# Parag Mali - paragmali.com

> AI-authored deep dives on Windows security, endpoint protection, and supply-chain attacks - written by a multi-agent pipeline I designed and operate. Content is © Parag Mali. All rights reserved. Reading and linking are fine; reuse, redistribution, derivative works, translations, and machine-learning training require prior written permission from the author.

## Blog

- [Five Ways Windows Authentication Breaks: A Machine-Checked Tour -- and Why Finding Nothing New Is the Point](https://paragmali.com/blog/five-ways-windows-authentication-breaks-a-machine-checked-to.md): A Tamarin and Dolev-Yao tour of 23 Windows authentication protocols: five recurring failure patterns, what a prover can prove, and the boundary it cannot cross.
- [One Event, Three Portals: How a Single Sysmon Line Becomes a Microsoft Defender XDR Incident](https://paragmali.com/blog/one-event-three-portals-how-a-single-sysmon-line-becomes-a-m.md): Trace a single Sysmon ProcessCreate event through six hops -- from Windows kernel emission to a unified Microsoft Defender XDR incident -- and where the convergence stops.
- [Below the OS: The Pre-Boot Trust Chain Where Secure Boot Inherits Its Trust From](https://paragmali.com/blog/below-the-os-the-pre-boot-trust-chain-where-secure-boot-inhe.md): Walk the eleven rungs from CPU reset to winload.efi -- Intel Boot Guard, AMD PSB, CSME, the PSP, KB5025885, and why the April 2023 MSI OEM-key leak is structurally permanent.
- [Rotating Every Cipher: SChannel and the Twenty-Year Algorithm-Agility Story of Windows TLS](https://paragmali.com/blog/rotating-every-cipher-schannel-and-the-twenty-year-algorithm.md): How one Windows DLL rotated every TLS primitive from RC4 to ML-KEM without breaking IIS, RDP, SQL Server, or .NET SslStream -- and why Vista's 2007 CNG was the inflection point.
- [The Same-Privilege Paradox: Twenty-One Years of Windows Kernel Self-Defense](https://paragmali.com/blog/the-same-privilege-paradox-twenty-one-years-of-windows-kerne.md): PatchGuard, KASLR, KDP, and the Win32k Lockdown are four answers to one paradox -- a defense at the attacker's privilege cannot succeed in principle. The 2005-2026 trajectory is migration out of the kernel.
- [The Twenty-Year Local Admin Password Crisis: From GPP cpassword to Windows LAPS](https://paragmali.com/blog/the-twenty-year-local-admin-password-crisis-from-gpp-cpasswo.md): Microsoft published the AES key that "protected" Group Policy Preferences passwords. Twelve years later, MS14-025 still has not deleted the artefacts. Here is how Windows LAPS finally fixed the architecture -- and what it still cannot solve.
- [A Mitigation That Became a Primitive: The Story of SeImpersonatePrivilege](https://paragmali.com/blog/a-mitigation-that-became-a-primitive-the-story-of-seimperson.md): How a 2003 backward-compatibility privilege became the most-abused Windows service primitive, and why every Microsoft closure path breaks something shipped.
- [Seventy-Eight Minutes That Evicted Antivirus From the Windows Kernel](https://paragmali.com/blog/seventy-eight-minutes-that-evicted-antivirus-from-the-window.md): How a CrowdStrike channel-file update on July 19, 2024 collapsed twenty years of resistance to evicting third-party AV from the Windows kernel.
- [Three Years of PrintNightmare: How the Oldest Windows Service Survived Four Patch Waves](https://paragmali.com/blog/three-years-of-printnightmare-how-the-oldest-windows-service.md): How the Windows Print Spooler produced nine SYSTEM-execution primitives in 2010-2024 and why Microsoft answered with two parallel architectures, not one.
- [AppLocker vs App Control for Business: Two Locks on the Same Door, and Why Windows Still Ships Both in 2026](https://paragmali.com/blog/applocker-vs-app-control-for-business-two-locks-on-the-same-.md): Windows 11 24H2 ships two parallel application-control systems. One is operational hygiene; the other is the security boundary. The line between them is a single sentence in MSRC servicing criteria.
