Get all security patches without WGA nightmares

By Susan Bradley

If you’re a legitimate Microsoft customer, you can download and install all the Windows updates you need without running Windows Genuine Advantage (WGA) and exposing yourself to the false positives it’s become known for.

In today’s article, I explain how to install Windows XP and upgrade it with every available security fix and many optional updates as well, without ever installing WGA.

In an April 16 Windows Secrets story, contributing editor Ryan Russell argued that WGA poses a risk to the world because Microsoft prevents machines that fail WGA validation from getting some security patches through Windows’ Automatic Updates mechanism. Unpatched machines are vulnerable to remote attacks that enroll them in hackers’ bot armies.

In today’s Known Issues column, several WS readers report that WGA wrongly disabled software they’d legitimately purchased. (An Ars Technica article back in January 2007 estimated at least 5 million WGA false positives, based on Microsoft’s own numbers.) However, other readers defend the technology.

In the Windows Security Blog last month, Microsoft developer Paul Cooke claimed in a post that “all security updates go to all users,” whether or not their machines have failed WGA validation.

As Ryan pointed out in his article, it’s true that Microsoft posts all security updates to various Web pages, and that an advanced user could find each page in turn and then install each patch manually. Few users are likely to do this, however. The risk to the world arises because:
  • If a machine fails WGA validation, Automatic Updates installs only those security patches Microsoft rates as “Critical,” not those rated “Important” or lower (some of which are just as crucial to a user’s security, in my opinion);
  • Many users turn off Automatic Updates out of fear that their machines will be disabled, which was Microsoft’s policy in the original release of Vista (as explained in a February 2007 article by Adrian Kingsley-Hughes);
  • If WGA has labeled a system as “nongenuine,” Microsoft prevents the user from running Windows Update or the more extensive Microsoft Update, which are the official methods to patch a system on demand.

Because unpatched PCs are a threat to everyone, and because some people fail WGA validation due to false positives, I set out to determine how to fully patch a Windows PC without installing the WGA Notifications tool. Microsoft stated in a recent MSDN blog post that the company is focusing its antipiracy measures on XP, the most widely used version of Windows. Therefore, my tests focused on XP Service Pack 2 and the more recent XP Service Pack 3.

It’s important to note that in my tests, I entered a valid Windows product key and activated the operating system. I believe every user should legitimately activate a paid-for copy of Windows.

Bear in mind that Windows activation to date has been a completely separate process from WGA validation. This will change with the release of Windows 7 later this year, however. In Windows 7, WGA is being renamed Windows Activation Technologies (WAT).

Microsoft’s Genuine Windows blog indicates that validation will be more streamlined in Windows 7. You’ll need only enter a valid product key during activation. Your system will then be tested by WAT for “genuine” status at that time. Look for more information on WAT in an upcoming Windows Secrets column.

When a legitimate, paid-for XP system is flagged as counterfeit, the PC may require reactivation because significant hardware changes were made. An excellent summary of reactivation can be found in Alex Nichol’s article, “Windows Product Activation (WPA) on Windows XP,” which is posted on the Windows Support Center (AumHa) site.

Let me go on the record: using a counterfeit copy of Windows is asking for trouble. Paying for Microsoft software makes you less likely to end up with malware, according to an IDC whitepaper being distributed by Microsoft’s Download Center. (On this page, you’ll be prompted to register with Microsoft, but you can download the files without registering.) For example, it’s been reported that some BitTorrent versions of the Windows 7 beta have been found to contain Trojan horses.

Regardless of how you obtained Windows, I recommend that you set Automatic Updates to Download but do not install, as I describe below in Step 2. This setting allows you to wait two or three days before installing patches that cause more problems than they prevent.

Two days after Microsoft Patch Tuesday each month, Windows Secrets publishes my Patch Watch column with information about which patches cause incompatibilities. You can then choose which updates to install and which to postpone. That includes the WGA Notifications tool, which Automatic Updates ordinarily installs as though it were a “critical” security patch.

In my tests, I started from scratch by installing XP SP2 and XP SP3 on clean machines. If you’ve already installed WGA on XP but no longer want it, you must remove the so-called patch KB905474. In KB article 921914, Microsoft provides manual removal instructions only for the “pilot” versions of WGA Notifications: 1.5.0527.0 through 1.5.0532.2. The article says higher-numbered “release” versions cannot be uninstalled.

UPDATE 2009-05-28: You can disable WGA Notifications by removing its entry in Scheduled Tasks using Autoruns, a free program that’s downloadable from Microsoft.com. For details, see the 2009-05-28 Known Issues column.

Note that without WGA, you can’t download Windows Defender, Windows Media Player 11, Network Diagnostics tools, and other Windows extras. Microsoft describes the products that are affected by WGA on its Genuine Microsoft Software page.

How to patch without running WGA validation

The following steps will allow you to install all Windows security patches on a new build of XP, without installing or running WGA on the machine:

  • Step 1: Install and activate XP. For XP SP2 only (not XP SP3), you must also download and install the patch described in KB article 898461, which updates the installer program and ensures that your system will receive future updates.

  • Step 2: In either version of XP, click Start, Control Panel, Security Center, Automatic Updates. Choose Download updates for me, but let me choose when to install them.

  • Step 3: Whenever you see a yellow-shield icon in the notification area (previously known as the system tray), click the icon and then choose Custom install.

  • Step 4: Scroll to the bottom of the patch window and uncheck Windows Genuine Advantage Notification (KB905474), as shown in Figure 1. (For more info, see Microsoft KB article 905474 to read the company’s description of WGA Notification.)

    Figure 1. Uncheck KB905474 to prevent WGA from being installed on the system.

  • Step 5: After you click Install, check Don’t notify me about these updates again in the resulting dialog to prevent WGA from being included in future Windows updates (see Figure 2). Click OK.

    Figure 2. Check this option to avoid being offered WGA Notifications as part of future updates.

From this point forward, every time you update your system, review the patches being offered to you and deselect those you don’t want before proceeding with the installation.

Microsoft occasionally updates the WGA Notifications tool, so you can count on its being offered to you again, despite your choice in Step 5 above. The explanation Microsoft officials gave me for this decision is that the company feels it’s wise to reinstall WGA periodically to ensure that customers haven’t been the victim of unscrupulous consultants who use illegal media when reinstalling your operating system.
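The same three settings that Steps 2 through 5 make through the Security Center and the yellow-shield dialog can be applied and re-checked from a script, which is useful precisely because the WGA Notifications update is re-offered from time to time. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It assumes an administrator prompt on XP SP2/SP3 with PowerShell installed, and it uses the Windows Update Agent COM objects (Microsoft.Update.AutoUpdate and Microsoft.Update.Session) to set Automatic Updates to “download but let me choose when to install,” hide the update whose KB number is 905474 (the number named in Step 4), and list the updates still pending so you can review them before installing. The function names and the $WgaKb variable are this example’s own; it downloads and installs nothing.

```powershell
# Added example (not from the Windows Secrets article): apply Steps 2, 4 and 5
# through the Windows Update Agent API, then list what is still pending.
# Run from an elevated PowerShell prompt; re-run after each Patch Tuesday,
# since a re-released WGA Notifications update is offered again.

# KB number of the WGA Notifications "patch" named in the article.
$WgaKb = '905474'

function Set-DownloadOnlyAutomaticUpdates {
    # NotificationLevel 3 = "Download updates for me, but let me choose when
    # to install them" (Step 2). Returns the level in effect afterwards.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $settings = $au.Settings
    if ($settings.NotificationLevel -ne 3) {
        $settings.NotificationLevel = 3
        $settings.Save()
    }
    return $au.Settings.NotificationLevel
}

function Hide-UpdateByKb {
    param([string]$Kb)
    # Search all not-yet-installed updates (hidden or not) and hide every one
    # whose KB list contains the target. Hiding is what Step 5's "Don't notify
    # me about these updates again" does. Returns the titles that were hidden.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0')
    $hidden   = @()
    foreach ($update in $result.Updates) {
        $kbs = @($update.KBArticleIDs)
        if (($kbs -contains $Kb) -and (-not $update.IsHidden)) {
            $update.IsHidden = $true
            $hidden += $update.Title
        }
    }
    return $hidden
}

function Get-PendingUpdates {
    # Updates still offered and not hidden: the list to review before you
    # click Install. Windows updates only; it says nothing about Flash,
    # Adobe Reader or other third-party software.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        New-Object PSObject -Property @{
            KB       = (@($update.KBArticleIDs) -join ',')
            Severity = $update.MsrcSeverity   # Critical/Important/..., blank for non-security
            Title    = $update.Title
        }
    }
}

$level = Set-DownloadOnlyAutomaticUpdates
Write-Host "Automatic Updates notification level: $level (3 = download only)"

$hiddenTitles = @(Hide-UpdateByKb -Kb $WgaKb)
if ($hiddenTitles.Count -gt 0) {
    Write-Host "Hidden: $($hiddenTitles -join '; ')"
} else {
    Write-Host "KB$WgaKb is not currently offered (or is already hidden)."
}

Write-Host 'Updates still pending your review:'
Get-PendingUpdates | Format-Table KB, Severity, Title -AutoSize
```

The pending list is the script’s equivalent of the review the article asks you to do before every installation; it deliberately does not call Install, so the decision about what goes on the machine stays with you.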

There’s a flaw in this thinking: the reason many of these consultants use the wrong media is that Microsoft doesn’t make it easy to get replacements for your Windows installation discs. It’s also difficult to get up-to-date installation media unless you’re one of Microsoft’s enterprise-level customers.

Microsoft’s recommendation that you set your machine to update automatically as the best way to protect it is also flawed. These days, our PCs aren’t just simple e-mail and Web terminals. They’re crucial to all our work, and if they’re disabled we can’t make a living. For example, if a Windows update causes our Internet connection to break because of a conflict with a third-party security program — as has happened many times in the recent past — we might be unproductive for hours or days.

Also, if you enable Automatic Updates, you may be as dismayed as I was to learn that Microsoft treats legitimate customers like thieves. The WGA Notifications patch described in KB article 905474 automatically installs if Automatic Updates is empowered to act without permission. In that case, you either have to run the WGA tool the next time you reboot or press Cancel every time you start your system. (See Figure 3.) Is that any way to treat a customer?

Figure 3. If you install WGA Notifications on XP, this dialog box will reappear each time you reboot until you click Next and run the process.

Use a third-party patch testing tool

The WS Security Baseline page is periodically updated to describe a bare-minimum set of defensive tools that home users of Windows should install. The page currently recommends, among other things, that you regularly test for OS and application patches that vendors have released but you haven’t yet installed. Secunia.com’s Online Software Inspector is listed as a third-party service that tests for app patches in addition to Windows updates.

However, I personally prefer the free Shavlik Patch Google Gadget. I’m not thrilled with Shavlik’s use of Google Desktop as the platform for its update checker. But Shavlik’s tool recently informed me about an update to Adobe Flash Player on a test PC, whereas Secunia’s tool had missed this fact.

I’ll bring you a detailed report on the two services in a future article soon. In the meantime, to get Shavlik’s program, visit the company’s download page. For more information on Secunia’s online and downloadable software inspectors, visit the company’s vulnerability scanning page.

To recap: the best way to keep your system up-to-date is to set Windows’ updater to download patches but not to install them automatically, deselect WGA Notifications updates, and run a tool such as the Shavlik Patch Google Gadget at least once a month to verify that your software is fully patched.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2009-05-21:


About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.