Category Archives: Security

Windows 11 Smart App Control

I’m always learning something new or surprising about Windows. In this case, I’m talking about Windows 11 since 22H2 came along in September 2022. That’s nearly 3 years ago, so to discover something mostly missing in new-ish (and brand-new) eval PCs from OEMs such as Lenovo, dynabook, and Panasonic is my surprise of the day. I’m talking about a feature in Windows Security — namely Windows 11 Smart App Control — about which I’ve been mostly oblivious until today.

This morning, I re-read a piece from Paul Thurrot from last Thursday (June 26) entitled  You Use Windows. Be Resilient (it’s Premium content, so you’ll need to sign up for a membership to read this: sorry). Under the heading of app protection, it off-handedly mentioned Smart App Control as follows:

Windows 11 has a feature called Smart App Control that’s in a weird state of flux and may or may not be configurable on your PC. Open Windows Security and navigate to App & browser control > Smart App Control, and see whether you can enable it. If you can, do so.

“Hmmm” I thought to myself, I don’t recognize this. “I’ll go look.” On the vast majority of new machines (all issued in 2023 or later) I found that — as you can see in the lead-in graphic– Smart App Control was turned off. And right below that status: a can of interesting worms. Gotcha!

A Gotcha in Windows 11 Smart App Control

That can of worms is, of course, the explanation beneath the “Off” toggle that reads “If Smart App Control is off it can’t be turned on without reinstalling Windows.” Really?!?!

That’s right. Apparently, enough people have noticed this distressing detail that MS has put together a FAQ around this very topic. It’s the one that’s accessible from the link at the bottom of the lead graphic that says Learn more about why Smart App Control is off.

TLDR: Smart App Control hooks into the OS at a deep enough level that if it’s not there when the OS gets laid down, a new, clean install is necessary to put it there from inception to make sure it works like it should. In other words, if your install of Windows 11 predates 22H2 — as so many of mine do — or the OEM doesn’t enable this feature as part of their initial Windows 11 image install — you can’t have it without an OS do-over.

What’s in My Field of (New/ish) View?

With this item in mind I examined all of my newest PCs, only to find that just one of them supports Smart App Control (SAC), albeit in “Eval mode.” Here’s what that looks like:

Of all my relatively new PCs only the dynabook X40M2 supports SAC (in evaluation mode).

Here’s a list of those PCs, for the record:

  • The preceding graphic shows I’ve got it in “Evaluation” mode on the dynabook X40M2 laptop I received earlier this month.
  • It’s turned off on the Lenovo ThinkPad T14s (original Windows 11 install date November 2024)
  • It’s turned off on the Lenovo ThinkStation P3 Ultra (original Windows 11 install date November 2023)

I just got an eval from Lenovo for its new Copilot+ capable AIO (Model Lenovo Yoga AIO 9i last Friday. I haven’t unboxed it yet, so I can’ t yet say if it has it turned off or not. I’ll report back later.

Small Sample Size Warning & Wondering

The sample size is ludicrously small (3 machines so far, with a fourth on the way later this week). But it’s now a bit clearer to me why I haven’t run into Smart App Control before. It’s just not that widely dispersed in the field yet. And I bet a lot of other long-time Windows Pros like me don’t know they can’t have it on older PCs unless they bring it in via a clean Windows 11 install.

Very interesting! Let’s just hope the dynabook survives Evaluation mode with Smart App Control intact, so I can learn more about how it works, and what it really does. And isn’t that just the way things often work, here in Windows-World? You betcha!

Facebooklinkedin
Facebooklinkedin

E-mail Link Cynicism Is Well-Considered

I’ll admit it: I’m a cynic when it comes to emails that ask me to follow a link to verify something. If somebody asks for verification unsolicited, I believe by default that request is malign. So when an email showed up asking me to verify my account to keep my email server going, my first instinct was “Heck NO!” And, as the NordVPN link-checker immediately confirmed , my instincts are good. It pops up instantly as a phishing site. Skepticism is spot on, and e-mail link cynicism is well-considered — at least IMO.

Check to See if E-mail Link Cynicism Is Well-Considered

If in doubt, check the link at a third-party site. NEVER click a link from an unknown sender. If you’re incurably curious, do it from a sandbox or VM you can blow away if something bad happens. The important thing is to think about what’s in your inbox, how it got there, and how it might bite you.

