Uncategorized

How UEFI Flash Overturned Flo6

Leave a comment

A routine UEFI firmware update brought unexpected trouble to the Flo6 system yesterday. What should have been a simple BIOS flash turned into a boot failure. The cause? A major change in Secure Boot keys. This event highlights how firmware updates can affect system trust and stability. As I was figuring out how UEFI flash overturned Flo6, I had to work my way through another CMOS reset, GPU disconnect, and more. Buckle up: here come the deets!

How UEFI Flash Overturned Flo6, and Killed Normal Boot-up

The BIOS update for Flo6 included more than microcode or AGESA changes. It replaced the Secure Boot Platform Key (PK), Key Exchange Key (KEK), and the Allowed Signatures Database (DB). These new keys came from Microsoft’s 2023 certificate chain. They replaced the older 2011 certificates that had been in use since Windows 8. This was a full trust-chain rollover, not a routine patch.

Why Did Boot Balk Afterward?

After the update, Flo6 failed to boot. The reason was a mismatch between the new firmware keys and the bootloader signatures. Windows had already staged boot components signed with the 2023 certificates. But the firmware update reset the trust chain. The system no longer recognized the bootloader as valid. Secure Boot rejected it, and the system dropped into firmware setup.

Recovery and Realignment

Once the firmware finished installing those new keys, Windows rebuilt its boot entries. It aligned its bootloader with the new DB. The system re-entered User Mode and Secure Boot resumed normal operation. Flo6 booted successfully again. The trust chain was restored, and the system stabilized.

Along that seemingly simple path, however, I had to reboot Flo6 at least a dozen times. Maybe more than that: I kinda lost count. At one point I had to pop the CR2032 CMOS battery. At another, I unpowered the GPU so the system would be forced to reset GOP stuff during a next restart, destined and designed to fail. Along the way I worked through nearly ever aspect of the ASRock board’s Secure Boot capabilities, setting things back to rights.

Lesson Learned

Firmware updates that modify Secure Boot keys are not routine. They change the foundation of system trust. If the OS and firmware are not aligned, boot issues can result. Understanding how PK, KEK, and DB work helps prevent surprises. Always check BIOS release notes for Secure Boot changes before flashing.

The Flo6 incident shows how a UEFI flash can affect more than performance or features. It can change the system’s trust model. With Secure Boot evolving, it’s more important than ever to understand what firmware updates really do.

Secure Boot has definitely  made life more interesting here in Windows-World. I’ve just ordered an MSI MAG Tomahawk B550 board to replace the ASRock model. Hopefully, it will show itself more robust in the face of Secure Boot changes. We’ll see…

Facebooklinkedin
Facebooklinkedin
Uncategorized

Secure Boot Recovery Means New Media

1 Comment

Here at Chez Tittel, I’ve been on something of a Secure Boot tear lately. Late last week, it dawned on me that this might require a change in recovery media, too. I checked: it does. Indeed, MS spells out the notion that secure boot recovery means new media in a couple of MS Learn Documents:

Basically, this boils down to the following data points, all of which determine whether or not recovery media will work properly after enabling Secure Boot:

  • Recovery media must use MS-signed UEFI bootloaders
  • Bootloaders signed with a certificate trusted in db
  • Bootloaders signed with the old 2011 CA blocked in dbx
  • Updated WinRE images (incl. new recovery media) signed with the 2023 CA

What Secure Boot Recovery Means New Media Comes Down to…

Simply put: once a PC has secure boot enabled and reports the presence of CA 2023, it needs matching secure boot media for recovery and repair. Older media won’t work because it lacks the new CA 2023 certificate. Bootloaders will fail, and/or WinRE won’t run. This will provoke a “Secure Boot violation” error or “invalid certificate” message in the bootloader. Sounds bad, eh?

The fix is easy, as long as you’ve turned Secure Boot on, and have installed the CA 2023 certificate (Garlin’s scripts at ElevenForum do this job nicely). With all these pieces in place, your current runtime meets the afore-stated requirements. Then, you can use Windows built in “Create a recovery drive” feature to build new recovery media to match this new state. Done!

Here in Windows-World when things change the supporting infrastructure must change to follow suit. Today that means generating fresh, new recovery media to match Flo6’s “secure boot on, CA 2023 installed” state. Takes only a few minutes, but means that future recovery efforts are far more likely to succeed. Good-oh!

