Windows Error Reporting Archives

Winsage

April 9, 2026

Windows is sabotaging your expensive hardware, and these are the biggest ways how

Modern PCs, even with mid-range hardware, can experience performance issues not solely due to hardware limitations but because of how Windows operates. The operating system runs numerous background services that consume resources, including Connected User Experiences and Telemetry, Diagnostic Policy Service, and Windows Error Reporting. These services log activity and send data to Microsoft, leading to unexpected CPU spikes and disk usage. Startup applications, such as Microsoft Teams and OneDrive, also contribute to longer boot times and increased resource usage. Users should monitor and limit these applications to improve startup performance. Legacy features like SysMain, Windows Search indexing, and automatic folder type discovery can hinder performance on modern systems, as they were designed for older hardware and can cause unnecessary disk activity. Microsoft services like Copilot and OneDrive continuously run in the background, consuming memory and CPU resources, which affects overall system performance. Windows' power management settings prioritize energy efficiency over performance, leading to inconsistent responsiveness and delays during tasks. This conservative approach impacts various components, making the system feel sluggish.

Winsage

March 4, 2026

PoC Exploit Released for Microsoft Windows Error Reporting ALPC Privilege Escalation

A proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in the Windows Error Reporting (WER) service, has been released by security researcher oxfemale on GitHub. This vulnerability allows low-privileged users to gain SYSTEM-level access through crafted Advanced Local Procedure Call (ALPC) messages. The flaw is located in the WER service's SvcElevatedLaunch method, which fails to validate caller privileges before executing WerFault.exe with user-supplied command line parameters. The CVSS v3.1 base score for this vulnerability is 7.8, indicating a high severity level. It affects unpatched versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 prior to the January 2026 update. Demonstrations have shown successful exploitation on Windows 11 23H2. Security teams are advised to monitor for unusual processes related to WerFault.exe, investigate missing SeTcbPrivilege in SYSTEM tokens, and review WER-related activities from low-privilege users. Immediate application of the January 2026 security patches is recommended, and a temporary workaround involves disabling the WER service.

Winsage

March 3, 2026

PoC Exploit Released for Windows Error Reporting ALPC Privilege Escalation

A critical local privilege escalation vulnerability, tracked as CVE-2026-20817, affects Microsoft Windows through the Windows Error Reporting (WER) service. This flaw allows authenticated users with low-level privileges to execute arbitrary code with full SYSTEM privileges. The vulnerability resides in the SvcElevatedLaunch method (0x0D) and fails to validate user permissions, enabling attackers to launch WerFault.exe with malicious command-line parameters from a shared memory block. The exploit affects all versions of Windows 10 and Windows 11 prior to January 2026, as well as Windows Server 2019 and 2022. Microsoft addressed this vulnerability in the January 2026 Security Update. Organizations are advised to apply security patches and monitor for unusual WerFault.exe processes.

Winsage

February 27, 2026

Is Microsoft really spying on you with Windows telemetry?

Windows 10 was released in 2015 and faced criticism for its telemetry feature, which some viewed as a surveillance tool. In 2017, the Dutch Data Protection Authority found Microsoft's telemetry settings non-compliant with local privacy laws, leading to changes by Microsoft. Telemetry, termed diagnostic data by Microsoft, is essential for device reliability and security, with a baseline level of data collection set to "Required." Users can opt to limit data collection to this level. The Optional category of diagnostic data may include device settings and browsing history, raising privacy concerns. Microsoft introduced the Diagnostic Data Viewer in 2018 to enhance transparency, allowing users to inspect the telemetry data sent to them. As of now, Microsoft has over a billion monthly active Windows 11 users.

Winsage

January 13, 2026

Microsoft fixes 114 flaws in year’s first Windows 11 Patch Tuesday

Microsoft's January 2026 Patch Tuesday update, KB5074109, addresses 114 vulnerabilities, including a critical zero-day vulnerability (CVE-2026-20805) in the Windows Desktop Window Manager (DWM) that has been actively exploited. The update is applicable to Windows 11 versions 24H2 and 25H2 and includes security enhancements and updates to AI components. Other high-severity vulnerabilities addressed include CVE-2026-20816 (privilege escalation in Windows Installer), CVE-2026-20817 (elevation of privilege in Windows Error Reporting), CVE-2026-20840 (vulnerability in Windows NTFS), CVE-2026-20843 (flaw in Routing and Remote Access Service), CVE-2026-20860 (vulnerability in Ancillary Function Driver for WinSock), and CVE-2026-20871 (another DWM vulnerability). The update removes legacy modem drivers to minimize the attack surface and resolves reliability issues in Azure Virtual Desktop and WSL networking. It also changes the default setting for Windows Deployment Services (WDS) to disable hands-free deployment. Users can install the update through Windows Update, and a system reboot is required for full application.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Tech Optimizer

