Henrik Falk January 29, 2026
Decrypting View State Messages
In this post, I'll be covering: How the autogen keys are generated, How the master machine keys are derived from the autogen keys, How the final machine keys are derived from the master machine keys, How the final keys can be used to decrypt view state messages. And this time, I'll be covering all this for both the legacy and the modern crypto configurations.
zeroed.tech/blog/decrypting-viewstate-messages
Bypassing Windows Administrator Protection
A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I'll then describe some of the security research I undertook while it was in the insider preview builds on Windows 11. Finally I'll detail one of the nine separate vulnerabilities that I found to bypass the feature to silently gain full administrator privileges. All the issues that I reported to Microsoft have been fixed.
projectzero.google/2026/26/windows-administrator-protection.html
Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals
Eventually after you write a tool, the time comes to make it public. That time has come for Swarmer, a tool for stealthy modification of the Windows Registry as a low privilege user. It’s been almost a year since we first deployed this technique in the wild, and given enough time has passed, it seems appropriate to share what we’ve learned about one of Windows’ dustier corners regarding mandatory user profiles.
www.praetorian.com/blog/corrupting-the-hive-mind-persistence-through-forgotten-windows-internals