Facebooklinkedin
Facebooklinkedin
AI, Insider stuff, Recent Activity, WED Blog, Windows 11

Copilot Amazon Differ on TB5 NVMe Availability

Leave a comment

I’m prepping for an AskWoody  story about RAID 1 setups on Windows 11. It had me popping open my half-dozen or so NVMe enclosures yesterday to see what I had at my disposal. Among my inventory, I found two identical NVMes (ideal for a RAID 1 test). I also found a Crucial T705 1TB PCIe x5 drive, which isn’t suited for any of my enclosures. It really needs Thunderbolt 5 or USB4 v2.0 to exceed the 40 Gbps speed limit that TB4/USB4 imposes. Imagine my surprise when Copilot said no such enclosures were available, while Amazon showed me at least half-a-dozen products for sale right now. Hence my claim that Copilot, Amazon differ on TB5 NVMe availability.

If Copilot Amazon Differ on TB5 NVMe Availability, Try Evidence

I work with Copilot near daily, especially on understanding and fixing Windows problems, issues and misconfigurations. Warnings about AI hallucinations are always worth remembering with Copilot. Why? Because it has repeatedly shown itself to be wrong or — as in this case — misinformed.  I reproduce Copilot’s response to my correction in which I provide the simple Amazon search that showed me 6-plus TB5 capable NVMe enclosures for sale at US$190 and up.

One big problem I see with AI information is that it includes no shades of grey. If Copilot and other AI interfaces could include confidence levels or probability of correctness, that might help. But no: Copilot, Google AI, Grok and so forth put forward their information as gospel truth. There’s a huge gap between Copilot’s initial flat statement that no TB5 NVMe enclosures are available, and its later correction to “TB5 NVMe enclosures exist, but most are early‑generation products whose real‑world performance is currently limited by host support and certification status.” Big difference!

As Always, Proceed with AI Cautiously

I don’t use or act on AI provided info unless and until I can confirm it through at least one (preferably, two or more) reliable public sources. This little “No it’s not; Well, yes it is…kinda/sorta” encounter demonstrates pretty well why that’s so. Indeed, for testing purposes I plan to buy one of the very enclosures Copilot told me yesterday didn’t exist. Today, it’s a different story!

Isn’t that just the way things go here in Windows-World sometimes? But at least, I’m going to be able to see if TB5/PCIe x5 Gen5 technology lives up to its billing when the Acasis enclosure shows up. If things work as reported, I’ll have an external USB drive that’s as fast as the internal drive on my production desktop.

Facebooklinkedin
Facebooklinkedin
Uncategorized

Secure Boot Report Card Perfected

1 Comment

On February 4th, I recounted the Secure Boot status of my local fleet, along with machines possessing CA 2023 secure boot certificates. At that time, I had 3 of 11 PCs with no CA 2023 secure boot certs. One also couldn’t enter UEFI with Secure Boot enabled. My secure boot report card is now perfected. All 11 machines have secure boot enabled AND CA 2023 certs in their credentials stores.

How Did I Get Secure Boot Report Card Perfected?

Short answer: time, effort and (in one case) a hardware purchase. Now for a somewhat longer answer. Both holdout machines with SB enabled, but no CA 2023 present were two ThinkPads. First, the X380 Yoga, a 2018 vintage 7th-gen Intel-based laptop. Second was X12Hybrid, a 2020 vintage 10th-gen Intel based tablet.

The same fix worked for both machines. The inestimable long-time member at ElevenForum.com named @Garlin has a terrific thread. It’s entitled garlin’s PowerShell scripts for updating Secure Boot CA 2023. It includes a script named Check_UEFI-CA2023.ps1. If you run that script it not only tells you if the CA 2023 cert is present or absent. If CA 2023 is absent, it also provides two commands to put it in place. That worked for both of my ThinkPad holdouts.

Note: The lead-in graphic for this story shows the following:
1. Invocation and output from the Check script just mentioned.
2. Execution of the reg edit and scheduled task to add CA 2023.
3. Final check string to show CA 2023 is present in the SecureBoot UEFI db (database).

