Dump Windows Update, use alternatives
By Brian Livingston
The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993
quote about censorship. But the above statement just happens to sum up the
alternatives Windows users are adopting ever since Microsoft's "Windows Genuine
Advantage" (WGA) debacle.
It was only a few weeks ago when the Redmond software giant started quietly
auto-installing WGA to Windows machines in the U.S., U.K., and a few other
countries. The code, which qualifies as spyware under any objective definition, was
programmed to contact Microsoft's servers every 24 hours. Now, after
hearing from plenty of outraged customers, the company back-pedaled on June 27, saying it
would release a version that calls home less often.
That's not really a solution, as I'll explain below. Since that's the case, the
entire affair has given enormous momentum to third-party products that render
Microsoft's Windows Update routine completely unnecessary.
I'll explain in today's article exactly how you can best deal with WGA. For
those in a hurry, here's a 4-point elevator summary:
1. Turn off Automatic Updates in the Control Panel. Set it to merely notify you of new patches,
not auto-install them.
2. WindizUpdate.com, an independent patch-download system, which I've been asked
about by many readers, is a flawed alternative to Windows Update that I can't recommend.
3. By contrast, patch-management software that's well-supported, such as Shavlik's NetChkPro,
provides an inexpensive and reliable solution that far exceeds Windows Update's
capabilities.
4. Once your alternative update mechanism is in place, follow the routine
I describe below to uninstall WGA and get it out of your system for good.
What's so bad about Genuine Advantage?
My last article, in the June 15 newsletter, flatly declared that Windows Genuine
Advantage is Microsoft-sponsored spyware. That story received the highest reader
ranking since we started asking our readers last January to vote on our articles
(4.4 out of 5.0). We also
received almost 200 e-mails, far more than we normally get about any single
topic. Windows users are highly agitated.
I've repeatedly heard terms like "furious" and "livid" to describe how people
felt about Microsoft pushing a piece of marketing spyware through the company's
sacred mechanism for distributing critical security updates. Perhaps the most
deeply offended were the outside professionals who have defended Microsoft for
years against charges that it's an "evil empire." Microsoft's abuse of its
auto-update system to install an intrusive sales gimmick caused a lot of these
faithful ones to rail against the idea as though personally betrayed.
Without repeating my June 15 article, I'll summarize the bottom line: No
security-minded company or individual can allow a program to stealthily contact
a distant server and morph its behavior at will. This principle holds just as true
for people who think Microsoft is the world's greatest corporation as it does for those
who deeply distrust the company's motives. (The rule obviously doesn't preclude
trusted programs with specific, known tasks — such as an antivirus utility —
from automatically downloading new signature files.)
Let me emphasize that I'm dead set against the mass piracy of software or any
other creative work. But Windows Genuine Advantage and Windows Product
Activation, which WGA is meant to enforce, have nothing to do with stopping mass
piracy.
As I reported in InfoWorld Magazine way back on
Oct. 22 and
Oct. 29, 2001,
Microsoft deliberately designed Product Activation to be
trivial for pirates to circumvent. Any fly-by-night business can copy a single
file and sell thousands of machines that pass Product Activation (although the
innocent buyers may have trouble validating months or years later).
The purpose of Product Activation has always been to prevent Mom and Dad from
buying a Windows package, installing one copy on the parents' PC and another on
the kid's PC. Frankly, copyright laws for hundreds of years have allowed buyers
of copyrighted works to make a limited number of copies exclusively for
themselves. If you bought an music album you liked, you could legally make a
copy to play in your car. In the U.S., this is known as the "personal use
exemption" of the copyright laws or, more generically, "fair use."
Product Activation isn't
aimed at hard-core pirates. Instead, it's part of a surprisingly powerful,
coordinated effort to
change the basic nature of copyright so people can't make any personal copies whatsoever.
The fact that personal-use copies have traditionally been permitted under
copyright laws is illustrated by, of all things, Microsoft Office. The Product
Activation scheme in Office has always explicitly allowed the buyer to install
copies on two different machines. Furthermore, Office Update —
which uses a patch-download mechanism distinct from that of Windows Update — has
never required Genuine Advantage prior to users downloading security patches for Word,
Excel, and the like.
(Secret: Windows' own flavor of Product Activation does allow anyone to install
Windows XP on a different machine, which will then in most cases successfully validate,
about
once every six months. Microsoft
almost never mentions this fact.)
