The Admin Prompt

Microsoft blocked a registry hack that unlocks native NVMe on Windows 11. Every tech outlet responded the same way: download an unsigned binary from GitHub and run it as admin. Nobody asked what happens when millions of users are trained to do this.

Updated: March 29, 2026 6 min read By Mr. 0

The Admin Prompt — Audio

Listen to the audio dispatch for this signal.

0:00 0:00

FTRCRP // SIGNALS

The Admin Prompt: How Tech Media Trains You to Run Unsigned Code

Here is what happened last week. Microsoft quietly blocked a registry hack that unlocks native NVMe support on Windows 11, a Server 2025 feature that delivers up to 80% better IOPS and 45% CPU savings on SSD operations. Massive performance gains, locked behind a feature flag

Within hours, every tech outlet from Tom’s Hardware to ITavisen ran the same story. Microsoft blocked the hack, but you can still enable it with ViVeTool

The instructions are always the same:

  1. Download a binary from GitHub
  2. Run it as administrator
  3. Execute commands that flip hidden feature flags in your Windows registry

Nobody, not one of these outlets, paused to ask the obvious question: what happens when millions of users are trained to download unsigned binaries from GitHub and run them with the highest system privileges?

What ViVeTool Actually Does

ViVeTool itself is not malware. It is an open-source command-line utility (thebookisclosed/ViVe on GitHub) that interacts with Microsoft’s internal feature management system. It flips feature flags, the same toggles Microsoft uses internally to gradually roll out new Windows features

The NVMe unlock requires two flags:

vivetool /enable /id:60786016
vivetool /enable /id:48433719

After a reboot, Windows replaces the legacy StorPort/StorNVMe driver with solidnvm.sys, a native NVMe miniport that speaks directly to your SSD instead of wrapping everything in 30-year-old SCSI emulation. The performance gains are real. Benchmarks show up to 85% improvement in random write speeds

So what is the problem?

The Problem Is the Pattern

ViVeTool has 6,700 GitHub stars and 350 forks. Maintained by a single developer. No formal security audit. No code signing. No reproducible builds. The GUI version was archived in December 2025, abandoned but still linked to by dozens of active articles

None of this makes ViVeTool malicious. But all of it makes the ecosystem around it a textbook supply chain attack surface

Typosquatting

An attacker creates ViVeTool-Official, ViVeToolGUI-v2, or ViVeTool-Windows11 on GitHub. They clone the real source, inject a payload into the release binary, and wait. When someone Googles “ViVeTool download”, and millions will after this week’s press coverage, the poisoned repo shows up alongside the real one

This happens constantly. In 2024, researchers found over 100,000 typosquatting repositories on GitHub. PyPI, npm, and NuGet face the same problem. The only defense is knowing the exact canonical source, and most users do not

Fork Poisoning

350 forks of ViVeTool exist right now. Any one of them could contain modified code. GitHub does not distinguish between “legitimate fork by contributor” and “fork by someone who added a keylogger to the release binary.” A well-SEO’d fork with a professional README could easily outrank the original for certain search terms

Account Compromise

Single-maintainer projects are single points of failure. If the maintainer’s GitHub account is compromised, phishing, credential stuffing, session hijacking, one poisoned release ships to every user who downloads it. No review process. No secondary approval. No signing key to forge

This has happened before. The event-stream npm package in 2018 was compromised after its maintainer handed off control. The ua-parser-js package in 2021 had malicious code injected after an account takeover. These were not obscure projects, they had millions of weekly downloads

Perfect Cover

Here is what makes ViVeTool uniquely attractive to an attacker: the tool’s entire purpose is to write to the Windows registry with administrator privileges

A user runs vivetool /enable /id:60786016 and expects registry modifications. If the binary also writes a persistence mechanism, disables a security feature, or phones home, how would anyone notice? The behavior is indistinguishable from the tool’s legitimate function

Compare this to a poisoned image editor. If GIMP suddenly starts modifying registry keys, endpoint detection would flag it immediately. ViVeTool does this by design. The perfect trojan horse

The Media’s Role

A user reads an article titled something like “Windows 11 NVMe Performance Blocked, Here’s How to Get It Back.” The article says:

Download ViVeTool from GitHub, extract it, open an elevated command prompt, and run these commands.

That is the entire security guidance. “Download from GitHub.” Not “verify the SHA256 hash.” Not “check the GPG signature” (there is none). Not “compare the binary against a reproducible build” (there is none). Download and run as admin

This pattern repeats across the tech media ecosystem every time Microsoft locks a feature behind a flag. It happened with the Windows 11 taskbar changes. It happened with unrestricted Copilot features. It happens every Insider preview cycle. The message is always the same: the official way is too slow, here is a GitHub tool, run it as admin

Tech journalists are inadvertently running the most effective social engineering campaign in history, training users that downloading unsigned binaries from GitHub and running them with full system privileges is normal behavior

What Native Actually Means

Microsoft will ship native NVMe support to Windows 11 through Windows Update. It will arrive in versions 25H2 and 26H2, signed by Microsoft, tested against their telemetry data from millions of Insider machines, distributed through the same infrastructure that delivers security patches

Is that slower? Yes. Is it annoying when you know the feature works? Absolutely. But the native path provides:

  • Code signing, the binary is cryptographically verified as coming from Microsoft
  • Tested compatibility, validated against thousands of hardware configurations
  • Rollback capability, Windows Update can undo the change if it causes issues
  • No third-party trust, you are not adding a random GitHub maintainer to your trust chain

ViVeTool provides none of this. You are trusting a single developer’s unsigned binary with administrator access to your machine because Tom’s Hardware told you to

The Uncomfortable Truth

We keep building security frameworks, zero-trust architectures, endpoint detection systems… then telling users to bypass all of it because their SSD could be 80% faster

The problem is not ViVeTool. The developer is probably doing fine work. The problem is an entire ecosystem that treats “download from GitHub and run as admin” as acceptable advice for consumer audiences. An ecosystem where the performance gain gets the headline and the supply chain risk gets buried, if it is mentioned at all

Every article that says “use ViVeTool” without discussing the trust implications is, functionally, a phishing campaign with better production values

What You Can Do

If you absolutely must use tools like ViVeTool:

  1. Verify the source. The canonical repository is github.com/thebookisclosed/ViVe. Bookmark it. Do not Google it
  2. Check the hash. Download the release, then verify the SHA256 hash against the one listed on the GitHub release page. This only helps if GitHub itself is not compromised, but it is better than nothing
  3. Read the source. It is open-source for a reason. If you cannot read C#, find someone who can
  4. Snapshot first. Create a system restore point before running any tool that modifies the registry with admin privileges
  5. Ask yourself: Is an 80% IOPS improvement worth adding an unaudited, unsigned single-maintainer GitHub project to your system’s trust chain?

Or just wait for Windows Update. Your SSD is not going anywhere

The fastest drive in the world does not matter if someone else is reading it.