The Third Holdout Proves a Bit Trickier

The old NVIDIA GeForce RTX 1070Ti installed in the upstairs ASRock B550/AMD Ryzen 5 5800X desktop named “RyzenOfc” wouldn’t enter UEFI with Secure Boot enabled. Turns out the firmware on its older GPU just couldn’t coordinate with TPM changes. I bought a Gigabyte RTX 5060 because it was compact enough to fit the smallish RyzenOfc Antec A-201 case. That got me back into UEFI where I could install the default keys and get secure boot working properly.

After that, the same Garlin script cited above also got CA 2023 into the credentials store on RyzenOfc. It’s taken a good chunk of the last two weeks, and cost me a chunk of change — I also bought a new mouse and keyboard that skips USB enumeration issues and Fn key gotchas in getting to UEFI, plus the GPU — to finish this journey.

Just for grins I checked CA 2023 status on the ThinkPad P16 Gen 3 that showed up on Monday. It didn’t have the new certs, either, so I fixed it with commands from the Garlin check script, too. All good!

But at last, all my machines are Secure Boot enabled with the CA 2023 certificate installed in that environment. What a long, strange trip that turned into. I’m glad it’s over, and I learned a LOT along the way. I also heartily recommend the Garlin scripts to anybody facing uncertainty or issues in getting CA 2023 Secure Boot certs onto their PCs. Great stuff!

Facebooklinkedin
Facebooklinkedin
Hardware Reviews, Insider stuff, Recent Activity, WED Blog

P16 Gen3 Firmware Update Hangs

Leave a comment

Imagine my excitement when I got a brand-new Lenovo ThinkPad P16 Gen 3 Mobile Workstation delivered to the door yesterday.  It’s an absolute beast of a machine (more on that below), huge and powerful. As part of my usual intake routine, I apply all pending updates. Alas, one of them — the P16 Gen3 firmware update — hangs during its install. I have to take drastic measures to finish things up. Let me explain…

If P16 Gen3 Firmware Update Hangs, Then?

The system wouldn’t reboot after the UEFI itself got updated. It was stuck, unable to go forward or go back. So I exercised the nuclear option when it comes to laptops lost in limbo.  I unplugged the battery and waited for it to drain completely, as evidenced by the power button and ESC key lights that stayed on late into the night last night.

The update completed successfully after that: I’m now running N4FET47W (1.28) dated 1/23/2025. But it took some doing to get there. Lenovo Vantage downloaded the update but was unable to install it. I also tried Lenovo System Update, which is usually better at handling firmware stuff, but no dice there, either. Finally, I visited the Lenovo Support pages, plugged in the serial number, and got a standalone flash installer named n4fuj05w.exe.

Starting UEFI Update Is Good, Finishing Is Better

The installer does its initial thing inside Windows getting the UEFI, Intel Management Engine (ME), and other update elements unpacked and ready before it reboots the machine. Then the flash installer takes over. That’s what hung on me.

Initially, Copilot advised me to remove the back deck of the unit and unplug the battery to force a cold reboot quickly. But this laptop costs over US$9K and the back deck didn’t want to come off. I had to use more force than I was comfortable exercising just to get the back edge to lift a little. Copilot yammered on I should keep trying and that the unit is notorious for tight clips and challenging extraction.

Nope! I also knew that draining the power over time would achieve the same end, with no danger of scratching the finish. So I waited overnight instead.

Getting Going On Intake

Now that the updates are all in place, WU is happy, winget’s been satisfied, and the Store is caught up, I can pay attention to the machine itself. I’ve got all my apps and tools installed, and am ready to report on what I see about this monster of a laptop.

Here’s a quick summary of key components:
• It’s NOT a Copilot+ PC
• Intel Core Ultra9 275HX (8P-Cores, 16 E-Cores, 24 threads)
• 128 GB DDR5 UDIMM RAM
• Intel integrated graphics Arc Xe‑LPG Graphics (64 exe units)
• NVIDIA RTX Pro 5000 Blackwell Generation (ADA arch, 7,424 CUDA cores, 16GB GDDR6, 58 3G RT cores, 232 4G Tensor cores)
• 4TB SAMSUNG MZVLC4T0HBL1-00BLL (SSD)

