Windows Registry Archives

Winsage

March 18, 2026

Researchers Reveal ‘RegPwn,’ a Windows Registry Vulnerability That Granted SYSTEM Privileges

A Windows vulnerability named "RegPwn" (CVE-2026-24291) allows low-privileged users to elevate their access to full SYSTEM privileges. Discovered by the MDSec red team, it has been in use since January 2025 and was addressed in a recent Microsoft Patch Tuesday update. The vulnerability exploits the management of Windows accessibility features, which generate a registry key that grants full control to low-privileged users. When a user activates an accessibility tool, the configurations are copied into the local machine registry hive, which remains writable by the logged-in user. This creates an opportunity for manipulation, especially when user-controlled settings interact with the Windows Secure Desktop environment. An attacker can exploit this by modifying their user-level accessibility registry key and using an oplock on a system file, allowing them to replace the local machine registry key with a symbolic link to an arbitrary system registry key. This process operates under SYSTEM privileges, enabling the attacker to write arbitrary values to restricted areas of the Windows registry. MDSec demonstrated this technique to gain access to a SYSTEM-level command prompt. Microsoft has released security updates to address this vulnerability, and MDSec has made the exploit code available on GitHub for research purposes.

Winsage

March 15, 2026

I stopped letting Windows 11 “help” with my files—my PC feels faster now

Windows File Explorer's performance has declined due to the accumulation of features that have made it more cumbersome. Users can improve performance by disabling certain features: 1. Disable OneDrive: OneDrive consumes over a gigabyte of memory during syncing. To disable it, right-click the cloud icon in the system tray, access settings, unlink the PC, and disable it from auto-launching in Task Manager. 2. Turn off Bitlocker: Bitlocker encrypts drives by default, which can slow down file operations. To disable it, go to Control Panel > System & Security > Bitlocker Encryption and select Turn Bitlocker off. 3. Disable automatic folder type discovery: This feature can cause lag when opening folders. To disable it, edit the Windows Registry by navigating to a specific path and creating a new String Value named "FolderType" with the value "NotSpecified." 4. Turn off Windows Search indexing: Windows Search consumes resources and may perform poorly. To disable it, access services.msc, stop Windows Search, and change its Startup type to Disable. Users can then download and use the tool "Everything" for a more efficient search experience.

Winsage

March 12, 2026

How to Block Windows Upgrade for Good

Recent reports indicate concerns among users about automatic upgrades of Windows PCs, particularly for those who prefer to stay on Windows 10 or a specific feature update. Despite these fears, there is no evidence that Microsoft upgrades PCs without user consent; many users may unintentionally accept upgrade prompts or face bugs that trigger updates. Microsoft's upgrade approach can feel aggressive, especially when feature updates are bundled with regular updates. If the option to receive the latest updates is enabled, automatic installations may occur, particularly when a version reaches its end of service. Users can prevent unwanted upgrades through several methods: 1. Group Policy Editor: For Windows Pro or Enterprise users, they can lock in a specific feature update by accessing the Group Policy Editor and setting the desired OS edition and feature update version. 2. Windows Registry: Windows Home users can modify the Windows Registry to restrict upgrades. This involves creating specific DWORD and String Values to set the target OS edition and feature update version. 3. InControl App: A user-friendly application that allows users to freeze their current OS edition and feature update version, preventing upgrades while still allowing monthly updates. These methods enable users to maintain control over their operating systems and avoid unexpected upgrades.

Winsage

March 11, 2026

How to disable Hyper-V for Windows 11

Microsoft's Hyper-V is a hardware virtualization platform integrated into Windows 11 Professional, Enterprise, and Education editions, allowing users to host multiple virtual machines (VMs) on a single computer. It operates using a type 1 hypervisor directly on hardware, enabling VMs to share resources like CPU, memory, and storage. Hyper-V includes features such as dynamic memory allocation, software-defined networking, and saved checkpoints. IT administrators may need to disable Hyper-V due to compatibility issues with third-party virtualization software, high-precision applications, or driver conflicts. Disabling Hyper-V can also affect security features reliant on it, such as virtualization-based security (VBS) and Device Guard. Methods to disable Hyper-V include: 1. Using the Windows Features dialog. 2. Executing a PowerShell command: Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform. 3. Running a DISM command:

dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform

. 4. Using the bcdedit command: bcdedit /set hypervisorlaunchtype off. 5. Modifying Group Policy to disable VBS. 6. Editing the Windows Registry to disable VBS or Credential Guard. For multiple managed computers, administrators can create and execute a PowerShell script or use Group Policy Objects to streamline the process. Testing in a controlled environment is recommended to ensure desired outcomes without compromising security or functionality.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Tech Optimizer