- [Verify Me, Don't Trust Me: Apple PCC, Azure Confidential AI, and the Architecture of the Modern AI Cloud](https://paragmali.com/blog/verify-me-dont-trust-me-apple-pcc-azure-confidential-ai-and-.md): Apple Private Cloud Compute and Azure confidential AI ship the same promise through unrecognisably different machinery. On five axes they differ in degree. On one axis -- verifiable transparency of the production fleet -- they differ in kind.
- [Mimikatz and the Credential-Theft Decade: The Windows Security Wars Part 3 (2009-2014)](https://paragmali.com/blog/mimikatz-and-the-credential-theft-decade-the-windows-securit.md): Microsoft killed the rootkit class with AppLocker, Secure Boot, ELAM, and AppContainer. Then a side project in C named Mimikatz proved the wrong layer had been hardened.
- [SYSTEM in Ten Seconds: How the Potato Family Survived Every Microsoft Mitigation](https://paragmali.com/blog/system-in-ten-seconds-how-the-potato-family-survived-every-m.md): A decade of Windows local privilege escalation -- HotPotato through FakePotato -- rests on one architectural decision Microsoft has refused to revisit.
- [The Integrity-Level Stack: MIC, UIPI, and Twenty Years of UAC's Quiet Plumbing](https://paragmali.com/blog/the-integrity-level-stack-mic-uipi-and-twenty-years-of-uacs-.md): What UAC actually is beneath the consent prompt: Mandatory Integrity Control, UIPI, the split-token model, and twenty years of bypass research as proof.
- [From ION to did:web: The Seven-Year Compromise Behind Microsoft Entra Verified ID](https://paragmali.com/blog/from-ion-to-didweb-the-seven-year-compromise-behind-microsof.md): Microsoft built a Bitcoin-anchored decentralized identity network, ran it for three years, then quietly turned it off. This is what actually ships in May 2026 and why.
- [The 28-Hour Bargain: How Continuous Access Evaluation Made Long-Lived Tokens Safe](https://paragmali.com/blog/the-28-hour-bargain-how-continuous-access-evaluation-made-lo.md): How Microsoft Entra Continuous Access Evaluation lets access tokens safely live up to 28 hours by pairing them with a near-real-time revocation channel.
- [The Layer Above the OS: The Windows Security Wars Part 6 (2023-2026)](https://paragmali.com/blog/the-layer-above-the-os-the-windows-security-wars-part-6-2023.md): How Storm-0558, CrowdStrike, and the Recall saga forced Microsoft to admit the biggest attack surface on a modern Windows PC is no longer the OS itself.
- [Two Months Without Code: The Windows Security Wars Part 1 (1995-2001)](https://paragmali.com/blog/two-months-without-code-the-windows-security-wars-part-1-199.md): In 1995-2001 the worms won. The Trustworthy Computing memo and the ten-week Windows Security Push that followed taught the industry how to ship secure software.
- [Eight Primitives, One Worm: The Windows Security Wars Part 2 (2002-2008)](https://paragmali.com/blog/eight-primitives-one-worm-the-windows-security-wars-part-2-2.md): How Microsoft re-engineered Windows around security between January 2002 and October 2009 -- and why a wormable RCE patched on October 23, 2008 still infected nine to fifteen million machines.
- [Forged from 2016: How Storm-0558 Turned One Stolen Signing Key into U.S. Government Email Access](https://paragmali.com/blog/forged-from-2016-how-storm-0558-turned-one-stolen-signing-ke.md): A 2016 consumer Microsoft signing key, never rotated, forged tokens that read U.S. government email for six weeks before a paying customer noticed. A technical reconstruction.
- [Pass-the-Hash to Pass-the-PRT: Twenty-Nine Years of Windows Credential Replay in One Family Tree](https://paragmali.com/blog/pass-the-hash-to-pass-the-prt-twenty-nine-years-of-windows-c.md): Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Pass-the-Certificate, and Pass-the-PRT are one architectural lineage. Each defense bought years; none closed the family.
- [Above the Kernel: The Windows Security Wars Part 4 (2015-2019)](https://paragmali.com/blog/above-the-kernel-the-windows-security-wars-part-4-2015-2019.md): Windows 10 ships Virtualization-Based Security and finally puts the credential store above the kernel -- in the same five years that ransomware became a billion-dollar industry.
