Windows Genuine Advantage — the controversial program Microsoft auto-installed as a "critical security update" on many PCs starting on Apr. 25 — not only causes problems for many users but has now been proven to send personally identifiable information back to Redmond every 24 hours.
This behavior clearly fits any plausible definition of "spyware." Some tech writers have said categorizing WGA as spyware is arguable. But I have no hesitation in calling the program a security nightmare that Microsoft should never have distributed in its present form.
In my May 25 newsletter, I called Microsoft’s WGA download a "severe blunder." It causes serious problems for some legitimate Windows users and was sprung on customers with no notice other than a press release the day before.
No PC-using company that values security and reliability can allow a program like WGA to send data to a distant server, download additional software, morph its behavior, or remotely change the functionality of Windows (as I describe below). I don’t believe individuals should put up with this, either.
Today, I’ll explain the problems and let you know what you can do to fix them.
If the spyware label fits, wear it
In a statement released on June 8, Microsoft officially denies that WGA is spyware. Let’s settle this question right off the bat so we can quickly move on to more important things.
Microsoft’s denial is based on its own definition of spyware:
- “Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware.”
What makes a program spyware, among other things, is that it operates in ways that aren’t clearly disclosed before installation and it reports data back to a central server. Furthermore, this activity needn’t be malicious. Many spyware programs do nothing more than serving up targeted advertising or tracking anonymous marketing behavior. If a user wants such tracking functions, they might be fine. But if the user wasn’t clearly made aware of this, whether or not such software has a malicious purpose, it’s still spyware.
The majority of published definitions of spyware focus the fact on that a program quietly gathers and transmits data. For example, here’s an excerpt from the first definition returned by Google when define spyware is entered:
- “Any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes.”
What Genuine Advantage actually does
What we’ve found about WGA fits neatly into four behaviors that are typical of all spyware:
1. Lack of disclosure before installation. Windows users in the affected countries (U.S., U.K., Australia, etc.) who had Automatic Updates set to "auto-install" received WGA without user action, as though it was a critical security update — which it clearly was not. Even those users who ran Windows Update or Microsoft Update manually, however, were misinformed about what WGA would do. In 17 pages of screen shots, ZDNet blogger David Berlind demonstrates this, concluding:
- “I was not asked for consent when the WGA Validation Tool — the one that, like spyware, phones home — installed itself. In fact, as can be seen from this screenshot which immediately preceded the automatic download and installation of the WGA Validation Tool, I could easily argue that I was misled into thinking I was going to download and install something else when in fact, I was downloading and installing, without my consent, software that apparently phones home.”
2. Transmits data to a central computer. The WGA Validation Tool contacts a Microsoft server every time a PC is booted up and every 24 hours after that. (Some of the earliest alarms about this were sounded by Lauren Weinstein, a co-founder of People for Internet Responsibility, in postings June 5 through 13.) WGA’s "phone home" events, like all Internet packets, contain the IP address of the affected PC and the date and time, indicating when it booted up or had run for 24 hours. In addition, Microsoft’s WGA director, David Lazar, told the Associated Press in a June 7 interview that the program also:
- “…gathers information such as the computer’s manufacturer and the language and locale it is set for.”
3. Downloads other software and morphs itself. WGA’s daily contact with Microsoft’s servers is specifically designed to allow the company to download new instructions. According to Microsoft’s June 8 statement and Lazar’s interview, this includes:
• Changing how often WGA contacts Microsoft’s servers;
• Disabling features of WGA or disabling the WGA software entirely;
• Adding to the license keys that WGA treats as invalid; etc.
4. Cannot easily be uninstalled. No entry appears in the Add/Remove Software control panel for patches 892130 or 905474 — the Validation Tool and the Notification Tool. If you manually delete WGA’s executable file, Windows regenerates it. (I’ll discuss remedies for this below.)
Perhaps most shocking is a trait of WGA that most other spyware doesn’t suffer from. WGA is beta software that even Microsoft doesn’t consider ready for release.
