Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports enthusiasts in interesting projects.

Categories

Zoom offers AI-based updates to its Workplace collaboration space

Computerworld.com [Hacking News] - 18 April, 2024 - 21:38

Online meeting platform Zoom this week announced updates to its meeting collaboration space Workplace, adding AI-powered capabilities that include a previously released “assistant” that offers post-meeting summaries and the ability to compose chats and email drafts. 

Available through Zoom’s desktop app, the Workplace collaboration platform includes the use of its Zoom AI Companion, which it released last September. 

The AI Companion, enabled in the toolbar, uses OpenAI’s ChatGPT generative AI (genAI) features to perform tasks such as presenting a summary of a meeting, identifying action items, and prompting users to share next steps with key meeting members.

The company’s new Zoom Phone capabilities also offer post-call summaries, voice mail prioritization, and task extraction, among other features. 

In January, Zoom launched a mixed reality app that works with Apple’s Vision Pro headset to offer users a 3D representation of meeting participants along with three dimensional representations of media and design files. For example, an animator or game designer could collaborate and share the latest character model via Zoom’s 3D object sharing capabilities.

Zoom’s Workplace meeting app offers features such as a combined meetings and calendar view on one tab, along with a new “agenda” view for meeting participants. 

Users of Zoom’s desktop app will notice the Workplace name throughout the app, the company said.

Workplace now offers what the company referred to as a “simplified navigation bar” at the top to make it easier for users to organize and find the tabs used most often. Users also can drag and drop tabs into their preferred order.

Workplace also offers a choice of new color themes, or the option to keep Zoom’s classic dark or light themes, in the desktop app’s settings. The toolbar can also be customized by dragging and dropping items (including from the “More” menu) into place.

Finally, Workplace offers a multi-speaker view that will highlight people who are actively speaking in a meeting with more than five participants.

Another feature Zoom said will be available “soon” is the Ask AI Companion, a chatbot that will complete routine user tasks, such as creating meeting preparation materials with relevant content such as meeting summaries and chat threads, drafting agendas, and brainstorming ideas. 

“Ask AI Companion will be available throughout Zoom Workplace, so your AI-powered digital assistant is always at your fingertips, helping to elevate your performance and free up your schedule,” Zoom said in a blog post.

Collaboration Software, Generative AI, Productivity Software, Zoom Video Communications
Category: Hacking & Security

Report: Microsoft-OpenAI ownership might get conditional OK from EU regulators

Computerworld.com [Hacking News] - 18 April, 2024 - 19:24

Microsoft’s $13 billion investment in OpenAI might not trigger EU antitrust restrictions since it is unlikely to be viewed as an “acquisition” in the legal sense in that jurisdiction.

A report Wednesday by Reuters said this means Microsoft would likely avoid more formal investigation procedures and potential regulatory stumbling blocks as a result of its investment in the generative AI LLM provider.

Reached for comment, a European Commission spokesperson said that for a transaction to be “notifiable” to the EC as a merger, it has to represent a change in control of the affected company “on a lasting basis.”

The spokesperson did not rule out a more formal and rigorous regulatory approach and said its investigation into the Microsoft-OpenAI deal is ongoing.

“While this transaction has not been formally notified, the Commission has been following very closely the situation of control over OpenAI already before the recent events involving its management, including Microsoft’s role on the OpenAI board and the investment agreements between Microsoft and OpenAI,” the spokesperson said.

The EC has yet to conclude, however, that the relationship between the two companies rises to the level of a “change of control” as a result of Microsoft’s investments.

Reuters’ report on the matter notes that UK and US antitrust regulators are also still in the preliminary stages of approval for the deal, with both the UK’s Competition and Markets Authority and the US Department of Justice and FTC thought to be considering their next steps in terms of formal reviews and probes.

Under EU law, a “concentration,” which would be subject to antitrust review, can take place when the change of control in one company is accomplished. This, according to the Consolidated Jurisdictional Notice, can be done by acquiring “sole control” of a company, in the sense of the controlling entity being able to exercise decisive influence over the other.

Sole control can also, however, be found to exist on a purely legal or factual basis, reflecting the myriad of board, stockholder and voting rights arrangements available to corporations doing business in the EU. A majority of voting rights, for example, could provide effective sole control, while a minority shareholder who is likely to succeed in achieving majorities at shareholders’ meetings could be found to be in de facto control.

UK and EU regulators had warned Microsoft in January that its investments in OpenAI could be subject to review despite the company’s insistence that its position on the board is non-voting and therefore that it had no ownership of OpenAI. 

Microsoft declined to comment.

Generative AI, Government, Microsoft, Regulation
Category: Hacking & Security

Apple wants to improve the carbon offset market

Computerworld.com [Hacking News] - 18 April, 2024 - 18:53

Apple has published its annual environmental report detailing its progress towards becoming completely carbon neutral by 2030. While critics will, of course, condemn the report as “greenwash,” it’s hard to identify many other big firms working quite as hard to be so transparent across the impact of their business.

In the report’s introduction, Lisa Jackson, Apple’s vice president for environment, policy, and social initiatives, confirms that Apple is working in multiple directions to achieve its 2030 target.

“The proof of Apple’s commitment to climate action is in our progress: We’ve slashed emissions by more than half, all while serving more users than ever before,” said Jackson. “More hard work is ahead of us, and we’re focused on harnessing the power of innovation and collaboration to maximize our impact.”

Energy from sun and wind

To get there, the company is making deep investments in wind and solar power, new recycling, and materials process technology, and seeking to build sustainability right inside its product designs. It means climate action is on the agenda at every product design meeting, and means the packaging it uses is constantly being optimized to reduce the cost of freight.

It’s important to understand the scope Apple has in this.

The company is already carbon neutral across its own business operations. But in the last few years, it has been working with a rapidly growing number of its own suppliers to achieve the same goal in product manufacturing. More than 320 Apple suppliers have committed to using renewable energy, the company says, while more than 20% of the materials used in Apple products came from recycled sources. Its recently introduced MacBook Air is made with over 50% recycled material.

Recycling for the rest of us

Apple seems to agree that climate justice is also social justice

That’s why it matters that the company wants to use 100% recycled rare earth materials in its products. The iPhone 15 range uses 100% recycled cobalt in smartphone batteries. These valuable materials are often described as “conflict minerals,” because they come from active war zones and are often mined at gunpoint by forced labor — including kids. I suppose that just as Find My iPhone makes stealing Apple’s phones less attractive, dramatic reductions in demand for such minerals might well make even forced labor less profitable.

Apple wants carbon offset transparency

The company has lots of reasons to take pride in much of what it has achieved to mitigate the consequences of running its business, but not every process or use can be avoided or reduced. To make up for this, Apple makes big use of carbon credits.

A lot of people don’t have much faith in carbon credits as a route to environmental sustainability, which Apple seems to recognize. Not only does it call its use of these an “interim solution,” but stresses that its priority is to reduce emissions rather than rely on that kind of mitigation. 

To me, this means Apple’s reliance on carbon credits is the weakest link in the Apple 2030 story. But the fact the company sees it as an interim solution and its investment of over $200 million in high quality offset projects such as those in Africa’s Chyulu Hills or in Guizhou, China show tangible recognition of this. 

Apple also gains some brownie points for transparency on its use of carbon offsets because it has published an extensive white paper explaining its approach in a great deal more depth. This includes some key recommendations to perhaps improve the quality of such projects on an industry-wide basis. 

We need standards of trust

Apple wants more independent transparency of carbon offset projects, calls for more coordination and collaboration around them, and better national and international policies to support rapid scale up of carbon removal.

“We believe that a market gap still exists for a centralized transparent process to review individual carbon projects against agreed-upon standards,” the Apple white paper says. That’s as close as you can get to conceding that many of the carbon credit schemes being run and relied upon by big companies now might not actually be making a difference. 

But what is at least somewhat reassuring is Apple’s stated willingness to work to improve the quality of carbon offsets, and the urgency with which it seems to see these goals. “We recognize that the current carbon markets aren’t equipped to deal with the scale and integrity of impact needed to achieve a 1.5℃ pathway and remove tens of billions of tons of carbon by 2050,” the white paper states. 

“We intend to work to improve the quality of these markets. We’re also aiming to build a pipeline of projects that meet the highest-quality standards that can scale to meet the growing demand for nature-based removals. And we’ll continue to progress our goal of building much-needed solutions for high-quality engineered carbon removals to complement these efforts.”

Our planet is in crisis

Overall, this year’s Apple environmental report shows a company that has moved far beyond lip service to try to tackle the big challenge all of us share today. “Our planet is in crisis, and without urgent action on climate change, we won’t be able to keep global warming to 1.5℃, and avoid the worst climate change impacts,” Apple said.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Apple, Green IT, iOS, Technology Industry, Vendors and Providers
Category: Hacking & Security

The Windows Registry Adventure #2: A brief history of the feature

Project Zero - 18 April, 2024 - 18:46

Posted by Mateusz Jurczyk, Google Project Zero

Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values", used by Windows and applications to store a variety of settings and configuration data. It is represented by a tree structure, in which keys may have one or more sub-keys, and every subkey is associated with exactly one parent key. Furthermore, every key may also contain one or more values, which have a type (integer, string, binary blob etc.) and are used to store actual data in the registry. Every key can be uniquely identified by its name and the names of all of its ascendants separated by the special backslash character ('\'), and starting with the name of one of the top-level keys (HKEY_LOCAL_MACHINE, HKEY_USERS, etc.). For example, a full registry path may look like this: HKEY_CURRENT_USER\Software\Microsoft\Windows. At a high level, this closely resembles the structure of a file system, where the top-level key is equivalent to the root of a mounted disk partition (e.g. C:\), keys are equivalent to directories, and values are equivalent to files. One important distinction, however, is that keys are the only type of securable objects in the registry, and values play a much lesser role in the database than files do in the file system. Furthermore, specific subtrees of the registry are stored on disk in binary files called registry hives, and the hive mount points don't necessarily correspond one-to-one to the top-level keys (e.g. the C:\Windows\system32\config\SOFTWARE hive is mounted under HKEY_LOCAL_MACHINE\Software, a one-level nested key).

Fundamentally, there are only a few basic operations that can be performed in the registry. These operations are summarized in the table below:

Hives
  • Load hive
  • Unload hive
  • Flush hive to disk

Keys
  • Open key
  • Create key
  • Delete key
  • Rename key
  • Set/query key security
  • Set/query key flags
  • Enumerate subkeys
  • Notify on key change
  • Query key path
  • Query number of open subkeys
  • Close key handle

Values
  • Set value
  • Delete value
  • Enumerate values
  • Query value data
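To make the structure described above concrete (keys as the only securable objects, typed named values hanging off keys, backslash-separated paths rooted at a top-level key, and hive mount points that do not line up one-to-one with top-level keys), here is a toy in-memory model that implements the key and value operations from the table. It is an added illustration, not Windows or Project Zero code; the mount table is constructed except for the HKLM\Software to config\SOFTWARE mapping quoted in the post, and the security descriptor is reduced to a plain string.

```python
"""Toy in-memory model of the registry: case-insensitive keys under fixed
top-level keys, typed values attached to keys, a security slot on keys only
(values have none), and hive mount points resolved by longest prefix.
Added illustration, not Windows code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed mount table: registry path prefix -> backing hive file. Only the
# HKLM\Software -> config\SOFTWARE entry comes from the post; the rest are
# illustrative. Longest matching prefix wins, so a nested key can head a hive.
MOUNTS = {
    r"HKEY_LOCAL_MACHINE\Software": r"C:\Windows\system32\config\SOFTWARE",
    r"HKEY_LOCAL_MACHINE\System": r"C:\Windows\system32\config\SYSTEM",
    r"HKEY_USERS\S-1-5-21-0-0-0-1000_Classes": r"C:\Users\example\UsrClass.dat",
}

@dataclass(eq=False, repr=False)   # identity semantics; parent links would make repr recurse
class Key:
    name: str
    parent: Optional["Key"]
    security: str = "Administrators:full;Users:read"   # stand-in for a security descriptor
    subkeys: Dict[str, "Key"] = field(default_factory=dict)             # lowercase name -> Key
    values: Dict[str, Tuple[str, object]] = field(default_factory=dict)  # name -> (type, data)

    def path(self) -> str:
        parts, k = [], self
        while k is not None:
            parts.append(k.name)
            k = k.parent
        return "\\".join(reversed(parts))

class Registry:
    TOP_LEVEL = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT")

    def __init__(self, mounts: Dict[str, str]):
        self.roots = {n.lower(): Key(n, None) for n in self.TOP_LEVEL}
        self.mounts = {p.lower(): f for p, f in mounts.items()}

    def _split(self, path: str) -> List[str]:
        parts = [p for p in path.split("\\") if p]
        if not parts or parts[0].lower() not in self.roots:
            raise KeyError(f"path must start with a top-level key: {path!r}")
        return parts

    def open_key(self, path: str) -> Key:
        parts = self._split(path)
        key = self.roots[parts[0].lower()]
        for p in parts[1:]:
            key = key.subkeys.get(p.lower())
            if key is None:
                raise KeyError(f"key not found: {path}")
        return key

    def create_key(self, path: str) -> Key:
        """Create missing intermediate keys too; new keys inherit the parent's security."""
        parts = self._split(path)
        key = self.roots[parts[0].lower()]
        for p in parts[1:]:
            nxt = key.subkeys.get(p.lower())
            if nxt is None:
                nxt = key.subkeys[p.lower()] = Key(p, key, security=key.security)
            key = nxt
        return key

    def delete_key(self, path: str) -> None:
        key = self.open_key(path)
        if key.parent is None or key.subkeys:   # like RegDeleteKey: only leaf keys, never a root
            raise PermissionError(f"cannot delete {key.path()}: top-level key or has subkeys")
        del key.parent.subkeys[key.name.lower()]

    def rename_key(self, path: str, new_name: str) -> Key:
        key = self.open_key(path)
        if key.parent is None or "\\" in new_name:
            raise ValueError("cannot rename a top-level key; names may not contain a backslash")
        clash = key.parent.subkeys.get(new_name.lower())
        if clash is not None and clash is not key:
            raise KeyError(f"a sibling named {new_name} already exists")
        del key.parent.subkeys[key.name.lower()]
        key.name = new_name
        key.parent.subkeys[new_name.lower()] = key
        return key

    def enumerate_subkeys(self, path: str) -> List[str]:
        return sorted(k.name for k in self.open_key(path).subkeys.values())

    # Values: typed data addressed by name under a key; they carry no security of their own.
    def set_value(self, path: str, name: str, vtype: str, data) -> None:
        self.open_key(path).values[name] = (vtype, data)

    def query_value(self, path: str, name: str) -> Tuple[str, object]:
        return self.open_key(path).values[name]

    def delete_value(self, path: str, name: str) -> None:
        del self.open_key(path).values[name]

    def enumerate_values(self, path: str) -> List[str]:
        return sorted(self.open_key(path).values)

    # Security lives on keys only, which is why a single value cannot be locked down by itself.
    def set_key_security(self, path: str, descriptor: str) -> None:
        self.open_key(path).security = descriptor

    def query_key_security(self, path: str) -> str:
        return self.open_key(path).security

    def hive_for(self, path: str) -> Optional[str]:
        """Which hive file backs a path: the longest mounted prefix, or None if not mounted."""
        parts = [p.lower() for p in self._split(path)]
        for n in range(len(parts), 0, -1):
            hit = self.mounts.get("\\".join(parts[:n]))
            if hit is not None:
                return hit
        return None
```

Key names are matched case-insensitively while the original spelling is preserved, which is the registry's own behaviour; the `hive_for` lookup shows why a path under HKEY_LOCAL_MACHINE can land in a different on-disk file than its sibling, and why a hive root need not be a top-level key.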

Before we dive into any of them in particular, let's first trace the registry's evolution and the path that led to its current state.

Windows 3.1

The registry was first introduced in Windows 3.1 released in 1992. It was designed as a centralized configuration store meant to address the many shortcomings of basic text configuration files from MS-DOS (e.g. config.sys) and the slightly more structured .INI files from very early versions of Windows. But the first registry was nothing like we know it today: there was only one top-level key (an equivalent of HKEY_CLASSES_ROOT) and only one hive (C:\windows\reg.dat) limited to 64 KB in size, formatted in a custom binary format represented by the magic bytes "SHCC3.10". There were no values (data was assigned directly to keys), and the registry was used solely for OLE/COM and file type registration. This is what the first Regedit.exe looked like when launched in advanced mode:

The first Registry Editor running on Windows 3.1

Despite its limitations, the Windows 3.1 registry was an important milestone, as it established long-lasting concepts like its hierarchical structure and paved the way for today's advanced registry features.

Windows NT 3.1, 3.5 and 3.51

One year later in 1993, a new version of Windows was released based on a completely refreshed and more robust kernel design: Windows NT 3.1. To this day, the original NT kernel continues to be the underpinning of all modern versions of Windows up to and including Windows 11 – and the same can be said for its registry implementation. The biggest functional registry changes found in Windows NT 3.x as compared to Windows 3.1 were:

  • Introducing many new top-level keys (HKLM, HKCU, HKU) and thus extending the scope of information intended to be stored in the registry.
  • Replacing the single reg.dat hive file with a number of separate hives (default, sam, security, software, system located in C:\winnt\system32\config).
  • Introducing named values with several possible data types.
  • Making registry keys securable.
  • Eliminating the 64 KB registry hive limit.

To accommodate these new features, Windows adopted a novel binary format called "regf", which was specifically designed to support the expanded functionality. The core principles behind the format remained unchanged across the NT 3.x version line, but it continued to internally evolve, as signified by the increasing version numbers encoded in the hive file headers. Specifically, pre-release builds of Windows NT 3.1 used regf v1.0, Windows NT 3.1 RTM used regf v1.1, and Windows NT 3.5 and 3.51 used regf v1.2.

Lastly, while Regedit.exe remained the simplistic "Registration Info Editor", a new utility, RegEdt32.exe, was added with far more options and unrestricted access to the system registry. Despite its dated appearance, the structure of the UI began to resemble the shape of the modern registry and the core concepts behind today's registry editor:

RegEdt32.exe running on Windows NT 3.1

Notably, Windows NT 3.1 was the first system parts of whose code are still used today in Windows 11. Based on this observation, we can confidently claim that the registry code base is over 30 years old.

Windows 95

Not long after, in the summer of 1995, Windows 95 was officially released to the public. It quickly became a huge hit, mostly thanks to innovations in the user interface – it was the first version to feature a taskbar, the Start menu, and the general look and feel that we now associate with Windows. With regards to the registry internals, though, it wasn't particularly interesting. It continued the trend started by Windows NT 3.x of expanding the registry into an even more central part of the operating system, and borrowed many of the same high-level concepts. However, since it was based on a completely different kernel than NT, the underlying registry implementation differed, too. All of the registry data was typically stored in just two files: C:\WINDOWS\System.dat and C:\WINDOWS\User.dat. They were encoded in yet another binary format indicated by the "CREG" signature, which was more capable than the Win3.1 format, but inferior to WinNT's regf (e.g. it didn't support security descriptors). The same format was later inherited by subsequent systems from the 9x series, namely Windows 98 and Me, but its legacy ended there. According to my knowledge, the CREG format had minimal impact on the registry's development in the NT line, so a deeper discussion of its internals isn't necessary.

Arguably, the one thing that had the most lasting impact in Windows 95 related to registry was the complete redesign of Regedit.exe, both functionally and visually. It gained the ability to browse the entire registry tree, read existing values and create new ones, rename keys, and search for text strings within keys, values and data. At first glance, it looks almost identical to the modern Registry Editor, with the exception of a few missing options, such as loading custom hives or managing key security. Even the program icon has remained largely unchanged and to many power users, it is synonymous with the Windows registry up to this day:

Redesigned Regedit.exe running on Windows 95

Windows NT 4.0

The debut of Windows NT 4.0 in 1996 marked another important milestone for the registry, but this time mostly on the technical side. In terms of visuals, NT 4.0 adopted the same graphical interface as Windows 95, including the new and improved Regedit.exe. As a result of the Regedit addition, Windows NT 4.0 now included two competing registry editors: Regedit from Windows 95 and RegEdt32 from Windows NT 3.x. They shared some overlapping functionality (e.g. the ability to manually traverse the registry and inspect individual values), but each offered some unique features too: only Regedit was capable of searching for data in values, while only RegEdt32 supported managing the security of registry keys. I suspect that the presence of two different tools must have been confusing for users who wanted to modify the system's internal settings: not only did they have to understand the structure of the registry and how to navigate it, but also know which tool to use for a specific task. Both utilities made their way into Windows 2000, but they were finally merged in Windows XP into a single Regedit.exe program. RegEdt32.exe can still be found on modern versions of Windows in C:\Windows\system32 as a historical artifact, but all it currently does is just launch Regedit.exe and terminate.

As mentioned earlier, the really important changes in NT 4.0 happened under the hood. Between the release of NT 3.51 and NT 4.0, the kernel developers updated some internal aspects of the regf format to simplify it and make it more efficient. Furthermore, a new optimization called "fast leaves" was introduced, which added special four-byte hints to the subkey lists in order to speed up key lookups. These changes were substantial and not backwards-compatible, so the version had to be increased again, leading to regf v1.3. This is noteworthy because 1.3 is the earliest hive type that is considered a modern version and that is still supported by today's Windows 10 and 11, even though newer format versions up to 1.6 exist now too. It means that one can copy a hive file off of a Windows NT 4.0 system, load it in Regedit on Windows 11, examine and modify it, copy it back, and each of these steps will work without issue. What is more, the support is not just there for reading archival hives – in documented API functions such as RegSaveKeyExA, version 1.3 is represented by the REG_STANDARD_FORMAT enum, indicating that it is considered the "standard" even as of today. And indeed, there are some core system hives in Windows 11, such as UsrClass.dat mounted at HKEY_USERS\<SID>_Classes, that are still encoded in the regf v1.3 format. So in that sense, Windows NT 4.0 and 11, despite being released decades apart and representing vastly different technological eras, exhibit a fundamental connection.
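The three on-disk formats named in this history (the Windows 3.1 "SHCC3.10" file, the Windows 9x "CREG" file and NT's "regf") can be told apart from their leading bytes, and for regf the version that the text keeps referring to (1.1, 1.2, 1.3 ... 1.6) is stored in the hive's 512-byte base block. The following sniffer is an added example, not Project Zero's or Microsoft's code: it reads the regf major/minor version DWORDs at offsets 20 and 24, the primary/secondary sequence numbers at offsets 4 and 8 (a mismatch means the last write never completed), and validates the XOR checksum at offset 508, flagging anything below 1.3 as a pre-NT 4.0 hive that current Windows will not load. The sample base block it builds for testing is constructed, not a real hive.

```python
"""Identify which generation of registry file a buffer is, and for regf hives
read the format version and check the base block's integrity. Added example;
offsets follow the documented regf base-block layout, sample data is constructed."""
import struct

REGF_BLOCK_SIZE = 512     # size of the regf base block; the checksum covers bytes 0..507

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field, with the two reserved results."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x

def identify_hive(data: bytes) -> dict:
    """Return the format family plus regf version, checksum and dirty-state details."""
    if data[:8] == b"SHCC3.10":
        return {"format": "Windows 3.1 reg.dat", "version": None, "modern": False}
    if data[:4] == b"CREG":
        return {"format": "Windows 9x CREG", "version": None, "modern": False}
    if data[:4] == b"regf":
        if len(data) < REGF_BLOCK_SIZE:
            raise ValueError("regf signature but the base block is truncated")
        primary, secondary = struct.unpack_from("<II", data, 4)
        major, minor = struct.unpack_from("<II", data, 20)
        stored = struct.unpack_from("<I", data, 508)[0]
        return {
            "format": "Windows NT regf",
            "version": (major, minor),
            "modern": (major, minor) >= (1, 3),       # 1.3 = NT 4.0, earliest still loadable
            "checksum_ok": stored == regf_checksum(data),
            "dirty": primary != secondary,            # an interrupted write leaves these unequal
        }
    return {"format": "unknown", "version": None, "modern": False}

def build_regf_header(major: int, minor: int, dirty: bool = False, corrupt: bool = False) -> bytes:
    """Construct a minimal regf base block for testing (sample data, not a real hive)."""
    hdr = bytearray(REGF_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 2, 1 if dirty else 2)   # primary / secondary sequence numbers
    struct.pack_into("<II", hdr, 20, major, minor)           # format version
    struct.pack_into("<I", hdr, 36, 0x20)                    # root cell offset within the hive bins
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    if corrupt:
        hdr[100] ^= 0xFF      # damage the block after the checksum was computed
    return bytes(hdr)

if __name__ == "__main__":
    for label, blob in [("nt4-style", build_regf_header(1, 3)),
                        ("nt3.1-style", build_regf_header(1, 1)),
                        ("damaged", build_regf_header(1, 5, corrupt=True)),
                        ("win3.1", b"SHCC3.10" + bytes(56))]:
        print(label, identify_hive(blob))
```

For a forensic or hardening workflow the interesting outputs are `checksum_ok` and `dirty`: a hive whose base block fails the checksum or whose sequence numbers disagree should be treated as needing log replay or as possibly tampered with before its contents are trusted.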

Modern times

Based on the fact that both the regf hive format and the graphical interface of Regedit have essentially remained the same between 1996 and 2024, one could assume that the internal registry implementation hasn't changed that much, either. We can try to prove or disprove this hypothesis by performing a little experiment, measuring the volume of registry-related code in each consecutive version of Windows. To ensure a consistent methodology and make the survey security-relevant, we will focus on the kernel-mode part of the Configuration Manager, which largely constitutes a local attack surface. Such an analysis is technically feasible and even relatively easy to achieve, because:

  • The entirety of the kernel registry-related code is compiled into a single executable image: ntoskrnl.exe.
  • Debug symbols (PDB/DBG files) for the kernels of all NT-family systems were made publicly available by Microsoft, either via the Microsoft Symbol Server, symbol packages downloadable from the Microsoft website, or symbol files bundled with the system installation media.
  • The kernel code follows a consistent naming convention, where all function names related to the registry start with either "Hv" (standing for Hive), "Cm" (standing for Configuration Manager) or "Vr" (likely standing for Virtualized Registry), with a few minor exceptions.
  • There are some very good reverse-engineering tools available today, which can help us count the number of assembly instructions or even the number of decompiled C-like source code lines corresponding to the registry engine.

In my case, I used IDA Pro with Hex-Rays to decompile the entire kernel of each NT-line system, and then ran a post-processing script to extract the registry related functions. After counting the numbers of lines and plotting them on a diagram, here is what we get:

As we can see, there has been an enormous, steady growth of the code base, starting at around 10,000 lines of code in NT 4.0 and increasing tenfold to around 100,000 lines in Windows 11. It is important to reiterate that this only covers the kernel portions of the registry and ignores code found in user-mode libraries such as advapi32.dll, KernelBase.dll or ntdll.dll. Furthermore, I expect that the decompiled code is more dense than the original source code because it doesn't include any comments or whitespace. Taking all this into account, the total extent of the registry code managed by Microsoft is probably much bigger than the numbers shown above.
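The post-processing step described above, namely keeping only the functions whose names carry the Hv, Cm or Vr prefixes and totalling their decompiled line counts per build, is shown here as an added example; it is not Project Zero's script. It takes a plain "name count" listing, which is what one would export from the decompiler, applies the prefix rule with an explicit exception list for the few prefixed names that are not registry code, and returns per-prefix and overall totals. The listings and counts below are constructed sample data and the function names in them are illustrative, not real ntoskrnl symbols.

```python
"""Sum decompiled line counts for the kernel registry engine by name prefix.
Added example, not Project Zero's tooling; sample listings are constructed."""
import re
from typing import Dict, Iterable

# Registry code is named Hv* (hive), Cm* (Configuration Manager) or Vr* (virtualized registry).
REGISTRY_PREFIX = re.compile(r"^(Hv|Cm|Vr)[A-Za-z]")

def registry_line_counts(listing: str, exclude: Iterable[str] = ()) -> Dict[str, int]:
    """Parse '<function> <lines>' rows; `exclude` names prefixed functions that are not registry code."""
    totals = {"Hv": 0, "Cm": 0, "Vr": 0, "total": 0, "functions": 0}
    excluded = set(exclude)
    for row in listing.splitlines():
        row = row.strip()
        if not row or row.startswith("#"):
            continue
        name, count = row.split()
        m = REGISTRY_PREFIX.match(name)
        if m is None or name in excluded:
            continue
        n = int(count)
        totals[m.group(1)] += n
        totals["total"] += n
        totals["functions"] += 1
    return totals

def survey(listings: Dict[str, str], exclude: Iterable[str] = ()) -> Dict[str, Dict[str, int]]:
    """Apply the same filter to one listing per Windows build so the totals are comparable."""
    return {build: registry_line_counts(text, exclude) for build, text in listings.items()}

# Constructed sample listings; names are illustrative, not real kernel symbols.
SAMPLE_LISTINGS = {
    "nt4": """
        CmpWalkPathExample 80
        CmOpenKeyExample 120
        HvAllocCellExample 60
        MmAllocatePoolExample 300
    """,
    "win11": """
        CmpWalkPathExample 250
        CmOpenKeyExample 400
        HvAllocCellExample 150
        VrpRedirectExample 90
        MmAllocatePoolExample 800
    """,
}

if __name__ == "__main__":
    for build, totals in survey(SAMPLE_LISTINGS).items():
        print(build, totals)
```

Because the filter runs on names alone, the same script works whether the counts behind it are decompiled lines or assembly instructions, and the exclusion list is where the "few minor exceptions" to the naming convention belong; the caveat from the text still applies, since none of this sees the user-mode half in advapi32.dll, KernelBase.dll or ntdll.dll.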

Going back to the kernel registry code, its expansion in time has been substantial, both in absolute and relative terms. But if these developments are invisible to the average user, what does all of the new code do? The changes can be divided into three major categories:

  • Optimizations: changes making the registry more efficient, e.g. introducing a "hash leaf" subkey index type to make key lookups even faster in regf v1.5, or adding a native system call to rename keys in-place without involving an expensive copy+delete operation on an entire subtree.
  • Backwards compatibility: changes meant to make legacy applications run seamlessly on modern systems, e.g. registry virtualization.
  • New features: changes adding new functionality to the registry or adapting it to new use cases. These are either made available via a new API (thus mainly relevant to software developers), or not documented at all and only used by Windows internally. Examples include support for values larger than 1 MB, registry callbacks, support for transactions, application hives, and differencing hives.

Interestingly, the biggest changes weren't occurring with any regularity, but rather were concentrated in just four versions of Windows: NT 3.1–4.0, XP, Vista and 10 Anniversary Update (1607). This is illustrated in the timeline below:

This is of course not an exhaustive list: it includes the features that I have found to be the most interesting during the security audit, but it is missing modifications related to incremental logging, improvements to how hive files are managed and mapped in memory, and many other optimizations, stability improvements and refactorings implemented by Microsoft throughout the years. But it goes to show that the registry is a highly complex part of the Windows kernel, and one with a lot of potential for deep, interesting bugs just waiting to be discovered.

In the next post, I will share a number of useful sources of information I have discovered while researching the registry. Some of them may be more obvious than others, but all of them have significantly helped me understand certain aspects of the technology or given me the necessary context that I was missing. Until next time!

Kategorie: Hacking & Security

The Windows Registry Adventure #1: Introduction and research results

Project Zero - 18 Duben, 2024 - 18:45

Posted by Mateusz Jurczyk, Google Project Zero

In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer based on the Bochs x86 emulator (one of my favorite tools for security research: see Bochspwn, Bochspwn Reloaded, and my earlier font fuzzing infrastructure), and needed some binary formats to test it on. My first pick was PE files: they are very popular in the Windows environment, which makes it easy to create an initial corpus of input samples, and a basic fuzzing harness is equally easy to develop with just a single GetFileVersionInfoSizeW API call. The test was successful: even though I had previously fuzzed PE files in 2019, the new element of code coverage guidance allowed me to discover a completely new bug: issue #2281.

For my next target, I chose the Windows registry. That's because arbitrary registry hives can be loaded from disk without any special privileges via the RegLoadAppKey API (since Windows Vista). The hives use a binary format and are fully parsed in the kernel, making them a noteworthy local attack surface. Furthermore, I was also somewhat familiar with basic harnessing of the registry, having fuzzed it in 2016 together with James Forshaw. Once again, the code coverage support proved useful, leading to the discovery of issue #2299. But when I started to perform a root cause analysis of the bug, I realized that:

  • The hive binary format is not very well suited for trivial bitflipping-style fuzzing, because it is structurally simple, and random mutations are much more likely to render (parts of) the hive unusable than to trigger any interesting memory safety violations.
  • On the other hand, the registry has many properties that make it an attractive attack surface for further research, especially for manual review. It is 30+ years old, written in C, running in kernel space but highly accessible from user-mode, and it implements much more complex logic than I had previously imagined.
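To make the two points above concrete (the hive format is parsed in full by the kernel, and blind bit flips mostly produce hives that are rejected early), here is a structure-aware walk of a regf hive as an added example, not code from the post and not Windows' own parser. It checks the base-block checksum, walks every hive bin and cell, decodes `nk` key nodes and verifies the v1.5 `lh` (hash leaf) subkey index mentioned in the history section above. Field offsets follow the public regf layout; the hive it walks is constructed in memory by `build_sample_hive`, and `lf`/`li`/`ri` lists and `vk` values are deliberately out of scope.

```python
"""Structure-aware walk of a regf hive: base-block checksum, hive bins, cells,
'nk' key nodes and the v1.5 'lh' (hash leaf) subkey index. Added example, not
the post's code nor Windows' parser; the hive it walks is built in memory."""
import struct

BASE = 4096           # base block size; the bins area starts right after it
NIL = 0xFFFFFFFF      # HCELL_NIL, "no cell"
KEY_COMP_NAME = 0x20  # nk flag: name stored as 8-bit chars instead of UTF-16

def regf_checksum(base):
    """XOR of the DWORDs before 0x1FC; reserved results 0/0xFFFFFFFF become 1/0xFFFFFFFE."""
    x = 0
    for (d,) in struct.iter_unpack("<I", base[:0x1FC]):
        x ^= d
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_base_block(hive):
    b = hive[:BASE]
    if b[:4] != b"regf": raise ValueError("bad regf signature")
    major, minor, _type, _fmt, root, bins_size = struct.unpack_from("<6I", b, 0x14)
    if struct.unpack_from("<I", b, 0x1FC)[0] != regf_checksum(b):
        raise ValueError("base block checksum mismatch")
    return {"version": (major, minor), "root": root, "bins_size": bins_size}

def iter_cells(hive, bins_size):
    """Yield (cell_index, allocated, payload); cell_index is what nk/vk/lh fields store."""
    data, pos = hive[BASE:BASE + bins_size], 0
    while pos < len(data):
        if data[pos:pos + 4] != b"hbin":
            raise ValueError(f"no hbin signature at {pos:#x}")
        off, size = struct.unpack_from("<II", data, pos + 4)
        if off != pos or size == 0 or size % 4096 or pos + size > len(data):
            raise ValueError(f"inconsistent hbin header at {pos:#x}")
        cell, end = pos + 0x20, pos + size        # cells follow the 0x20-byte bin header
        while cell < end:
            (csize,) = struct.unpack_from("<i", data, cell)   # negative = allocated
            if csize == 0 or abs(csize) % 8 or cell + abs(csize) > end:
                raise ValueError(f"bad cell size {csize} at {cell:#x}")
            yield cell, csize < 0, data[cell + 4:cell + abs(csize)]
            cell += abs(csize)
        pos = end

def lh_hash(name):
    """Hash stored beside each 'lh' entry: h = h * 37 + uppercase(ch), mod 2^32."""
    h = 0
    for ch in name.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def parse_nk(payload):
    if payload[:2] != b"nk": raise ValueError("not a key node")
    (flags,) = struct.unpack_from("<H", payload, 0x02)
    nsub, _nvolatile, sublist = struct.unpack_from("<III", payload, 0x14)
    raw = payload[0x4C:0x4C + struct.unpack_from("<H", payload, 0x48)[0]]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "subkeys": nsub, "subkey_list": sublist}

def subkey_names(hive):
    """(root name, [subkey names]); validates every cell and each lh hash first."""
    info = parse_base_block(hive)
    cells = {c: p for c, used, p in iter_cells(hive, info["bins_size"]) if used}
    root, names = parse_nk(cells[info["root"]]), []
    if root["subkeys"]:
        lst = cells[root["subkey_list"]]
        if lst[:2] != b"lh": raise ValueError("only 'lh' lists are handled here")
        for i in range(struct.unpack_from("<H", lst, 2)[0]):
            idx, h = struct.unpack_from("<II", lst, 4 + 8 * i)
            child = parse_nk(cells[idx])
            if lh_hash(child["name"]) != h:
                raise ValueError(f"stale lh hash for {child['name']!r}")
            names.append(child["name"])
    return root["name"], names

def _cell(payload, allocated=True):
    size = (len(payload) + 4 + 7) & ~7   # 4-byte size header, 8-byte granularity
    return struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\0")

def _nk(name, flags, parent, nsub, sublist):
    body = bytearray(0x4C)
    body[:2] = b"nk"
    struct.pack_into("<H", body, 0x02, flags)
    struct.pack_into("<II", body, 0x10, parent, nsub)     # parent, stable subkey count
    struct.pack_into("<II", body, 0x1C, sublist, NIL)     # stable / volatile subkey lists
    struct.pack_into("<H", body, 0x48, len(name))
    return bytes(body) + name.encode("ascii")

def build_sample_hive():
    """Constructed v1.5 hive: child nk at 0x20, lh list at 0x78, root nk at 0x88, free cell after."""
    child = _cell(_nk("Software", KEY_COMP_NAME, 0x88, 0, NIL))
    lh = _cell(b"lh" + struct.pack("<HII", 1, 0x20, lh_hash("Software")))
    root = _cell(_nk("ROOT", KEY_COMP_NAME | 0x0C, NIL, 1, 0x78))   # 0x0C: hive entry, no delete
    free = _cell(b"\0" * (4096 - 0x20 - len(child + lh + root) - 4), allocated=False)
    hbin = b"hbin" + struct.pack("<II", 0, 4096) + b"\0" * 0x14 + child + lh + root + free
    base = bytearray(b"regf".ljust(BASE, b"\0"))
    struct.pack_into("<II", base, 0x04, 1, 1)                    # primary == secondary seq
    struct.pack_into("<6I", base, 0x14, 1, 5, 0, 1, 0x88, 4096)  # v1.5, primary, root, bins
    struct.pack_into("<I", base, 0x1FC, regf_checksum(base))
    return bytes(base) + hbin
```

Flip one bit in the base block and `parse_base_block` refuses the file on the checksum; flip one bit of a cell's size field and `iter_cells` stops at the first cell that is no longer 8-byte aligned or no longer fits its bin; change a subkey's name without updating the `lh` entry and the index check fails. A dumb mutator therefore spends most of its budget on inputs that never get past these checks, which is why structure-aware mutation (keeping sizes, checksums and indexes consistent while corrupting the semantics behind them) is the more productive way to reach the deeper Configuration Manager code.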

And that's how the story starts. Instead of further refining the fuzzer, I made a detour to reverse engineer the registry implementation in the Windows kernel (internally known as the Configuration Manager) and learn more about its inner workings. The more I learned, the more hooked I became, and before long, I was all-in on a journey to audit as much of the registry code as possible. This series of blog posts is meant to document what I've learned about the registry, including its basic functionality, advanced features, security properties, typical bug classes, case studies of specific vulnerabilities, and exploitation techniques.

While this blog is one of the first places to announce this effort, I did already give a talk titled "Exploring the Windows Registry as a powerful LPE attack surface" at Microsoft BlueHat Redmond in October 2023 (see slides and video recording). The upcoming blog posts will go into much deeper detail than the presentation, but if you're particularly curious and can't wait to find out more, feel free to check these resources as a starter. 🙂

Research results

In the course of the research, I filed 39 bug reports in the Project Zero bug tracker, which have been fixed by Microsoft as 44 CVEs. There are a few reasons for the discrepancy between these numbers:

  • Some single reports included information about multiple problems, e.g. issue #2375 was addressed by four CVEs,
  • Some groups of reports were fixed with a single patch, e.g. issues #2392 and #2408 as CVE-2023-23420,
  • One bug report was closed as WontFix and not addressed in a security bulletin at all (issue #2508).

All of the reports were submitted under the Project Zero 90-day disclosure deadline policy, and Microsoft successfully met the deadline in all cases. The average time from report to fix was 81 days.

Furthermore, between November 2023 and January 2024, I reported 20 issues that had low or unclear security impact, but I believed the vendor should nevertheless be made aware of them. They were sent without a disclosure deadline and weren't put on the PZ tracker; I have since published them on our team's GitHub. Upon assessment, Microsoft decided to fix 6 of them in a security bulletin in March 2024, while the other 14 were closed as WontFix with the option of being addressed in a future version of Windows.

This sums up to a total of 50 CVEs, classified by Microsoft as:

  • 39 × Windows Kernel Elevation of Privilege Vulnerability
  • 9 × Windows Kernel Information Disclosure Vulnerability
  • 1 × Windows Kernel Memory Information Disclosure Vulnerability
  • 1 × Windows Kernel Denial of Service Vulnerability

A full summary of the security-serviced bugs is shown below:

GPZ # | CVE | Title | Reported | Fixed
--- | --- | --- | --- | ---
2295 | CVE-2022-34707 | Windows Kernel use-after-free due to refcount overflow in registry hive security descriptors | 2022-May-11 | 2022-Aug-09
2297 | CVE-2022-34708 | Windows Kernel invalid read/write due to unchecked Blink cell index in root security descriptor | 2022-May-17 | 2022-Aug-09
2299 | CVE-2022-35768 | Windows Kernel multiple memory problems when handling incorrectly formatted security descriptors in registry hives | 2022-May-20 | 2022-Aug-09
2318 | CVE-2022-37956 | Windows Kernel integer overflows in registry subkey lists leading to memory corruption | 2022-Jun-22 | 2022-Sep-13
2330 | CVE-2022-37988 | Windows Kernel registry use-after-free due to bad handling of failed reallocations under memory pressure | 2022-Jul-8 | 2022-Oct-11
2332 | CVE-2022-38037 | Windows Kernel memory corruption due to type confusion of subkey index leaves in registry hives | 2022-Jul-11 | 2022-Oct-11
2341 | CVE-2022-37990, CVE-2022-38039, CVE-2022-38038 | Windows Kernel multiple memory corruption issues when operating on very long registry paths | 2022-Aug-3 | 2022-Oct-11
2344 | CVE-2022-37991 | Windows Kernel out-of-bounds reads and other issues when operating on long registry key and value names | 2022-Aug-5 | 2022-Oct-11
2359 | CVE-2022-44683 | Windows Kernel use-after-free due to bad handling of predefined keys in NtNotifyChangeMultipleKeys | 2022-Sep-22 | 2022-Dec-13
2366 | CVE-2023-21675 | Windows Kernel memory corruption due to insufficient handling of predefined keys in registry virtualization | 2022-Oct-6 | 2023-Jan-10
2369 | CVE-2023-21747 | Windows Kernel use-after-free due to dangling registry link node under paged pool memory pressure | 2022-Oct-13 | 2023-Jan-10
2389 | CVE-2023-21748 | Windows Kernel registry virtualization incompatible with transactions, leading to inconsistent hive state and memory corruption | 2022-Nov-30 | 2023-Jan-10
2375 | CVE-2023-21772, CVE-2023-21773, CVE-2023-21774 | Windows Kernel multiple issues in the key replication feature of registry virtualization | 2022-Oct-25 | 2023-Jan-10
2378 | CVE-2023-21749, CVE-2023-21776 | Windows Kernel registry SID table poisoning leading to bad locking and other issues | 2022-Oct-31 | 2023-Jan-10
2379 | CVE-2023-21750 | Windows Kernel allows deletion of keys in virtualizable hives with KEY_READ and KEY_SET_VALUE access rights | 2022-Nov-2 | 2023-Jan-10
2392 | CVE-2023-23420 | Windows Kernel multiple issues with subkeys of transactionally renamed registry keys | 2022-Dec-7 | 2023-Mar-14
2408 | CVE-2023-23420 (same fix as 2392) | Windows Kernel insufficient validation of new registry key names in transacted NtRenameKey | 2023-Jan-13 | 2023-Mar-14
2394 | CVE-2023-23421, CVE-2023-23422, CVE-2023-23423 | Windows Kernel multiple issues in the prepare/commit phase of a transactional registry key rename | 2022-Dec-14 | 2023-Mar-14
2410 | CVE-2023-28248 | Windows Kernel CmpCleanupLightWeightPrepare registry security descriptor refcount leak leading to UAF | 2023-Jan-19 | 2023-Apr-11
2418 | CVE-2023-28271 | Windows Kernel disclosure of kernel pointers and uninitialized memory through registry KTM transaction log files | 2023-Jan-31 | 2023-Apr-11
2419 | CVE-2023-28272, CVE-2023-28293 | Windows Kernel out-of-bounds reads when operating on invalid registry paths in CmpDoReDoCreateKey/CmpDoReOpenTransKey | 2023-Feb-2 | 2023-Apr-11
2433 | CVE-2023-32019 | Windows Kernel KTM registry transactions may have non-atomic outcomes | 2023-Mar-7 | 2023-Jun-13
2445 | CVE-2023-35356 | Windows Kernel arbitrary read by accessing predefined keys through differencing hives | 2023-Apr-19 | 2023-Jul-11
2452 | CVE-2023-35356 (same fix as 2445) | Windows Kernel CmDeleteLayeredKey may delete predefined tombstone keys, leading to security descriptor UAF | 2023-May-10 | 2023-Jul-11
2446 | CVE-2023-35357 | Windows Kernel may reference unbacked layered keys through registry virtualization | 2023-Apr-20 | 2023-Jul-11
2447 | CVE-2023-35358 | Windows Kernel may reference rolled-back transacted keys through differencing hives | 2023-Apr-27 | 2023-Jul-11
2449 | CVE-2023-35382 | Windows Kernel renaming layered keys doesn't reference count security descriptors, leading to UAF | 2023-May-2 | 2023-Aug-8
2454 | CVE-2023-35386 | Windows Kernel out-of-bounds reads due to an integer overflow in registry .LOG file parsing | 2023-May-15 | 2023-Aug-8
2456 | CVE-2023-38154 | Windows Kernel partial success of registry hive log recovery may lead to inconsistent state and memory corruption | 2023-May-22 | 2023-Aug-8
2457 | CVE-2023-38139 | Windows Kernel doesn't reset security cache during self-healing, leading to refcount overflow and UAF | 2023-May-31 | 2023-Sep-12
2462 | CVE-2023-38141 | Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption | 2023-Jun-26 | 2023-Sep-12
2463 | CVE-2023-38140 | Windows Kernel paged pool memory disclosure in VrpPostEnumerateKey | 2023-Jun-27 | 2023-Sep-12
2464 | CVE-2023-36803 | Windows Kernel out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation | 2023-Jun-27 | 2023-Sep-12
2466 | CVE-2023-36576 | Windows Kernel containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses | 2023-Jul-7 | 2023-Oct-10
2479 | CVE-2023-36404 | Windows Kernel time-of-check/time-of-use issue in verifying layered key security may lead to information disclosure from privileged registry keys | 2023-Aug-10 | 2023-Nov-14
2480 | CVE-2023-36403 | Windows Kernel bad locking in registry virtualization leads to race conditions | 2023-Aug-22 | 2023-Nov-14
2492 | CVE-2023-35633 | Windows registry predefined keys may lead to confused deputy problems and local privilege escalation | 2023-Oct-6 | 2023-Dec-12
2511 | CVE-2024-26182 | Windows Kernel subkey list use-after-free due to mishandling of partial success in CmpAddSubKeyEx | 2023-Dec-13 | 2024-Mar-12
None (MSRC-84131) | CVE-2024-26174 | Windows Kernel out-of-bounds read of key node security in CmpValidateHiveSecurityDescriptors when loading corrupted hives | 2023-Nov-29 | 2024-Mar-12
None (MSRC-84149) | CVE-2024-26176 | Windows Kernel out-of-bounds read when validating symbolic links in CmpCheckValueList | 2023-Nov-29 | 2024-Mar-12
None (MSRC-84046) | CVE-2024-26173 | Windows Kernel allows the creation of stable subkeys under volatile keys via registry transactions | 2023-Nov-30 | 2024-Mar-12
None (MSRC-84228) | CVE-2024-26177 | Windows Kernel unsafe behavior in CmpUndoDeleteKeyForTrans when transactionally re-creating registry keys | 2023-Dec-1 | 2024-Mar-12
None (MSRC-84237) | CVE-2024-26178 | Windows Kernel security descriptor linked list confusion in CmpLightWeightPrepareSetSecDescUoW | 2023-Dec-1 | 2024-Mar-12
None (MSRC-84263) | CVE-2024-26181 | Windows Kernel registry quota exhaustion may lead to permanent corruption of the SAM database | 2023-Dec-11 | 2024-Mar-12

Exploitability

Software bugs are typically interesting to either the offensive or the defensive side of the security community only if they have practical security implications. Unfortunately, it is impossible to give a blanket statement regarding the exploitability of all registry-related vulnerabilities due to their sheer diversity on a number of levels:

  • Affected platforms: Windows 10, Windows 11, various Windows Server versions (32/64-bit)
  • Attack targets: the kernel itself, drivers implementing registry callbacks, privileged user-mode applications/services
  • Entry points: direct registry operations, hive loading, transaction log recovery
  • End results: memory corruption, broken security guarantees, broken API contracts, memory/pointer disclosure, out-of-bounds reads, invalid/controlled cell index accesses
  • Root cause of issues: C-specific, logic errors, bad reference counting, locking problems
  • Nature of memory corruption: temporal (use-after-free), spatial (buffer overflows)
  • Types of corrupted memory: kernel pools, hive data
  • Exploitation time: instant, up to several hours

As we can see, there are multiple factors at play that determine how the bugs came to be and what state they leave the system in after being triggered. However, to get a better understanding of the impact of the findings, I have performed a cursory analysis of the exploitability of each bug, trying to classify it as either "easy", "moderate" or "hard" to exploit according to my current knowledge and experience (this is of course highly subjective). The proportions of these exploitability ratings are shown in the chart below:

The ratings were largely based on the following considerations:

  • Hive-based memory corruption is generally considered easy to exploit, while pool-based memory corruption is considered moderate/hard depending on the specifics of the bug.
  • Triggering OOM-type conditions in the hive space is easy, but completely exhausting the kernel pools is more difficult and intrusive.
  • Logic bugs are typically easier and more reliable to exploit than memory corruption.
  • The kernel itself is typically easier to attack than user-mode processes (system services etc.).
  • Direct information disclosure (leaking kernel pointers / uninitialized memory via various channels) is usually straightforward to exploit.
  • However, random out-of-bounds reads, as well as read access to invalid/controlled cell indexes is generally hard to do anything useful with.

Overall, it seems that more than half of the findings can be feasibly exploited for information disclosure or local privilege escalation (rated easy or moderate). What is more, many of them exhibit registry-specific bug classes which can enable particularly unique exploitation primitives. For example, hive-based memory corruption can be effectively transformed into both a KASLR bypass and a fully reliable arbitrary read/write capability, making it possible to use a single bug to compromise the kernel with a data-only attack. To demonstrate this, I have successfully developed exploits for CVE-2022-34707 and CVE-2023-23420. The outcome of running one of them to elevate privileges to SYSTEM on Windows 11 is shown on the screenshot below:

Upcoming posts in this series will introduce you to the Windows registry as a system mechanism and as an attack surface, and will dive deeper into practical exploitation using hive memory corruption, out-of-bounds cell indexes and other amusing techniques. Stay tuned!

Kategorie: Hacking & Security

Slack AI now available to all paid users for $10 more a month

Computerworld.com [Hacking News] - 18 Duben, 2024 - 17:42

Slack’s generative AI (genAI) features are now available to all customers on paid accounts, at a cost of $10 per user each month. 

The collaboration software vendor, owned by Salesforce, brought the genAI features to enterprise customers in February (pricing wasn’t publicly announced). On Thursday, Slack extended access to a wider range of business users on Slack Pro and Business+ plans.

It means all paid customers will get access to the genAI features announced by Slack last year:

  • AI-powered search. This provides personalized answers to questions based on an organization’s knowledge base. Slack AI helps users locate subject matter experts, or find information on anything from work projects to understanding unfamiliar acronyms.
  • Channel recaps. This highlights key discussion points for a Slack user after a period away from the app, or for those who have recently joined a channel.
  • Thread summaries. This feature recaps faster-moving discussions, provides thread summaries, and offers an overview of long conversations, with links to sources in each summary that enable users to check information where necessary.

In addition, Slack has added a “daily digest” that provides users with a recap of what’s been going on in channels they might only visit occasionally.

Slack AI queries are processed using the firm’s large language models (LLMs), which are hosted in its own virtual private cloud running on Amazon Web Service servers, the company said in a blog post Thursday. The company said customer data is not used to train the Slack AI LLM. 

Slack is one of many collaboration and productivity software vendors to introduce genAI features in the past year. Some, like Google and Microsoft, charge an additional fee for access to these capabilities; others, such as Zoom, include them for free in paid subscriptions. IDC expects that premiums charged for AI features will contribute to growth in business spending on collaboration apps, which is forecast to reach $71.6 billion in 2027, according to a report by the analyst firm.

Irwin Lazar, president and principal analyst at Metrigy, believes Slack customers will find value in using Slack AI to summarize conversations and improve the ability to search and surface information within chats. 

“Our research shows that about 86% of companies are willing to purchase generative AI assistants/copilots for at least some users, though most have not yet determined measurable benefit,” he said.

For companies that use Slack intensively, the $10 a month per user license fee is “a bit easier to swallow” than more expensive genAI products, such as the $30 a month fee for Microsoft 365 Copilot, he said.

Cheaper options for genAI assistants are starting to appear, too. These include the $20 Copilot Pro from Microsoft, and a recently introduced Google Workspace “add-on” that provides access to genAI features for its Meet video conferencing and Chat messaging apps. This, like Slack AI, costs $10 per user a month, and forgoes access to genAI features in the wider Workspace productivity suite in favor of features targeted specifically at collaboration. (Google also offers $20 and $30 per user/month subscriptions to its Gemini AI assistant.)

The appearance of lower-priced genAI options likely reflects “the need to monetize a service that can be onerous for vendors to provide,” said Raúl Castañón, senior research analyst at 451 Research, part of S&P Global Market Intelligence. 

This can be good news for customers, he said. A growing range of payment options means businesses can provide a full set of genAI features to the employees most likely to use them extensively in their day-to-day work, while offering a cheaper option to a wider user base to accelerate adoption and avoid the risk of leaving a substantial number of workers behind, he said.

The proliferation of AI assistants throws up other challenges for customers. In many cases, organizations will use some combination of Microsoft Teams, Google Meet/Chat, and Slack products for productivity and collaboration. This potentially means paying for two or more disconnected AI assistants, should customers wish to access genAI features in multiple products.

“[T]he challenge for organizations in mixed vendor environments, [is that] they must consider paying for multiple generative AI tools, each only having insight into one vendor’s data,” said Lazar. “We’re continuing to look at whether or not vendors will share data, or whether or not generative AI copilots will drive vendor consolidation.”

Slack has other AI features in the works. The company plans to extend its AI search and summarization capabilities to access a wider range of data sources, including Slack apps, canvases, clips, and files uploaded to the collaboration app. This will enable more detailed, contextual responses to queries. Slack’s AI will also be used to create summaries of conversations held in its “huddle” audio and video call tool. 

An integration with Salesforce’s Einstein Copilot is also on the way; it will enable Slack users to query the CRM chatbot about sales data from within the Slack app. 

Collaboration Software, Generative AI, Productivity Software, Slack
Kategorie: Hacking & Security

OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

The Hacker News - 18 Duben, 2024 - 16:25
Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"
Kategorie: Hacking & Security

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

The Hacker News - 18 Duben, 2024 - 15:58
The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up. "They
Kategorie: Hacking & Security

Recover from Ransomware in 5 Minutes—We will Teach You How!

The Hacker News - 18 Duben, 2024 - 13:17
Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack. Zerto, a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use
Kategorie: Hacking & Security

New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks

The Hacker News - 18 Duben, 2024 - 12:31
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Kategorie: Hacking & Security

How to Conduct Advanced Static Analysis in a Malware Sandbox

The Hacker News - 18 Duben, 2024 - 12:31
Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to
Kategorie: Hacking & Security

Global Police Operation Disrupts 'LabHost' Phishing Service, Over 30 Arrested Worldwide

The Hacker News - 18 Duben, 2024 - 12:28
As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service
Kategorie: Hacking & Security

DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

Kaspersky Securelist - 18 Duben, 2024 - 12:00

Introduction

In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it “DuneQuixote”, and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These droppers, which exist in two versions (regular droppers and tampered installer files for a legitimate tool named “Total Commander”), carried malicious code to download an additional payload in the form of a backdoor we call “CR4T”. While we identified only two CR4T implants at the time of discovery, we strongly suspect the existence of others, which may be completely different malware.

The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code.

Initial dropper

The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler. All samples contain digital signatures, which are, however, invalid.

Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls primarily involve string comparison functions, executed without any conditional jumps based on the comparison results.

Useless function calls

The strings specified in these functions are snippets from Spanish poems. These vary from one sample to another, thereby altering the signature of each sample to evade detection using traditional detection methodologies. Following the execution of decoy functions, the malware proceeds to construct a structure for the necessary API calls. This structure is populated with offsets of Windows API functions, resolved utilizing several techniques.

Initially, the malware decrypts the names of essential Windows core DLLs using a straightforward XOR decryption algorithm. It employs multiple decryption functions to decode strings, where a single function might decrypt several strings. However, in our analysis, we observed samples where each string was decrypted using a dedicated function, each employing a slightly varied decryption algorithm.

String decryption algorithm

Once the necessary strings have been decrypted, the malware uses a standard technique for dynamically resolving API calls to obtain their memory offsets by:

  • retrieving the offset of the Process Environment Block (PEB);
  • locating the export table offset of kernel32.dll;
  • identifying the offset for the GetProcAddress function.

In the process of obtaining the PEB offset, the malware first decrypts the constant 0x60, which is used to locate the PEB64 structure. This approach is of particular interest because, typically, malicious samples or shellcode utilizing this technique opt for a hardcoded plain text constant value for this purpose.

Getting PEB structure offset

Next, the malware begins to populate the previously created structure with the offsets of all required functions.

The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.

C2 decryption algorithm

Following the decryption of the C2 string, the malware attempts to establish a connection with the C2 server using a specifically hardcoded ID as the user agent to download the payload. During our research of the C2 infrastructure, we found that the payload remains inaccessible for download unless the correct user agent is provided. Furthermore, it appears that the payload may only be downloaded once per victim or is only available for a brief period following the release of a malware sample into the wild, as we were unable to obtain most of the payload implants from active C2 servers.

Once the payload is downloaded into the process’s memory, the dropper performs a verification check for the “M” (0x4D in hexadecimal) magic byte at the start of the memory blob. This check likely serves to confirm that the payload has an MZ file signature, thereby indicating it is a valid executable format.

Total Commander installer dropper

The Total Commander installer dropper is created to mimic a legitimate Total Commander software installer. It is, in fact, the legitimate installer file, but with an added malicious file section (.textbss) and a modified entry point. This tampering results in invalidating the official digital signature of the Total Commander installer.

The installer dropper retains the core functionality of the initial dropper but with several key differences. Unlike the original dropper, it omits the use of Spanish poem strings and the execution of decoy functions. It also implements a series of anti-analysis measures and checks that prevent a connection to C2 resources if any of the following conditions are true:

  • a debugger is present in the system;
  • known research or monitoring tools are among running processes;
  • the explorer.exe process has more than two instances;
  • any of the following processes are running:
    • “python.exe”
    • “taskmgr.exe”
    • “procmon.exe”
    • “resmon.exe”
    • “eventvwr.exe”
    • “process_hacker.exe”
  • less than 8 GB RAM available;
  • the position of the cursor does not change over a certain timeframe;
  • disk capacity is less than 40 GB.

If any of the anti-analysis checks fail, the malware returns a value of 1. This specific return value plays a role in the decryption of the C2 server address. It triggers the removal of the first “h” from the beginning of the C2 URL (“https“), effectively changing it to “ttps“. As a result, the altered URL prevents the establishment of a connection to the C2 server.

Memory-only CR4T implant

The “CR4T” implant is designed with the primary goal of granting attackers access to a console for command line execution on the victim’s machine. Additionally, it facilitates the download, upload, and modification of files. The malware carries a PDB string in its code:

"C:\Users\user\Desktop\code\CR4T\x64\Release\CR4T.pdb"

That’s why we dubbed it “CR4T”.

Upon execution by the dropper, the implant initiates a cmd.exe process in a hidden window and establishes two named pipes to enable inter-process communication. It then configures the user agent for communication with the C2 server, embedding the hardcoded value “TroubleShooter” as the user agent name for requests to the C2.

User-agent string

After that, the implant retrieves the computer name of the infected host as well as the username of the current user. Then it establishes a connection to the C2 server. This session provides interactive access to the command line interface of the victim’s machine via the earlier mentioned named pipes. Commands and their outputs are encoded using Base64 before being sent and decoded after receiving.

After establishing the connection, the implant remains idle, awaiting an initial command from the C2 operator to activate the required functionality. This command is represented by a one-byte value, each mapped to a specific action on the infected system. These single-character commands would likely make more sense for an English-speaking developer/operator than a Spanish-speaking one, e.g. “D” == Download, “U” == Upload (where a Spanish speaker might use “Cargar”).

Command       Functionality
'C' (0x43)    Provide access to the command line interface via a named pipe.
'D' (0x44)    Download file from the C2
'U' (0x55)    Upload file to the C2
'S' (0x53)    Sleep
'R' (0x52)    Exit process
'T' (0x57)    Write to a file (T here possibly stands for a file-write task)

During our investigation, we discovered evidence of a PowerShell file that had been created using the “T” command:

"powershell -c \"Get-ScheduledTask | Where-Object {$_.TaskName -like 'User_Feed_Sync*' -and $_.State -eq 'Running'} | Select-Object TaskName\"

The threat actor was observed attempting to retrieve the names of all scheduled tasks on the infected machine beginning with “User_Feed_Sync“. These scheduled tasks were probably created by the Golang version of CR4T for persistence purposes.

Memory-only Golang CR4T implant

We also discovered a Golang version of the CR4T implant, which shares similar capabilities with the C version and has a similar string related to the internal naming:

"C:/Users/user/Desktop/code/Cr4tInst/main.go"

This variant provides a command line console for interaction with infected machines, as well as file download and upload capabilities. It also possesses the functionality to execute commands on the victim’s machine. A notable difference of this version is its ability to create scheduled tasks using the Golang Go-ole library. This library leverages Windows Component Object Model (COM) object interfaces for interacting with the Task Scheduler service.

CR4T using go-ole library

The malware is also capable of achieving persistence by utilizing the COM objects hijacking technique. And finally, it uses the Telegram API for C2 communications, implementing the public Golang Telegram API bindings. All the interactions are similar to the C/C++ version.

Infrastructure

The infrastructure used in this campaign appears to be located in the US at two different commercial hosters.

Domain                IP                    First seen          ASN
commonline[.]space    135.148.113[.]161     2023-12-16 23:20    16276
userfeedsync[.]com    104.36.229[.]249      2024-01-10 07:27    395092

Victims

We discovered victims in the Middle East, as per our telemetry, as early as February 2023. Additionally, there were several uploads to a semi-public malware scanning service at a later stage, more specifically starting on December 12, 2023, with more than 30 submissions of the droppers in the period up to the end of January 2024. The majority of these uploads also originated from the Middle East. Other sources, which we suspect to be VPN exit nodes, were geo-located in South Korea, Luxembourg, Japan, Canada, the Netherlands and the US.

Conclusions

The “DuneQuixote” campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.

Indicators of Compromise

DuneQuixote Droppers
3aaf7f7f0a42a1cf0a0f6c61511978d7
5759acc816274d38407038c091e56a5c
606fdee74ad70f76618007d299adb0a4
5a04d9067b8cb6bcb916b59dcf53bed3
48c8e8cc189eef04a55ecb021f9e6111
7b9e85afa89670f46f884bb3bce262b0
4f29f977e786b2f7f483b47840b9c19d
9d20cc7a02121b515fd8f16b576624ef
4324cb72875d8a62a210690221cdc3f9
3cc77c18b4d1629b7658afbf4175222c
6cfec4bdcbcf7f99535ee61a0ebae5dc
c70763510953149fb33d06bef160821c
f3988b8aaaa8c6a9ec407cf5854b0e3b
cf4bef8537c6397ba07de7629735eb4e
1bba771b9a32f0aada6eaee64643673a
72c4d9bc1b59da634949c555b2a594b1
cc05c7bef5cff67bc74fda2fc96ddf7b
0fdbe82d2c8d52ac912d698bb8b25abc
9b991229fe1f5d8ec6543b1e5ae9beb4
5e85dc7c6969ce2270a06184a8c8e1da
71a8b4b8d9861bf9ac6bd4b0a60c3366
828335d067b27444198365fac30aa6be
84ae9222c86290bf585851191007ba23
450e589680e812ffb732f7e889676385
56d5589e0d6413575381b1f3c96aa245
258b7f20db8b927087d74a9d6214919b
a4011d2e4d3d9f9fe210448dd19c9d9a
b0e19a9fd168af2f7f6cf997992b1809
0d740972c3dff09c13a5193d19423da1
a0802a787537de1811a81d9182be9e7c
5200fa68b6d40bb60d4f097b895516f0
abf16e31deb669017e10e2cb8cc144c8
f151be4e882352ec42a336ca6bff7e3d
f1b6aa55ba3bb645d3fde78abda984f3
00130e1e7d628c8b5e2f9904ca959cd7
fb2b916e44abddd943015787f6a8dc35
996c4f78a13a8831742e86c052f19c20
91472c23ef5e8b0f8dda5fa9ae9afa94
135abd6f35721298cc656a29492be255
db786b773cd75483a122b72fdc392af6

Domains and IPs
Commonline[.]space
g1sea23g.commonline[.]space
tg1sea23g.commonline[.]space
telemetry.commonline[.]space
e1awq1lp.commonline[.]space
mc.commonline[.]space
userfeedsync[.]com
Service.userfeedsync[.]com
telemetry.userfeedsync[.]com
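The indicators above, together with the hardcoded “TroubleShooter” user agent and the “User_Feed_Sync*” scheduled-task prefix recovered from the “T” command artifact, are what a defender would actually sweep for. The script below is an added example and not Kaspersky’s tooling: it refangs the published domains and IPs, then matches a subset of the listed dropper hashes, DNS queries, proxy records and scheduled-task names against them. The DNS and proxy log formats and every sample record are constructed for illustration; the indicator values themselves come from the write-up.

```python
"""Match DuneQuixote / CR4T indicators from the Securelist write-up against
host and network telemetry. Added example, not Kaspersky's tooling; the log
formats and all sample records below are constructed for illustration."""
import re

# Indicators taken from the write-up (a subset of the dropper hash list).
# Domains and IPs are kept defanged exactly as published and refanged at load time.
DROPPER_MD5 = {
    "3aaf7f7f0a42a1cf0a0f6c61511978d7",
    "5759acc816274d38407038c091e56a5c",
    "4f29f977e786b2f7f483b47840b9c19d",
}
C2_DOMAINS_DEFANGED = [
    "commonline[.]space", "telemetry.commonline[.]space",
    "userfeedsync[.]com", "Service.userfeedsync[.]com",
]
C2_IPS_DEFANGED = ["135.148.113[.]161", "104.36.229[.]249"]
CR4T_USER_AGENT = "TroubleShooter"      # hardcoded UA of the CR4T implant
TASK_NAME_PREFIX = "User_Feed_Sync"     # prefix queried by the recovered PowerShell artifact


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable form."""
    return indicator.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
C2_IPS = {refang(ip) for ip in C2_IPS_DEFANGED}


def domain_matches(fqdn: str) -> bool:
    """True if fqdn is a listed C2 domain or any subdomain of one."""
    f = fqdn.lower().rstrip(".")
    return any(f == d or f.endswith("." + d) for d in C2_DOMAINS)


def check_file_hashes(md5s):
    """Return the observed MD5s that are known DuneQuixote droppers (case-insensitive)."""
    return sorted({h.lower() for h in md5s if h.lower() in DROPPER_MD5})


def check_dns_log(lines):
    """Constructed format: '<ts> <client> query: <name>'. Returns matching names."""
    hits = []
    for line in lines:
        m = re.search(r"query:\s*(\S+)", line)
        if m and domain_matches(m.group(1)):
            hits.append(m.group(1))
    return hits


def check_proxy_log(lines):
    """Constructed format: '<ts> <client> <dst_ip> "<user-agent>"'.
    Flags a record on a C2 destination IP or on the CR4T user agent."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"', line)
        if not m:
            continue
        dst, ua = m.group(3), m.group(4)
        reasons = []
        if dst in C2_IPS:
            reasons.append("c2-ip")
        if ua == CR4T_USER_AGENT:
            reasons.append("cr4t-ua")
        if reasons:
            hits.append((dst, ua, reasons))
    return hits


def check_scheduled_tasks(task_names):
    """Return task names matching 'User_Feed_Sync*' (same wildcard semantics as the
    Get-ScheduledTask -like filter seen in the write-up)."""
    return [t for t in task_names if t.startswith(TASK_NAME_PREFIX)]


# --- constructed sample telemetry -----------------------------------------
SAMPLE_HASHES = ["4F29F977E786B2F7F483B47840B9C19D", "d41d8cd98f00b204e9800998ecf8427e"]
SAMPLE_DNS = [
    "2024-01-10T07:27:00Z 10.0.0.5 query: g1sea23g.commonline.space",
    "2024-01-10T07:27:01Z 10.0.0.5 query: www.example.com",
    "2024-01-10T07:27:02Z 10.0.0.9 query: service.userfeedsync.com.",
]
SAMPLE_PROXY = [
    '2024-01-10T07:28:00Z 10.0.0.5 135.148.113.161 "TroubleShooter"',
    '2024-01-10T07:28:01Z 10.0.0.7 93.184.216.34 "Mozilla/5.0"',
    '2024-01-10T07:28:02Z 10.0.0.9 104.36.229.249 "Mozilla/5.0"',
]
SAMPLE_TASKS = ["User_Feed_Sync_1a2b", "MicrosoftEdgeUpdateTaskMachineCore", "User_Feed_Synchronizer"]


def hunt():
    """Run every check over the constructed samples and return the findings."""
    return {
        "hashes": check_file_hashes(SAMPLE_HASHES),
        "dns": check_dns_log(SAMPLE_DNS),
        "proxy": check_proxy_log(SAMPLE_PROXY),
        "tasks": check_scheduled_tasks(SAMPLE_TASKS),
    }


if __name__ == "__main__":
    for kind, findings in hunt().items():
        print(f"{kind}: {findings}")
```

The subdomain match in `domain_matches` matters because the write-up lists several hosts under each apex (g1sea23g, tg1sea23g, mc, telemetry, ...) and a trailing-dot FQDN from a resolver log must still match; the proxy check records why a line fired so that a hit on the user agent alone, which would also catch a not-yet-listed C2 address, is distinguishable from a hit on a known IP.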

11 top productivity tips for Microsoft Edge

Computerworld.com [Hacking News] - 18 Duben, 2024 - 12:00

We live and work in browsers. It’s where we spend most of our time — and it’s where we waste most of our time as well. Web browsing is slow, inefficient, and full of time-sapping annoyances.

But it needn’t be that way. You can turn your browser into a lean, mean productivity machine. To do it, just follow these eight tips for Microsoft Edge (the Chromium version, not the legacy one) in Windows 10 or 11. You’ll learn how to switch between home and work profiles; put idle tabs to sleep to speed up your PC and increase battery life; use Edge’s Collection capabilities, perhaps the best productivity-enhancing browser feature of all time; and more.

(Note that these tips are written for Edge in version 23H2 of Windows 11 and version 22H2 of Windows 10; things may be slightly different if you use a different Windows version.)

So let’s get started — time’s a-wasting, and so is your productivity.

1. Switch between work and personal profiles

As work-from-home and remote work models become more common, many people use the same device for work and personal use. When it comes to using a web browser, that can quickly become problematic.

Mixing work and personal favorites makes it far more difficult to quickly get to important work websites or personal websites. When you’re working, you don’t want to wade through hundreds of links to family photos, vacation destinations, and YouTube videos of cats befriending parrots when you’re just looking for the OSHA website about mine safety regulations. And when you’re off working hours and want to watch a video of a Persian cat nuzzling a cockatiel, a website detailing the GDPs of every country in Europe and Asia is not your primary destination.

Different profiles let you completely segregate your browser use. That doesn’t just mean different favorites. It also means different Collections, different extensions, different passwords, and more.

Each Edge profile is tied to a different Microsoft account. So to use different profiles, you’ll need to create different Microsoft accounts. To create a new Microsoft account in Windows 10 or 11:

  1. Go to https://account.microsoft.com. If you’re signed in to your account, click your profile icon or initials in the upper-right corner and select Sign out. Close Edge, restart it, and go back to https://account.microsoft.com/.
  2. Now click the Sign in button in the middle of the page. On the screen that appears, select the Create one! link, then follow the prompts to create a new account.

You’ve now got two different Microsoft accounts you can use for Edge. When you log into one of those accounts in Windows, that will be the default account that Edge will use when you browse the web.

To switch between the two accounts, you’ll need to add that second account to Edge. To do it:

  1. Click the three-dot icon at the top right of Edge, then select Settings > Profiles and click Add Profile at the top right of the screen.
  2. On the screen that appears, click Add. You’ll be sent to a web page in a new instance of Edge. Click “Add new account” and select “Sign in to sync data.”
  3. On the screen that appears, sign in and confirm that you want to proceed.

Once you’ve done that, you don’t have to log out of your current account and then log into the second account to use it in Edge. Instead, when you want to use the second account, click the three-dot icon at the top right of the Edge window and select Settings > Profiles. Your current profile appears at the top of the screen. To switch to your other profile, find it in the “More profiles” section at the bottom and click the Switch button next to it.

You’ll now be sent straight to that profile. When you do that, Edge will open in a new window. So you’ll have both your profiles running simultaneously, each with its own tabs, in two separate windows. (Note that you can set up multiple additional profiles, not just one additional one.)

To minimize distractions, set up work and personal profiles in Edge.

IDG

You can also tell Edge which profile to use when you visit certain websites. To do it, in Edge select Settings > Profiles > Profile preferences, and in the “Automatic profile switching” section, move the Account based profile switching slider to on. From now on, whenever you visit a new website, a screen will pop up asking which account you want to use to open it. The next time you visit the site, Microsoft will remember which profile you used to visit it previously and will automatically open it in that profile.

It’s worth exploring several other settings here that allow you to customize when to use which profile. For instance, you can tell Edge to automatically open pages that are part of your company’s intranet in your Work profile.

Should you decide you want to remove a profile, in Edge go to Settings > Profiles. Switch to the profile you want to remove. Click the three-dot icon next to the “Sign Out” button and select Remove. You can always add it again later by coming back to this page and clicking the Add Profile button at the top of the screen.

2. Use Collections to turbocharge productivity

If you use only one tip in this article, this should be it: Use Edge’s Collections feature for a big productivity boost. It’s probably the best browser productivity booster you’ll ever find.

Collections let you gather web pages, images, and portions of web pages into a sidebar and organize them by categories. You can also add notes to each of your collections. You can create different collections for each of your projects and store web-based research there. For example, you can set up collections for your budgets, for marketing research, or for just about anything to do with your work.

To use it, click the Collections icon, a + sign inside two squares with rounded corners, in the toolbar at the top right of the screen. The Collections pane opens on the right as a sidebar.

The first time you use Collections, it will automatically start four collections: Wishlist, Reading List, Video Playlist, and Cookbook. You can use any of those collections or select Create new collection at the top of the pane and type in a name. To add the web page you’re on to a collection, move your mouse pointer over the collection and click the Add current page icon (a plus sign) that appears.

You can also add images and selected text or sections of web pages by dragging them to your collection. To add a note, go to a collection, click the three-dot icon that appears when you hover over the item you want to add a note to, then click Add note to item or Add note after item. You can also save the URL of an image on the web to the note.

The Collections feature is Edge’s best productivity booster.

IDG

You can also add web pages to a collection without opening the Collections pane. Right-click on a neutral area of the page and in the pop-up menu that appears, select Add page to Collections and choose the collection you want to add it to or start a new one. You can add images and selected text to a collection the same way.

You can also easily delete collections so that you don’t get overwhelmed by your research. It’s ideal not just for long-term research, but for short-term research for only a day or two, which you’ll then delete.

3. Get to your most-used sites quickly

Bookmarking and organizing favorites is a great way to manage a large collection of websites, but it’s not that useful if you simply want to get to a frequently used site quickly. Edge has some tricks up its sleeve if you want to get your most-used sites pronto.

Add a site to the new tab page

When you open a new tab in Edge, a page appears that shows you news and other items you might be interested in. It’s easy to pin a site to this page so it’s accessible whenever you open a new tab.

Look toward the top of the page, just underneath the search box. If you don’t see icons for pinned pages (such as for Yahoo, Amazon, your inbox, and so on), click the Quick Links down arrow underneath the search box on the right. (If you don’t see the down arrow, click the gear icon at the far right, and in the Quick Links area of the panel that appears, click Off and change it to 1 row.)

A row of site icons appears, along with a + icon. Click the + icon and type or paste in the name and URL of the site you want to pin, then click Add. The site will now appear along with the other pinned pages.

Pinning a site keeps it handy on the new tab page.

IDG

You can rename or remove any site pinned to the new tab page by clicking the three-dot icon next to the site icon and selecting Rename or Remove from the menu that appears.

Pin tabs to the top of Edge

For even faster access to frequently used sites, you can pin them as browser tabs so they appear at the far left of all your other tabs in Edge. When you’re on the site you want to pin as a tab in Edge, right-click its tab and select Pin tab from the menu that appears. The pinned tab will now appear to the left of all your open tabs.

The icon for the pinned tab looks smaller than all of your other tabs, and it will persist even after you shut down and restart Edge. If you have multiple pinned tabs, all of them will appear to the left of any non-pinned tabs.

Pin sites you often visit to the taskbar

For Windows users, the fastest way to access a frequently used site is to pin it to the Windows taskbar. That means it’s always visible (even when Edge isn’t running), and you can launch it with a single click.

When you’re on the site you want to pin, select the three-dot icon at the top right of the browser window and select More tools > Pin to taskbar. A small screen appears with a text box in it with the name of the site. Use the name provided or type a new name into the text box and click Pin.

4. Use the Edge sidebar

Edge has a narrow sidebar to the far right of the screen that you may not know about because it’s typically hidden and can be confusing to use. Some people have no use for it and keep it hidden, but others find it useful. If you haven’t tried it yet, you should give it a try.

If it’s hidden, you can reveal it by clicking the Copilot icon (Copilot is Microsoft’s generative AI chatbot) at the top right of the Edge app. When you do that, both the Edge sidebar and the Copilot pane appear. We’ll cover Copilot later in this article, so for now you’ll learn how to use the sidebar without Copilot.

To get rid of Copilot and keep the sidebar revealed, first click the “Always show sidebar” icon at the bottom right of the sidebar — it’s just above the Settings icon. Now click the X at the top of the Copilot pane. The pane will vanish, but the sidebar, a strip of icons running down the right edge of the app window, stays there.

The Edge sidebar offers quick access to a variety of useful tools, including a calculator, unit converter and translator, shown here.


Click an icon and a pane opens up for the corresponding app. For example, click the Tools icon (it looks like a small toolbox) and you’ll get a variety of useful tools, including a calculator, unit converter, translator, dictionary and more. Click the icon again and the pane vanishes.

There are also icons for opening Outlook, playing games, and more. (Check out the next tip for information about the Microsoft 365 sidebar pane.)

You can add more items to the sidebar by clicking the + icon below the main set of icons. A Customize pane appears where you can browse or search for apps such as Dropbox, Slack, Trello, and many others. When you have a new app open in the sidebar pane, its icon will appear just above the + icon. To keep the app’s icon in the sidebar, right-click it and select Pin to Sidebar.

If you don’t want the sidebar displayed, click the icon just above the Settings icon, and you’ll auto-hide the sidebar.

5. Use Edge as command central for Microsoft 365

Edge can be used as a kind of command central for working with the Microsoft 365 office suite, whether you’ve got a personal or a business version. Go to the Edge sidebar, as described in the previous tip, and click the six-sided multicolored icon. The Microsoft 365 pane appears.

Microsoft 365 apps are easily accessible from inside Edge.


The pane has icons for all of your Microsoft 365 applications, including Word, Excel, Teams, OneDrive, OneNote, and more. Click any icon to open the web version of that app in the main Edge window. It also shows files you’ve recently opened. Click any to open it in the main Edge window. You can filter the list of files by individual application, if you’d like. To see only Word files, for example, click the Word icon underneath the “Recent” heading.

Note that the files you see in the Microsoft 365 pane depend on which profile you’re logged into in Edge. If you’re logged in with your work profile, you’ll see the Microsoft 365 files you’ve been working on in your business version of M365. If you want to see your personal files, you’ll need to switch to your personal profile, as described in Tip 1.

6. Enlist a Copilot as you browse

As I mentioned earlier, you can also use Copilot, Microsoft’s genAI chatbot, from within Edge. Click the Copilot icon at the top right of Edge, and the Copilot pane appears. There’s a tremendous amount you can do with Copilot, and all of its uses are beyond the scope of this article. To learn more about what it can do and how to use it, see our story “7 ways to use Microsoft Copilot right.”

However, here’s one use designed specifically for web browsing: giving you information about the current web page you’re viewing. Copilot shows you information such as its rating from users, a bar chart representing total visitors to the site, analysis of where the visitors come from, and so on. To get to it, click the Insights tab at the top of the pane.

Use Copilot to get info about a website.


You can also get a summary of the web page you’re viewing (such as a news article or legal brief) by selecting the Generate page summary button in the middle of the Copilot pane. For details, see “7 ways to use Microsoft Copilot right.”

7. Put tabs to sleep to conserve system resources and boost battery life

Like most people, you likely keep multiple tabs open in Edge. That way, you can easily switch among the sites, web apps, and information important to you. It’s a great time-saver.

But it can also be a big memory and processor hog, which can slow down both your browsing and your other computing tasks. It needn’t be that way, though. You can put inactive tabs to “sleep” until you need them, freeing up resources, which will make your PC speedier and make its battery last longer, even when you have multiple tabs open. Microsoft claims that putting inactive tabs to sleep reduces memory use by an average of 32% and CPU use by an average of 37%.

Here’s how to do it:

  1. In Edge, click the three-dot icon on the upper right of the screen and select Settings > System and Performance.
  2. In the “Optimize Performance” section, move the slider to On next to Save resources with sleeping tabs.
  3. To change the length of time it takes to put an inactive tab to sleep, next to “Put inactive tabs to sleep after the specified amount of time,” click the drop-down arrow and select a time. Your choice is anywhere from 30 seconds to 12 hours.

Putting tabs to sleep can significantly reduce CPU and memory use.


To reawaken any tab that’s been put to sleep, simply click on it, and it will resume normal activity.

There’s a chance that some sites might not work properly after they’ve been put to sleep. If that happens to you, you can tell Edge never to put that site to sleep again. To do it, in the “Never put these sites to sleep” area, click the Add button and paste in the URL of any site you don’t want to sleep.
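The same sleeping-tabs settings from the steps above can be enforced on managed Windows PCs through Edge’s policy registry keys. This is an added example, not part of the original article; it assumes the Edge policy names SleepingTabsEnabled, SleepingTabsTimeout (in seconds) and SleepingTabsBlockedForUrls, uses constructed sample URLs, and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article): apply Tip 7's sleeping-tabs settings
# via Edge policy keys so they hold across managed PCs. Assumes the Edge
# policy names SleepingTabsEnabled, SleepingTabsTimeout (seconds) and
# SleepingTabsBlockedForUrls. Run as Administrator.
$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Sites that should never be put to sleep (constructed sample values).
$NeverSleep = @('https://mail.example.com', 'https://meet.example.org')

# Timeout in seconds; the article's GUI range is 30 seconds to 12 hours (43200 s).
$TimeoutSeconds = 2 * 60 * 60   # 2 hours

if (-not (Test-Path $EdgePolicy)) {
    New-Item -Path $EdgePolicy -Force | Out-Null
}

# Turn sleeping tabs on and set the inactivity timeout.
Set-ItemProperty -Path $EdgePolicy -Name 'SleepingTabsEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $EdgePolicy -Name 'SleepingTabsTimeout' -Value $TimeoutSeconds -Type DWord

# List-valued Edge policies live in a subkey whose values are named 1, 2, 3, ...
$BlockedKey = Join-Path $EdgePolicy 'SleepingTabsBlockedForUrls'
if (Test-Path $BlockedKey) {
    Remove-Item -Path $BlockedKey -Recurse -Force   # start from a clean list
}
New-Item -Path $BlockedKey -Force | Out-Null
$i = 1
foreach ($url in $NeverSleep) {
    Set-ItemProperty -Path $BlockedKey -Name "$i" -Value $url -Type String
    $i++
}

# Read the result back. Edge shows policy-controlled settings as locked in
# Settings > System and Performance, and edge://policy lists what was applied.
Get-ItemProperty -Path $EdgePolicy | Select-Object SleepingTabsEnabled, SleepingTabsTimeout
Get-ItemProperty -Path $BlockedKey | Select-Object -Property * -ExcludeProperty PS*
```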

8. Reduce power use with efficiency mode

Browsers can be power hogs, especially if you have multiple tabs open and are playing videos and music in them. That can be a particular problem if you’re using a laptop that isn’t plugged into a power source.

In Edge, efficiency mode reduces the amount of system resources the browser uses, which extends your PC’s battery life. If you enable efficiency mode, it becomes active when your laptop is unplugged. Microsoft claims efficiency mode can give you on average an extra 25 minutes of battery life. To use it:

  1. In Edge, click the three-dot icon on the upper right of the screen and select Settings > System and Performance.
  2. In the “Optimize Performance” section, move the slider to On next to “Efficiency mode.”

You can get an extra 25 minutes of battery life with efficiency mode, Microsoft claims.


Note that if you’re using a desktop PC or your laptop is plugged in, there’s no need to use efficiency mode.

9. View and mark up PDFs

With Edge, there’s no need to launch a separate piece of software when you come across a PDF online or when you want to read and mark up one on your PC; its built-in PDF app is quite good. With it you can draw on and highlight sections of the PDF and erase the marks you made as well. So save yourself time and use Edge rather than third-party software.

You don’t need to do anything to read a PDF online. Simply click it, and by default it will launch in Edge’s reader. You’ll find the markup tools, including for drawing, highlighting, and erasing, in a toolbar towards the top of the screen. To open a PDF from your hard disk, when you’re in Edge, press Ctrl-O, then navigate to the PDF you want to open and click it.

Edge has a surprisingly useful PDF viewer with markup tools.


If you prefer to use your own PDF reader, even for PDFs found online, you might be annoyed that every time you click a PDF, it opens in Edge’s PDF reader. You can change that, though, by changing your default PDF reader.

In Windows Settings, select Apps > Default Apps and in the search box at the top of the screen just below “Set a default for a file type or link type,” type in .pdf. After you do that, the listing “Microsoft Edge Microsoft Edge PDF document” appears. Click it, and a screen appears showing you all the applications on your PC that can read PDFs. Select the one you want to use instead of Edge.

10. Use Edge’s one-click form filler

How many hours a week do you spend mindlessly filling out web forms — your office or home address, shipping address, email address, phone number, and credit card information? Wouldn’t it be nice to get that time back?

With Microsoft Wallet, built into Edge, you can do that. To use it, in Edge go to Settings > Profiles. In the Microsoft Wallet section, click Open Wallet and then click Home. You’ll see sections for adding a variety of information, such as for credit cards and other payment information, personal information, memberships, and so on. Click any item and type in the information you want to add.

Microsoft Wallet saves information that can be used to fill out forms online.


From now on, whenever you visit a web form, just click in a text box and your information will appear in a popup. Select it and the form will fill in. You can go back to Microsoft Wallet to change any information you want.

11. Save time with keyboard shortcuts

There’s a good chance you use keyboard shortcuts for some of your office applications, like Word and Excel — and you likely use some for Windows itself.

But when it comes to browsers, many people forgo the keyboard except when absolutely necessary. That’s too bad, because keyboard shortcuts are a big timesaver. So to improve your productivity, check out these keyboard shortcuts for Edge in Windows. (Mac users can generally substitute the Cmd key for Ctrl and the Opt key for Alt.)

For even more shortcuts, see Microsoft’s complete list of keyboard shortcuts for Edge.

Useful keyboard shortcuts in Microsoft Edge

Key combination         Task
Ctrl-Shift-B            Show or hide the favorites bar
Ctrl-D                  Add the current site to favorites
Alt-D or Ctrl-L         Select the URL in the Address bar
Ctrl-E or Ctrl-K        Open a search in the Address bar
Ctrl-F                  Find on the current page
Ctrl-R                  Reload the current page
Ctrl-H                  Open your History
Ctrl-M                  Mute or unmute volume on the current tab
Ctrl-N                  Open a new window
Ctrl-Shift-N            Open a new InPrivate window
Alt-F4 or Ctrl-Shift-W  Close the current window
Ctrl-T                  Open a new tab and switch to it
Ctrl-W                  Close the current tab
Ctrl-Tab                Switch to the next tab
Ctrl-Shift-Tab          Switch to the previous tab
Ctrl-+ (plus symbol)    Zoom in
Ctrl-- (hyphen)         Zoom out
Ctrl-P                  Print the current page

This article was originally published in March 2021 and updated in April 2024.

Browsers, Microsoft Edge, Productivity Software
Category: Hacking & Security