- [Every UAC Prompt Is an ALPC Handshake: A Field Guide to Windows' Most-Attacked Local IPC Fabric](https://paragmali.com/blog/every-uac-prompt-is-an-alpc-handshake-a-field-guide-to-windo.md): ALPC and LRPC are the asynchronous local-IPC fabric under every Windows service. This is the story of the kernel object Microsoft does not document and the attack surface almost every Patch Tuesday still fixes.
- [Microsoft Defender for Identity: The Defensive AD Stack That Sees What BloodHound Maps](https://paragmali.com/blog/microsoft-defender-for-identity-the-defensive-ad-stack-that-.md): A field guide to Microsoft Defender for Identity, the on-DC sensor and cloud analytics engine descended from Aorato, that fires named alerts on almost every offensive AD primitive in the corpus -- and the five structural blind spots it cannot close.
- [The Thirteen Months That Made Zero Trust Unavoidable: The Windows Security Wars Part 5 (2020-2023)](https://paragmali.com/blog/the-thirteen-months-that-made-zero-trust-unavoidable-the-win.md): Four incidents in thirteen months -- SolarWinds, ProxyLogon, PrintNightmare, Log4Shell -- broke four Windows architectural assumptions and forced the Zero Trust pivot the industry had on the shelf since August 2020.
- [AD Is a Graph: How BloodHound Made Defenders Think Like Attackers](https://paragmali.com/blog/ad-is-a-graph-how-bloodhound-made-defenders-think-like-attac.md): From Lambert's 2015 essay to Microsoft Security Exposure Management in 2024 -- how the attack-path graph became the default model for Active Directory security.
- [Attack Surface Reduction Rules: The Quiet Layer That Stopped Office Macros](https://paragmali.com/blog/attack-surface-reduction-rules-the-quiet-layer-that-stopped-.md): How Microsoft built a 19-rule, kernel-mediated behaviour block list inside Windows Defender that turned the Emotet macro chain into a one-row, no-ticket telemetry event.
- [Beyond BitLocker: The Three File-Level Encryption Layers Microsoft Hides in Plain Sight](https://paragmali.com/blog/beyond-bitlocker-the-three-file-level-encryption-layers-micr.md): BitLocker is one layer of four. EFS, Personal Data Encryption, and Purview sensitivity labels close gaps BitLocker structurally cannot -- three roots, three threat models, by design.
- [Living Off the Land on Windows: The LOLBin Catalog and the Structural Ceiling Microsoft Cannot Break](https://paragmali.com/blog/living-off-the-land-on-windows-the-lolbin-catalog-and-the-st.md): How a 1996 Authenticode design choice produced the LOLBin class, why the LOLBAS catalog has 207 binaries and Microsoft only blocks ~40, and why that gap is permanent.
- [The Card That Wasn't a Card: How Windows Authentication Outgrew the Smart Card Metaphor](https://paragmali.com/blog/the-card-that-wasnt-a-card-how-windows-authentication-outgre.md): Smart cards, virtual smart cards, and Windows authentication 1996-2026: from PC/SC and PIV through the 2014 NTLM-secondary defect to WHfB and FIDO2.
- [The Connection That Refused to Downgrade: Twenty-Five Years of SMB Cryptography, Finally Default-On](https://paragmali.com/blog/the-connection-that-refused-to-downgrade-twenty-five-years-o.md): How SMB 3.1.1 pre-authentication integrity, AES-256-GCM, and SMB-over-QUIC closed a 25-year attack tradition, and which attacks still survive in 2026.
- [Who Decided This Token Is Good? A Field Guide to Conditional Access and Entra ID Protection](https://paragmali.com/blog/who-decided-this-token-is-good-a-field-guide-to-conditional-.md): A wire-level tour of Microsoft Entra Conditional Access, Identity Protection, and Continuous Access Evaluation, plus the five things they cannot do.
- [Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You](https://paragmali.com/blog/agentic-identity-on-windows-when-the-process-acting-on-your-.md): Every AI agent on Windows in 2026 runs as the logged-on user. The cloud-identity layer has crossed the agent-attribution gap; the OS layer has not. This article maps the FIDO AATWG pillars onto Windows primitives and asks what is missing.
- [Certified Pre-Owned: AD CS and Active Directory's Second Trust Root](https://paragmali.com/blog/certified-pre-owned-ad-cs-and-active-directorys-second-trust.md): AD CS ESC1-ESC16: how Microsoft shipped Certificate Services in 2000, what SpecterOps named in 2021, and why the catalog grows faster than the patches.