Section 4 of the WGA Validation Tool EULA (End User License Agreement) states:
- “4. PRE-RELEASE SOFTWARE. This software is a pre-release version. It may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.”
At least that explains some of the many problems that Windows users are having with WGA.
Problems with WGA — and some solutions
It’s important to remember that Windows Genuine Advantage is not an omnipotent, do-everything program. Its stated goals are simple. If an instance of Windows doesn’t seem to have a valid license, (1) display notices to the user and (2) prevent any updates being downloaded from Microsoft.com except security upgrades that are rated “Critical.”
Despite these limited tasks, WGA seems to cause a wide variety of headaches. Since my May 25 article appeared, I’ve collected reports from the field and from readers describing the following categories of issues:
1. False positives of legitimate copies of Windows. Numerous users report that WGA refuses to validate licensed copies of Windows that are unquestionably genuine. At Microsoft’s official online forum called WGA Validation Problems, many people report problems even with packaged copies of Windows that were purchased directly from Microsoft.
2. No updates at all unless WGA is accepted. Although a WGA failure is supposed to only prevent affected users from downloading nonsecurity updates, many Windows Secrets readers report that legitimate copies of Windows refuse to display any updates except the WGA download — until the Validation and Notification Tools are installed. Phillip "Skip" Lehrfeld writes:
- “I chose to download the Windows Genuine Advantage Validation Tool (KB 892130) on March 6, 2006. I followed this with Windows Genuine Advantage Notification (KB 905474) on May 4, 2006.
“On June 2, 2006, I was checking the Update site as I was informed that there was a new Critical update to be downloaded. I checked the site and it told me I could not get my update as I was missing a critical tool. I checked it out and it told me I was missing the Windows Genuine Advantage Validation Tool. I checked my history and sure enough I had installed it on March 6.
“OK, I will bite, and I downloaded it again. Yes, the number was KB 892130, the same as before. Then it wanted me to install the second one again. I installed Windows Genuine Advantage Notification, KB 905474, for the second time. Having installed the two for the second time, there were no new updates to install. Those were the updates to be installed. …
“After the reinstallation, I checked the history section of the site and now I have the two updates installed twice successfully.
“I have an authorized copy of Windows XP and had no problems with the above events; but it leaves me to wonder what is going on and are they now doing something else to my system without revealing what is going on.”
Numerous other readers say that Microsoft’s update site also reported to them that there were no patches except WGA, although important updates were, in fact, available.
3. “Notify only” options disabled. We have some reports that the "notify only" options in Automatic Updates are greyed out and can’t be selected. G. Allen Taylor, M.D., writes:
- “With regard to the OS updates, which I have so faithfully and obediently installed, I now suspect that one of them has ‘grayed out’ the Options menu in Windows Update on both my computers. “While formerly I could choose to automatically or manually download and/or install the periodic updates, I now have no choice on either of my computers. Whether I want them or not, all updates are downloaded when I’m online and installed then or the next time I reboot.”
The solution requires a change to Group Policy or the Registry. The procedures are described at the Windows XP MVPs site.
4. Reinstalls from valid CDs fail the Genuine Advantage test. By far the most serious side-effect of WGA is that it doesn’t validate instances of Windows that are reinstalled, even when a genuine CD-ROM from a major computer maker is used. Lauren Weinstein writes:
- “It appears that it is exceedingly common for repair operations to reinstall based on “cloned” or otherwise duplicated copies of the Microsoft OS, rather than try to restore or reauthenticate based on the original users’ OS serial numbers or authentication codes. Original restore disks and key information cards/labels are frequently missing, making it difficult to duplicate the original authentication environment.”
Despite all of the reported problems, Microsoft officials aren’t very forthcoming on the subject of WGA. On June 9, I asked to interview David Lazar in Redmond and submitted a few questions in writing. Five days later, a spokesman replied, "Unfortunately, we will not be able to participate in this opportunity."
