Is Your Windows 11 PC at Risk? How a System File Could Be Used to Steal Passwords
A potential security weakness has been found in Windows 11 24H2. This issue involves a normal system file called WerFaultSecure.exe. Security experts discovered that this file, which is supposed to help when programs crash, can be misused in two concerning ways. Attackers could potentially use it to stop your security software from working or to take secret login information from your computer’s memory.
This information can feel complicated, but understanding it is the first step to staying safe. We will walk through what this file is, how it can be misused, and what you can do to protect your computer.
What is WerFaultSecure.exe?
Every computer has many files that help it run smoothly. WerFaultSecure.exe is one of those files. It is a key part of the Windows Error Reporting system. Think of it as a first responder for your software. When a program on your computer crashes or runs into a serious error, Windows calls on this tool. Its job is to safely collect information about the crash. It creates a small report, called a “minidump,” that details what was happening in the program’s memory right before it failed.
This report is then sent to Microsoft. Engineers at Microsoft can look at these reports from many users to find patterns. These patterns help them identify bugs in Windows or other software. By fixing these bugs, they can release updates that make the system more stable and secure for everyone. The “Secure” part of its name indicates that it is designed to perform this task without causing more problems for the system. It runs with special permissions to make sure it can do its job even when other parts of the system are unstable. In short, WerFaultSecure.exe is a helpful tool designed to make Windows better.
Problem One: Freezing Your Security Software
The first way attackers can misuse this file is by putting your computer’s security guards to sleep. Your computer has security software to protect you from harm. This includes antivirus programs and more advanced tools called Endpoint Detection and Response (EDR) systems. Their job is to constantly watch for and stop malicious activity. These security programs are very important, so Windows gives them a special protective shield.
This shield is a feature called Protected Process Light (PPL). PPL prevents other programs, especially unauthorized or malicious ones, from tampering with or shutting down these critical security processes. It’s like putting a special lock on the door of the security office that only other trusted guards can open.
Here is where the problem begins. The WerFaultSecure.exe file also runs with this PPL shield. Because it is a trusted system process, Windows allows it to interact with other protected processes. Security researchers at a group called Zero Solarium found a way to abuse this trust. They created a proof-of-concept tool named “EDR-Freeze.”
This tool tricks WerFaultSecure.exe into using its special permissions to target security software. It sends a command to the antivirus or EDR process, telling it to “suspend” or “freeze.” When a process is suspended, it stops running completely. It doesn’t crash or close; it just pauses indefinitely. While the security software is frozen, it cannot detect or block any threats. An attacker could use this window of time, even if it is just for a few seconds, to run a malicious program, steal data, or do other harm without being noticed. The attack happens in the background, so the user might not see anything unusual on their screen.
The EDR-Freeze tool works without needing to install any risky drivers, a common method attackers use called “Bring Your Own Vulnerable Driver” (BYOVD). It functions entirely within the user space of Windows, making it harder to detect based on system-level changes. Although Microsoft’s own security tool, Microsoft Defender, has been updated to detect this freezing attempt, the technique shows how a tool designed for good can be turned into one that aids an attack.
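A frozen security process is visible from the outside: every one of its threads sits in the Wait state with the wait reason "Suspended". The PowerShell script below is an added example, not part of the article or of the EDR-Freeze research, that lists fully suspended processes and highlights any whose name is on a watch list of security software. It assumes a Windows host with PowerShell 5.1 or later, run from an elevated prompt so thread details of system processes are readable; the process names in the watch list are a sample and should be extended with your own EDR agent's names.

```powershell
# Added example: find processes whose threads are ALL suspended, which is what
# a frozen antivirus/EDR process looks like, and flag the ones we care about.
# Assumes Windows, PowerShell 5.1+, elevated session.

# Sample watch list (constructed): Microsoft Defender AV / Defender for Endpoint
# process names. Add the process names of your own EDR agent here.
$SecurityProcessNames = @('MsMpEng', 'MsSense', 'SenseIR', 'NisSrv')

function Get-SuspendedProcess {
    param([string[]]$WatchList = $SecurityProcessNames)

    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $threads = @($p.Threads)
        if ($threads.Count -eq 0) { continue }

        # An explicitly suspended thread reports ThreadState 'Wait' and
        # WaitReason 'Suspended' (System.Diagnostics.ThreadWaitReason).
        # ThreadState is checked first because WaitReason throws for
        # threads that are not waiting.
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })

        # Only report processes with no runnable thread left at all; a single
        # suspended worker thread is normal for many programs.
        if ($suspended.Count -eq $threads.Count) {
            [pscustomobject]@{
                Name       = $p.ProcessName
                Id         = $p.Id
                Threads    = $threads.Count
                IsSecurity = ($WatchList -contains $p.ProcessName)
                # StartTime is unreadable for some protected processes; tolerate that.
                StartTime  = $(try { $p.StartTime } catch { $null })
            }
        }
    }
}

$frozen = @(Get-SuspendedProcess)
if ($frozen.Count -eq 0) {
    'No fully suspended processes found.'
} else {
    $frozen | Sort-Object IsSecurity -Descending | Format-Table -AutoSize
    if ($frozen | Where-Object IsSecurity) {
        Write-Warning 'A security process is fully suspended: possible EDR-Freeze style tampering, investigate the host.'
    }
}
```

Run it on a schedule or from your EDR's live-response console; a security process that stays fully suspended across two runs is worth an incident ticket rather than a restart.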
Problem Two: Stealing Login Information
The second problem is more direct and involves stealing your passwords. Your computer’s memory holds a lot of temporary information to help it run faster. One of the most sensitive locations in memory is a process called the Local Security Authority Subsystem Service (LSASS). LSASS stores the login credentials (like usernames and hashed passwords) of users who have recently logged into the computer. It keeps this information cached so you don’t have to re-enter your password for every single action.
For attackers who have already gained initial access to a computer, LSASS is a primary target. If they can get a copy of the information inside LSASS, they can use tools to extract the credentials. With these credentials, they can gain higher privileges on the current machine or move “laterally” across a network to compromise other computers.
Windows knows that LSASS is a sensitive target. To protect it, the current WerFaultSecure.exe encrypts any memory dump it takes of LSASS. If an attacker tries to copy its contents this way, they get a scrambled, unreadable file. This is a strong security measure.
However, the researchers at Zero Solarium found a clever way around this protection by looking into the past. They discovered that an older version of WerFaultSecure.exe from Windows 8.1 did not enforce this encryption. That older version would create a “raw” or unencrypted memory dump if requested.
The attack works like this:
- An attacker first gains some level of access to a Windows 11 24H2 computer.
- They copy the old WerFaultSecure.exe file from a Windows 8.1 system onto the target computer. Because this old file is still digitally signed by Microsoft, the system may not immediately flag it as dangerous.
- The attacker then runs their own tool. This tool uses the old, copied WerFaultSecure.exe to request a memory dump of the LSASS process.
- The outdated error reporting file does its job as programmed, creating an unencrypted dump file containing all the sensitive information from LSASS.
- To hide the file, the attackers can even disguise it, for example, by making it look like a simple image file (like a .PNG).
- Once they have this raw dump file, they can use well-known credential-extraction tools, such as Mimikatz, to easily extract the cached usernames and passwords.
This attack is like using an old master key that was never retired. While all the new keys are designed with modern security features, the old key still works and bypasses them completely.
How You Can Stay Protected
Hearing about these issues can be unsettling, but it is important to know that these are not attacks that can happen to you just from browsing the internet. An attacker must already have a foothold on your system to carry them out. Furthermore, there are clear and simple steps you can take to ensure your computer remains secure.
Keep Your System Updated
This is the most critical step. Microsoft is aware of these findings. The company will release security updates through Windows Update to close these loopholes. Always install updates as soon as they become available to ensure you have the latest protections.
Use a Reliable Security Program
Make sure your antivirus and antimalware software is running and up to date. Microsoft Defender, the security tool built into Windows, is designed to detect and block these specific techniques. If you use a third-party security solution, ensure its definitions are updated regularly.
Practice Safe Computing Habits
These attacks rely on an attacker first getting a malicious file onto your computer. Be cautious about opening email attachments from unknown senders, clicking on suspicious links, or downloading software from untrusted websites.
For System Administrators
In a business environment, there are more advanced measures. IT professionals can use tools like AppLocker or Software Restriction Policies (SRP). These can be configured to create a “whitelist” of approved applications. For instance, an administrator could set a rule that only allows the official version of WerFaultSecure.exe located in the correct Windows system folder to run. This would effectively block the password-stealing attack, as the copied, outdated version of the file would be prevented from executing.
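The attack steps above hinge on an outdated, still-signed WerFaultSecure.exe being dropped somewhere outside the Windows system folders, and the AppLocker rule just described assumes you know where such copies are. The PowerShell script below is an added example, not part of the article or of any Microsoft tool, that finds every WerFaultSecure.exe on the system drive and flags copies that sit outside the expected system folders or fail signature validation; it also reports each copy's file version against the System32 copy and its SHA-256 hash, which can feed an AppLocker or SRP hash-based deny rule. It assumes a Windows host with PowerShell 5.1 or later, run elevated so all folders are readable.

```powershell
# Added example: hunt for WerFaultSecure.exe copies that an attacker may have
# dropped. Assumes Windows, PowerShell 5.1+, elevated session.

function Get-WerFaultSecureCopies {
    param([string]$Root = "$env:SystemDrive\")

    $sys32     = [System.Environment]::SystemDirectory      # e.g. C:\Windows\system32
    $reference = Join-Path $sys32 'WerFaultSecure.exe'
    if (-not (Test-Path $reference)) { throw "Reference copy not found at $reference" }

    # Folders where Microsoft-shipped copies legitimately live. WinSxS keeps
    # older versions from servicing, so age alone is not suspicious there.
    $trustedPrefixes = @(
        $sys32,
        (Join-Path $env:SystemRoot 'SysWOW64'),
        (Join-Path $env:SystemRoot 'WinSxS')
    )

    $rv = (Get-Item $reference).VersionInfo
    $refVersion = [version]::new($rv.FileMajorPart, $rv.FileMinorPart, $rv.FileBuildPart, $rv.FilePrivatePart)

    Get-ChildItem -Path $Root -Filter 'WerFaultSecure.exe' -Recurse -File -Force `
                  -ErrorAction SilentlyContinue | ForEach-Object {
        $vi  = $_.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        $inTrustedDir = $false
        foreach ($prefix in $trustedPrefixes) {
            if ($_.FullName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
        }

        # A signed-but-relocated copy is exactly the case the article describes:
        # the signature check alone will not catch it, the location will.
        [pscustomobject]@{
            Path        = $_.FullName
            Version     = $ver
            OlderThanOS = ($ver -lt $refVersion)
            Signed      = ($sig.Status -eq 'Valid')
            Signer      = $sig.SignerCertificate.Subject
            Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious  = (-not $inTrustedDir) -or ($sig.Status -ne 'Valid')
        }
    }
}

Get-WerFaultSecureCopies |
    Sort-Object Suspicious -Descending |
    Format-Table Path, Version, OlderThanOS, Signed, Suspicious -AutoSize
```

Any row marked Suspicious that is also OlderThanOS matches the relocated-legacy-binary pattern described above; its Sha256 value is the input for a hash-based deny rule if you prefer that over the path-based allow rule.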
Security is an ongoing process. Researchers find weaknesses, and developers build fixes. By staying informed and following basic security hygiene, you are doing your part to keep your digital life safe. These discoveries do not mean your computer is immediately vulnerable, but they serve as a valuable reminder of the importance of maintaining your system’s defenses.