- [Privileged Identity Management: How a Two-State Role Assignment Retired Standing Admin](https://paragmali.com/blog/privileged-identity-management-how-a-two-state-role-assignme.md): Microsoft Entra PIM did not add eight features. It added one field to the role-assignment object -- and everything else, from activation policies to GDAP, is downstream.
- [BitUnlocker: When Microsoft's Recovery Environment Becomes the Master Key](https://paragmali.com/blog/bitunlocker-when-microsofts-recovery-environment-becomes-the.md): In July 2025, Microsoft's internal red team chained four CVEs in WinRE to bypass TPM-only BitLocker in under five minutes -- and the structural lesson is older than Windows 11.
- [The Registry Adventure: How One Researcher Read 100,000 Lines of Windows Kernel C and Found 50 Bugs](https://paragmali.com/blog/the-registry-adventure-how-one-researcher-read-100000-lines-.md): Between May 2022 and December 2023, Mateusz Jurczyk audited the Windows registry parser and produced 50 CVEs. The methodology is the story.
- [Windows Security Boundaries: The Document That Decides What Gets a CVE](https://paragmali.com/blog/windows-security-boundaries-the-document-that-decides-what-g.md): Microsoft maintains a single public document that decides which Windows vulnerability reports receive a CVE, a Patch Tuesday bulletin, and a bounty payout. Here is how to read it.
- [KRBTGT: The Account That Owns Active Directory](https://paragmali.com/blog/krbtgt-the-account-that-owns-active-directory.md): Active Directory ships with one cryptographic key whose disclosure forges valid TGTs for every principal -- and why rotating it is necessary but not sufficient.
- [Rust in the Windows Kernel: A Field Guide to the 2024-2026 Memory-Safety Refit](https://paragmali.com/blog/rust-in-the-windows-kernel-a-field-guide-to-the-2024-2026-me.md): Rust ships in the Windows 11 kernel today. A primary-sourced field guide to what actually shipped from BlueHat IL 2019 through 24H2 in 2026, and what did not.
- [Who is allowed to log in where? The KDC-side answer to credential theft in Active Directory](https://paragmali.com/blog/who-is-allowed-to-log-in-where-the-kdc-side-answer-to-creden.md): A 28-year arc from Paul Ashton's pass-the-hash demonstration to the 2026 reference deployment of Tiering, Protected Users, and Authentication Policy Silos.
- [Windows Downdate: When the Update Itself Is the Attack](https://paragmali.com/blog/windows-downdate-when-the-update-itself-is-the-attack.md): How Alon Leviev turned Windows Update into a downgrade primitive, rolling fully-patched Windows 11 back to vulnerable VBS components while every signature still verified.
- [Two Checkmarks and the Keys to the Kingdom: How Active Directory's Replication Protocol Became the Longest-Lived Credential Attack on Windows](https://paragmali.com/blog/two-checkmarks-and-the-keys-to-the-kingdom-how-active-direct.md): MS-DRSR was designed for domain controllers to replicate secrets to each other. Its access check gates on an ACL, not on whether the caller is a DC. Eleven years after Mimikatz proved it, no patch can fix it.
- [The Age Gate That Doesn't Know Your Age: How Anonymous Credentials Finally Crossed the Deployment Chasm](https://paragmali.com/blog/the-age-gate-that-doesnt-know-your-age-how-anonymous-credent.md): Forty years after David Chaum's manifesto, anonymous credentials -- Privacy Pass, BBS, SD-JWT, Longfellow-zk -- have shipped into every major browser.
- ["The Vault is Solid. The Delivery Truck is Not." -- Microsoft Recall's Two-Year Re-Architecture from Plaintext SQLite to VBS Enclaves](https://paragmali.com/blog/microsoft-recall-2024-2026-re-architecture.md): How Microsoft Recall went from a plaintext SQLite database broken in four weeks to a VBS-Enclave + TPM-sealed + Hello-gated architecture, and what TotalRecall Reloaded still extracts. (Article title borrows Alexander Hagenah's framing, attributed in §8.1.)
- [CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms](https://paragmali.com/blog/cng-architecture-bcrypt-ncrypt-ksps.md): A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
- [eBPF vs ETW: Two Generations of Kernel Observability](https://paragmali.com/blog/ebpf-vs-etw-two-generations-of-kernel-observability.md): Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.