Pretty serious complement of components, eh?`

Here are the ports provided on the unit, listed by side as left, back and right:
LEFT (from front, items listed back to front)
• 1xSD slot (full-sized)
• 1xThunderbolt 4 (USB-C) up to 40 Gbps, DP1.4, USB4 compatible
• 1xUSB-A 3.2 Gen 1 (5 Gbps)
REAR (left to right, looking at rear)
• RJ-45 2.5GbE
• HDMI 2.1
• 2xThunderbolt 5 (USB-C) up to 80 Gbps, DP2.1, USB4 compatible
RIGHT
• Kensington lock slot
• 1xUSB-A 3.2 Gen 1 (5 Gbps)

Most notably, this P16’s got Thunderbolt 5 and USB5 (aka 4.2) support! Now I’ll finally be able to test TB5/USB5 stuff.  The internal SSD — a PCIe x5 Samsung model — reports speeds over 11,000 for 1GB block transfers in CrystalDiskMark. A USB4 drive attached to the high-speed USB-C port clocks in over 6,000. It’s the fastest USB I/O I’ve ever seen. Cool!

From the Belly of this Beast

Weighing in right at 6.5 lbs (2.95 kg) this is a massive monster of a laptop. But if you need lots of horsepower, capability and connectivity this could be your mobile workstation, too. Lenovo tells me its MSRP is ~US$9,200. You’ll need some serious financial backing to make this baby yours, too. So far, I like it a lot!!!

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11, Windows Update

CU Aftermath: One TPM Update Elicits WTF?

1 Comment

Microsoft’s February 2026 cumulative update, KB5077181, brought most Windows 11 25H2 systems up to build 26200.7840. At least, that’s what I was expecting. But as I rolled out the update across a mix of systems here at Chez Tittel, I noticed something odd. My Lenovo ThinkPads and an ASUS Zenbook A14 quietly updated and rebooted into 26200.7840. The DIY desktop (built on an ASRock motherboard with a Ryzen 5800X) threw a TPM warning and required multiple reboots after a forced cold startup. You guessed it: that one TPM elicits WTF as I must respond to “Update Y/N” for things to proceed.

One TPM Update Elicits WTF, Others Don’t

Let’s unpack what happened. First, the update itself. KB5077181 is a standard cumulative update, but it also includes boot-chain changes that affect Secure Boot and TPM values. On systems with stable firmware and well-behaved TPM implementations, these changes get absorbed quietly. That’s what happened on my Lenovo and ASUS laptops. They rebooted twice and landed on build 26200.7840 without a peep. Copilot tells me that the first reboot is for a servicing stack update, the second for the aforementioned CU.

The ASRock-based Ryzen system, aka “Flo6,” had a different reaction. Upon reboot it froze on a black screen. After I cycled power and forced a cold boot, it presented a UEFI-level prompt. That prompt  warned about changes to the TPM and Secure Boot configuration, and asked me to enter “Y” to confirm, or “N” to deny. This signals that the Platform Configuration Register 7 (PCR 7) that tracks Secure Boot components has detected a change. The system requires manual confirmation to proceed and reseal the TPM, followed with an additional reboot. But man, is that a cryptic message or what? (It appears as the lead-in graphic above.)

Why this discrepancy? It comes down to platform differences. OEM systems like Lenovo and ASUS laptops benefit from tightly integrated firmware, drivers, and update pipelines. Their UEFI implementations are mature. Also, their TPM and Secure Boot configurations get validated against Microsoft’s updates. Thus, they handle PCR changes gracefully and typically reseal the TPM silently with no user intervention.

The ASRock Difference

ASRock, on the other hand, does things differently. Though their firmware is functional and generally reliable, but it’s not as polished or tightly integrated as enterprise-grade or premium OEM systems. ASRock tends to use more standard, out-of-the-box AMI firmware. It offers only minimal validation for Secure Boot and TPM changes. Combine that with AMD’s fTP (known to be more sensitive to boot-chain changes than Intel’s PTT), and you get a prompt for TPM confirmation after updates like KB5077181.

You Get What You Pay For

That’s not to say ASRock is bad. For enthusiasts and DIY builders, their boards offer decent value and performance. But when it comes to firmware maturity and seamless integration with Windows security features, they’re noticeably behind the big OEMs.

