Windows Registry Archives

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Tech Optimizer

February 11, 2026

How to Disable Windows 11 Defender: Temporary and Permanent

Microsoft Defender Antivirus is the built-in security solution for Windows 11, protecting against viruses, malware, and ransomware. Users may need to disable it temporarily or permanently for various reasons, including software installation, penetration testing, performance issues, transitioning to third-party antivirus solutions, or troubleshooting conflicts. Temporary disabling can be done through the Windows Security app, which will automatically re-enable after a restart. Permanent disabling requires changes in Group Policy, applicable only to Windows 11 Pro, Enterprise, and Education editions, and necessitates disabling Tamper Protection first. Another method for permanent disabling is installing a third-party antivirus, which automatically deactivates Defender's real-time protection. Windows 11 Home users cannot use Group Policy for permanent disabling but can still temporarily disable Defender or install a third-party antivirus. Disabling Defender exposes the system to threats, and users should ensure they have alternative protection in place. Major Windows updates may reset Defender settings, and caution is advised when modifying system settings.

Winsage

January 29, 2026

Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence

Praetorian Inc. has launched Swarmer, a tool that enables low-privilege attackers to maintain stealthy persistence in the Windows registry while avoiding detection by Endpoint Detection and Response (EDR) systems. Swarmer uses mandatory user profiles and the Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. It operates by creating an NTUSER.MAN file that replaces the NTUSER.DAT hive upon user login, allowing low-privilege users to manipulate registry settings without alerting EDR tools. Swarmer employs functions from Microsoft’s Offline Registry Library, enabling it to perform operations without invoking Reg* API calls, thus evading detection mechanisms. Swarmer's workflow involves exporting the HKCU registry, modifying it, and executing the tool with specific commands to place the modified NTUSER.MAN file into the user profile. It can be used as an executable or a PowerShell module. While it presents a novel method for persistence, Swarmer has limitations, such as being unable to update without admin access and requiring user login to activate. Detection strategies include monitoring for NTUSER.MAN file creation and Offreg.dll usage in non-standard processes.

Tech Optimizer

January 29, 2026

eScan Antivirus Update Server Hacked to Push Malicious Update packages

A supply chain breach has affected MicroWorld Technologies' eScan antivirus product, allowing malicious actors to use the vendor's update infrastructure to spread malware. Discovered on January 20, 2026, by Morphisec, the attack involved a trojanized update package that deployed multi-stage malware on enterprise and consumer endpoints globally. The initial compromise occurred through a malicious update replacing the legitimate Reload.exe binary, which was digitally signed with a valid eScan certificate. This led to the execution of a downloader (CONSCTLX.exe) and further malware stages that evaded defenses and disabled security features. The malware obstructs automatic updates by altering system configurations, including the hosts file and registry keys. Indicators of compromise include specific file names and SHA-256 hashes for the trojanized update and downloader. Network administrators are advised to block traffic to identified command and control domains and IPs. Affected organizations should verify their systems for signs of compromise and contact MicroWorld Technologies for a manual patch.

Winsage

January 28, 2026

This free tool lets you make all the Windows registry changes you’ve been avoiding

Windows 11 generally provides a satisfactory experience, but power users often seek more control due to telemetry services, background applications, and bloatware. Winaero Tweaker offers a user-friendly graphical interface for making system adjustments, including restoring the classic context menu and File Explorer ribbon. It allows users to disable ads across various platforms with a one-click solution and provides an easy way to eliminate bloatware by disabling unnecessary background apps and services. Winaero Tweaker also enables users to disable automatic driver updates, giving them control over their system's drivers. Compared to the Registry Editor, Winaero Tweaker simplifies the customization process with clear toggles and explanations, making it accessible for both novice and experienced users.