Here’s what the NordVPN site says. It’s great advice so I’ll repeat it verbatim:

Got a suspicious email or text? Check the link before clicking — it will significantly reduce the chances of you falling for a phishing attack.

When in doubt, check. If you can’t check, don’t click: wait until you can (or delete the email). If it’s really important and legit, the sender will resend and you’ll get another opportunity to recheck what’s going on.

Reverse Lookup Mojo

Indeed, if you are concerned about a reported issue or account problem, it’s much safer for YOU to visit a known, good, working vendor site to check on status. Amazon is a good example: I can’t tell you how many bogus SMS text messages I’ve gotten on my cell that ask for Amazon account details to confirm things, because I delete them as soon as they appear. As a matter of policy Amazon does not request sensitive info (passwords, credit card data, etc.) via SMS, though they do report  order and delivery status that way.

Be smart when you respond to emails. If there’s any doubt, open your own link to a trusted vendor and check things from your end. If you don’t recognize a sender asking for sensitive info, don’t respond. This is a case where doing nothing is exactly what’s right — and safest.

Facebooklinkedin
Facebooklinkedin

Leave Post KB5055523 Inetpub Folder Alone

I’d seen reporting on this yesterday, along with blithe assumptions about related cleanup (deletion). Today, MS has published a CVE-2025-21204 security note that explains what’s going on, and specifically advises users to leave post KB5055523 Inetpub folder alone — and intact.

Here’s a direct quote from the afore-linked source:

After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.

Note: KB5055523 is a security update for Build 26100.3775 (production level Windows 11 24H2) released as part of the Patch Tuesday collection on April 8, 2025.

Why Leave Post KB5055523 Inetpub Folder Alone?

It’s part of the infrastructure upon which MS relies to fend off the named vulnerability. In other words, if the folder is present, MS can use it to protect against potential attacks. MS is sometimes fond of leaving folders behind in the wake of various installs (especially feature upgrades). Anything not needed is usually fair game for Disk Cleanup or the Windows Store PC Manager app.

That said, some OCD-friendly Windows users (you know who you are) relentlessly clean up things just because they must. This is apparently a case that flies against that impetus. MS, in this particular case, says “Leave it alone.” I guess I shall, and you probably should, too.

Though the Inetpub folder is empty after the update runs (see next screencap) it is meant to be and stay there. You’ve been warned! Indeed, as you can see, it’s properties are also set to “Read-only.”

The ‘Read-only’ status signals weakly that this item should stay put.

Final Warning: Don’t!

I’ve seen various online sources assert that it’s OK to delete this folder because it caused no observable ill effects on their test PCs. If what MS says about Inetpub’s presence or absence on a PC is true, you don’t want to sight what could happen if it were to be deleted. Let this particular sleeping critter keep snoozing, please.

Facebooklinkedin
Facebooklinkedin

PowerShell-Based Defender Commands

The other day, my Canary Channel X380 Yoga hung up on Windows Update. In other words, after  some kind of WU download difficulty, it wouldn’t download from those servers. There are lots of ways to unstick WU, but one of the easiest is to get Windows Defender to update. Personally, I prefer to use a single PowerShell command with no arguments or parameters, rather than navigating into Windows Security to see if that might help. Indeed, there is a plethora of Defender controls in PowerShell. The one I used is just a single instance in a collection of over a dozen items.

Finding PowerShell-Based Defender Commands

You can see the command I used to ask PowerShell to update Defender in the lead-in graphic. It’s named Update-MpSignature, and it takes no mandatory arguments or parameters. What you’re looking at there, in fact, is the general PowerShell Module Browser at MS Learn. It’s dialed into Defender commands, shown in the breadcrumbs up top: Learn/Windows/PowerShell/Defender. As you will soon find out, there is a baker’s dozen of such things there under this heading.

Other Defender Commands get their own listings, but also appear in a handy-dandy table (simplified contents reproduced verbatim below). Indeed, each one also has its individual command reference, for which you find links in said table.

As you can see there are lots of interesting and sometimes useful ways to interact with Defender in PowerShell. They’re worth exploring and getting to know. I used a simple one to unstick WU this week, but there are lots of other tools here, ready to help you manipulate Defender in Windows Terminal or via automation scripts. Have at it!

