windows-security
49 posts tagged windows-security.
-
Rotating Every Cipher: SChannel and the Twenty-Year Algorithm-Agility Story of Windows TLS
How one Windows DLL rotated every TLS primitive from RC4 to ML-KEM without breaking IIS, RDP, SQL Server, or .NET SslStream -- and why Vista's 2007 CNG was the inflection point.
-
Seventy-Eight Minutes That Evicted Antivirus From the Windows Kernel
How a CrowdStrike channel-file update on July 19, 2024 collapsed twenty years of resistance to evicting third-party AV from the Windows kernel.
-
Three Years of PrintNightmare: How the Oldest Windows Service Survived Four Patch Waves
How the Windows Print Spooler produced nine SYSTEM-execution primitives in 2010-2024 and why Microsoft answered with two parallel architectures, not one.
-
AppLocker vs App Control for Business: Two Locks on the Same Door, and Why Windows Still Ships Both in 2026
Windows 11 24H2 ships two parallel application-control systems. One is operational hygiene; the other is the security boundary. The line between them is a single sentence in MSRC servicing criteria.
-
Mimikatz and the Credential-Theft Decade: The Windows Security Wars Part 3 (2009-2014)
Microsoft killed the rootkit class with AppLocker, Secure Boot, ELAM, and AppContainer. Then a side project in C named Mimikatz proved the wrong layer had been hardened.
-
SYSTEM in Ten Seconds: How the Potato Family Survived Every Microsoft Mitigation
A decade of Windows local privilege escalation -- HotPotato through FakePotato -- rests on one architectural decision Microsoft has refused to revisit.
-
The Integrity-Level Stack: MIC, UIPI, and Twenty Years of UAC's Quiet Plumbing
What UAC actually is beneath the consent prompt: Mandatory Integrity Control, UIPI, the split-token model, and twenty years of bypass research as proof.
-
The Layer Above the OS: The Windows Security Wars Part 6 (2023-2026)
How Storm-0558, CrowdStrike, and the Recall saga forced Microsoft to admit the biggest attack surface on a modern Windows PC is no longer the OS itself.
-
Two Months Without Code: The Windows Security Wars Part 1 (1995-2001)
In 1995-2001 the worms won. The Trustworthy Computing memo and the ten-week Windows Security Push that followed taught the industry how to ship secure software.
-
Eight Primitives, One Worm: The Windows Security Wars Part 2 (2002-2008)
How Microsoft re-engineered Windows around security between January 2002 and October 2009 -- and why a wormable RCE patched on October 23, 2008 still infected nine to fifteen million machines.
-
Pass-the-Hash to Pass-the-PRT: Twenty-Nine Years of Windows Credential Replay in One Family Tree
Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Pass-the-Certificate, and Pass-the-PRT are one architectural lineage. Each defense bought years; none closed the family.
-
Above the Kernel: The Windows Security Wars Part 4 (2015-2019)
Windows 10 ships Virtualization-Based Security and finally puts the credential store above the kernel -- in the same five years that ransomware became a billion-dollar industry.
-
Microsoft Defender for Identity: The Defensive AD Stack That Sees What BloodHound Maps
A field guide to Microsoft Defender for Identity, the on-DC sensor and cloud analytics engine descended from Aorato, that fires named alerts on almost every offensive AD primitive in the corpus -- and the five structural blind spots it cannot close.
-
The Thirteen Months That Made Zero Trust Unavoidable: The Windows Security Wars Part 5 (2020-2023)
Four incidents in thirteen months -- SolarWinds, ProxyLogon, PrintNightmare, Log4Shell -- broke four Windows architectural assumptions and forced the Zero Trust pivot the industry had on the shelf since August 2020.
-
Attack Surface Reduction Rules: The Quiet Layer That Stopped Office Macros
How Microsoft built a 19-rule, kernel-mediated behaviour block list inside Windows Defender that turned the Emotet macro chain into a one-row, no-ticket telemetry event.
-
Beyond BitLocker: The Three File-Level Encryption Layers Microsoft Hides in Plain Sight
BitLocker is one layer of four. EFS, Personal Data Encryption, and Purview sensitivity labels close gaps BitLocker structurally cannot -- three roots, three threat models, by design.