Many Windows users seem to be in denial that WGA could be spyware, because Microsoft is such a big, well-known company. Unfortunately, that was what people thought of the Sony BMG recording label before it started distributing music CDs last year with rootkit software that infected PCs.
I don’t feel that Microsoft or Sony BMG are evil incarnate. But we must recognize that Microsoft is now just one more spyware distributor among the many we have to watch out for.
How to make sure WGA doesn’t bite you
It’s important not to panic about Windows Genuine Advantage. At this point, its worst side-effect is interfering with the normal patch process — but far more common is that it merely displays annoying warning messages for no apparent reason.
If you’ve already allowed WGA to install, I can’t recommend that you try to uninstall it. That’s because Microsoft has made a passing grade on Genuine Advantage a requirement for almost every kind of download you might want from Redmond. Without passing a Genuine Advantage checkup, most Windows users now can’t get Internet Explorer beta 7, for example, although you might not care. But you just might have a good reason to install a newer, more secure version of Windows Media Player or any of dozens of other official updates.
If you insist on trying to uninstall WGA, the My Digital Life site has posted no fewer than 15 proposed hacks that attempt to circumvent Microsoft’s anti-uninstall measures. Most of these methods no longer work, due to recent Microsoft code changes. Even if you did disable the app, it’s pointless to have done so if you ever need to download any Microsoft widget some day that requires WGA. Again, I don’t recommend that you bother trying to remove WGA if it’s installed.
Instead, I strongly advise that you simply suppress WGA’s negative side-effects:
Step 1. Stop the misleading installation of possibly unwanted programs. If you really don’t need to download anything from Microsoft for a while, set the Automatic Updates control panel to Notify but don’t download or install. When you’re notified of new security updates, first read the free and paid versions of the Windows Secrets Newsletter for our reviews. Then manually run Microsoft Update and select only the patches that have no reported conflicts.
If Microsoft Update subsequently refuses to download patches you need, go ahead and accept the WGA installs, then take steps 2 and 3. Be aware that some programs, such as Microsoft’s Windows Defender (formerly MS Antispyware Beta), won’t update themselves unless Windows’ auto-update is on. (Thanks to reader Raymond Combs for his research into this.)
Step 2. Disable WGA’s incessant notifications. If WGA guesses, correctly or incorrectly, that your copy of Windows is unlicensed, it displays a warning at least once a day for 14 days, then once an hour after that. Fortunately, Microsoft has made it easy to disable all such warnings. Right-click the WGA logo in the system tray, then select Change notification settings. Turn off the display of notifications, click Save Settings, select I understand, and finally click Yes I’m Sure. Reboot the PC. The WGA logo will remain in the tray but notifications will no longer appear. The notices will come back, however, if you happen to install a future version of WGA from Microsoft.
Step 3. Prevent WGA from phoning home to Microsoft servers. The WGA process that calls out to its remote masters can be blocked by 2-way software firewalls such as ZoneAlarm and McAfee. To do so, simply deny the connection when your firewall pops up an alert about Windows Genuine Advantage trying to use the Internet. Alternately, hard-code a denial via the firewall’s user interface. No ill effects of preventing WGA from establishing a connection have been reported.
This story has legs
I’m afraid I’ll have more tales to tell in future weeks as the fallout expands. Microsoft executives seem totally oblivious to how much public trust they’ve squandered by installing WGA in a sneaky way. Microsoft has repeatedly assured users that Automatic Updates would only be used to download critical security fixes. "Delivering security updates right to your computer automatically," they said.
Abusing PC users’ need for security patches is a betrayal that Microsoft can ill afford. Whoever the marketing geniuses are who’ve seized Microsoft’s security infrastructure to push out spyware, they need to be fired.
I’m not holding my breath waiting for that. Instead, I’m researching a totally independent way for Windows users to keep their PCs tuned without depending on Microsoft Update at all. Stay tuned.
To send us more information about WGA, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.