The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993 quote about censorship. But the above statement just happens to sum up the alternatives Windows users have been adopting ever since Microsoft’s “Windows Genuine Advantage” (WGA) debacle.
It was only a few weeks ago when the Redmond software giant started quietly auto-installing WGA to Windows machines in the U.S., U.K., and a few other countries. The code, which qualifies as spyware under any objective definition, was programmed to contact Microsoft’s servers every 24 hours. Now, after hearing from plenty of outraged customers, the company back-pedaled on June 27, saying it would release a version that calls home less often.
That’s not really a solution, as I’ll explain below. Since that’s the case, the entire affair has given enormous momentum to third-party products that render Microsoft’s Windows Update routine completely unnecessary.
I’ll explain in today’s article exactly how you can best deal with WGA. For those in a hurry, here’s a 4-point elevator summary:
1. Turn off Automatic Updates in the Control Panel. Set it to merely notify you of new patches, not auto-install them.
2. WindizUpdate.com, an independent patch-download system, which I’ve been asked about by many readers, is a flawed alternative to Windows Update that I can’t recommend.
3. By contrast, patch-management software that’s well-supported, such as Shavlik’s NetChkPro, provides an inexpensive and reliable solution that far exceeds Windows Update’s capabilities.
4. Once your alternative update mechanism is in place, follow the routine I describe below to uninstall WGA and get it out of your system for good.
What’s so bad about Genuine Advantage?
My last article, in the June 15 newsletter, flatly declared that Windows Genuine Advantage is Microsoft-sponsored spyware. That story received the highest reader ranking since we started asking our readers last January to vote on our articles (4.4 out of 5.0). We also received almost 200 e-mails, far more than we normally get about any single topic. Windows users are highly agitated.
I’ve repeatedly heard terms like "furious" and "livid" to describe how people felt about Microsoft pushing a piece of marketing spyware through the company’s sacred mechanism for distributing critical security updates. Perhaps the most deeply offended were the outside professionals who have defended Microsoft for years against charges that it’s an "evil empire." Microsoft’s abuse of its auto-update system to install an intrusive sales gimmick caused a lot of these faithful ones to rail against the idea as though personally betrayed.
Without repeating my June 15 article, I’ll summarize the bottom line: No security-minded company or individual can allow a program to stealthily contact a distant server and morph its behavior at will. This principle holds just as true for people who think Microsoft is the world’s greatest corporation as it does for those who deeply distrust the company’s motives. (The rule obviously doesn’t preclude trusted programs with specific, known tasks — such as an antivirus utility — from automatically downloading new signature files.)
Let me emphasize that I’m dead set against the mass piracy of software or any other creative work. But Windows Genuine Advantage and Windows Product Activation, which WGA is meant to enforce, have nothing to do with stopping mass piracy.
As I reported in InfoWorld Magazine way back on Oct. 22 and Oct. 29, 2001, Microsoft deliberately designed Product Activation to be trivial for pirates to circumvent. Any fly-by-night business can copy a single file and sell thousands of machines that pass Product Activation (although the innocent buyers may have trouble validating months or years later).
The purpose of Product Activation has always been to prevent Mom and Dad from buying a Windows package, installing one copy on the parents’ PC and another on the kid’s PC. Frankly, copyright laws for hundreds of years have allowed buyers of copyrighted works to make a limited number of copies exclusively for themselves. If you bought a music album you liked, you could legally make a copy to play in your car. In the U.S., this is known as the “personal use exemption” of the copyright laws or, more generically, “fair use.”
Product Activation isn’t aimed at hard-core pirates. Instead, it’s part of a surprisingly powerful, coordinated effort to change the basic nature of copyright so people can’t make any personal copies whatsoever.
The fact that personal-use copies have traditionally been permitted under copyright laws is illustrated by, of all things, Microsoft Office. The Product Activation scheme in Office has always explicitly allowed the buyer to install copies on two different machines. Furthermore, Office Update — which uses a patch-download mechanism distinct from that of Windows Update — has never required Genuine Advantage prior to users downloading security patches for Word, Excel, and the like.
(Secret: Windows’ own flavor of Product Activation does allow anyone to install Windows XP on a different machine, which will then in most cases successfully validate, about once every six months. Microsoft almost never mentions this fact.)
