Windows Kernel Archives

Winsage

April 10, 2026

Microsoft Locked Out VeraCrypt, WireGuard, and Windscribe from Pushing Windows Updates

Microsoft implemented a mandatory account verification process for all partners in the Windows Hardware Program who had not completed verification since April 2024, effective October 16, 2025. This requirement necessitated that partners verify their identities using a government-issued ID matching the name of the primary contact in the Partner Center. Failure to meet this deadline or pass verification resulted in account suspension, preventing further submissions. This affected the ability of developers to sign Windows kernel drivers, leading to suspensions for notable open source projects like VeraCrypt, WireGuard, and Windscribe. Mounir Idrassi, the developer of VeraCrypt, reported his account was terminated without notice, and Jason Donenfeld of WireGuard faced similar issues. Windscribe experienced a prolonged resolution process despite having a verified account for over eight years. Following these suspensions, Scott Hanselman from Microsoft announced that the accounts would be reinstated and corrective measures were being taken.

Winsage

March 31, 2026

Microsoft’s April 2026 Windows Update Ends Trust for Cross-Signed Kernel Drivers

Microsoft will eliminate default trust for kernel drivers signed through the outdated cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified via the Windows Hardware Compatibility Program (WHCP). This change will affect Windows 11 builds 24H2, 25H2, and 26H1, as well as Windows Server 2025, with future versions following the same standards. The update will begin in evaluation mode, monitoring driver loads for compliance before transitioning to enforcement mode. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorize specific drivers. Users with older hardware may face compatibility issues if their drivers are not WHCP-certified.

Winsage

March 27, 2026

Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program

Microsoft is enhancing the security of the Windows kernel by eliminating trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP) starting with the April 2026 Windows Update. This change specifically targets kernel drivers signed by the now-obsolete cross-signed root program, which has been associated with security vulnerabilities. The new policy will initially be introduced in an "evaluation mode" to monitor and audit driver loads for potential compatibility issues. Custom kernel drivers can still be used under the Application Control for Business policy, but must be signed by an authority within the device's Secure Boot Platform Key or Key Exchange Key variables. The changes will impact Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025.

Tech Optimizer

March 27, 2026

Bogus Avast website fakes virus scan, installs Venom Stealer instead

A deceptive website impersonating Avast antivirus tricks users into downloading Venom Stealer malware, which steals passwords, session cookies, and cryptocurrency wallet information. The site conducts a fake virus scan, falsely reporting threats to encourage users to download a malicious file named Avastsystemcleaner.exe. This file mimics legitimate software and operates stealthily, targeting web browsers to harvest credentials and session cookies. It also captures screenshots and sends stolen data to the command-and-control domain app-metrics-cdn[.]com via unencrypted HTTP. The malware employs evasion techniques to avoid detection and is part of a long-standing cybercrime tactic that exploits user trust in security software. Indicators of compromise include the file hash SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, the domain app-metrics-cdn[.]com, and the network indicator 104.21.14.89.

Winsage

March 14, 2026

Announcing Windows 11 Insider Preview Build 26220.8062 (Beta Channel)

Windows 11 Insider Preview Build 26220.8062 (KB 5079458) has been released to the Beta Channel, introducing various changes and improvements. 1. Policy-Based Removal of Preinstalled Microsoft Apps: IT administrators can now use a dynamic app removal list to remove MSIX/APPX apps by adding their package family names through Group Policy. The dynamic list is not yet available in Intune CSP. 2. Windows Setup Experience: Users can select a custom name for their user folder during the Windows setup process, which must adhere to standard naming conventions. 3. Windows Driver Policy Update: A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default. The feature will initially operate in audit mode for at least 100 hours. 4. Point-in-Time Restore Updates: Local administrators will see a settings dialog to view or modify default restore settings, including a list of available restore points. Updated messaging has been added to the restore experience. 5. Drag Tray Rebranding: The Drag Tray has been rebranded as Drop Tray, with settings relocated to System > Multitasking. 6. Pen Settings: Refinements have been made to the Pen settings page, including an option for the pen tail button to launch the same app as the Copilot key. 7. File Explorer and Other Enhancements: Improvements have been made to the reliability of setting the preferred display language, and unexpected errors from the sfc/scannow command have been removed. Updates are gradually rolled out to Insiders who opt in via Settings > Windows Update, and features may evolve or be removed based on feedback.

