Category Archives: Security

E-mail Link Cynicism Is Well-Considered

I’ll admit it: I’m a cynic when it comes to emails that ask me to follow a link to verify something. If somebody asks for verification unsolicited, I believe by default that request is malign. So when an email showed up asking me to verify my account to keep my email server going, my first instinct was “Heck NO!” And, as the NordVPN link-checker immediately confirmed, my instincts are good. It pops up instantly as a phishing site. Skepticism is spot on, and e-mail link cynicism is well-considered — at least IMO.

Check to See if E-mail Link Cynicism Is Well-Considered

If in doubt, check the link at a third-party site. NEVER click a link from an unknown sender. If you’re incurably curious, do it from a sandbox or VM you can blow away if something bad happens. The important thing is to think about what’s in your inbox, how it got there, and how it might bite you.

Here’s what the NordVPN site says. It’s great advice so I’ll repeat it verbatim:

Got a suspicious email or text? Check the link before clicking — it will significantly reduce the chances of you falling for a phishing attack.

When in doubt, check. If you can’t check, don’t click: wait until you can (or delete the email). If it’s really important and legit, the sender will resend and you’ll get another opportunity to recheck what’s going on.

Reverse Lookup Mojo

Indeed, if you are concerned about a reported issue or account problem, it’s much safer for YOU to visit a known, good, working vendor site to check on status. Amazon is a good example: I can’t tell you how many bogus SMS text messages I’ve gotten on my cell that ask for Amazon account details to confirm things, because I delete them as soon as they appear. As a matter of policy Amazon does not request sensitive info (passwords, credit card data, etc.) via SMS, though they do report order and delivery status that way.

Be smart when you respond to emails. If there’s any doubt, open your own link to a trusted vendor and check things from your end. If you don’t recognize a sender asking for sensitive info, don’t respond. This is a case where doing nothing is exactly what’s right — and safest.


Leave Post KB5055523 Inetpub Folder Alone

I’d seen reporting on this yesterday, along with blithe assumptions about related cleanup (deletion). Today, MS has published a CVE-2025-21204 security note that explains what’s going on, and specifically advises users to leave post KB5055523 Inetpub folder alone — and intact.

Here’s a direct quote from the afore-linked source:

After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.

Note: KB5055523 is a security update for Build 26100.3775 (production level Windows 11 24H2) released as part of the Patch Tuesday collection on April 8, 2025.

Why Leave Post KB5055523 Inetpub Folder Alone?

It’s part of the infrastructure upon which MS relies to fend off the named vulnerability. In other words, if the folder is present, MS can use it to protect against potential attacks. MS is sometimes fond of leaving folders behind in the wake of various installs (especially feature upgrades). Anything not needed is usually fair game for Disk Cleanup or the Windows Store PC Manager app.

That said, some OCD-friendly Windows users (you know who you are) relentlessly clean up things just because they must. This is apparently a case that flies against that impetus. MS, in this particular case, says “Leave it alone.” I guess I shall, and you probably should, too.

Though the Inetpub folder is empty after the update runs (see next screencap), it is meant to be and stay there. You’ve been warned! Indeed, as you can see, its properties are also set to “Read-only.”

The ‘Read-only’ status signals weakly that this item should stay put.
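Added example, not from the post or from Microsoft: a read-only audit that reports whether the post-update inetpub folder is where MS says it should be, using only the facts the post gives (the KB id, the %systemdrive%\inetpub path, the Read-only attribute, and that IIS need not be present). It changes nothing; run it from an elevated PowerShell 5.1+ session.

```powershell
# Added example (not from the original post): audit the post-KB5055523 inetpub folder
# without touching it. Assumes Windows 11 24H2 and an elevated session (Get-HotFix and
# Get-WindowsOptionalFeature need admin rights).

function Test-InetpubPostUpdate {
    [CmdletBinding()]
    param(
        # KB named in the post for Build 26100.3775; other builds carry the change under other ids (assumption)
        [string]$KbId   = 'KB5055523',
        [string]$Folder = (Join-Path $env:SystemDrive 'inetpub')
    )

    $result = [ordered]@{
        UpdateInstalled = $false
        FolderPresent   = $false
        ReadOnly        = $false
        IsEmpty         = $null
        IisInstalled    = $false
        Verdict         = ''
    }

    # 1. Is the update that creates the folder installed on this machine?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $result.UpdateInstalled = [bool]$hotfix

    # 2. Does the folder exist, and does it still carry the Read-only attribute the post mentions?
    if (Test-Path -LiteralPath $Folder -PathType Container) {
        $item = Get-Item -LiteralPath $Folder -Force
        $result.FolderPresent = $true
        $result.ReadOnly = (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
        $result.IsEmpty  = -not (Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue | Select-Object -First 1)
    }

    # 3. IIS presence is informational only: MS says keep the folder whether or not IIS is active.
    $iis = Get-WindowsOptionalFeature -Online -FeatureName IIS-WebServer -ErrorAction SilentlyContinue
    $result.IisInstalled = [bool]($iis -and $iis.State -eq 'Enabled')

    $result.Verdict = if (-not $result.UpdateInstalled) { 'Update not installed; nothing to check yet' }
                      elseif (-not $result.FolderPresent) { 'WARNING: inetpub missing after the update (deleted?)' }
                      elseif (-not $result.ReadOnly) { 'NOTE: inetpub present but Read-only attribute cleared' }
                      else { 'OK: inetpub present and Read-only' }

    [pscustomobject]$result
}

Test-InetpubPostUpdate | Format-List
```

The Verdict line is the one to watch in a fleet report: a missing folder after the update is installed is exactly the state MS says you should not be in, while a cleared Read-only attribute hints that a cleanup tool has already been at it.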

Final Warning: Don’t!

I’ve seen various online sources assert that it’s OK to delete this folder because it caused no observable ill effects on their test PCs. If what MS says about Inetpub’s presence or absence on a PC is true, you don’t want to see what could happen if it were to be deleted. Let this particular sleeping critter keep snoozing, please.


PowerShell-Based Defender Commands

The other day, my Canary Channel X380 Yoga hung up on Windows Update. In other words, after some kind of WU download difficulty, it wouldn’t download from those servers. There are lots of ways to unstick WU, but one of the easiest is to get Windows Defender to update. Personally, I prefer to use a single PowerShell command with no arguments or parameters, rather than navigating into Windows Security to see if that might help. Indeed, there is a plethora of Defender controls in PowerShell. The one I used is just a single instance in a collection of over a dozen items.

Finding PowerShell-Based Defender Commands

You can see the command I used to ask PowerShell to update Defender in the lead-in graphic. It’s named Update-MpSignature, and it takes no mandatory arguments or parameters. What you’re looking at there, in fact, is the general PowerShell Module Browser at MS Learn. It’s dialed into Defender commands, shown in the breadcrumbs up top: Learn/Windows/PowerShell/Defender. As you will soon find out, there is a baker’s dozen of such things there under this heading.

Other Defender Commands get their own listings, but also appear in a handy-dandy table (simplified contents reproduced verbatim below). Indeed, each one also has its individual command reference, for which you find links in said table.

As you can see there are lots of interesting and sometimes useful ways to interact with Defender in PowerShell. They’re worth exploring and getting to know. I used a simple one to unstick WU this week, but there are lots of other tools here, ready to help you manipulate Defender in Windows Terminal or via automation scripts. Have at it!
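Added example, not from the post: the same Update-MpSignature call the post used, wrapped in a before/after comparison so you can tell whether the definitions actually moved, with a fallback to the Microsoft Malware Protection Center source for the case the post describes (WU itself is the thing that is stuck). All cmdlets are from Windows’ built-in Defender module; run from an elevated session.

```powershell
# Added example (not from the original post): update Defender signatures and report
# whether anything changed. Uses only the built-in Defender module cmdlets.

function Update-DefenderWithCheck {
    [CmdletBinding()]
    param()

    $before = Get-MpComputerStatus

    try {
        # The no-argument command from the post: pull definitions via the default source.
        Update-MpSignature -ErrorAction Stop
    } catch {
        Write-Warning "Default update source failed: $($_.Exception.Message)"
        # If Windows Update is the broken piece, fetch straight from MMPC instead.
        Update-MpSignature -UpdateSource MMPC -ErrorAction Stop
    }

    $after = Get-MpComputerStatus

    [pscustomobject]@{
        SignatureBefore   = $before.AntivirusSignatureVersion
        SignatureAfter    = $after.AntivirusSignatureVersion
        Changed           = ($before.AntivirusSignatureVersion -ne $after.AntivirusSignatureVersion)
        LastUpdated       = $after.AntivirusSignatureLastUpdated
        SignatureAgeHours = [math]::Round(((Get-Date) - $after.AntivirusSignatureLastUpdated).TotalHours, 1)
        RealTimeOn        = $after.RealTimeProtectionEnabled
    }
}

# The "baker's dozen" the post mentions, read from the module installed on this machine
function Get-DefenderCmdletInventory {
    Get-Command -Module Defender | Sort-Object Name | Select-Object Name, CommandType
}

Update-DefenderWithCheck | Format-List
Get-DefenderCmdletInventory | Format-Table -AutoSize
```

Changed = False with a small SignatureAgeHours just means the box was already current; Changed = False with a large age and a warning on the first call is the signal that WU really is wedged and worth the extra troubleshooting steps.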


Avoid Mystery Pop-up Windows

It’s now a truism that one should NEVER click links in email from unknown or untrusted sources. This morning, I was reminded the same is true inside a browser. There, one should avoid mystery pop-up windows with equal attention and suspicion. Indeed, this happened as I visited one of my daily Windows-related news and info sites, much to my alarm and dismay.

Why Avoid Mystery Pop-Up Windows?

Any time you’re presented with a link you don’t recognize, didn’t ask for — and probably also, don’t want — leave it alone. In my case, I clicked CTRL-Shift-ESC to launch Task Manager. Then, I killed all related browser processes. After that, I restarted Firefox anew. It’s never smart to take any such bait, nor to let it linger on your desktop.

Indeed, Task Manager might have refused to kill one or more Firefox processes. Then, my next step would be: restart my PC, then run an immediate virus scan. As it was, an immediate follow-up scan showed Defender still on the job. It revealed neither lurking threats nor suspicious files. Good-oh!

You’ve Been Pwned!

Right here at edtittel.com, I fought off a series of WordPress-induced injection attacks last year. I ended up having to buy into a security service that prevented hijackers from altering URLs published into social media sites (e.g. X, Facebook and LinkedIn). These redirected would-be blog post visitors to certain potentially unsavory stop-offs en route to my daily posts. It now costs me $300 a year to protect website visitors from such stuff and nonsense.

I say this to explain that such things can happen to almost any website, at any time, as unpatched vulnerabilities get exploited. Knowing that this is always a possibility, savvy users recognize that mystery pop-ups hide much more malice and potential for harm than sources for wonder and beauty. Avoid them at all costs, is received security wisdom — and my best advice as well. That goes double if they come bearing offers that seem too good to be true…


Windows Resiliency Initiative Includes Quick Machine Recovery

It’s that time of year again, when MS meetings and conferences — Ignite 2024, in this case — heat things up with future promises and new idea campaigns. Yesterday’s Windows Experience Blog from David Weston (MS VP Enterprise & OS Security) is a case in point. Entitled Windows security and resiliency: Protecting your business, it asserts that a new Windows Resiliency Initiative includes Quick Machine Recovery as a key capability. Very interesting!

Explaining Windows Resiliency Initiative Includes Quick Machine Recovery

This new initiative “takes four areas of focus” as its goal — namely (all bullet points quoted verbatim from the afore-linked blog post, except for my [bracketed] commentary):

  • Strengthen reliability based on learnings from the incident we saw in July. [Crowdstrike kernel mode error took down 8.5M Windows PCs.]
  • Enabling more apps and users to run without admin privileges.
  • Stronger controls for what apps and drivers are allowed to run.
  • Improved identity protection to prevent phishing attacks.

The first and arguably most impactful preceding item is what led MS to its announcement of Quick Machine Recovery. Here’s how Weston explains it:

This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC. This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past. Quick Machine Recovery will be available to the Windows Insider Program community in early 2025.

In other words, this new feature should enable what savvy administrators had to do using OOB access to affected machines via KVMs smart enough to bootstrap machines otherwise unable to boot.

Great Addition: How’s the Execution?

IMO this is something MS should’ve built into Windows long ago. I’m curious to see how (and how well) it works. I’m also curious to see if it will be available for Windows 10 as well as 11. Only time will tell, but I’ll be all over this when it hits Insider Builds early next year. Good stuff — I hope!!


CVE-2024-6768 Exposes Scary Windows Vulnerability

In reading through my usual Windows news and info sources this morning I came across a scary notification at MS Power User. The named item is from the national vulnerability database. CVE-2024-6768 — which makes it item 6,768 for 2024 — comes with scary implications. It’s been reported in some form since last February. It attacks by altering meta-data for Windows base log files (BLFs) and can cause doom loops like those recently experienced from a Crowdstrike update last month. Thus, CVE-2024-6768 exposes a scary Windows vulnerability that is hard to fend off and tricky to repair.

BLF Alteration in CVE-2024-6768 Exposes Scary Windows Vulnerability

A base log file (BLF) sits at the heart of the Windows Common Log File System (aka CLFS). As MS Learn’s “Creating a Log File” article begins, it says:

Before you can use CLFS, you must create a log file using the CreateLogFile function. A log file is made up of a base log file that contains metadata, and a number of containers that hold the actual data. On any local file system, containers can be in one or more separate files; on NTFS, containers can be in one or more streams within a file.

The BLF contains key information that describes the associated containers for log data. If the BLF is wrong, the log won’t make sense and cannot be read. This doesn’t sound like a big deal, but it is. Let me explain further…

Several Interesting Copilot Responses…

When asked to describe BLF files, Copilot notes how they’re used:

Usage: These files are crucial for maintaining system stability and integrity. They help manage user-level registry information and other system-level data. For example, the Windows component that writes user-level registry information to the NTUSER.DAT file uses CLFS logging, which involves BLF files.

Indeed it seems that CVE-2024-6768 wreaks havoc by breaking the base log handler with a bogus “size of data field” value. This kind of error triggers a BugCheck error, and in turn provokes a BSOD.

Further investigation shows that any time a registry change occurs BLF files get updated. They are also essential to system boot-up, application installation and update, as well as system update. To get more details ask Copilot: “When do Windows base log files get written, and when do they get read?” You’ll see what I mean right away.

What Does the Future Hold?

The Fortra release note for this vulnerability shows its history, while a companion research note shows more details. So far, MS has yet to respond. Other than research work, I see no evidence of successful exploits in the wild. That said, this kind of attack is nearly impossible to fix without knowing the exact details of the registry values changed to mung some (or more) specific .BLF file(s).

IMO, this means the only real protection is a recent image backup that will replace the altered Windows image with a known, good working copy. Stuff like this is why I keep such things handy, and make one at least daily. This could get interesting…stay tuned!


Getting Past Crowdstruck Requires Access

Last Friday (July 19), cybersecurity firm Crowdstrike pushed an update to its threat sensors. Ultimately, that ended up with over 8 million Windows PCs unable to boot, stuck on a BSOD for invalid references in a kernel-mode driver. Behind the scenes, all kinds of companies from hospitals, to government agencies, to airlines, and more, found themselves unable to use updated machines after a post-update reboot. What really caused the heartburn? Getting past Crowdstruck requires access to affected machines on a one-at-a-time basis.

If you look at the BSOD screencap at the head of this blog post, you’ll see a driver named csagent.sys. This is the CrowdStrike Agent driver which runs at kernel mode by design. That ensures it can’t be easily accessed or tampered with by hackers. But when something runs as a kernel mode driver it must be rigorously and thoroughly tested and vetted, or it can crash any PC on which it runs. Errors, in short, cannot be tolerated. Oops!

Why Getting Past Crowdstruck Requires Access

Part of the Crowdstrike software runs as a Windows kernel-mode driver. That means it has the same level of access as privileged parts of the OS itself. If any of this code throws an error — as Crowdstrike has publicly admitted its update did — Windows crashes itself. That’s by design, out of an abundance of caution to avoid loss of data or other damage to affected systems.

Here’s where things get interesting. Windows can’t boot and run until the offending driver is removed. In turn, the affected PCs must boot into safe mode or a recovery image. Either can operate on the damaged Windows image, remove the bad driver, and stand Windows back up again. This is easy when admins or IT pros have physical access to affected PCs. Indeed, Copilot recommends using the “three strikes” method to get into Windows recovery. (Three consecutive boot failures automatically trigger Windows alternate boot.) Then, using WinRE (or Windows itself in safe mode, from the Advanced Boot Options), repairs can go forward.

The problem is that many, if not virtually all, of the affected machines stayed down, stuck in a “boot loop.” They remained that way because their operators DIDN’T have physical access to those PCs. I’ll bet that most of them had to be teleoperated through a KVM device that can work around PC problems that extend all the way down to the hardware level (outside the scope of normal remote access and RDP). This kind of thing doesn’t scale well, either, so it takes time to work through hundreds to thousands of remote PCs (think of the PC behind the counter at AA or Delta, where the gate or ticket agent is completely clueless about boot-level Windows repairs).
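Added example, not from the post and not CrowdStrike’s own tooling: the WinRE-side repair the post describes (boot to recovery, remove the offending file from the offline Windows volume, reboot) as a script you could hand to the person at the counter or push through an out-of-band console. The file pattern and folder are my recollection of the channel-file remediation CrowdStrike published at the time, not facts from this post, so they are parameters: confirm them against the vendor’s current guidance and run with -WhatIf first. Files are quarantined rather than deleted so the evidence survives and the step can be undone.

```powershell
# Added example (not from the original post, not CrowdStrike's guidance verbatim).
# Run from the WinRE command prompt after typing 'powershell'. In WinRE the OS volume is
# not necessarily C:, and X: is the RAM disk, so the script looks for offline Windows installs.
# ASSUMPTIONS (verify before use): the pattern 'C-00000291*.sys' and the folder
# 'Windows\System32\drivers\CrowdStrike' are from memory of the published remediation.

function Repair-OfflineCrowdStrikeDriver {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Pattern        = 'C-00000291*.sys',
        [string]$RelativeDir    = 'Windows\System32\drivers\CrowdStrike',
        [string]$QuarantineName = 'Quarantine-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    )

    # Every mounted volume that carries a Windows registry hive is a candidate OS install.
    $osVolumes = Get-PSDrive -PSProvider FileSystem | Where-Object {
        $_.Name -ne 'X' -and (Test-Path (Join-Path $_.Root 'Windows\System32\config\SYSTEM'))
    }
    if (-not $osVolumes) {
        throw 'No offline Windows volume found. If the drive is BitLocker-protected, run manage-bde -unlock first.'
    }

    foreach ($vol in $osVolumes) {
        $driverDir = Join-Path $vol.Root $RelativeDir
        if (-not (Test-Path $driverDir)) {
            Write-Host "$($vol.Root): no $RelativeDir folder; nothing to do"
            continue
        }
        $hits = Get-ChildItem -Path $driverDir -Filter $Pattern -File -ErrorAction SilentlyContinue
        if (-not $hits) {
            Write-Host "$($vol.Root): no files matching $Pattern"
            continue
        }

        # Move, don't delete: preserves the file for the vendor/IR team and makes rollback trivial.
        $quarantine = Join-Path $vol.Root $QuarantineName
        New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
        foreach ($f in $hits) {
            if ($PSCmdlet.ShouldProcess($f.FullName, "Move to $quarantine")) {
                Move-Item -LiteralPath $f.FullName -Destination $quarantine
                [pscustomobject]@{
                    Volume   = $vol.Root
                    File     = $f.Name
                    Size     = $f.Length
                    Modified = $f.LastWriteTime
                    MovedTo  = $quarantine
                }
            }
        }
    }
}

# Dry run first; then the real thing; then 'wpeutil reboot' from WinRE to test the boot.
Repair-OfflineCrowdStrikeDriver -WhatIf
# Repair-OfflineCrowdStrikeDriver | Format-Table -AutoSize
```

The Modified timestamp in the output is worth capturing: it tells you which files arrived with the bad push and which are older, and the quarantine folder is what you point the vendor at if they ask for samples.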

An “Interesting” Problem, Indeed!

Far too many cybersecurity and IT pros found themselves in the grip of the old Chinese curse (“May you live in interesting times”) after the *291* driver for Crowdstrike tried to run on Friday. Organizations that prepare and drill for these kinds of outages were doubtless at an advantage in already knowing how to broker and run boot repairs remotely. I can only imagine the hair-pulling that went on at other outfits less well-equipped to handle this outage.

Here’s a moral to ponder for those who run remote Windows PCs where physical access is impossible, difficult or impractical: Can your remote management infrastructure and automation work with a Windows PC that’s not booting, and won’t boot until it’s restarted in some special way? If your answer is “yes,” you’re probably over the Crowdstruck hump already. If your answer is “no,” you’ll probably make that a top priority as soon as you can kick-start and repair all remaining affected Windows nodes. In the meantime, my deepest sympathies…


Defender Threat-Flags MTPW

MTPW is the initialism for MiniTool Partition Wizard, a long-time mainstay in my stable of free and capable Windows tools. I’m not sure exactly why MS/Defender decided it’s a “potentially unwanted app.” That said, you can see the message from Microsoft Defender Beta as the lead-in graphic, which also labels it as a threat, albeit an abandoned one. To repeat: I don’t know why Defender threat-flags the MTPW download, but there it most assuredly is.

Digging into Defender Threat-Flags MTPW

Turns out that pw12-free.exe is an old, outdated name for MiniTool Partition Wizard (note the 2020 date, if you’re not convinced). The current version is named pw-free-online.exe. It throws no Defender Beta alerts, nor does VirusTotal find it at all objectionable. I guess that makes this one of those WTF moments that Windows can occasionally throw this way.

Given a security alert, I’d much rather have it turn out to be a false positive as is apparently the case here. Indeed, Everything can’t even find a copy of the offending file on my test PC (a 2018-vintage Lenovo Yoga 380X). Another bullet dodged, apparently, or less-than-vicious threat averted. I can’t make up my mind: you decide.

The Good Thing About False Positives…

Is, of course, that you can cheerfully ignore them. Indeed, because the offending file can’t even be found, it’s no longer a concern — if ever it was one. I checked the current download (pw-free-online.exe) just to make doubly-darned sure. But there’s no threat there that I can see. Good enough for me!


WordPress Link Access API Hack

Whoa! I just got messages from a colleague on LinkedIn, and have confirmed for both that social media platform and Facebook, that something wicked this way comes. That is, it seems there’s a WordPress link access API hack that enables malicious redirection whenever a link compaction program calls my site for link info. You can see what this looks like in the lead-in graphic. To mangle Talking Heads my reaction is “That’s not my beautiful site! Those aren’t my URLs.” Ai-yi-yi!

Fixing WordPress Link Access API Hack

Scan, then remove bad references. Remove any suspect WordPress elements. Put a security scan service in place to prevent recurrences. That’s what my Web guy is working on right now. For whatever odd and obviously invalid reason, I thought my WP service already covered all these bases. Now that I know that’s untrue, it will get fixed as soon as that work gets done.

Wow! What an astonishing PITA for something so modest and focused. It seems that several configuration files got modified through a vulnerable plug-in and included references to malicious URLs as of 5/21. We’re changing all the passwords, fixing what’s wrong, and cleaning up the mess. I’m hopeful things will be back to normal by tomorrow.

Going forward, we’ve added explicit ongoing security scans, and regular reviews of software selections, patch levels, and protective software to the mix. Hopefully, this won’t happen again. But if you see something odd any time you access one of my posts or Web pages, do like MS MVP Simon Allison did, and let me know right away that something seems funny or broken. Every little bit of insight and info helps!

Note Added 6/5 2:40 PM

The URL/API portion of the site has been replaced, and no more malicious or suspect URLs get generated. The issue is apparently fixed, but we’re still scanning all files in the entire site to make sure no other unwanted content/malicious payloads are lurking anywhere. All’s well that ends well, but the road goes on forever and the party never ends…
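Added example, not from the post and not part of WordPress: a monitoring check for the symptom described above (link-preview and link-shortening services being handed URLs that are not the site’s own). It fetches a post the way a preview bot would, since a hijacked site often serves bots different content than it serves a browser, and then verifies that every URL the site reports about itself (HTTP redirect target, og:url, canonical, the oEmbed response, and the REST API’s post links) stays on an allowed host. The endpoints are WordPress’s standard ones (wp-json/oembed/1.0/embed and wp-json/wp/v2/posts); the post URL at the bottom is a placeholder.

```powershell
# Added example (not from the original post): detect off-site URLs in what a WordPress site
# tells link-preview fetchers about itself. Works on PowerShell 5.1 and 7.

Add-Type -AssemblyName System.Net.Http -ErrorAction SilentlyContinue

function Test-WordPressLinkIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PostUrl,
        [string[]]$AllowedHosts,                      # default: the post's own host, with and without www
        [string]$UserAgent = 'facebookexternalhit/1.1' # how a preview fetcher announces itself
    )
    $site = [uri]$PostUrl
    if (-not $AllowedHosts) {
        $bare = $site.Host -replace '^www\.', ''
        $AllowedHosts = @($bare, "www.$bare")
    }
    $findings = New-Object System.Collections.Generic.List[object]

    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false               # a redirect is itself a finding, so do not follow it
    $client = [System.Net.Http.HttpClient]::new($handler)
    $null = $client.DefaultRequestHeaders.TryAddWithoutValidation('User-Agent', $UserAgent)

    # Record any absolute URL whose host is not one of ours
    $check = {
        param($Source, $Url)
        $h = try { ([uri]$Url).Host } catch { $null }
        if ($h -and ($h -notin $AllowedHosts)) {
            $findings.Add([pscustomobject]@{ Source = $Source; Url = $Url; Host = $h })
        }
    }
    $fetch = {
        param($Url)
        $resp = $client.GetAsync([string]$Url).GetAwaiter().GetResult()
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode
            Location = if ($resp.Headers.Location) { $resp.Headers.Location.ToString() } else { $null }
            Body     = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        }
    }

    # 1. The post page as a bot sees it: redirect target, og:url and canonical
    $page = & $fetch $PostUrl
    if ($page.Location) { & $check 'HTTP redirect' $page.Location }
    foreach ($m in [regex]::Matches($page.Body, '<(?:meta|link)\b[^>]*>')) {
        $tag = $m.Value
        if ($tag -match 'property=["'']og:url["'']' -and $tag -match 'content=["'']([^"'']+)') { & $check 'og:url' $Matches[1] }
        if ($tag -match 'rel=["'']canonical["'']'   -and $tag -match 'href=["'']([^"'']+)')    { & $check 'canonical' $Matches[1] }
    }

    # 2. oEmbed: what a link-preview or link-compaction service receives when it asks about the post
    $origin = "$($site.Scheme)://$($site.Host)"
    $oembed = & $fetch "$origin/wp-json/oembed/1.0/embed?url=$([uri]::EscapeDataString($PostUrl))"
    if ($oembed.Status -eq 200) {
        $o = $oembed.Body | ConvertFrom-Json
        foreach ($field in 'provider_url', 'author_url') { if ($o.$field) { & $check "oembed.$field" $o.$field } }
        foreach ($u in [regex]::Matches([string]$o.html, 'https?://[^\s"''<>]+')) { & $check 'oembed.html' $u.Value }
    } else {
        Write-Warning "oEmbed endpoint returned HTTP $($oembed.Status)"
    }

    # 3. REST API: the link and guid fields of recent posts
    $rest = & $fetch "$origin/wp-json/wp/v2/posts?per_page=10&_fields=id,link,guid"
    if ($rest.Status -eq 200) {
        foreach ($p in ($rest.Body | ConvertFrom-Json)) {
            & $check "rest.post[$($p.id)].link" $p.link
            & $check "rest.post[$($p.id)].guid" $p.guid.rendered
        }
    }
    $client.Dispose()
    $findings
}

# Placeholder URL: an empty result means every self-reported URL stays on the expected host
$bad = Test-WordPressLinkIntegrity -PostUrl 'https://example.com/2024/06/05/some-post/'
if ($bad) { $bad | Format-Table -AutoSize } else { 'No off-site URLs reported' }
```

Scheduled daily, this is the automated version of “let me know if something seems funny”: it would have caught the 5/21 change the day it happened rather than when a LinkedIn contact noticed. Legitimate CDN or image hosts will show up as findings too; add them to -AllowedHosts once you have confirmed they belong.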


MS Defender Update Targets Deployment Images

If you can trust the header data in this MS Support note (I do), it was updated on June 5, 2023. The item is entitled “Windows Defender update for Windows Operating system installation.” It describes how to imbue offline Windows images with the latest and greatest Defender capabilities. In fact, that article includes a warning not to apply them to live images. Thus, it’s clear that this MS Defender update targets deployment images.

I got my date information about the article from its HTML meta-data:

<meta name="lastPublishedDate" content="2023-06-05">
<meta name="firstPublishedDate" content="2020-12-04">

How MS Defender Update Targets Deployment Images

Pre-requisites to run the updates — for WIM and VHD files — include:

  • Works on OS install images for 64-bit Windows 10 and 11, and Windows Server 2016 and 2019
  • OS environment must include PowerShell version 5.1 or newer (current production version is 7.3.4 as I write this)
  • Microsoft.Powershell.Security and DISM modules installed
  • The PowerShell session for the script DefenderUpdateWinImage.ps1 runs with admin privileges. (“Run as administrator” or equivalent.)

The script provides switches to apply, remove or roll back, and list details for the installed update. Useful for those who maintain Windows images and want their security levels up to current snuff.
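Added example, not from the post and not Microsoft’s script: a wrapper that verifies the four prerequisites listed above before handing an offline image to DefenderUpdateWinImage.ps1, so the failure happens in a clear check rather than halfway through a DISM mount. The script’s own parameter names (-WorkingDirectory, -Action, -ImagePath, -Package) and the action values are my recollection of the MS Support article, not facts from this post; confirm them with `Get-Help .\DefenderUpdateWinImage.ps1 -Detailed` before relying on them. All paths are placeholders.

```powershell
# Added example (not from the original post or Microsoft): prerequisite check plus a guarded
# call into DefenderUpdateWinImage.ps1. Parameter names on that script are an ASSUMPTION.

function Test-DefenderImageUpdatePrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ImagePath,      # .wim or .vhd/.vhdx per the post
        [string]$MinimumPSVersion = '5.1'
    )
    $checks = [ordered]@{}

    # 1. Image container present and of a supported type (64-bit OS inside is checked by the script)
    $checks['ImageExists']    = Test-Path -LiteralPath $ImagePath -PathType Leaf
    $checks['ImageExtension'] = ([IO.Path]::GetExtension($ImagePath).ToLower() -in '.wim', '.vhd', '.vhdx')

    # 2. PowerShell 5.1 or newer (compare major.minor only so PS 7's semantic version works too)
    $ver = [version]"$($PSVersionTable.PSVersion.Major).$($PSVersionTable.PSVersion.Minor)"
    $checks['PowerShellVersion'] = ($ver -ge [version]$MinimumPSVersion)

    # 3. Required modules installed
    foreach ($mod in 'Microsoft.PowerShell.Security', 'Dism') {
        $checks["Module:$mod"] = [bool](Get-Module -ListAvailable -Name $mod)
    }

    # 4. Elevated session
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $checks['IsAdministrator'] = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]$checks
}

function Invoke-DefenderImageUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$PackagePath,    # Defender update package obtained per the MS article
        [string]$ScriptPath       = '.\DefenderUpdateWinImage.ps1',
        [string]$WorkingDirectory = (Join-Path $env:TEMP 'DefenderImageWork'),
        # Assumed action names: apply / remove / list details, matching the switches the post describes
        [ValidateSet('AddUpdate', 'RemoveUpdate', 'ShowUpdateDetails')][string]$Action = 'AddUpdate'
    )
    $pre    = Test-DefenderImageUpdatePrereqs -ImagePath $ImagePath
    $failed = $pre.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
    if ($failed) { throw "Prerequisites not met: $($failed -join ', ')" }

    New-Item -ItemType Directory -Path $WorkingDirectory -Force | Out-Null
    if ($PSCmdlet.ShouldProcess($ImagePath, "$Action via $ScriptPath")) {
        # Parameter names are an assumption; see the note at the top of this block.
        & $ScriptPath -WorkingDirectory $WorkingDirectory -Action $Action -ImagePath $ImagePath -Package $PackagePath
    }
}

# Typical sequence with placeholder paths: dry run, apply, then list what the image now carries
Invoke-DefenderImageUpdate -ImagePath 'D:\images\install.wim' -PackagePath 'D:\defender\update-package.cab' -WhatIf
# Invoke-DefenderImageUpdate -ImagePath 'D:\images\install.wim' -PackagePath 'D:\defender\update-package.cab'
# Invoke-DefenderImageUpdate -ImagePath 'D:\images\install.wim' -PackagePath 'D:\defender\update-package.cab' -Action ShowUpdateDetails
```

Keeping the prerequisite check separate from the invocation means it can run on its own in a build-server health check, which is where a missing DISM module or a non-elevated service account tends to surface first.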

Find all the details in the MS Support article previously named. Do this before your next scheduled update window, for sure. Of course, this means you’re using Windows Defender as part of your security infrastructure.

MS Is BIG in Security

I just worked on a promotional piece for a joint Rubrik and Microsoft security webinar (YouTube video). Amazingly, MS describes itself as “the biggest cyber security company in the world” and did over US$20B in such business in 2022. I guess they do have some legs to stand on in this arena. And indeed, they’re doing all kinds of fascinating stuff with AI and ML to improve their security posture and incident response capabilities. Great stuff!