Windows Genuine Advantage, which displays warnings about piracy as often as once a day or even once an hour, has no security benefit; it was designed solely to sell more copies of XP to confused users. WGA was programmed so any actual pirates (and savvy Windows users) could turn off the nag screens with a few clicks — but novices would be unlikely to understand that.
Stopping the guys with the high-speed duplicators should be Microsoft’s top concern. Instead, the Redmond corporation inexplicably targets fair-use home installations. The marketers behind this presumably hope to increase gross revenue so Microsoft’s share price will get out of the doldrums. But most home users aren’t a ripe market to spend the kind of money Microsoft wants.
If the company devoted as much time to developing innovative products as it does to cooking up ways to prevent personal-use copies, its stock price wouldn’t be half of what it was six years ago.
WindizUpdate.com is not a recommended solution
Many readers in the past few weeks have asked me about WindizUpdate.com. This Web site, launched in 2005, scans your computer for needed Windows patches and then displays links to the relevant download locations at Microsoft.com.
Unfortunately, as promising as this approach may seem, after investigation I can’t recommend this site. Here are a few reasons why:
1. The site installs an unsigned control, which performs the scanning and reporting function. Without a digital signature, you can’t verify that the control is really from the same people who manage the site itself.
2. The scan process asks several times to read the Registry. If you know that WindizUpdate is perfectly legitimate, which I have no reason to doubt, this might be fine. But it’s bothersome, while at the same time it’s too risky to click "Always allow this site," which would permit too many unknown future actions.
3. The site is a part-time hobby with no visible means of support. There are many fine pieces of software and Web services that are free of charge. But WindizUpdate is performing a serious security task and doesn’t have a team of programmers that’s adequate to develop it, much less provide technical support if the user base grows.
I called the prime mover behind WindizUpdate, Phil Young, who is based in Auckland, New Zealand. He’s a director of 62nds Solutions Ltd., a consulting firm with two employees and a few part-time staff on the island.
When asked why WindizUpdate didn’t use a digital signature to provide a verifiable identity for its control, Young replied, "I haven’t got the $400 to spend on the security signing certificate. Because it’s a free site, it’s not high on our list of priorities."
I inquired whether the site might become supported by advertising or voluntary contributions by users. "I have considered putting some ads on," Young said, "but I dislike sites that have more advertising than content."
Besides having no digitally signed code, WindizUpdate also lacks the ability to scan for and deploy Microsoft nonsecurity updates, Office updates, or security updates for products other than Microsoft’s, such as RealPlayer.
All of the above nonfeatures cause me to advise readers to hold off on WindizUpdate. As attractive as the idea of a non-Microsoft patch-management system may be, other companies do a much better job.
One final strike against WindizUpdate is that it has no apparent uninstall procedure. If you’ve ever installed a WindizUpdate control, I recommend removing its components using the manual procedure described on the site’s page entitled Uninstalling.
Shavlik’s patcher joins the Security Baseline
It’s hard to find objective ratings, published within the last 12 months, of patch-management systems that are appropriate for home users as well as small and medium-sized businesses. That may be due to the fact that Microsoft has taken some luster off the category by expanding its own free offerings: Windows Update, the new Microsoft Update (which updates both Windows and Office apps), Windows Server Update Services, etc.
Based on the reviews by independent test labs shown below, however, I feel the best home and SMB alternative to Windows Update is currently HFNetChkPro from Shavlik Technologies. (The name of the product is a contraction of Hotfix Network Checker Pro.) Effective today, I’m adding Shavlik’s software to my Security Baseline feature, which appears in every issue, and removing Windows Update/Microsoft Update.
NetChkPro isn’t free, but its one-time license fee of $25 per machine is very reasonable. There’s also a 25% annual maintenance fee after the first year, Eric Schultze, Shavlik’s chief security architect, told me in a telephone interview. But this works out to only about $6 a year — a good investment if you like your software to remain supported.
Shavlik has been in business for 13 years, has developed award-winning products, and has a financial base that should be strong enough to support the growing number of users it’s attracting. In addition to patching Windows and Microsoft Office apps, NetChkPro can auto-deploy patches for Firefox, Adobe Reader, WinZip, RealPlayer, Macromedia Flash, and other programs.