- [Two Routes to Code Integrity: Linux IMA + AppArmor vs Windows WDAC + AMSI](https://paragmali.com/blog/two-routes-to-code-integrity-linux-ima--apparmor-vs-windows-.md): Linux and Windows answer one question -- "is this code allowed to run?" -- with very different machinery. Where the verifier lives matters more than how strong it is.
- [Apple Secure Enclave vs Microsoft Pluton: Two Roads to Hardware Root of Trust](https://paragmali.com/blog/apple-secure-enclave-vs-microsoft-pluton-two-roads-to-hardwa.md): How Apple SEP and Microsoft Pluton solve the same problem -- keeping your secrets safe from a compromised OS -- using two very different silicon strategies.
- [Hyper-V Enlightenments, VMBus, and the Synthetic Device Model](https://paragmali.com/blog/hyper-v-enlightenments-vmbus-and-the-synthetic-device-model.md): How Hyper-V guests get high-performance device I/O without emulating legacy hardware: enlightenments, the TLFS, VMBus rings, the VSP/VSC pair, and why the host-side parser is the attack surface.
- [The Driver That Was Signed and the Driver That Won't Load: Windows Kernel Code Integrity, 2006-2026](https://paragmali.com/blog/windows-kernel-code-integrity-2006-2026.md): A history of Windows kernel code-signing -- KMCS, BYOVD, HVCI, the Vulnerable Driver Block List, and why a 2026 Windows kernel uses five gates to decide what loads.
- [Windows Sandbox vs Windows Defender Application Guard: Two Hyper-V Sandboxes, Different Threat Models](https://paragmali.com/blog/windows-sandbox-vs-wdag.md): Two Hyper-V-backed isolation containers shipped in Windows -- one survived, one was retired. The story of why disposable beat persistent, and what each model was actually for.
- [From `cmd.exe` to a Kusto Row in 90 Seconds: How Sysmon and Defender for Endpoint Actually Work](https://paragmali.com/blog/from-cmdexe-to-a-kusto-row-in-90-seconds-how-sysmon-and-defe.md): The seven-layer production EDR pipeline -- kernel callback, ETW publisher, MsSense.exe, SenseCncProxy, Kusto, KQL -- traced end to end for Sysmon and Defender for Endpoint.
- [Inside Azure Confidential VMs: SEV-SNP, Intel TDX, and the Paravisor that Makes Them a Cloud Product](https://paragmali.com/blog/inside-azure-confidential-vms-sev-snp-intel-tdx-and-the-para.md): Azure Confidential VMs combine AMD SEV-SNP and Intel TDX with the OpenHCL paravisor and MAA policy v1.2. A textbook tour from silicon to relying party.
- [Mark of the Web, SmartScreen, and the Catalog of Trust: How Windows Decides Whether to Warn You](https://paragmali.com/blog/mark-of-the-web-smartscreen-catalog-of-trust.md): How Windows stacks three trust layers -- origin, reputation, and signed catalog -- and why the 2022-2024 SmartScreen bypass arc was always a propagation bug, never a cryptography bug.
- [AMSI: The Pre-Execution Window Where Defender Catches a Base64 Payload It Has Never Seen Before](https://paragmali.com/blog/amsi-the-pre-execution-window-defender.md): How the Antimalware Scan Interface scans script content after deobfuscation but before execution, the seven runtimes it plugs into, and the nearly seven-year bypass arms race that followed.
- [AppContainer and LowBox Tokens: Windows's Capability Sandbox](https://paragmali.com/blog/appcontainer-and-lowbox-tokens-windowss-capability-sandbox.md): How a single bit in Windows's access token, two new SID alphabets, and a per-package namespace partition let the kernel give two co-tenanted apps opposite verdicts.
- [Authenticode and Catalog Files: The Crypto Foundation Under WDAC](https://paragmali.com/blog/authenticode-and-catalog-files-the-crypto-foundation-under-w.md): Every Windows trust decision -- UAC, SmartScreen, WDAC, kernel-driver loading -- bottoms out on the same PKCS#7 SignedData envelope shipped in IE 3 in August 1996. Here is the byte-level reason.