-
Living Off the Land on Windows: The LOLBin Catalog and the Structural Ceiling Microsoft Cannot Break
How a 1996 Authenticode design choice produced the LOLBin class, why the LOLBAS catalog has 207 binaries and Microsoft only blocks ~40, and why that gap is permanent.
-
The Card That Wasn't a Card: How Windows Authentication Outgrew the Smart Card Metaphor
Smart cards, virtual smart cards, and Windows authentication 1996-2026: from PC/SC and PIV through the 2014 NTLM-secondary defect to WHfB and FIDO2.
-
The Connection That Refused to Downgrade: Twenty-Five Years of SMB Cryptography, Finally Default-On
How SMB 3.1.1 pre-authentication integrity, AES-256-GCM, and SMB-over-QUIC closed a 25-year attack tradition, and which attacks still survive in 2026.
-
Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You
Every AI agent on Windows in 2026 runs as the logged-on user. The cloud-identity layer has crossed the agent-attribution gap; the OS layer has not. This article maps the FIDO AATWG pillars onto Windows primitives and asks what is missing.
-
BitUnlocker: When Microsoft's Recovery Environment Becomes the Master Key
In July 2025, Microsoft's internal red team chained four CVEs in WinRE to bypass TPM-only BitLocker in under five minutes -- and the structural lesson is older than Windows 11.
-
Windows Security Boundaries: The Document That Decides What Gets a CVE
Microsoft maintains a single public document that decides which Windows vulnerability reports receive a CVE, a Patch Tuesday bulletin, and a bounty payout. Here is how to read it.
-
Windows Downdate: When the Update Itself Is the Attack
How Alon Leviev turned Windows Update into a downgrade primitive, rolling fully-patched Windows 11 back to vulnerable VBS components while every signature still verified.
-
"The Vault is Solid. The Delivery Truck is Not." -- Microsoft Recall's Two-Year Re-Architecture from Plaintext SQLite to VBS Enclaves
How Microsoft Recall went from a plaintext SQLite database broken in four weeks to a VBS-Enclave + TPM-sealed + Hello-gated architecture, and what TotalRecall Reloaded still extracts. (Article title borrows Alexander Hagenah's framing, attributed in §8.1.)
-
Windows Sandbox vs Windows Defender Application Guard: Two Hyper-V Sandboxes, Different Threat Models
Two Hyper-V-backed isolation containers shipped in Windows -- one survived, one was retired. The story of why disposable beat persistent, and what each model was actually for.
-
Inside Azure Confidential VMs: SEV-SNP, Intel TDX, and the Paravisor that Makes Them a Cloud Product
Azure Confidential VMs combine AMD SEV-SNP and Intel TDX with the OpenHCL paravisor and MAA policy v1.2. A textbook tour from silicon to relying party.
-
Mark of the Web, SmartScreen, and the Catalog of Trust: How Windows Decides Whether to Warn You
How Windows stacks three trust layers -- origin, reputation, and signed catalog -- and why the 2022-2024 SmartScreen bypass arc was always a propagation bug, never a cryptography bug.
-
AMSI: The Pre-Execution Window Where Defender Catches a Base64 Payload It Has Never Seen Before
How the Antimalware Scan Interface scans script content after deobfuscation but before execution, the seven runtimes it plugs into, and the nearly seven-year bypass arms race that followed.
-
AppContainer and LowBox Tokens: Windows's Capability Sandbox
How a single bit in Windows's access token, two new SID alphabets, and a per-package namespace partition let the kernel give two co-tenanted apps opposite verdicts.
-
Authenticode and Catalog Files: The Crypto Foundation Under WDAC
Every Windows trust decision -- UAC, SmartScreen, WDAC, kernel-driver loading -- bottoms out on the same PKCS#7 SignedData envelope shipped in IE 3 in August 1996. Here is the byte-level reason.
-
Control Flow Integrity on Windows: CFG, XFG, and the CET Shadow Stack
Three generations of control-flow integrity on Windows: the CFG bitmap (2014), the XFG prototype-hash (never fully shipped), and the Intel CET shadow stack (2020). Why each shipped, and what the ~70% memory-safety statistic still leaves open.
-
Direct Anonymous Attestation: The Zero-Knowledge Proof Already in Every TPM
TPM 2.0 names a zero-knowledge group-signature primitive in its spec. A billion chips ship it. Almost nobody verifies it. The story of why DAA won every standardization fight and lost every deployment one.
