Aaron Margosis is a world-class Windows nerd/expert, focusing primarily on cybersecurity.
- Co-author with Mark Russinovich of Troubleshooting with the Windows Sysinternals Tools (MS Press, 2016) and its earlier edition, Windows Sysinternals Administrator's Reference (MS Press, 2011).
- Primary member of the Microsoft team that built Microsoft's security configuration guidance, and created the tools that ship with Microsoft's Security Compliance Toolkit (LGPO.exe, Policy Analyzer, and SetObjectSecurity).
- Developed the original "AaronLocker" concept, and now its new successor (AaronLockerV2).
- 21 years at Microsoft, 5+ at Tanium.
- The SysNocturnals Tools for Windows
  A set of troubleshooting, diagnostic, and information utilities (and useful scripts) for Windows
- AaronLockerV2
  Robust and practical allowlisting rules for Windows using AppLocker, Office macro controls, and some WDAC to close a couple of known gaps.
- The SysNocturnals Extras
  Restoring some of my older tools to the web: LUA Buglight, App Install Recorder, and IEZoneAnalyzer.
- SysNocturnals ZombieFinder (video)
  Detecting zombie processes on Windows and the Things keeping them [un]dead.
  Oct 21, 2024
- Corrections to Microsoft documentation about the Registry Policy (registry.pol) File Format
  Corrections and clarifications regarding the registry.pol file format
  Aug 28, 2025
- Enable Certificate Padding Check: REG_SZ or REG_DWORD?
  Does the mitigation for CVE-2013-3900 require a REG_SZ or a REG_DWORD? Answer: either will work, but REG_DWORD is better.
  Dec 23, 2024
- Task Manager’s CPU numbers are all but meaningless
  When Task Manager tells you that overall CPU is 100%, you’d be led to believe that the system is working as hard as it can...
  Mar 22, 2021
- Clarifying CVE-2020-1472 (“Zerologon”)
  There’s been confusion regarding Microsoft’s patch for CVE-2020-1472 (mitigating the so-called “Zerologon” attack), what you need to do...
  Oct 8, 2020
- Sticking with Well-Known and Proven Solutions
  Oft-referenced and highly regarded. @SwiftOnSecurity said, "It has shaped everything about what I do. ... I think about that post Every. Fucking. Day."
  Oct 5, 2010
- Unintended Consequences of Security Lockdowns
  from TechEd North America 2011
- AaronLocker (original PowerShell-based version)
  (with WDAC parts later added by others at Microsoft)
- My old "Non-Admin, App-Compat and Sysinternals Weblog"
  From 2004-2019