- [Control Flow Integrity on Windows: CFG, XFG, and the CET Shadow Stack](https://paragmali.com/blog/control-flow-integrity-on-windows-cfg-xfg-and-the-cet-shadow.md): Three generations of control-flow integrity on Windows: the CFG bitmap (2014), the XFG prototype-hash (never fully shipped), and the Intel CET shadow stack (2020). Why each shipped, and what the ~70% memory-safety statistic still leaves open.
- [Direct Anonymous Attestation: The Zero-Knowledge Proof Already in Every TPM](https://paragmali.com/blog/direct-anonymous-attestation-the-zero-knowledge-proof-alread.md): TPM 2.0 names a zero-knowledge group-signature primitive in its spec. A billion chips ship it. Almost nobody verifies it. The story of why DAA won every standardization fight and lost every deployment one.
- [From /hotpatch to \$1.50 a Core: The Live-Patch Pipeline Microsoft Built and Then Made Public](https://paragmali.com/blog/from-hotpatch-to-150-a-core-the-live-patch-pipeline-microsof.md): How Windows hot patching evolved from a 1990s compiler flag to a Secure-Kernel-mediated, three-layer pipeline shipping in three product waves between 2022 and 2025.
- [Inside the Primary Refresh Token: The Cryptographic Seam Between Windows Logon and Microsoft Entra ID](https://paragmali.com/blog/inside-the-primary-refresh-token-the-cryptographic-seam-betw.md): How one TPM-bound JWT issued at first sign-in bridges Windows logon and Microsoft Entra ID -- and how Pass-the-PRT taught Microsoft to bind the derivation to the message.
- [Measured Boot: The TCG Event Log from SRTM to PCR-Bound BitLocker](https://paragmali.com/blog/measured-boot-the-tcg-event-log-from-srtm-to-pcr-bound-bitlo.md): How Windows turns every byte of firmware, every signed boot manager, and every loaded driver into a single 32-byte hash that decides whether BitLocker unlocks your disk -- and why patching that chain breaks it.
- [Protected Process Light: When the Administrator Isn't Enough](https://paragmali.com/blog/protected-process-light-when-the-administrator-isnt-enough.md): How a single byte in EPROCESS encodes a signer lattice that denies SYSTEM-integrity admins the right to read LSASS -- and why every public bypass since 2018 attacks the same structural seam.
- [From Password-in-the-Pipe to Cloud-Issued Session: Twenty-Six Years of RDP Authentication](https://paragmali.com/blog/rdp-authentication-26-years.md): How five generations of Windows RDP authentication -- classic delegation, NLA via CredSSP, Restricted Admin, Remote Credential Guard, and PRT-over-RDP -- retreated from the 1998 design that gave attackers the keys to every target.
- [The Day 8.5 Million Devices Couldn't Boot -- and How Microsoft Rebuilt Recovery as a Security Surface](https://paragmali.com/blog/the-day-85-million-devices-couldnt-boot----and-how-microsoft.md): The Windows Recovery Environment worked perfectly on July 19, 2024. That was the problem. How WinRE, Quick Machine Recovery, and the Windows Resiliency Initiative re-priced fleet-scale recovery.
- [Windows Filtering Platform: The Kernel-Mode Firewall You Don't See](https://paragmali.com/blog/windows-filtering-platform-the-kernel-mode-firewall-you-dont.md): The Windows Filtering Platform is the kernel-mode engine under wf.msc, IPsec, WinNAT, the Hyper-V vSwitch, and every modern Windows EDR.
- [DPAPI and DPAPI-NG: The Credential Vault Under Everything](https://paragmali.com/blog/dpapi-and-dpapi-ng-the-credential-vault-under-everything.md): A 25-year tour of Windows Data Protection API: the four-stage classic chain, the 2012 DPAPI-NG redesign, the KDS root key, and the five structural ceilings the design cannot close.
- [Edge's Two Password Cryptographies: A Beautiful PSI on the Wire, and Plaintext RAM by Design](https://paragmali.com/blog/edge-two-password-cryptographies.md): Microsoft Edge ships a homomorphic-encryption PSI for breach checking and decrypts every saved password into process RAM at launch. Both designs are deliberate. They defend different threat models.
- [ETW: How Windows 2000's Performance Hack Became the EDR Substrate](https://paragmali.com/blog/etw-how-windows-2000s-performance-hack-became-the-edr-substr.md): Event Tracing for Windows is the kernel-buffered observability bus every modern Windows EDR consumes. This is the architecture, the attacks, and the one provider that survives them.