By displaying warnings about piracy as often as once a day or even once an hour,
Windows Genuine Advantage has no security benefit but was solely designed to sell more copies of XP to
confused users. WGA was programmed so any actual pirates (and savvy Windows
users) could turn off the nag screens with a few clicks — but novices would be
unlikely to understand that.
Stopping the guys with the high-speed duplicators should be Microsoft's top
concern. Instead, the Redmond corporation inexplicably targets fair-use home
installations. The marketers behind this presumably hope to increase
gross revenue so Microsoft's share price will get out of the doldrums. But most
home users aren't a ripe market to spend the kind of money Microsoft wants.
If the company devoted as much time developing innovative products as it does
cooking up ways to prevent personal-use copies, its stock price wouldn't be
half of what it was six years ago.
WindizUpdate.com is not a recommended solution
Many readers in the past few weeks have asked
me about WindizUpdate.com. This Web site, launched in 2005, scans your computer
for needed Windows patches and then displays links to the relevant download
locations at Microsoft.com.
Unfortunately, as promising as this approach may seem, after investigation I
can't recommend this site. Here are a few reasons why:
1. The site installs an unsigned control, which performs the scanning and
reporting function. Without a digital signature, you can't verify that the
control is really from the same people who manage the site itself.
2. The scan process asks several times to read the Registry. If you know
that WindizUpdate is perfectly legitimate, which I have no reason to doubt, this
might be fine. But it's bothersome, while at the same time it's too risky to
click "Always allow this site," which would permit too many unknown future actions.
3. The site is a part-time hobby with no visible means of support. There are
many fine pieces of software and Web services that are free of charge. But
WindizUpdate is performing a serious security task and doesn't have a team of
programmers that's adequate to develop it, much less provide technical support if the
user base grows.
I called the prime mover behind WindizUpdate, Phil Young, who is based in
Auckland, New Zealand. He's a director of 62nds Solutions Ltd., a consulting
firm with two employees and a few part-time staff on the island.
When asked why WindizUpdate didn't use a digital signature to provide a
verifiable identity for its control, Young replied, "I haven't got the $400 to
spend on the security signing certificate. Because it's a free site, it's not
high on our list of priorities."
I inquired whether the site might become supported by advertising or voluntary
contributions by users. "I have considered putting some ads on," Young said,
"but I dislike sites that have more advertising than content."
Besides having no digitally signed code, WindizUpdate also lacks the ability to
scan for and deploy Microsoft nonsecurity updates, Office updates, or security
updates for products other than Microsoft's, such as RealPlayer.
All of the above nonfeatures cause me to advise readers to hold off on
WindizUpdate. As attractive as the idea of a non-Microsoft patch-management
system may be, other companies do a much better job.
One final strike against WindizUpdate is that it has no apparent uninstall
procedure. If you've ever installed a WindizUpdate control, I recommend removing its
components using the manual procedure described on the site's
page entitled Uninstalling.
Shavlik's patcher joins the Security Baseline
It's hard to find objective ratings published within the last 12 months of
patch-management systems that are appropriate for home users as well as small
and medium-sized businesses. That may be due to the fact that Microsoft has
taken some luster off the category by expanding its own free offerings: Windows Update, the new Microsoft Update (which updates
both Windows and Office apps), Windows Server Update Services, etc.
Based on the reviews by independent test labs shown below, however, I feel the
best home and SMB alternative to Windows Update is currently HFNetChkPro from Shavlik Technologies.
(The name of the product is a contraction of Hotfix Network Checker
Pro.) Effective today, I'm adding Shavlik's software to my Security
Baseline feature, which appears in every issue, and removing Windows Update/Microsoft Update.
NetChkPro isn't free, but its one-time license fee of $25 per machine is very
reasonable. There's also a 25% annual maintenance fee after the first year, Eric
Schultze, Shavlik's chief security architect, told me in a telephone interview.
But this works out to only about $6 a year — a good investment if you like your
software to remain supported.
Shavlik has been in business for 13 years, has developed award-winning products,
and has a financial base that should be strong enough to support the growing
number of users it's
attracting. In addition to patching Windows and Microsoft Office apps, NetChkPro
can auto-deploy patches for Firefox, Adobe Reader, WinZip, RealPlayer, Macromedia Flash, and other
programs.