February 11, 2026

How to Disable Windows 11 Defender: Temporary and Permanent

Microsoft Defender Antivirus is the built-in security solution for Windows 11, protecting against viruses, malware, and ransomware. Users may need to disable it temporarily or permanently for various reasons, including software installation, penetration testing, performance issues, transitioning to third-party antivirus solutions, or troubleshooting conflicts. Temporary disabling can be done through the Windows Security app, which will automatically re-enable after a restart. Permanent disabling requires changes in Group Policy, applicable only to Windows 11 Pro, Enterprise, and Education editions, and necessitates disabling Tamper Protection first. Another method for permanent disabling is installing a third-party antivirus, which automatically deactivates Defender's real-time protection. Windows 11 Home users cannot use Group Policy for permanent disabling but can still temporarily disable Defender or install a third-party antivirus. Disabling Defender exposes the system to threats, and users should ensure they have alternative protection in place. Major Windows updates may reset Defender settings, and caution is advised when modifying system settings.

Winsage

January 29, 2026

Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence

Praetorian Inc. has launched Swarmer, a tool that enables low-privilege attackers to maintain stealthy persistence in the Windows registry while avoiding detection by Endpoint Detection and Response (EDR) systems. Swarmer uses mandatory user profiles and the Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. It operates by creating an NTUSER.MAN file that replaces the NTUSER.DAT hive upon user login, allowing low-privilege users to manipulate registry settings without alerting EDR tools. Swarmer employs functions from Microsoft’s Offline Registry Library, enabling it to perform operations without invoking Reg* API calls, thus evading detection mechanisms. Swarmer's workflow involves exporting the HKCU registry, modifying it, and executing the tool with specific commands to place the modified NTUSER.MAN file into the user profile. It can be used as an executable or a PowerShell module. While it presents a novel method for persistence, Swarmer has limitations, such as being unable to update without admin access and requiring user login to activate. Detection strategies include monitoring for NTUSER.MAN file creation and Offreg.dll usage in non-standard processes.

Tech Optimizer

January 29, 2026

eScan Antivirus Update Server Hacked to Push Malicious Update packages

A supply chain breach has affected MicroWorld Technologies' eScan antivirus product, allowing malicious actors to use the vendor's update infrastructure to spread malware. Discovered on January 20, 2026, by Morphisec, the attack involved a trojanized update package that deployed multi-stage malware on enterprise and consumer endpoints globally. The initial compromise occurred through a malicious update replacing the legitimate Reload.exe binary, which was digitally signed with a valid eScan certificate. This led to the execution of a downloader (CONSCTLX.exe) and further malware stages that evaded defenses and disabled security features. The malware obstructs automatic updates by altering system configurations, including the hosts file and registry keys. Indicators of compromise include specific file names and SHA-256 hashes for the trojanized update and downloader. Network administrators are advised to block traffic to identified command and control domains and IPs. Affected organizations should verify their systems for signs of compromise and contact MicroWorld Technologies for a manual patch.

Winsage

January 28, 2026

This free tool lets you make all the Windows registry changes you’ve been avoiding

Windows 11 generally provides a satisfactory experience, but power users often seek more control due to telemetry services, background applications, and bloatware. Winaero Tweaker offers a user-friendly graphical interface for making system adjustments, including restoring the classic context menu and File Explorer ribbon. It allows users to disable ads across various platforms with a one-click solution and provides an easy way to eliminate bloatware by disabling unnecessary background apps and services. Winaero Tweaker also enables users to disable automatic driver updates, giving them control over their system's drivers. Compared to the Registry Editor, Winaero Tweaker simplifies the customization process with clear toggles and explanations, making it accessible for both novice and experienced users.

Winsage

January 12, 2026

Windows 11 File Explorer Lag: Legacy XP Feature Fix via Registry Tweak

File Explorer in Windows 11 has been reported to have performance issues, particularly delays when navigating folders with many media files or documents. This problem is linked to the auto-discovery feature, which optimizes folder display settings based on content but incurs a significant computational burden. Disabling this feature through registry modifications can lead to improved performance, with users experiencing faster navigation and reduced folder load times. Microsoft has acknowledged these issues and plans to preload File Explorer for quicker launches, but the underlying problems remain largely unaddressed. Users have shared their experiences and solutions, including registry tweaks that set folder types to "NotSpecified" to eliminate scanning overhead. Despite some incremental updates from Microsoft, many users still face core lags, prompting ongoing community-driven fixes and discussions about the need for deeper audits of legacy code.