Winsage

March 13, 2026

Announcing Windows 11 Insider Preview Build 26300.8068 (Dev Channel)

Windows 11 Insider Preview Build 26300.8068 (KB 5079464) has been released to the Dev Channel. Key changes include: - Enhanced policy for removing preinstalled Microsoft Store apps for Windows ENT/EDU, allowing IT administrators to use a dynamic app removal list via Group Policy. - Users can now select a custom name for their user folder during the Windows setup process. - A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default, initially operating in audit mode. - Point-in-time restore now includes a settings dialog for local administrators and displays available restore points. - Microsoft 365 Family subscribers can upgrade their plan directly from the Accounts page in Settings. - The Drag Tray feature has been rebranded to Drop Tray, with settings relocated. - Updates to Pen settings include a new option for the pen tail button. - Enhanced reliability for preferred display language settings and removal of an unexpected error from sfc/scannow. Updates are gradually rolled out to users who opt in through the Settings menu under Windows Update.

Winsage

February 26, 2026

PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs

Security researchers have developed a working Proof of Concept (PoC) exploit for a vulnerability in the Windows kernel, identified as CVE-2026-2636, which allows low-privileged users to induce a Blue Screen of Death (BSoD), resulting in a Denial of Service. This vulnerability is linked to the Windows Common Log File System (CLFS) driver, specifically the CLFS.sys component, and arises from improper handling of invalid or special elements within CLFS (CWE-159). The PoC demonstrates that a non-administrative user can trigger the bug by executing a crafted ReadFile operation on a handle linked to an opened .blf log file without the expected I/O Request Packet (IRP) flags set. This leads to a critical inconsistency in the driver, causing Windows to invoke the kernel routine KeBugCheckEx, which results in a BSoD. The CVE-2026-2636 has a CVSS score of 5.5 (Medium) and poses a high impact on availability, allowing any authenticated user to crash the host reliably. Microsoft addressed this vulnerability in the September 2025 cumulative update, protecting systems running Windows 11 2024 LTSC and Windows Server 2025 by default. However, older or unpatched builds remain vulnerable. Organizations are advised to verify the deployment of the September 2025 updates, prioritize patching multi-user systems, and monitor for unusual spikes in BSoD events.

Tech Optimizer

February 25, 2026

Fix “kernel security check failure”: Step-by-step guide

The "kernel security check failure" error on Windows indicates corruption in critical system memory or internal data structures, triggering a bug check to prevent further damage. It is marked by the Blue Screen of Death (BSOD) displaying the message “KERNELSECURITYCHECK_FAILURE” and stop code 0x139. Causes include outdated or incompatible drivers, corrupted system files, faulty RAM, disk errors, third-party software conflicts, faulty Windows updates, overclocking, and malware threats. Common fixes involve updating Windows and drivers, scanning for corrupted files, using Check Disk (CHKDSK), running Windows Memory Diagnostic, and performing System Restore. If unresolved, a clean installation of Windows may be necessary. Regular updates and avoiding unnecessary software installations can help prevent future occurrences.

Winsage

February 11, 2026

Microsoft fixes six actively exploited flaws in latest Windows 11 update

Microsoft's February 2026 Patch Tuesday addressed 59 vulnerabilities in Windows 11, with six confirmed as actively exploited. The most critical vulnerability is CVE-2026-21510, a Windows Shell security feature bypass with a CVSS rating of 8.8, allowing attackers to evade warnings by tricking users into opening malicious files. Another significant vulnerability, CVE-2026-21513, also rated at 8.8, affects MSHTML and allows remote attackers to bypass execution prompts through malicious code in HTML or shortcut files. CVE-2026-21514 impacts Microsoft Word and enables adversaries to disable OLE mitigations, posing risks through document-based attacks. Two local privilege escalation vulnerabilities are CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop Services, with CVSS scores of 7.8. CVE-2026-21525 is a denial-of-service vulnerability in Remote Access Connection Manager. The update includes 53 additional vulnerabilities across various Microsoft products and services, with CVE-2026-21531 in Azure SDK rated at 9.8 and CVE-2026-20841 affecting Windows Notepad rated at 8.8. The cumulative update for Windows 11 (KB5077181) also includes enhancements and resolves WPA3 Wi-Fi connectivity issues. Microsoft reminded users of the June 2026 expiration of Secure Boot certificates, which requires timely updates to ensure secure booting. Users can install the updates via Windows Update.

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.