Facebooklinkedin
Facebooklinkedin

Avoid Mystery Pop-up Windows

It’s now a truism that one should NEVER click links in email from unknown or untrusted sources. This morning, I was reminded the same is true inside a browser. There, one should avoid mystery pop-up windows with equal attention and suspicion. Indeed, this happened as I visited one of my daily Windows-related news and info sites, much to my alarm and dismay.

Why Avoid Mystery Pop-Up Windows?

Any time you’re presented with a link you don’t recognize, didn’t ask for — and probably also, don’t want —  leave it alone. In my case, I clicked CTRL-Shift-ESC to launch Task Manager. Then, I killed all related browser processes. After that, I restarted Firefox anew. It’s never smart to take any such bait, nor to let it linger on your desktop.

Indeed, Task Manager might have refused to kill one or more Firefox processes. Then,  my next step would be: restart my PC, then run an immediate virus scan. As it was, an immediate follow-up scan showed Defender still on the job. It revealed neither lurking threats nor suspicious files. Good-oh!

You’ve Been Pwned!

Right here at edtittel.com, I fought off a series of WordPress-induced injection attacks last year. I ended up having to buy into a security service that prevented hijackers from altering URLs published into social media sites (e.g. X, Facebook and LinkedIn). These redirected would-be blog post visitors to certain potentially unsavory stop-offs en route to my daily posts. It now costs me $300 a year to protect website visitors from such stuff and nonsense.

I say this to explain that such things can happen to almost any website, at any time, as unpatched vulnerabilities get exploited. Knowing that this is always a possibility, savvy users recognize that mystery pop-ups hide much more malice and potential for harm than sources for wonder and beauty. Avoid them at all costs, is received security wisdom — and my best advice as well. That goes double if they come bearing offers that seem too good to be true…

Facebooklinkedin
Facebooklinkedin

Windows Resiliency Initiative Includes Quick Machine Recovery

It’s that time of year again, when MS meetings and conferences — Ignite 2024, in this case — heat things up with future promises and new idea campaigns. Yesterday’s Windows Experience Blog from David Weston (MS VP Enterprise & OS Security) is a case in point. Entitled Windows security and resiliency: Protecting your business, it asserts that a new Windows Resiliency Initiative includes Quick Machine Recovery as a key capability. Very interesting!

Explaining Windows Resiliency Initiative Includes Quick Machine Recovery

This new initiative “takes four areas of focus” as its goal — namely (all bullet points quoted verbatim from the afore-linked blog post, except for my [bracketed] commentary):

  • Strengthen reliability based on learnings from the incident we saw in July. [Crowdstrike kernel mode error took down 8.5M Windows PCs.]
  • Enabling more apps and users to run without admin privileges.
  • Stronger controls for what apps and drivers are allowed to run.
  • Improved identity protection to prevent phishing attacks.

The first and arguably most impactful preceding item is what led MS to its announcement of Quick Machine Recovery. Here’s how Weston explains it:

This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC. This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past. Quick Machine Recovery will be available to the Windows Insider Program community in early 2025.

In other words, this new feature should enable what savvy administrators had to do using OOB access to affected machine via KVMs smart enough to bootstrap machines otherwise unable to boot.

Great Addition: How’s the Execution?

IMO this is something MS should’ve built into Windows long ago. I’m curious to see how (and how well) it works. I’m also curious to see if it will be available for Windows 10 as well as 11. Only time will tell, but I’ll be all over this when it hits Insider Builds early next year. Good stuff — I hope!!

Facebooklinkedin
Facebooklinkedin

CVE-2024-6768 Exposes Scary Windows Vulnerability

In reading through my usual Windows news and info sources this morning I came across a scary notification at MS Power User. The named item is from the national vulnerability database. CVE-2024-6738 — which makes it item 6,738 for 2024 — comes with scary implications. It’s been reported in some form since last February. It attacks by altering meta-data for Windows base log files (BLFs) and can cause doom loops like those recently experienced from a Crowdstrike update last month. Thus, CVE-2024-6768 exposes scary Windows vulnerability that is hard to fend off and tricky to repair.

