
Microsoft Patches


Postby Paul » Sun Jun 11, 2006 9:14 am

MS are releasing a dozen patches this week, at least one of which will break some Active-X (browser) applications.
You will also get the insidious "Genuine Advantage" tool, which also does Office now - do not load this one, it is not necessary.

I suggest you set your Windows update to "notify, do not download" and wait for a week to see what they have broken.

http://www.microsoft.com/technet/securi ... vance.mspx

cheers, Paul
Paul
Site Admin
 
Posts: 2071
Joined: Wed Aug 04, 2004 2:45 pm

Postby Stephen » Sun Jun 11, 2006 4:17 pm

I threw it over to this area as there will be some fun coming with this... NOT

<blockquote>
WGANotify.settings wrote:
--------------------------------------------------------------------------------
Show notification for every 1 logins
DaysBeforeBuyNow Unactivated = 31
DaysBeforeBuyNow Nongenuine = 14
Server DisableAll = false
Server DisableVLKID = true
Server DisableGetSP2 = false
User ReducedReminders = false
User ReducedVLKID = false
User ReducedGetSP2 = false
BalloonInterval = 2 hours
BalloonIntervalVLKID = 24 hours
BalloonIntervalGetSP2 = 720 hours
</blockquote>

With WGA phoning home every day, genuine or not, I am not very impressed that after it knows that I am a legitimate customer it would like to double-check every day, and it has yet to be explained to my satisfaction why I am not going to hack my own legitimate copies of Windows to stop it from phoning home....
Cheers, Stephen
---------
Bleeding Edge... Not if, but when!
Always lurking, and you can always email me or find me on Twitter or Google+
(I no longer have a Facebook account; I deleted it on 31st May 2010)
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby hunter55 » Thu Jun 15, 2006 3:53 pm

I downloaded the recent patches before I saw this post.
Is there any way of uninstalling the WGA patch or removing it? I agree with Stephen; even though I am legit, I do not want WGA phoning home every day.
Thanks
Chris
hunter55
Forum Regular
 
Posts: 96
Joined: Thu Mar 10, 2005 11:12 am

Postby Paul » Thu Jun 15, 2006 6:14 pm

Paul
Site Admin
 
Posts: 2071
Joined: Wed Aug 04, 2004 2:45 pm

Postby Stephen » Fri Jun 16, 2006 4:29 am

Also worth noting

MS06-028 - Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)

- Affected Software:
  - PowerPoint 2003
  - PowerPoint 2002
  - PowerPoint 2000
  - PowerPoint 2004 for Mac
  - PowerPoint v.X for Mac

As the lucky Mac users usually don't need to worry about MS Patch Tuesday
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby anandasim » Fri Jun 16, 2006 5:34 pm

Brian Livingston, long-time Windows guru, has a well-researched article on WGA:

http://windowssecrets.com/comp/060615/#story1

And there I have been alerting people as to what the meaning of beta is:

http://bleedingedge.com.au/blog/archive ... t_win.html

and WGA is beta according to Brian Livingston.
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne

Postby hunter55 » Fri Jun 16, 2006 6:57 pm

Brian Livingston's article also states WGA is spyware and doesn't recommend removing it if it was (inadvertently) installed.

The idea of MS inserting such potentially nasty software on my PC under what amounts to false pretences only reinforces the view one has of the arrogance of MS.

The link to the Diet Coke and Mentos experiment towards the end of the article is worth following.

Chris
hunter55
Forum Regular
 
Posts: 96
Joined: Thu Mar 10, 2005 11:12 am

Postby anandasim » Thu Jun 22, 2006 3:28 pm

Just out, the WGA Notifications removal tool:

http://www.firewallleaktester.com/removewga.htm

Windows Genuine Advantage Notifications is different from Windows Genuine Advantage Validation. RemoveWGA only removes the notification part, the phoning home, and does not touch the Validation part.
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne

Postby Stephen » Thu Jun 22, 2006 7:27 pm

I picked up the same site earlier from an eWeek article.
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby raoul » Fri Jun 23, 2006 1:06 am

Thanks Ananda! WGA notification was really bothering me - but not anymore!

As soon as I used the tool to remove it, up came a message - "windows has updates ready for downloading"... Not this time buddy!

Raoul
raoul
Friend of BleedingEdge
 
Posts: 232
Joined: Tue Sep 07, 2004 1:35 pm
Location: Bacchus Marsh

Postby hunter55 » Fri Jun 23, 2006 9:49 am

Raoul, where did you get the removal tool?
I tried to follow the link given by Ananda and the link in eWeek but got a page that seemed to say (in French) that the site was not available.
Chris
hunter55
Forum Regular
 
Posts: 96
Joined: Thu Mar 10, 2005 11:12 am

Postby anandasim » Fri Jun 23, 2006 10:01 am

The site has been overloaded. There is a Softpedia entry:
http://www.softpedia.com/get/Tweak/Unin ... eWGA.shtml
but they have not mirrored it - it references the original site so the download still fails. If you can't wait for the original author to get back online, an Aussie has posted his removal instructions:
http://members.optusnet.com.au/~mtahearn/help.htm#WGA
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne

Postby raoul » Fri Jun 23, 2006 5:31 pm

Here: http://www.raoul5.mm.st/

I might take it down after a day or two.

Cheers!
raoul
Friend of BleedingEdge
 
Posts: 232
Joined: Tue Sep 07, 2004 1:35 pm
Location: Bacchus Marsh

Postby hunter55 » Fri Jun 23, 2006 6:51 pm

Thanks all, WGA not phoning home any more I hope
Chris
hunter55
Forum Regular
 
Posts: 96
Joined: Thu Mar 10, 2005 11:12 am

Postby Stephen » Wed Jun 28, 2006 2:19 pm

ZDNet
Is Microsoft about to release a Windows "kill switch"?
He told me that "in the fall, having the latest WGA will become mandatory and if it's not installed, Windows will give a 30 day warning and when the 30 days is up and WGA isn't installed, Windows will stop working, so you might as well install WGA now."
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby newman » Wed Jun 28, 2006 2:31 pm

So, is that a maybe or a nay-be? Yes or no? I am messing around with a friend's XP machine - smart man had already set auto update to notify but don't download.

The prompt came up for the WGA, I said no.
newman
Friend of BleedingEdge
 
Posts: 1180
Joined: Mon Aug 22, 2005 1:43 am

Postby Stephen » Wed Jun 28, 2006 3:00 pm

This is not a given and the article at ZDNet is worth reading in full.

If Microsoft try and do this, hackers are going to go off the rails until they get this blocked and stopped.

This is far from an approach that many will be happy with, and I would hate for my new Vista system to be doing this constantly. If Microsoft decide that this is an essential part of the operating system to 'phone home', they need to openly tell us what it is doing and why.

People will start running packet analysers such as Ethereal and pick up these packets and reverse engineer the data until we can work out what it is doing. If there is anything suspect in the process, Microsoft may end up having the worst PR they have ever had; it could seriously affect sales of Windows Vista, let alone the sheer number of people who will jump from XP to Linux instead of XP to Vista. Microsoft need to get this sorted out and disclosed publicly very quickly.
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby Stephen » Wed Jun 28, 2006 3:06 pm

I would love to know what Microsoft Australia's official position is on this and if Australian users are being targeted in one of the 'select markets' mentioned in Ed's post.
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby newman » Wed Jun 28, 2006 3:16 pm

Maybe a stop gap method is to install the damn thing, but set your firewall to stop it phoning home? So, as far as the OS cares, it's installed, but the "let's gather for Microsoft all the marketing data we can get on who is using their systems where" bit falls over?
newman
Friend of BleedingEdge
 
Posts: 1180
Joined: Mon Aug 22, 2005 1:43 am

Postby Stephen » Wed Jun 28, 2006 10:54 pm

That was quick, Microsoft have replied....

http://www.microsoft.com/presspass/feat ... 27WGA.mspx

Microsoft is committed to protecting consumers and software resellers from counterfeit software and other forms of software piracy. The company recently announced an expanded focus on those efforts through creation of the Genuine Software Initiative (GSI). As part of the Genuine Software Initiative, Windows Genuine Advantage (WGA) has played a critical role in Microsoft’s efforts to help consumers learn whether or not they have a genuine copy of Windows and counter the growth of software piracy.

Today, Microsoft released an updated WGA Notifications package. With this update, the pilot phase of WGA Notifications is complete, and the program will continue with a phased roll-out to Windows XP users worldwide. All English, Spanish, French, German, Italian, Dutch and Brazilian Portuguese users of Windows XP running Automatic Updates will soon be offered an updated package with a new version of WGA Notifications.

The updated package includes some notable changes to the software based on customer feedback from the previous

- No daily configuration check
In the pilot phase, a PC that had installed WGA Notifications checked a server-side configuration setting upon each login, to determine if WGA Notifications should run or not. This configuration file check has been removed in the updated WGA Notifications package released today. It is important to note that WGA Validation still periodically checks to determine whether the version of Windows is genuine.

- Clearer EULA and instructions to opt-in.
The End User License Agreement (EULA) has been replaced with a standard, General Availability EULA that more clearly explains the purpose of the software and details about WGA Notifications. For customers who choose not to install the updated package, and wish to remove an installed previous version, Microsoft has made available a set of instructions for removing previous versions of WGA Notifications from their PC's.

Screenshots for the Opt-In
http://www.microsoft.com/genuine/AboutN ... laylang=en

Description of the Windows Genuine Advantage Notifications
http://support.microsoft.com/kb/905474

How to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications: http://support.microsoft.com/kb/921914
(MS have actual links to everything there except this one; you must manually find 921914 yourself... NOT)

Q: Will a consumer who accepted WGA Notifications during the pilot now be re-offered this new version?

A: Customers who have already installed WGA Notifications will be offered the option to accept the updated package. Participation remains completely optional, and all users can continue to receive critical security updates.

Q: Will PCs still check back with Microsoft every day?

A: As soon as a customer installs the updated package of WGA Notifications, the computer will no longer perform the server-side configuration check upon each login. It is important to note that WGA Validation still collects information that is used to determine whether the version of Windows is genuine. Microsoft will not use this information to identify customers or contact them. More information on this can be found in the privacy statement located here http://www.microsoft.com/genuine/downlo ... yInfo.aspx and at http://www.microsoft.com/genuine/downlo ... laylang=en. From time to time Microsoft will make available a new version of the WGA Validation tool. When this occurs, a PC will run the validation check again.
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby Smitty » Wed Jun 28, 2006 11:17 pm

Interesting this.....
coz i think MS are telling porkies

I went to http://support.microsoft.com/kb/921914
and saw-
Click Start, and then click Control Panel.
b. Double-click Add or uninstall Programs, locate and then click Windows Genuine Advantage Notifications, and then click Click here for support information.
c. In the Support Info dialog box, verify the version number, and then click Close.
3. Rename the following files by changing the extension to .old:
• Rename %Windir%\system32\WgaLogon.dll to %Windir%\system32\WgaLogon.old
• Rename %Windir%\system32\WgaTray.exe to %Windir%\system32\WgaTray.old
4. Restart the computer.

but
did b..... and WGA Notifications is not listed :roll:
so I did a search on 'WGA" on my PC
and
guess what
I found.... a WGA.log (amongst about 30 files)
that (an example) has in it-
Copied file: C:\WINDOWS\system32\LegitCheckControl.dll
29.000: Copied file (delayed): C:\WINDOWS\system32\SET94.tmp
29.062: Copied file: C:\WINDOWS\system32\WgaLogon.dll
29.140: Copied file (delayed): C:\WINDOWS\system32\SET95.tmp
29.218: Copied file: C:\WINDOWS\system32\WgaTray.exe
29.281: Copied file: C:\WINDOWS\system32\DllCache\WgaLogon.dll
29.359: Copied file: C:\WINDOWS\system32\DllCache\WgaTray.exe
29.406: Copied file: C:\WINDOWS\system32\LegitCheckControl.dll
29.437: Copied file (delayed): C:\WINDOWS\system32\SET99.tmp
29.453: Copied file: C:\WINDOWS\system32\WgaLogon.dll
29.484: Copied file (delayed): C:\WINDOWS\system32\SET9A.tmp
29.500: Copied file: C:\WINDOWS\system32\WgaTray.exe
29.531: Copied file: C:\WINDOWS\system32\DllCache\WgaLogon.dll
29.578: Copied file: C:\WINDOWS\system32\DllCache\WgaTray.exe

now do I have it or not?
do I follow the MS solution? me thinks not
do I use the solution here? http://www.firewallleaktester.com/removewga.htm

I must admit I am confooozed :shock:

btw
my version of XP is legit ...and registered or verified
or whatever when i installed it


cheers
Smitty
Smitty
Friend of BleedingEdge
 
Posts: 195
Joined: Tue May 03, 2005 12:13 pm
Location: bayside Melbourne...the best place
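Smitty's question above (does the machine have WGA Notifications or not?) can be answered from the WGA.log excerpt he posted. The script below is an added example, not from this thread or from Microsoft: it parses "Copied file" lines of that shape, reports which of the three binaries named in the KB921914 steps were written as live copies (ignoring the SETxx.tmp staging copies and the DllCache mirrors), and can check whether they, or their renamed .old forms, are still under %WINDIR%\system32. The log sample is constructed from the posted excerpt; the disk check assumes a Windows %WINDIR% and simply reports nothing found elsewhere.

```python
"""Inventory check for WGA Notifications from a WGA.log excerpt.
Added example, not from the thread or Microsoft: parses the "Copied file"
lines setup wrote to WGA.log, reports which WGA Notifications binaries
were written as live copies under system32, and checks the disk."""
import os
import re
from typing import Dict, List

# The three binaries the thread (quoting KB921914) names as WGA
# Notifications components. Compared case-insensitively, like NTFS names.
WGA_COMPONENTS = ("wgalogon.dll", "wgatray.exe", "legitcheckcontrol.dll")

# Constructed sample, modelled on the WGA.log lines posted in the thread.
SAMPLE_WGA_LOG = """\
Copied file: C:\\WINDOWS\\system32\\LegitCheckControl.dll
29.000: Copied file (delayed): C:\\WINDOWS\\system32\\SET94.tmp
29.062: Copied file: C:\\WINDOWS\\system32\\WgaLogon.dll
29.140: Copied file (delayed): C:\\WINDOWS\\system32\\SET95.tmp
29.218: Copied file: C:\\WINDOWS\\system32\\WgaTray.exe
29.281: Copied file: C:\\WINDOWS\\system32\\DllCache\\WgaLogon.dll
29.359: Copied file: C:\\WINDOWS\\system32\\DllCache\\WgaTray.exe
30.000: Unrelated progress line that the parser must ignore
"""

# "29.062: Copied file: <path>" or "29.000: Copied file (delayed): <path>";
# the timestamp is optional because the first posted line had none.
_COPY_RE = re.compile(
    r"^(?:\d+\.\d+:\s*)?Copied file(?P<delayed>\s*\(delayed\))?:\s*(?P<path>\S.*?)\s*$"
)

def parse_wga_log(text: str) -> List[dict]:
    """One record per 'Copied file' line: path, lower-cased name, and
    whether it was a delayed (SETxx.tmp) staging copy or a dllcache copy."""
    records = []
    for line in text.splitlines():
        m = _COPY_RE.match(line.strip())
        if not m:
            continue  # progress and error lines are not inventory
        path = m.group("path")
        records.append({
            "path": path,
            "name": path.replace("/", "\\").rsplit("\\", 1)[-1].lower(),
            "delayed": m.group("delayed") is not None,
            "dllcache": "\\dllcache\\" in path.lower(),
        })
    return records

def wga_components_installed(text: str) -> Dict[str, List[str]]:
    """Map each component to the live paths the log says were written.
    Staging copies and dllcache mirrors are excluded: dllcache is Windows
    File Protection's backup, not a second installation."""
    found: Dict[str, List[str]] = {name: [] for name in WGA_COMPONENTS}
    for rec in parse_wga_log(text):
        if rec["name"] in found and not (rec["delayed"] or rec["dllcache"]):
            found[rec["name"]].append(rec["path"])
    return found

def notifications_present_in_log(text: str) -> bool:
    """Installed if both runtime pieces were copied; LegitCheckControl.dll
    alone is inconclusive because WGA Validation shares it."""
    found = wga_components_installed(text)
    return bool(found["wgalogon.dll"]) and bool(found["wgatray.exe"])

def components_on_disk(windir: str = "") -> Dict[str, Dict[str, bool]]:
    """Check system32 for each component, live or renamed to .old as in the
    KB921914 steps. Assumes %WINDIR% (default C:\\WINDOWS)."""
    sys32 = os.path.join(windir or os.environ.get("WINDIR", r"C:\WINDOWS"), "system32")
    return {name: {"live": os.path.exists(os.path.join(sys32, name)),
                   "renamed": os.path.exists(os.path.join(sys32, os.path.splitext(name)[0] + ".old"))}
            for name in WGA_COMPONENTS}
```

Run `wga_components_installed(open("WGA.log").read())` against the real log to see which live copies it recorded, then `components_on_disk()` to see what is still there after following the KB steps.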

Postby Stephen » Thu Jun 29, 2006 1:28 am

The Wgalogon.dll, Wgatray.exe and LegitCheckControl.dll files may be hidden files, so you would need to open up Explorer and:

Click 'Tools' -> 'Folder Options' -> 'View' tab, then check the box 'Show Hidden Files and Folders' and remove the check mark against 'Hide Protected operating system files'.

You should then be able to see the files.

It would also appear that there are some log files, such as the WGA.Log, WGANotify.settings and WGANotify.log files, that can also be deleted. I am presuming these are just log files and won't affect the core removal procedures.

Microsoft should also have instructions to remove ALL traces of this; seeing as they are publicly showing people how to remove it, they should supply COMPLETE instructions and a tool to help the novice perform this action.

It is bad enough they didn't put a hyperlink to this document, and this shows that it is a reactionary statement from Microsoft that they have had to rush through to appease the techies; they have done nothing for the average consumer or made it a simple process.

On the site that they refer to, microsoft.com/genuine, I could not see an easy way to find this information that they so clearly talk about in the Press Release. It should be in BIG BOLD RED INK on that page.

Many people, it would appear, have trusted the Firewall Leak Tester application, and it would be nice if they released the source code so that people can verify the legitimacy of the tool, just as was done with the WMF exploit patch released late last year by Ilfak Guilfanov on his blog, Hexblog.

Don't forget, next time you visit Windows Update/Microsoft Update or the Auto Update checks at Microsoft, it will prompt you to install the new tool.
Cheers, Stephen
Stephen
Site Admin
 
Posts: 2715
Joined: Wed Aug 03, 2005 4:56 pm
Location: Melbourne

Postby newman » Thu Jun 29, 2006 1:16 pm

newman
Friend of BleedingEdge
 
Posts: 1180
Joined: Mon Aug 22, 2005 1:43 am

Postby Smitty » Thu Jun 29, 2006 1:34 pm

The Wgalogon.dll, Wgatray.exe and LegitCheckControl.dll files may be hidden files, so you would need to open up Explorer and:

Click 'Tools' -> 'Folder Options' -> 'View' tab, then check the box 'Show Hidden Files and Folders' and remove the check mark against 'Hide Protected operating system files'.

You should then be able to see the files.


thanks for the suggestion
but
one of the first things I do on my systems...is to enable
viewing of hidden files and OS files
so
I expected to see WGA listed when I went to Control Panel-
Add or uninstall Programs
but nup..no show
so the Microsoft instructions are a crock of bull

..might even tell 'em that :twisted:


cheers
Smitty
Smitty
Friend of BleedingEdge
 
Posts: 195
Joined: Tue May 03, 2005 12:13 pm
Location: bayside Melbourne...the best place

Postby anandasim » Thu Jun 29, 2006 2:32 pm

Hi Smitty,
There could be some things that are causing confusion.

1. The MSKB webpage does not explain enough. That's a problem.

2. In Add/Remove, there is a checkbox at the top. Show Updates - this must be checked on. Otherwise you see other software programs but not Windows Patches. Nothing to do with Folder Options in Windows Explorer. This has to do with Control Panel items only.

3. When it is checked on, Windows Genuine Advantage Notifications (KB905474) is not listed as a standalone item. It is a subitem filed under Windows XP - Software Updates. So look for this parent item first; under this parent item are the subitems, not listed alphabetically even if Sort by: Name is requested.

4. Note that my wganotify version does not tally with the MSKB article. My version is 1.5.0526 which precedes the "pilot version" mentioned in the article.

5. This item is flagged No Uninstall, and additionally there is no uninstaller even if you do manage to flag it as the reverse. So you manually have to remove it.

6. Unfortunately, I have run that independent removal tool so I can't replicate the article's instructions.

7. In the many files that you found, only a few are vital WGANotify files. The others are temp files or logs. Additionally, you will see duplicates of each file in the subfolder dllcache. This is standard Windows behaviour, protecting system files from being trashed.

wgalogon.dll
wgatray.exe

are the miscreants.
So Microsoft says to delete them. Unfortunately, the way that wganotify performs, these two files are running all the time.

So they ask you to rename these files to .old (you can do such things, but you can't delete them yet). Then there is a third file

LegitCheckControl.DLL

This is also running and I think it is not only used by WGANotify, it is also used by WGA (which is a different program, different intent).

So you have to unregister LegitCheckControl.

Next comes the reboot - at which time, all three files are now not running because two of them can't be found as they have been renamed.

So then the idea is you now have a chance to delete all three.

Then you clean up some registry settings.

However, the article does not mention that the Uninstall icon in Control Panel is also a registry setting, and they don't ask you to kill that off.

As I said above, I can't emulate these procedures because I have already used another tool.

8. Finally I go to Windows Update website with IE and ah, WGA is now upset because it depends on LegitCheck and what did we do with LegitCheck? So Windows Update won't update until you let WGA install again.

9. After WGA installed, it offered me WGANotify and the Commonwealth Games Daylight Savings Timezone resets.
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne

Postby Smitty » Thu Jun 29, 2006 5:02 pm

Hi Smitty,
There could be some things that are causing confusion.

1. The MSKB webpage does not explain enough. That's a problem.

2. In Add/Remove, there is a checkbox at the top. Show Updates - this must be checked on. Otherwise you see other software programs but not Windows Patches. Nothing to do with Folder Options in Windows Explorer. This has to do with Control Panel items only.

3. When it is checked on, Windows Genuine Advantage Notifications (KB905474 ) is not listed as a standalone item. it is a subitem filed under Windows XP - Software Updates. So look for this parent item first and then under this parent item are the subitems, not listed alphabetically even if Sort by: Name is requested.
...snip...

9. After WGA installed, it offered me WGANotify and the Commonwealth Games Daylight Savings Timezone resets.


ta mate

1, 2 and 3 I will check tonight when I get in

and 9?
someone has sense of humour :twisted:

[EDIT] checked tonight
the checkbox was not ticked..is now
and lo and behold..there it is
but guess what?
Microsloths instructions in that item
..don't work [/EDIT]



cheers :evil:
Smitty
Smitty
Friend of BleedingEdge
 
Posts: 195
Joined: Tue May 03, 2005 12:13 pm
Location: bayside Melbourne...the best place

Postby holtom » Sun Jul 02, 2006 9:34 pm

The WGA version on my machine says it is 1.5.0540.0 (KB905474)

This seems to be one that cannot be uninstalled easily (without crashing the system), reading through the above.

Is there a program to remove this version?
holtom
First poster
 
Posts: 1
Joined: Sun Jul 02, 2006 9:31 pm

Postby anandasim » Sun Jul 02, 2006 10:41 pm

From a google search, 1.5.0540.0 appears to be the production version of wga.

1. Microsoft didn't provide an uninstall utility to remove the pilot version. I would guess they wouldn't be keen to let the production version be removed either.

2. Lauren Weinstein has had contact with Microsoft. She documents her findings here - http://lauren.vortex.com/archive/000184.html

3. A Google search for wga currently shows all kinds of ways (at least 15?) of suppressing wganotify some of them more successful than others. Which implies that the keen hacker will easily overcome the hurdle while normal users will be put off by the rigmarole. Of course none of these techniques would be sanctioned by Microsoft.
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne

I have easily and successfully removed WGA junk...

Postby MightyFrosty » Sat Jul 08, 2006 4:04 am

It's quite easy really goto http://www.isohunt.com and search wga, you will find: WGA.Validation.v1.5.540.0 [tracker.chilebits.org].rar, follow the simple instructions and voila. Please make sure you set auto-updates to off or at the very least notify. :D

P.S. please note that this is to remove version 1.5.540.0 only, but the same easy method is available at http://www.zor.org/desperate for previous version.

Enjoy!
MightyFrosty
MightyFrosty
First poster
 
Posts: 1
Joined: Sat Jul 08, 2006 3:54 am
Location: Canada

Postby anandasim » Sat Jul 08, 2006 10:44 am

If the above was a valid posting, it's a case of the cure potentially being worse than the disease. You go to a BitTorrent download that is unvetted, with no ability to check whether it is a kosher util or malware before you download, or to a website which is a software cracking site.
anandasim
Site Admin
 
Posts: 4570
Joined: Sun Sep 19, 2004 3:25 am
Location: Melbourne