NetChkPro is "agentless" patch-management software. That means an installation on a single PC can scan and deploy patches to as many machines across a workgroup or domain as you have licenses for. No "agent" program needs to be installed on each machine that’s to be scanned. In addition, NetChkPro gives back a license for any machine you haven’t deployed patches to for 45 days. That’s handy if one machine in a home or office is retired and a new one takes its place.
The minimum purchase at Shavlik’s site is a 5-user license, which amounts to $125. In my opinion, that’s justified for small offices and home users with several PCs. For home users with only a single PC, Schultze says a Web service that scans machines remotely will become available in a couple of months for an affordable monthly fee.
Here are some of the awards I examined when analyzing potential replacements for Windows Update:
1. Redmond Magazine, a periodical that’s independent of Microsoft, stated flatly, "HFNetChkPro is the best Windows-based agentless product," in a November 2004 test of seven competing products.
2. SC Magazine, a British publication, in a June 2004 test suite of 10 contenders gave HFNetChkPro its Recommended award. A more recent test in March 2006 handed the Recommended title to NetChk Protect, a closely related Shavlik product with added antispyware capabilities.
3. Computer Business Review Online, in a March 2006 review, names no winners on points but includes NetChkPro in a useful description of 10 competing patch-management solutions.
I’ll be looking for additional torture tests of patch-management programs, now that running Windows Update has become somewhat dangerous to Windows users. Just as third-party software firewalls and antivirus programs are widely considered superior to Microsoft’s own offerings, I believe patch management will become a category in which those in the know demand independent solutions.
If test labs start handing Editors’ Choice awards to a product other than Shavlik’s, of course, I won’t hesitate to include the new winner in the Security Baseline when that day comes.
Uninstall Genuine Advantage the official way
One of the clear outcomes of the customer pressures on Microsoft regarding WGA is the written uninstall procedure MS posted on June 27 in Knowledge Base article 921914. WGA had previously been difficult to remove, with components regenerating themselves as soon as one was deleted.
I stated in my June 15 article that it was pointless for home users to try to uninstall WGA if they’d somehow installed it. Even if the Web rumor mill provided the right steps, removing WGA would at that time have simply made it impossible for users to get any downloads from Microsoft, even critical security updates.
With NetChkPro or any decent patch-management solution installed, however, you can now remove WGA and never worry about using Windows Update again. Microsoft reportedly will soon allow all comers to once again receive crucial security patches — but whether the company does or not won’t matter to you. Shavlik and the other top-rated PM firms make sure the right patches flow to the right machines without any reliance on Windows Update.
The WGA uninstall process that’s now documented in KB 921914 is the same one that’s been described for the past few weeks in several private blogs and discussion groups on the Web. Now that the procedure has a place on Microsoft.com, however, I believe it can be followed by Windows users with confidence.
There are 11 separate steps in the removal process. These include renaming files, running commands in a character-mode window, and editing the Registry. (Microsoft could have simply provided an uninstall utility, of course, but hasn’t yet.) I believe even novice users should be able to complete all 11 steps if they follow each one carefully.
Note: Two of the three Registry keys that are deleted in step 10 of Microsoft’s procedure are identical, as of this writing. This appears to be a documentation error — the two relevant lines in the instructions are simply duplicates of each other.
Watch out for downloads in the night
The change of tone from Microsoft about WGA doesn’t mean you can let your guard down. In a June 8 statement, the company said WGA would be changed to call home every 14 days instead of every 24 hours. A subsequent June 27 press release is unclear on this point but emphasizes that the new WGA will still operate, just not as frequently:
- “It is important to note that WGA Validation still periodically checks to determine whether the version of Windows is genuine.”
Microsoft’s statements imply that everything is fine and all of this is in the best interests of users. What customers around the world want to hear instead is, “We’ve canned the people who were responsible for misusing our critical security mechanism, and we’ve appointed an independent board to make sure it can never happen again.”
Until then, make sure you don’t allow patches 892130 and 905474 — the two components of WGA — to install themselves. And use the third-party software listed below in the Security Baseline to ensure you won’t wake up to any unpleasant surprises one day.
I’d like to thank readers John Holden and David Speck, M.D., for being the first among scores of readers who sent in valuable tips on this topic. (These two gentlemen are in no way responsible for the views I express above.) They’ll receive gift certificates for a book, CD, or DVD of their choice for sending us their research.
To submit more information about WGA, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.