The takeaway? Platform matters. As Windows continues to evolve its security posture, particularly around Secure Boot, TPM, and boot checks, users should expect some variation in how different systems respond to updates. OEM systems generally offer a smoother ride. DIY builds like my ASRock-based Flo6, appear to need more attention and manual intervention.

For those who live in the trenches of Windows-World, it’s just another reminder of how things sometimes work, or not. The best antidote is to know your hardware, expect the unexpected, and keep recovery media handy, just in case something goes awry. I’m glad I didn’t need recovery for this update. Indeed, I started wondering when I had to cycle power for a cold start, and an extra reboot to get to the desktop.

Facebooklinkedin
Facebooklinkedin
Hardware Reviews, Insider stuff, Recent Activity, Troubleshooting, WED Blog

Zotac 4070 Shows Up Munged

Leave a comment

Got an email last night from the USPS, informing me that the Zotac 4070 card I ordered would be delivered by 6:30 PM. This morning I walked to the mailbox to retrieve that item. As you can see in the edge-on photo, the 800-lb gorilla had his way with the card during shipment. The front plate is badly bent. Worse, the right-hand fan (from the top) doesn’t spin freely, as it properly should. I’m asking for a refund, as the Zotac 4070 shows up munged.

If Zotac 4070 Shows Up Munged, Now What?

I’m ordering a replacement card. Given the issues finding a performance GPU that’s also compact, I’m “trading down” to get a 5060 model for my next try. I just ordered a Gigabyte RTX 5060 Mini from Amazon, for delivery tomorrow. In the meantime, I’m fighting with the vendor platform — Mercari, in this case — for a refund. Somehow, the sale shows as completed even though I hadn’t even had the card in my hands for 18 hours when that status made itself known. I’m hoping I’ll get the purchase price back, but I have a bad feeling…

As I opened the package, in fact, I saw the front plate had been savaged in transit. “That can’t be good,” I thought. It wasn’t. Gosh only knows what hit this unit, but it literally looks stepped on. I can only hope I’ll get a refund: we’ll see about that.

Tomorrow Is Another Day

Amazon will put the next candidate in my hands tomorrow morning. I’ve never had trouble with their delivery resulting in damage of any kind, let alone the mauling that the Zotac card took en route. Fingers crossed that I can get it installed, and Secure Boot working, on the upstairs B550/5800X PC. These things happen here in Windows-World. Several lessons learned from this encounter, none of them good. Sigh, and sigh again…

 

Facebooklinkedin
Facebooklinkedin
Device drivers, Insider stuff, Recent Activity, WED Blog, Windows 11

So Long Samsung ML-2850

Leave a comment

Over the weekend, I saw a story at Tom’s Hardware that reported MS is phasing out V3 and V4 printer drivers.  “Hmmm,” I thought, “I bet this means my 2009 vintage monochrome laser printer is included.” Copilot confirmed that it’s time to say so long, Samsung ML-2850. It runs V3 printer drivers and MS is halting support for same, like now.

Succession Plans After So Long, Samsung ML-2850

The printer still works fine. And it still works — for the time being, at least — with Windows 11. But it’s just a matter of time before it won’t work any more. That might hit as early as whenever 26H2 hits public release. Or it might last as long as 27H2. But its days are now officially numbered.

Here’s my plan: I’m going to use up the laser cartridge(s) I have at my disposal. When the ML-2850 runs out of toner, it’s toast. At that point, I’ll drop it off at Goodwill, where I routinely recycle my used electronika.

How long does that give this device to remain in use here at Chez Tittel? I might print 100 pages of output a month on this printer, max — probably less. So it could be 6 months or more  before I pull the plug and pack it off to Goodwill. Let’s see what happens, shall we?

But Wait, There’s More…

My Dell 2155cn is also facing obsolescence, but it qualifies as a V4 driver, not V3. So I’ve probably got another year or two before it, too, goes off to Goodwill for lack of driver support. What will I buy next? I’m thinking something like the HP M455dn, which is a low-end business class networked color laser printer that retails for US$550-800 depending on bells and whistles. Or whatever its equivalent may be when I exhaust my final set of CMYK cartridges for that printer (I’ve got a set of spares, and CMY all ahow 100% in the Dell Printer Hub’s toner status display, with B at 80%).