September 24, 2025

EDR Bypass Technique Puts Antivirus Tools To Sleep

Endpoint detection and response (EDR) systems and antivirus protections are increasingly targeted by threat actors using sophisticated techniques. A new method called EDR-Freeze has been introduced, which utilizes Windows Error Reporting and the MiniDumpWriteDump function to hibernate antivirus processes without needing to install vulnerable drivers. This technique operates entirely in user mode and was disclosed by an anonymous researcher known as Two One Seven Three on Zero Salarium. The MiniDumpWriteDump function can suspend all threads within a target process during the dump process, which is crucial to avoid memory corruption. The researcher faced challenges with the rapid execution of MiniDumpWriteDump and the security measures protecting EDR and antivirus processes. By reverse-engineering the WerFaultSecure program, the researcher enabled MiniDumpWriteDump for any chosen process and integrated it with the CreateProcessAsPPL tool to bypass Protected Process Light (PPL) protections. The researcher proposed a race condition attack consisting of four steps: executing WerFaultSecure with WinTCB-level protection, configuring it to dump the target process, monitoring the target process until it is suspended, and then suspending the WerFaultSecure process. A tool to execute this exploit is available on GitHub, and another researcher has developed a KQL rule for its detection. The EDR-Freeze technique exploits a vulnerability in the WerFaultSecure program, addressing the weaknesses of the BYOVD method and allowing flexible control over EDR and antivirus programs.

Winsage

September 22, 2025

New EDR-Freeze tool uses Windows WER to suspend security software

A new technique called EDR-Freeze allows evasion of security solutions through Microsoft's Windows Error Reporting (WER) system, enabling attackers to suspend endpoint detection and response (EDR) tools without relying on vulnerable drivers. Security researcher TwoSevenOneThree utilized the WER framework and the MiniDumpWriteDump API to indefinitely suspend EDR and antivirus processes by exploiting the WerFaultSecure component, which operates with Protected Process Light (PPL) privileges. The method involves spawning WerFaultSecure, invoking MiniDumpWriteDump on the target process, monitoring the target until it is suspended, and then freezing the dumper. A tool has been developed to automate this process, successfully tested on Windows 11 24H2, which froze the Windows Defender process. To mitigate this attack, monitoring WER for identifiers linked to sensitive processes is recommended, and security researcher Steven Lim has created a tool to map WerFaultSecure to Microsoft Defender Endpoint processes. Microsoft has the opportunity to enhance these components against misuse by implementing restrictions on suspicious invocations.

Tech Optimizer

September 22, 2025

Hackers Deploy New EDR-Freeze Tool to Disable Security Software

A security researcher has developed a tool called EDR-Freeze that allows for the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers. EDR-Freeze exploits the Windows Error Reporting functionality to execute a race condition attack that suspends security processes, specifically targeting the WerFaultSecure.exe process. The tool can successfully suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2. It operates entirely within user-mode and uses legitimate Windows components, making detection more difficult for security teams. The source code for EDR-Freeze is publicly available on GitHub, intended for legitimate security research, but poses risks of misuse by malicious actors. Security teams are advised to monitor for suspicious activity related to WerFaultSecure.exe and to enhance their process protection mechanisms.

Tech Optimizer

September 21, 2025

New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State

EDR-Freeze is a proof-of-concept tool developed by Zero Salarium that can place Endpoint Detection and Response (EDR) and antivirus solutions into a suspended state. It utilizes the MiniDumpWriteDump function from the Windows DbgHelp library to achieve this by extending the suspension of target processes. The tool circumvents the Protected Process Light (PPL) security feature using WerFaultSecure.exe, which operates at a high privilege level. By launching WerFaultSecure.exe with specific parameters, EDR-Freeze can monitor and suspend it, preventing the target EDR or antivirus process from resuming. A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender. Detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe targeting sensitive process IDs.