- [Fuzzy Extractors and the One Inequality That Explains Why Windows Hello Doesn't Use One](https://paragmali.com/blog/fuzzy-extractors-windows-hello.md): Fuzzy extractors turn noisy biometrics into stable cryptographic keys. A single 2004 inequality explains why Windows Hello deliberately does not use one.
- [Kerberos in Windows: The Other Half of NTLMless](https://paragmali.com/blog/kerberos-in-windows-the-other-half-of-ntlmless.md): After NTLM, Kerberos becomes the load-bearing authentication protocol for Windows. Eight years of attacks, the December 2025 Beyond-RC4 cadence, and the H2 2026 IAKerb / Local KDC broad enable.
- [Plug and Trust: How Windows Decides What to Do When You Plug In a USB Device](https://paragmali.com/blog/plug-and-trust-how-windows-decides-what-to-do-when-you-plug-.md): In the 250 ms between physical insertion and class-driver attach, Windows executes ten kernel-mode operations (eleven for composite devices) and trusts ~256 bytes of self-described descriptors.
- [Post-Quantum Cryptography on Windows: The Thirty-Year Migration That Just Arrived](https://paragmali.com/blog/post-quantum-cryptography-on-windows-the-thirty-year-migrati.md): How NIST FIPS 203/204/205 reaches the Windows platform via SymCrypt, CNG, Schannel, and .NET 10 -- the algorithm internals, the wire format, the migration timeline, and the honest accounting.
- [Process Mitigation Policies: CFG, ACG, CIG, and the Layer Between App Identity and the Kernel](https://paragmali.com/blog/process-mitigation-policies-cfg-acg-cig-and-the-layer-betwee.md): A thirty-year history of Windows process mitigation policies -- DEP, ASLR, CFG, XFG, CET, ACG, CIG -- and the structural reason each one exists.
- [The ACPI Tables That Quietly Secure Your Windows Machine](https://paragmali.com/blog/the-acpi-tables-that-quietly-secure-your-windows-machine.md): Five small ACPI tables -- DMAR, IORT, WSMT, SDEV, WPBT -- form the firmware-OS contract behind VBS, Credential Guard, Kernel DMA Protection, and BitLocker.
- [The Empty Hash: Credential Guard, the LsaIso Trustlet, and the Eleven-Year LSASS Extraction Tradition](https://paragmali.com/blog/the-empty-hash-credential-guard-the-lsaiso-trustlet-and-the-.md): Why a 2026 Mimikatz dump returns [LSA Isolated Data] instead of an NTLM hash, what LsaIso.exe really computes, and the five things Credential Guard was never going to close.
- [The Object Manager Namespace: The Hierarchical Filesystem Underneath Every Windows Security Boundary](https://paragmali.com/blog/the-object-manager-namespace.md): A bottom-up tour of the Windows Object Manager namespace, the 1993 Cutler-era kernel data structure that every Windows security boundary quietly assumes.
- [WDAC + HVCI: Code Integrity at Every Layer in Windows](https://paragmali.com/blog/wdac--hvci-code-integrity-at-every-layer-in-windows.md): How Windows decides which code is allowed to run, end-to-end: WDAC policy schema, HVCI per-VTL SLAT enforcement, the audit-to-enforce loop, and the residual attack surface neither feature can close.
- [WebAuthn and Passkeys on Windows: From CTAP to the Credential Provider Model](https://paragmali.com/blog/webauthn-and-passkeys-on-windows-from-ctap-to-the-credential.md): The know/have/are taxonomy collapses against modern phishing kits. Passkeys, WebAuthn Level 3, CTAP 2.x, and Windows 11 24H2 third-party providers score against the criteria that actually matter -- and recovery is the load-bearing column.
- [Above Ring Zero: How the Windows Hypervisor Became a Security Primitive](https://paragmali.com/blog/above-ring-zero-how-the-windows-hypervisor-became-a-security.md): A deep tour of the Windows hypervisor as the substrate of VBS, HVCI, Credential Guard, and Secure Launch -- its five primitives, the boundary it commits to, and the public failures that calibrate it.
- [Adminless: How Windows Finally Made Elevation a Security Boundary](https://paragmali.com/blog/adminless-how-windows-finally-made-elevation-a-security-boun.md): Administrator Protection replaces UAC with a system-managed admin account created per elevation, gated by Windows Hello, and destroyed when the job is done.
