This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- AMSI: The Pre-Execution Window Where Defender Catches a Base64 Payload It Has Never Seen Before
  How the Antimalware Scan Interface scans script content after deobfuscation but before execution, the seven runtimes it plugs into, and the nearly seven-year bypass arms race that followed.
- AppContainer and LowBox Tokens: Windows's Capability Sandbox
  How a single bit in Windows's access token, two new SID alphabets, and a per-package namespace partition let the kernel give two co-tenanted apps opposite verdicts.
- Authenticode and Catalog Files: The Crypto Foundation Under WDAC
  Every Windows trust decision -- UAC, SmartScreen, WDAC, kernel-driver loading -- bottoms out on the same PKCS#7 SignedData envelope shipped in IE 3 in August 1996. Here is the byte-level reason.
- Control Flow Integrity on Windows: CFG, XFG, and the CET Shadow Stack
  Three generations of control-flow integrity on Windows -- the CFG bitmap (2014), the XFG prototype-hash (never fully shipped), and the Intel CET shadow stack (2020). Why each shipped, what each closes, and what the ~70% memory-safety statistic still leaves open.
- Direct Anonymous Attestation: The Zero-Knowledge Proof Already in Every TPM
  TPM 2.0 names a zero-knowledge group-signature primitive in its spec. A billion chips ship it. Almost nobody verifies it. The story of why DAA won every standardization fight and lost every deployment one.
- From /hotpatch to $1.50 a Core: The Live-Patch Pipeline Microsoft Built and Then Made Public
  How Windows hot patching evolved from a 1990s compiler flag to a Secure-Kernel-mediated, three-layer pipeline shipping in three product waves between 2022 and 2025.
- From Password-in-the-Pipe to Cloud-Issued Session: Twenty-Six Years of RDP Authentication
  How five generations of Windows RDP authentication -- classic delegation, NLA via CredSSP, Restricted Admin, Remote Credential Guard, and PRT-over-RDP -- retreated from the 1998 design that gave attackers the keys to every target.
- Inside the Primary Refresh Token: The Cryptographic Seam Between Windows Logon and Microsoft Entra ID
  How one TPM-bound JWT issued at first sign-in bridges Windows logon and Microsoft Entra ID -- and how Pass-the-PRT taught Microsoft to bind the derivation to the message.
- Measured Boot: The TCG Event Log from SRTM to PCR-Bound BitLocker
  How Windows turns every byte of firmware, every signed boot manager, and every loaded driver into a single 32-byte hash that decides whether BitLocker unlocks your disk -- and why patching that chain breaks it.
- Protected Process Light: When the Administrator Isn't Enough
  How a single byte in EPROCESS encodes a signer lattice that denies SYSTEM-integrity admins the right to read LSASS -- and why every public bypass since 2018 attacks the same structural seam.
- The Day 8.5 Million Devices Couldn't Boot -- and How Microsoft Rebuilt Recovery as a Security Surface
  The Windows Recovery Environment worked perfectly on July 19, 2024. That was the problem. How WinRE, Quick Machine Recovery, and the Windows Resiliency Initiative re-priced fleet-scale recovery.
- Windows Filtering Platform: The Kernel-Mode Firewall You Don't See
  The Windows Filtering Platform is the kernel-mode engine under wf.msc, IPsec, WinNAT, the Hyper-V vSwitch, and every modern Windows EDR.