbox Mode, which remains the preferred launcher for handheld gaming. Winhanced is developed by a small team and has shown significant improvement, but it still has limitations compared to Xbox Mode.

Winsage

May 20, 2026

Microsoft shares mitigation for YellowKey Windows zero-day

Microsoft has addressed the YellowKey vulnerability, a zero-day flaw in Windows BitLocker identified as CVE-2026-45585. This vulnerability allows unauthorized access to BitLocker-protected drives through a specific exploitation process involving 'FsTx' files. The flaw was disclosed by an anonymous researcher known as 'Nightmare Eclipse.' Microsoft has released mitigation strategies, including removing the autofstx.exe entry from the Session Manager's BootExecute REGMULTISZ value and reestablishing BitLocker trust for WinRE. Additionally, users are advised to change BitLocker settings from "TPM-only" to "TPM+PIN" mode, requiring a pre-boot PIN for drive decryption, and to enable "Require additional authentication at startup" for unencrypted devices.

AppWizard

May 20, 2026

Google adds Android app generation and Managed Agents to Gemini developer tools

Google unveiled enhancements to its Gemini technology at the I/O 2026 event, introducing new developer tools in AI Studio and the Gemini API. Key features include the ability to generate native Android applications directly from AI Studio, which produces Kotlin code using Jetpack Compose patterns and supports hardware features like camera and GPS. The platform includes an embedded Android Emulator and allows direct publishing to the Google Play Console while adhering to Google Play's quality standards. Additionally, Google introduced Antigravity 2.0, an agent-first development platform with a revamped desktop application and SDK for custom workflows. Projects from AI Studio can be exported to Antigravity for local development. The Managed Agents feature in the Gemini API enables developers to create agents with a single API call, allowing them to reason and execute code in a secure Linux environment. This feature is available in Public Preview and simplifies infrastructure tasks for production-grade agents. Custom agents can be defined and registered, with Google encouraging developers to create their own managed agents.

Winsage

May 20, 2026

MSHTA abuse helps malware hide in Windows processes

Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting its default activation in Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that utilize legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks as it allows threat actors to conceal malicious actions. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behaviors associated with legitimate utilities in the context of cyber threats.

AppWizard

May 20, 2026

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have identified an ad fraud and malvertising operation called Trapdoor, targeting Android users with 455 malicious applications and 183 command-and-control domains. Users often download these disguised apps, which initiate malvertising campaigns and lead to further downloads of malicious applications. At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated apps, primarily from the United States. The operation exploits install attribution tools to activate malicious activities only for users acquired through fraudulent ad campaigns, while suppressing such behavior for organic downloads. Trapdoor employs advanced evasion techniques, including obfuscation and impersonation of legitimate software, to avoid detection. Google has removed the identified malicious apps from the Play Store in response to the threat.

AppWizard

May 20, 2026

Google can now vibe-code you an Android app

Google has enhanced its coding platform, AI Studio, allowing users to create native Android applications. Developers can prompt the system and preview their apps through an integrated Android emulator, with an option to install on actual devices via a connection to an Android phone. The initial rollout focuses on "personal utility" apps, "hardware-enabled experiences," and "AI-powered experiences" using the Gemini API. Google maintains that all applications must adhere to existing review processes and quality benchmarks before publication on Google Play. Additionally, Google has released a 1.0 version of its command-line interface for building Android applications and plans to integrate app recommendations into Gemini queries, along with a short-form video feed titled "Play Shorts" for user engagement.