BLF Alteration in CVE-2024-6768 Exposes Scary Windows Vulnerability

A base log file (BLF) sits at the heart of the Windows Common Log File System (aka CLFS). As MS Learn’s “Creating a Log File” article begins, it says:

Before you can use CLFS, you must create a log file using the CreateLogFile function. A log file is made up of a base log file that contains metadata, and a number of containers that hold the actual data. On any local file system, containers can be in one or more separate files; on NTFS, containers can be in one or more streams within a file.

The BLF contains key information that describes the associated containers for log data. If the BLF is wrong, the log won’t make sense and cannot be read. This doesn’t sound like a big deal, but it is. Let me explain further…

Several Interesting Copilot Responses…

When asked to describe BLF files, Copilot notes how they’re used:

Usage: These files are crucial for maintaining system stability and integrity. They help manage user-level registry information and other system-level data. For example, the Windows component that writes user-level registry information to the NTUSER.DAT file uses CLFS logging, which involves BLF files1.

Indeed it seems that CVE-2024-6768 wreaks havoc by breaking the base log handler with a bogus “size of data field” value. This kind of error triggers a BugCheck error, and in turn provokes a BSOD.

Further investigation shows that any time a registry change occurs BLF files get updated. They are also essential to system boot-up, application installation and update, as well as system update. To get more details ask Copilot: “When do Windows base log files get written, and when do they get read?” You’ll see what I mean right away.

What Does the Future Hold?

The Fortra release note for this vulnerability shows its history, while a companion research note shows more details. So far, MS has yet to respond. Other than research work, I see no evidence of successful exploits in the wild. That said, this kind of attack is nearly impossible to fix without knowing the exact details of the registry values changed to mung some (or more) specific .BLF file(s).

IMO, this means the only real protection is a recent image backup that will replace the altered Windows image with a known, good working copy. Stuff like this is why I keep such things handy, and make one at least daily. This could get interesting…stay tuned!

Facebooklinkedin
Facebooklinkedin

Getting Past Crowdstruck Requires Access

Last Friday (July 19), cybersecurity firm Crowdstrike pushed an update to its threat sensors. Ultimately, that ended up with over 8 million Windows PC unable to boot, stuck on a BSOD for invalid references in a kernel-mode driver. Behind the scenes, all kinds of companies from hospitals, to government agencies, to airlines, and more, found themselves unable to use updates machines after a post-update reboot. What really caused the heartburn? Getting past Crowdstruck requires access to affected machines on a one-at-a-time basis.

If you look at the BSOD screencap at the head of this blog post, you’ll see a driver named csagent.sys. This is the CrowdStrike Agent driver which runs at kernel mode by design. That ensures it can’t be easily accessed or tampered with by hackers. But when something runs as a kernel mode driver it must be rigorously and thoroughly tested and vetted, or it can crash any PC on which it runs. Errors, in short, cannot be tolerated. Oops!

Why Getting Past Crowdstruck Requires Access

Part of the Crowdstrike software run as a Windows kernel-mode driver. That means it has the same level of access as privileged parts of the OS itself. If any of this code throws an error — as Crowdstrike has publicly admitted its update did — Windows crashes itself. That’s by design,  out of an abundance of caution to avoid loss of data or other damage to affected systems.

Here’s where things get interesting. Windows can’t boot and run until the offending driver is removed. In turn, the affected PCs must boot into safe mode or a recovery image. Either can operate on the damaged Windows image, remove the bad driver, and stand Windows back up again. This is easy when admins or IT pros have physical access to affected PCs. Indeed, Copilot recommends using the “three strikes” method to get into Windows recovery. (Three consecutive boot failures autoomatically triggers Windows alternate boot.) Then, using WinRE (or Windows itself in safe mode, from the Advanced Boot Options), repairs can go forward.

The problem is that many, if not virtually all, of the affected machines stayed down, stuck in a “boot loop.” They remained that way because their operators DIDN’T have physical access to those PCs. I’ll bet that most of them had to be teleoperated through a KVM device that can work around PC  problems that extend all the way down to the hardware level (outside the scope of normal remote access and RDP). This kind of thing doesn’t scale well, either, so it takes time to work through hundreds to thousands of remote PCs (think of the PC behind the counter at AA or Delta, where the gate or ticket agent is completely clueless about boot-level Windows repairs).