NetChkPro is "agentless" patch-management software. That means a installation on
a single PC can scan and deploy patches to as many machines across a workgroup
or domain as you have licenses for. No "agent" program needs to be installed on
each machine that's to be scanned. In addition, NetChkPro gives back a license
for any machine you haven't deployed patches to for 45 days. That's handy if one
machine in a home or office is retired and a new one takes its place.
The minimum purchase at Shavlik's site is a 5-user license, which amounts to
$125. In my opinion, that's justified for small offices and home users with
several PCs. For home users with only a single PC, Schultze says a Web service
that scans machines remotely will become available in a couple of months for an
affordable monthly fee.
Here are some of the awards I examined when analyzing potential replacements for Windows Update:
1. Redmond Magazine, a periodical that's independent of Microsoft, stated
flatly, "HFNetChkPro is the best Windows-based agentless product," in a
November
2004 test of seven competing products.
2. SC Magazine, a British publication, in a
June 2004 test suite
of 10 contenders gave HFNetChkPro its Recommended
award. A more recent test in
March 2006 handed
the Recommended title to NetChk Protect, a closely related
Shavlik product with added antispyware capabilities.
3. Computer Business Review Online, in a
March 2006 review, names no winners on points but
includes NetChkPro in a useful
description of 10 competing patch-management solutions.
I'll be looking for additional torture tests of patch-management programs, now
that running Windows Update has become somewhat dangerous to Windows
users. Just as third-party software firewalls and antivirus programs are widely
considered superior to Microsoft's own offerings, I believe patch management
will become a category in which those in the know demand independent solutions.
If test labs start handing Editors' Choice awards to a product other than
Shavlik's, of course, I won't hesitate to include the new winner in the Security
Baseline when that day comes.
Uninstall Genuine Advantage the official way
One of the clear outcomes of the customer
pressures on Microsoft regarding WGA is the written uninstall procedure
MS posted on June 27 in Knowledge Base article
921914. WGA had
previously been difficult to remove, with components regenerating themselves as
soon as one was deleted.
I stated in my June 15 article that it was pointless for home users to try to
uninstall WGA if they'd somehow installed it. Even if the Web rumor mill
provided the right steps, removing WGA would at that time have simply made it
impossible for users to get any downloads from Microsoft, even
critical security updates.
With NetChkPro or any decent patch-management solution installed, however, you
can now remove WGA and never worry about using Windows Update again.
Microsoft reportedly will soon allow all comers to once again receive crucial security patches
— but
whether the company does or not won't matter to you. Shavlik and the other
top-rated PM firms make sure the right patches flow to the right machines
without any reliance on Windows Update.
The WGA uninstall process that's now documented in KB 921914 is the same one that's been
described for the past few weeks in several private blogs and discussion groups
on the Web.
Now that the procedure has a place on Microsoft.com, however, I believe it can
be followed by Windows users with confidence.
There are 11 separate steps in the removal process. These include renaming files, running commands in a
character-mode window, and editing the Registry. (Microsoft could have simply
provided an uninstall utility, of course, but hasn't yet.) I believe even novice
users should be able to follow all 11 steps, if each one is carefully followed.
Note: Two of the three Registry keys that are deleted in step 10 of Microsoft's
procedure are identical, as of this writing. This appears to be a documentation
error — the two relevant lines in the instructions are simply duplicates of each
other.
Watch out for downloads in the night
The change of tone from Microsoft about WGA doesn't mean you can let your guard
down. In a June 8
statement, the company said WGA would be changed to call home every 14 days
instead of every 24 hours. A subsequent June 27
press release is unclear on this point but emphasizes that
the new WGA will
still operate, just not as frequently:
-
"It is important to note that WGA Validation still periodically checks to determine whether the version of Windows is genuine."
Microsoft's statements imply that everything is fine and all of this is in the best interests of users. What customers around the world want to hear instead is, "We've canned the people who were responsible for misusing our critical security mechanism, and we've appointed an independent board to make sure it can never happen again."
Until then, make sure you don't allow patches 892130 and 905474 — the two components of WGA — to install themselves. And use the third-party software listed below in the Security Baseline to ensure you won't wake up to any unpleasant surprises one day.
I'd like to thank readers John Holden and David Speck, M.D., for being the first among scores of readers who sent in valuable tips on this topic. (These two gentlemen are in no way responsible for the views I express above.) They'll receive gift certificates for a book, CD, or DVD of their choice for sending us their research.
To submit more information about WGA, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Digg
Del.icio.us
Reddit
StumbleUpon
Other
Permalink
(