Winsage

January 12, 2026

Windows 11 File Explorer Lag: Legacy XP Feature Fix via Registry Tweak

File Explorer in Windows 11 has been reported to have performance issues, particularly delays when navigating folders with many media files or documents. This problem is linked to the auto-discovery feature, which optimizes folder display settings based on content but incurs a significant computational burden. Disabling this feature through registry modifications can lead to improved performance, with users experiencing faster navigation and reduced folder load times. Microsoft has acknowledged these issues and plans to preload File Explorer for quicker launches, but the underlying problems remain largely unaddressed. Users have shared their experiences and solutions, including registry tweaks that set folder types to "NotSpecified" to eliminate scanning overhead. Despite some incremental updates from Microsoft, many users still face core lags, prompting ongoing community-driven fixes and discussions about the need for deeper audits of legacy code.

Winsage

January 9, 2026

Use These Windows Registry Hacks to Tame the Disruptive Windows Updates

Many users are frustrated with Microsoft's management of Windows updates, which can disrupt workflows during critical tasks. While completely disabling updates poses security risks, users can modify the Windows Registry to regain control. To prevent automatic downloading and installation of updates, users can create a key in the Registry at HKEYLOCALMACHINESOFTWAREPoliciesMicrosoftWindows, naming it WindowsUpdate, and then create another key named AU. A DWORD value named AUOptions can be set to 2 to prompt for permission before updates. To stop automatic restarts during logged-in sessions, users can navigate to HKEYLOCALMACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU and create a DWORD value named NoAutoRebootWithLoggedOnUsers, setting its value to 1. To lock Windows to a specific version and avoid feature upgrades, users can access HKEYLOCALMACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdate and create a DWORD value named TargetReleaseVersion set to 1, along with two String values: ProductVersion for the current version and TargetReleaseVersionInfo for the desired version. To prevent automatic driver updates, users can go to HKEYLOCALMACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdate and create a DWORD value named ExcludeWUDriversInQualityUpdate, setting its value to 1. To extend the pause limit for updates beyond five weeks, users can access HKEYLOCALMACHINESOFTWAREMicrosoftWindowsUpdateUXSettings and create a DWORD value named FlightSettingsMaxPauseDays, setting its value to 365 or any preferred duration. These modifications allow for greater control over Windows updates, although emergency updates may still occur.

Winsage

January 8, 2026

How to get started with PowerToys Command Palette on Windows 11 — an answer to macOS Spotlight for Windows PCs

The Command Palette is a feature in PowerToys for Windows 11 that allows advanced users to access applications, settings, and system tools quickly, similar to macOS Spotlight. To install it, users must install PowerToys via Command Prompt or the Microsoft Store. Configuration involves enabling the Command Palette, customizing activation shortcuts, and adjusting display settings. Users can search for applications, settings, and files, perform calculations, access clipboard history, and execute system commands. Keyboard modifiers enhance functionality, and users can create custom search shortcuts with community plugins. The Command Palette also includes a Registry browser extension for navigating the Windows Registry.

Winsage

January 1, 2026

Windows Registry Tweak Unlocks 80% SSD Speed Boost on Consumer PCs

A modification in the Windows Registry can enable a native NVMe driver, potentially doubling the performance of solid-state drives (SSDs) by enhancing random read and write speeds by up to 80%. This driver is typically reserved for enterprise environments and is not officially available for consumer versions of Windows 11. The modification carries risks, including the possibility of rendering a system unbootable and disrupting features like BitLocker encryption. Early adopters have reported mixed results, with some experiencing significant performance improvements while others face stability issues. The tweak highlights the disparity between consumer and enterprise hardware capabilities and reflects ongoing discussions within the tech community about optimizing SSD performance.

Winsage

December 28, 2025

Your Windows SSD Could Be Faster, Microsoft’s New Update Reveals Why

Microsoft introduced a native NVMe driver in Windows Server 2025 to improve SSD performance by eliminating bottlenecks associated with the SCSI translation protocol. This driver allows for direct communication between NVMe drives and Windows, resulting in substantial improvements in random IOPS and reduced CPU overhead for enterprise systems. Tech-savvy users have found a way to enable this driver on Windows 11, leading to reported increases in throughput of up to 45 percent in specific storage tests. The performance enhancements are particularly noticeable in random access workloads, although users should be cautious when modifying the Windows registry due to potential risks. Speed improvements may not be significant for average users but could benefit power users and those running IOPS-intensive applications.