- [NTLMless: The Death of NTLM in Windows](https://paragmali.com/blog/ntlmless-the-death-of-ntlm-in-windows.md): Thirty years of pass-the-hash, NTLM relay, PetitPotam, and ESC8 -- and the Kerberos engineering that finally lets Microsoft turn NTLM off by default.
- [VBS Trustlets: What Actually Runs in the Secure Kernel](https://paragmali.com/blog/vbs-trustlets-what-actually-runs-in-the-secure-kernel.md): A field guide to Virtualization-Based Security trustlets on Windows 11: the five gates a binary passes to become one, the inbox roster, and where the model ends.
- ["Can This Code Do This?" -- Twenty-Five Years of Attacks on the Windows Access-Control Model](https://paragmali.com/blog/windows-access-control-25-years-of-attacks.md): How a single kernel function, SeAccessCheck, decides every Windows operation -- and how Mimikatz, the Potato lineage, and seventy UAC bypasses each attack one of its inputs.
- [Pluton: A TPM On Silicon Microsoft Can Patch](https://paragmali.com/blog/pluton-a-tpm-on-silicon-microsoft-can-patch.md): How Microsoft moved the TPM onto the SoC die, ran it on Rust firmware, and patched it through Windows Update -- and what that cost in trust centralisation.
- [Secure Boot in Windows: The Chain From Sector Zero to Userinit, and Every Place It Has Broken](https://paragmali.com/blog/secure-boot-in-windows-the-chain-from-sector-zero-to-userini.md): How Windows verifies and measures itself from CPU reset to logon, every rung of the boot chain, every public break, and what Pluton is being built to fix.
- [The TPM in Windows: One Primitive, Twenty-Five Years, and the Chip Microsoft Bet On Twice](https://paragmali.com/blog/the-tpm-in-windows-one-primitive-twenty-five-years-and-the-c.md): How a passive 1999 cryptoprocessor became the load-bearing pillar of Windows security, and what twenty-five years of attacks taught us about its limits.
- ["Who Is This Code?" -- The Quiet 33-Year Reinvention of App Identity in Windows](https://paragmali.com/blog/windows-app-identity-33-year-reinvention.md): NT 3.1 could prove which user typed at the keyboard but had no answer to which code was running. Eight successive primitives later, Windows is still answering the same question.
- [When Your Password Manager Attacks You: Inside the Bitwarden CLI Supply Chain Compromise](https://paragmali.com/blog/when-your-password-manager-attacks-you-inside-the-bitwarden-.md): How the @bitwarden/cli npm package was hijacked for 93 minutes on April 22, 2026, subverting trusted publishing to steal AWS, GitHub, and SSH credentials from 334 installs.
- [The Defender's Dilemma: How Microsoft Won the Antivirus War It Can Never Finish](https://paragmali.com/blog/the-defenders-dilemma-microsoft-antivirus.md): From scoring 0.5/6 in AV-TEST to 100% MITRE detection with zero false positives -- the 20-year transformation of Windows Defender.
- [When SYSTEM Isn't Enough: The Windows Secure Kernel and the End of Total Kernel Trust](https://paragmali.com/blog/the-windows-secure-kernel.md): How Windows built a hardware-isolated kernel above Ring 0 using Hyper-V, protecting credentials and code integrity even after full NT kernel compromise.
- [No Secrets to Steal: How Windows Hello Eliminated the Shared Secret](https://paragmali.com/blog/your-face-is-not-your-password-inside-windows-hellos-hardwar.md): How Windows Hello replaced passwords with TPM-backed biometrics, survived a decade of attacks, and helped make passwordless the default.
- [BitLocker on Windows: Architecture, Attacks, and the Limits of Full-Disk Encryption](https://paragmali.com/blog/bitlocker-on-windows-architecture-attacks-and-the-limits-of-.md): How BitLocker evolved from an optional enterprise feature to encryption-by-default, its cryptographic architecture, every known attack, and what FDE still cannot protect against.

## About

- [About Parag](https://paragmali.com/about)

## Feeds

- [Everything (RSS)](https://paragmali.com/rss.xml)
- [Blog only (RSS)](https://paragmali.com/blog/rss.xml)
- [Full content](https://paragmali.com/llms-full.txt)
- [Sitemap](https://paragmali.com/sitemap-index.xml)