Oh crap. This is a nightmare. The fact that Windows Defender didn't check this key and instantly remove it is worrisome.
Windows XP never had Defender.
@@teknixstuff Oh, it did. And it was horrible. At that time, Microsoft had two optional programs: "Windows Defender" and "Microsoft Security Essentials". Defender didn't really do what it does today, that was MSE's job. Both programs later got merged at some point into what we have now.
What I was saying earlier was about *Windows 10*, where Defender should _definitely_ have caught this, because malware actually does this to stay in the system.
@@teknixstuff Windows 10's version of Defender didn't catch this either, which is probably what they're referencing
Windows Defender in Windows 11 does automatically delete this, I tried to do this on utilman (override accessibility menu with cmd), and the CMD window did appear, but immediately disappeared. And when I log back in, I see that the value is gone.
@BurnerAccount101-ui4et thanks for this comment! Will confirm later. Interesting that they didn't roll out whatever is detecting it to Windows 10.
This is NOT a bug or exploit! This key has legitimate use, and, when used with an actual debugger, can make finding and fixing bugs easier! The reason you encounter the issues in the video is that svchost is not a debugger, and instead just exits without doing anything when executed like this, essentially causing winlogon to act as though not present.
@@teknixstuff Yep, that was what I explained in the video - but the fact that Defender doesn't catch the debugger values being used in this way when referencing a system file is somewhat of a concern. They've patched or added Defender flags for other things that aren't outright malicious, like the sethc.exe cmd workaround.
@@yourpcpal Yes, but sethc has obvious security implications and few legitimate uses. Debugging winlogon is a thing that is common to legitimately do, and Microsoft's docs even explain how to do it properly for certain things.
@@teknixstuff you're not getting what I'm saying. Setting that key manually is actually not common at all. In my years of working in IT I've never had to (or heard of anyone else having to) debug winlogon in this way.
heyoooooo! enjoying this. it's the first vid I've seen from you and I am now subscribbled to you and hope to see more of ya. dunno if you're new or not but regardless you're makin' it, bc you were in my recommended feed!
Thanks
Hey PCPal I always love your videos! Could you maybe make a video sometime on installing a Windows virus (for educational purposes only of course)? I think it would be interesting to see how something like this works and what you can learn about the dangers and security of your computer.
This channel should be more popular
This seems actually very dangerous, however, is it possible that Microsoft will release an update even for every non-supported Windows version (maybe like when Wannacry was terrorizing the world, Microsoft released an update for Win XP)? Doesn't the Windows Defender monitor the registry as part of the Real-Time protection? Great video, hope it gets more views!
Thanks :)
Also to answer your question, I believe Windows Defender does monitor certain registry keys but it seems MS devs have overlooked this one.
@@yourpcpal they rarely unless it's a script that does over ...I'm not sure how many lines but it has to be more than the entire script of 20 LTT videos cause of how bad it is
Here before your channel explodes like an atomic bomb and gains 100k subs
same lol
this is an issue on modern Windows as well as XP then?
@@iGPR3 Yep, haven't tested on 11 yet but it definitely does the same thing on 10, just without a bluescreen
@@yourpcpal damn, Microsoft better hop on this asap. wouldn't be surprised if it takes them a good while though
On later versions of Windows (e.g. Windows 10), will the Command Prompt (where you can run regedit) from the Recovery Options also work to solve this problem?
Your comment was super interesting. On trying, it seems not, as the whole list of keys doesn't show for some reason.
snipboard.io/S0KW1x.jpg
Yes
@@yourpcpal it's because it's a Windows PE environment which is completely separate from your normal Windows installation
In theory you should be able to load the hive file the same way in the registry editor (load hive), delete the key, unload the hive, and reboot.
@@yourpcpal You need to load the registry hives from your actual OS image. File > Load Registry Hive, and from memory I think they're in C:\System32\Config.
WinPE is just a cutdown version of Windows, so it still has its own registry, which regedit will open by default
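As an added example (not code from the video or from any commenter), here is a PowerShell version of the offline fix described in the comments above: load the SOFTWARE hive from the broken install, list every Image File Execution Options (IFEO) subkey that carries a Debugger value, optionally delete the one set for winlogon.exe, and unload the hive. It assumes a WinPE/WinRE PowerShell running as administrator, the damaged Windows volume mounted as D:, and the hive at its standard path Windows\System32\config\SOFTWARE; the IFEO registry path is the real one, and the temporary mount name OfflineSOFTWARE is arbitrary.

```powershell
# Added example, not code from the video or the commenters. Audits an OFFLINE
# SOFTWARE hive for IFEO "Debugger" values and, with -Remove, deletes the one
# set for a chosen system binary (winlogon.exe by default).
# Assumptions: WinPE/WinRE PowerShell as admin, damaged Windows volume mounted
# as $WindowsDrive, hive at the standard Windows\System32\config\SOFTWARE path.
param(
    [string]$WindowsDrive = 'D:',
    [string]$Target = 'winlogon.exe',
    [switch]$Remove
)

$hiveFile  = Join-Path $WindowsDrive 'Windows\System32\config\SOFTWARE'
$mountName = 'OfflineSOFTWARE'   # temporary key name under HKLM for the loaded hive
$ifeoPath  = "HKLM:\$mountName\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

if (-not (Test-Path $hiveFile)) { throw "SOFTWARE hive not found: $hiveFile" }

# reg.exe load is what regedit's File > Load Hive does under the hood.
& reg.exe load "HKLM\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # 1. Report every IFEO subkey that has a Debugger value. A legitimate entry
    #    points at a real debugger; svchost.exe or cmd.exe here is a red flag.
    Get-ChildItem $ifeoPath -ErrorAction Stop | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Host ("{0,-24} Debugger = {1}" -f $_.PSChildName, $dbg) }
    }

    # 2. Optionally remove the value for the target binary only; any other
    #    settings under that IFEO key are left untouched.
    $targetKey = Join-Path $ifeoPath $Target
    if ($Remove -and (Get-ItemProperty $targetKey -Name Debugger -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $targetKey -Name Debugger
        Write-Host "Removed Debugger value for $Target. Reboot into the normal OS."
    }
}
finally {
    # Release handles and unload so the hive file is not left locked.
    [gc]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}
```

Run it once without -Remove to see what is set, then with -Remove to clear the winlogon.exe entry before rebooting.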
And can't you do it in safe mode?
Nope, winlogon is still loaded in safe mode so you just get a black screen.
@@yourpcpal copy that 🍻
Doesn't Windows keep a backup of a factory fresh copy of your registry? Couldn't you just go into recovery mode and boot up Windows with the backup registry?
I don't know about the recent versions of Windows. But versions before Windows 10 don't do that. You have to manually make your own backups.
This is wild considering I use a combo of Mac and a laptop
Good that it destroys Windows... then you can install some Linux based distro instead... :-)