I’ve got at least 2 years left on that printer, it seems. Then, I’ll buy another. Interesting note: it will probably be the last printer I ever purchase, seeing as how the Samsung has lasted 17 years, and the Dell more than 13. It seems that obsolescence comes calling long before the hardware itself runs out. That was also the case for my Apple LaserWriter 1, purchased in 1985 and still running like a champ when I gave it away in 2005. For all I know, it’s still running today — that thing was built like a battleship.

MS Changes Its Tune (Added 2/25/26)

The news is out all over the place that MS is NOT dropping support for older V3, V4 printers and their drivers. Looks like they’re just limiting what OEMs can do to update or improve such drivers. The roadmap page that had promised deprecation is changed. At Windows Central, Zac Bowden quotes MS as follows:

“Windows has not ended support for legacy printer drivers. If your printer works with Windows today, it will continue to work, and no action is required,”

I guess that means this was a false alarm, of sorts. I’m still planning to retire the Samsung and Dell printers, and replace them. But the urgency is definitely dialed down. Change is the unvarying attribute of life here Windows-World. In this case, change is good!

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

Sysmon Lands in Windows 11 Beta

2 Comments

Lots of Windows nerds have spent years bolting Sysinternals’ Sysmon into every PC we work on. For them — and me — the latest Windows 11 Beta build (26220.7752) brings a welcome surprise: Sysmon is now a built-in optional feature. That’s right — no more downloading, unzipping, or scripting installs from Sysinternals. No need to run its handy web-based version, either. Microsoft has quietly slipped this powerful tool into the OS itself, and it’s ready to roll with some simple PowerShell commands.

What Sysmon Lands in Windows 11 Beta Means

Sysmon (System Monitor) has long been a staple in toolkits for security pros, blue teamers, and forensic analysts. It provides deep visibility into system activity — process creation, network connections, file writes, registry changes, and more. Until now, deploying Sysmon meant managing binaries and XML configuration files. With its inclusion as a Windows Optional Feature, Sysmon becomes easier to deploy, update, and manage across PC fleets.

PowerShell: Enable and Install Sysmon

To enable the built-in Sysmon feature from Windows itself, and then start monitoring stuff, run these two commands:

Enable-WindowsOptionalFeature -Online -FeatureName Sysmon
sysmon -i

In case it’s not obvious, the first command enables the Sysmon feature; the second installs it, ready for use.

Quick Peek: View Sysmon Events

Here’s a PowerShell one-liner that shows the 25 most recent Sysmon events.  Gives a taste of how it works and what it shows:

Get-WinEvent -LogName “Microsoft-Windows-Sysmon/Operational” -MaxEvents 25 | Format-Table -AutoSize

Unless your PC is acting up or ill, sysmon mostly shows process creation and termination (like here).

What Sysmon Illuminates

Sysmon shines brightest when you need to understand what’s really happening under the hood in Windows. It logs detailed info about process creation, including parent-child relationships, command-line arguments, and DLLs loaded. Sysmon captures network connections with source and destination IPs, ports, and process IDs. It can even detect code injections, image loads, and registry modifications. With a well-tuned configuration, Sysmon becomes a forensic goldmine. It’s like a time machine for system activity. Properly used, it can help you trace malware behavior, insider threats, and suspicious persistence mechanisms.

Adding Sysmon Into the Mix Is Good!

The integration of Sysmon into Windows 11 Beta is a quiet but powerful shift. It signals Microsoft’s growing commitment to built-in security observability and makes it easier than ever to deploy advanced monitoring at scale. For IT pros and security teams, this is a win. If you’re running a Beta build, it’s time to fire up PowerShell, flip the switch, and start watching your system like never before.

Showcasing Sysmon in Action

Sysmon’s long history in the Windows ecosystem is best illustrated through several well‑known case studies that show how deeply it illuminates system behavior. Both cases listed below not only show Sysmon’s diagnostic power but also its ability to reveal subtle, causal relationships that define complex system activity.