-
From /hotpatch to \$1.50 a Core: The Live-Patch Pipeline Microsoft Built and Then Made Public
How Windows hot patching evolved from a 1990s compiler flag to a Secure-Kernel-mediated, three-layer pipeline shipping in three product waves between 2022 and 2025.
-
From Password-in-the-Pipe to Cloud-Issued Session: Twenty-Six Years of RDP Authentication
How five generations of Windows RDP authentication -- classic delegation, NLA via CredSSP, Restricted Admin, Remote Credential Guard, and PRT-over-RDP -- retreated from the 1998 design that gave attackers the keys to every target.
-
DPAPI and DPAPI-NG: The Credential Vault Under Everything
A 25-year tour of Windows Data Protection API: the four-stage classic chain, the 2012 DPAPI-NG redesign, the KDS root key, and the five structural ceilings the design cannot close.
-
Kerberos in Windows: The Other Half of NTLMless
After NTLM, Kerberos becomes the load-bearing authentication protocol for Windows. Eight years of attacks, the December 2025 Beyond-RC4 cadence, and the H2 2026 IAKerb / Local KDC broad enable.
-
The ACPI Tables That Quietly Secure Your Windows Machine
Five small ACPI tables -- DMAR, IORT, WSMT, SDEV, WPBT -- form the firmware-OS contract behind VBS, Credential Guard, Kernel DMA Protection, and BitLocker.
-
The Empty Hash: Credential Guard, the LsaIso Trustlet, and the Eleven-Year LSASS Extraction Tradition
Why a 2026 Mimikatz dump returns [LSA Isolated Data] instead of an NTLM hash, what LsaIso.exe really computes, and the five things Credential Guard was never going to close.
-
WDAC + HVCI: Code Integrity at Every Layer in Windows
How Windows decides which code is allowed to run, end-to-end: WDAC policy schema, HVCI per-VTL SLAT enforcement, the audit-to-enforce loop, and the residual attack surface neither feature can close.
-
WebAuthn and Passkeys on Windows: From CTAP to the Credential Provider Model
The know/have/are taxonomy collapses against modern phishing kits. Passkeys, WebAuthn Level 3, CTAP 2.x, and Windows 11 24H2 third-party providers score against the criteria that actually matter -- and recovery is the load-bearing column.
-
NTLMless: The Death of NTLM in Windows
Thirty years of pass-the-hash, NTLM relay, PetitPotam, and ESC8 -- and the Kerberos engineering that finally lets Microsoft turn NTLM off by default.
-
VBS Trustlets: What Actually Runs in the Secure Kernel
A field guide to Virtualization-Based Security trustlets on Windows 11: the five gates a binary passes to become one, the inbox roster, and where the model ends.
-
"Can This Code Do This?" -- Twenty-Five Years of Attacks on the Windows Access-Control Model
How a single kernel function, SeAccessCheck, decides every Windows operation -- and how Mimikatz, the Potato lineage, and seventy UAC bypasses each attack one of its inputs.
-
Pluton: A TPM On Silicon Microsoft Can Patch
How Microsoft moved the TPM onto the SoC die, ran it on Rust firmware, and patched it through Windows Update -- and what that cost in trust centralisation.
-
Secure Boot in Windows: The Chain From Sector Zero to Userinit, and Every Place It Has Broken
How Windows verifies and measures itself from CPU reset to logon, every rung of the boot chain, every public break, and what Pluton is being built to fix.
-
The TPM in Windows: One Primitive, Twenty-Five Years, and the Chip Microsoft Bet On Twice
How a passive 1999 cryptoprocessor became the load-bearing pillar of Windows security, and what twenty-five years of attacks taught us about its limits.
-
"Who Is This Code?" -- The Quiet 33-Year Reinvention of App Identity in Windows
NT 3.1 could prove which user typed at the keyboard but had no answer to which code was running. Eight successive primitives later, Windows is still answering the same question.
-
When SYSTEM Isn't Enough: The Windows Secure Kernel and the End of Total Kernel Trust
How Windows built a hardware-isolated kernel above Ring 0 using Hyper-V, protecting credentials and code integrity even after full NT kernel compromise.
-
BitLocker on Windows: Architecture, Attacks, and the Limits of Full-Disk Encryption
How BitLocker evolved from an optional enterprise feature to encryption-by-default, its cryptographic architecture, every known attack, and what FDE still cannot protect against.