An “Interesting” Problem, Indeed!

Far too many cybersecurity and IT pros found themselves in the grip of the old Chinese curse (“May you live in interesting times”) after the *291* driver for Crowdstrike  tried to run on Friday. Organizations that prepare and drill for these kinds of outages were doubtless at an advantage in already knowing how to broker and run boot repairs remotely. I can only imagine the hair-pulling that went on at other outfits less well-equipped to handle this outage.

Here’s a moral to ponder for those who run remote Windows PCs where physical access is impossible, difficult or impractical: Can your remote management infrastructure and automation work with a Windows PC that’s not booting, and won’t boot until it’s restarted in some special way? If your answer is “yes,” you’re probably over the Crowdstruck hump already. If your answer is “no,” you’ll probably make that a top priority as soon as you can kick-start and repair all remaining affected Windows nodes. In the meantime, my deepest sympathies…

Facebooklinkedin
Facebooklinkedin

Defender Threat-Flags MTPW

MTPW is the intialism for MiniTool Partition Wizard, a long-time mainstay in my stable of free and capable Windows tools. I’m not sure exactly why MS/Defender decided it’s a “potentially unwanted app.” That said you can see the message from Microsoft Defender Beta as the lead-in graphic, which also labels it as a threat, albeit an abandoned one. To repeat: I don’t know why Defender threat-flags MTPW download, but there it most assuredly is.

Digging into Defender Threat-Flags MTPW

Turns out that pw12-free.exe is an old, outdated name for MiniTool Partition Wizard (note the 2020 date, if you’re not convinced). The current version is named pw-free-online.exe. It throws no Defender Beta alerts, nor does VirusTotal find it at all objectionable. I guess that makes this one of those WTF moments that Windows can occasionally throw this way.

Given a security alert, I’d much rather have it turn out to be a false positive as is apparently the case here. Indeed, Everything can’t even find a copy of the offending file on my test PC (a 2018-vintage Lenovo Yoga 380X). Another bullet dodged, apparently, or less-than-vicious threat averted. I can’t make up my mind: you decide.

The Good Thing About False Positives…

Is, of course, that you can cheerfully ignore them. Indeed, because the offending file can’t even be found, it’s no longer a concern — if ever it was one. I checked the current download (pw-free-online.exe) just to make doubly-darned sure. But there’s no threat there that I can see. Good enough for me!

Facebooklinkedin
Facebooklinkedin

WordPress Link Access API Hack

Whoa! I just got messages from a colleague on LinkedIn, and have confirmed for both that social media platform and Facebook, that something wicked this way comes. That is, it seems there’s a WordPress link access API hack that enables malicious redirection whenever a link compaction program calls my site for link info. You can see what this looks like in the lead-in graphic. To mangle Talking Heads my reaction is “That’s not my beautiful site! Those aren’t my URLs.” Ai-yi-yi!

Fixing WordPress Link Access API Hack

Scan, remove bad references. remove any suspect WordPress elements. Put a security scan service in place to prevent recurrences. That’s what my Web guy is working on right now. For whatever odd and obviously invalid reason, I thought my WP service already covered all these bases. Now that I know that’s untrue, it will get fixed as soon as that work gets done.

Wow! What an astonishing PITA for something so modest and focused. It seems that several configuration files got modified through a vulnerable plug-in and included references to malicious URLs as of 5/21. We’re changing all the passwords, fixing what’s wrong, and cleaning up the mess. I’m hopeful things will be back to normal by tomorrow.

Going forward, we’ve added explicit ongoing security scans, and regular reviews of software selections, patch levels, and protective software to the mix. Hopefully, this won’t happen again. But if you see something odd any time you access one of my posts or Web pages, do like MS MVP Simon Allison did, and let me know right away that something seems funny or broken. Every little bit of insight and info helps!

Note Added 6/5 2:40 PM

The URL/API portion of the site has been replaced, and no more malicious or suspect URLs get generated. The issue is apparently fixed, but we’re still scanning all files in the entire site to make sure no other unwanted content/malicious payloads are lurking anywhere. All’s well that ends well, but the road goes on forever and the party never ends…

 

Facebooklinkedin
Facebooklinkedin