  • Mark Russinovich – Case of My Mom’s Chronically Infected PC: A classic Sysinternals investigation where Sysmon and related tools helped uncover persistent malware reinfection patterns. [URL is 404, look for episode 108 through the WayBack Machine {checked}]
  • License to Kill: Malware Hunting with the Sysinternals Tools (2021): In this case study, Mark Russinovich demonstrates how Sysmon’s detailed process‑creation and network‑connection telemetry exposes true behavior of a persistently compromised system that traditional antivirus repeatedly missed. By correlating Sysmon events with suspicious activity patterns, he shows how threat hunters can reconstruct attacker techniques, identify persistence mechanisms, and ultimately eradicate deeply embedded malware.

Together, these cases demonstrate Sysmon’s unique strengths: high‑fidelity process creation logging, deep visibility into network connections, precise registry and file‑system monitoring, and the ability to reconstruct causal chains that ordinary Windows logs simply cannot express. Whether used for diagnostics, security investigations, or system forensics, Sysmon remains one of the most powerful visibility tools available on Windows.

And that, dear readers, is why Sysmon is already well-regarded in Windows-World. That’s ultimately what makes it a amazing addition to the collection of built-in Windows features.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, USB devices, WED Blog, Windows 11

Sprucing Up My Desktop Peripherals

Leave a comment

If you look back at my recent bloggage, you’ll see that I spent far too much time recently jumping into and rooting around in UEFI. Specifically, I found myself exposed to the oddities of the Asrock UEFI, which turns out to be finicky in many unexpected ways. Among many other bits of techno-trivia, I learned that my keyboard can’t send function key events to UEFI. I also learned that my logitech mouse sometimes is detected as (!) SATA storage during device enumeration at bootup. So, I’m sprucing up my desktop peripherals to steer clear of those issues. Let me explain…

Why I’m Sprucing Up My Desktop Peripherals

Function keys are helpful and even necessary during inital PC start for access to UEFI. They also drive many functions inside UEFI (e.g. F10 to “save & exit”). When the UEFI can’t read them, it’s anywhere from mildly annoying to maddening. My trusty old MS Comfort Curve 4000 (CC) is what’s known as a “composite USB HID device.” Alas, during POST and UEFI handoff, some PC firmware (including Asrock’s) handles only basic HID devices, not composite ones. To make that stuff work, in other words, I have to use a keyboard different from the CC. Sigh #1.

The older Logitech Unifying transceivers that work with mice and keyboards of that era also show another Asrock firmware quirk. They may sometimes (but not always) be recognized as SATA storage devices during first-time device enumeration. This threw me into an endless cycle of A6 POST errors on the B550 when I was trying to get the upstairs machine working last week. Here again, switching to a wired mouse fixed that issue. Sigh #2.

New Secure Boot, New Accoutrement

My fundamental problem is that I’m recycling old gear on a newer system. So it’s time to buy something new to bring it more in synch with the demands of modern UEFI, Secure Boot certificates, TPM 2.0 and suchlike. After walking thru my options with Copilot I’ve chosen a couple of Logitech items (I’m a long-time fan, and reviewed  lot of their peripherals in the 2000s for Tom’s Hardware):

  • Logitech Wavekeys keyboard (PN: YR0096) mostly matches the CC layout and feel, and is a basic HID device. Thus, its Fn keys should work properly in POST and UEFI.
  • In the same box, a Logi Bolt transceiver (xcvr PN: CU0021) which is supposedly superior to the old unifying xcvr, nor subject to mis-detection as a SATA device.
  • Logitech Signature M650 mouse (PN: MR0091) mostly matches the MS Mobile Mouse 4000 downstairs and the Logi mouse upstairs. Also works with Logi Bolt xcvr so I need only one transceiver for both devices.

I used the Bolt xcvr from the keyboard, so it came up instantly. I had to download and install the Logi Options+ app to get it to recognize the mouse through that same xcvr (it shipped with one of its own). But that was fast and easy, and the wireless link is quick and accurate. Alas, I got down on wireless keyboards back in the 2000s when I had a bad experience with transmission lag. If you type reasonably quickly (I’m at least 40 wpm or better) that’s not acceptable. So far, so good, with these Logitech devices.

Change is a watchword here in Windows-World. Like it or not (and I’m still figuring that out) my peripherals are changing. So are lots of others things. Adapt and thrive is the plan…

Facebooklinkedin
Facebooklinkedin

Author, Editor, Expert Witness