WGA notification tool uninstaller (RemoveWGA.exe)

Discussion in 'privacy technology' started by gkweb, Jun 13, 2006.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    All security Microsoft updates can be downloaded from:

    http://www.microsoft.com/technet/security/current.aspx

    Go a little toward the middle / bottom of the page, choose your product, choose the patches (critical, moderate etc.), choose the time period (last 1-2 years...), and then download them one by one.
    Mrk
     
  2. swsnydert

    swsnydert Registered Member

    Joined:
    Jun 14, 2006
    Posts:
    3
    It seems that Microsoft is not deploying WGA notification on Win2K. With all Critical updates having been applied to 2 Win2K/SP4 systems via Windows Update there is no indication of WGA activity.

    I assumed that since WGA installation wasn't pending with the other updates on Tuesday that these 2 systems already had it installed. I guess not.

    Apparently Win2K is too old for the "Advantage" that WGA provides.

    FYI.
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @swsnydert
    You said that there is no sign of WGA notification on Windows 2000, is there at least the WGA Validation part ?
    One possibility, since MS said that it was a kind of "beta" stage for now, is that it will be deployed later on other platforms (just an idea).

    @all
    Besides this, I've done a dedicated page for the RemoveWGA tool :
    http://www.firewallleaktester.com/removewga.htm
    http://www.firewallleaktester.com/tools_list.htm

    You can access the changelog by clicking the link at the bottom of the page.

    Regards,
    gkweb.
     
  4. swsnydert

    swsnydert Registered Member

    Joined:
    Jun 14, 2006
    Posts:
    3
    Yes, the WGA validation is in place. It was rolled out to Win2K at the same time as WinXP and is checked in the course of getting updates every month. It's just the notifier that is absent on my 2 Win2K systems.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't get it, the WGA notification tool does not seem to be active on my machine according to this tool, but I do have WGA installed, any comments? o_O
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    did u check add/remove programs for the WGA notification tool?

    the KB number is KB892130 or KB905474, or both. im not sure.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, then I guess I misunderstood the whole issue or something, the only thing that I have installed is the Windows Genuine Advantage tool, this tool is required for certain downloads. But no sign of the WGA notification tool, I guess it came with one of last month's patches? I have to admit that I'm not fully patched yet so that would explain it. :ninja:
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    yes the WGA notification tool is a newer download.

    also the WGA notification tool is different from the WGA validation used for accessing microsoft downloads and stuff.
     
  9. krick

    krick Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    1

    Not sure if you've solved this one yet or not but I had the same problem and downloading and installing the update manually fixed it for me...

    http://www.download.windowsupdate.c..._4bafa8793e8cdcaf4ba4ffc494df32d496154544.exe
     
  10. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth
    not currently active on my system? so guess i dont need to remove it? :D
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    If you did install it then it is active. It's just that the tool could not find it, like gkweb said. At worst, the tool won't work. So you need to try other methods of removing the ****.
    Mrk
     
  12. redmaledeer

    redmaledeer Registered Member

    Joined:
    Sep 6, 2004
    Posts:
    8
    Your problem with multiple installs of the same update would be helped by NOT using Auto-Updates. That way YOU would decide which updates are applied, not Micro$oft and its vagaries. I have never had Auto-Update turned on simply because I want to know what is being put on to my computer. I don't even have notifications turned on because they nag me too much.
     
  13. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    I have auto updates "on". But just to notify me there are updates available. But it's set NOT to download them. Very convenient. Thanks M$.:D
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    If it says it is not active on your system, it is because the WgaLogon.dll is not loaded into winlogon.exe, hence it is not active, simply.
    Why, is another question. If the tool should fail, it wouldn't say it is not active (which is a successful answer), it would pop up an error dialog with a white cross inside a red circle, such as :
    That is what I am talking about when I say it might fail, because I've tested it only on XP SP2. Reports confirm that it works on XP SP1 as well, and that both Win2K and Win2K3 do not have the update offered or installed.

    maddawgz, are you sure you are not confusing it with the WGA Validation ? Installing the Validation part does not install the Notification part.
    The tool only removes the Notification part.

    BTW which OS do you have ?

    Regards,
    gkweb.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Interesting point. I tried your tool on one of my PCs - where it said that the tool is not active. However, if I check HJT, I get O20 Winlogon Notify - wgalogon.dll.
    So loaded or not? And why not, if supposedly the download and install succeeded?
    Mrk
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Then, you should report it to me with most details to get it fixed for others :)

    1 - what is your OS + Service Pack ?
    2 - have you any security programs (e.g ProcessGuard) blocking READ access ?
    3 - Did you install the WGA notification, and was the install successful ?
    4 - Did you modify manually the NTFS permissions of the WgaLogon.dll ?
    5 - Did you run the RemoveWGA from an account with admin privileges ?
    6 - What is your system32 path ?

    Question 4 could be the cause. The tool doesn't care if there is a registry entry or not, it checks if the DLL is actually loaded and alive in memory.
    If the system cannot execute the file, then although the reg entry is there, it cannot load it.

    If you want to check manually if the WgaLogon.dll is loaded, please use the following tool (it's a process viewer) :
    http://www.firewallleaktester.com/tools/ProcX.exe

    Run it, go into the "View" menu, check the "DLL pane" option. Then left click on "winlogon.exe", and scroll down the bottom list to check if "wgalogon.dll" is listed.

    Please keep us informed. Thank you very much in advance :)

    Regards,
    gkweb.

    EDIT : added two questions

    EDIT : I've added a few error checks in the following version, if you can tell us how it behaves, please :
    http://www.firewallleaktester.com/tools/RemoveWGA1.02.exe
     
    Last edited: Jun 18, 2006
  17. Mudd

    Mudd Registered Member

    Joined:
    Aug 20, 2003
    Posts:
    38
    Location:
    Howard Co, TX
    Thanks gkweb. Tried it and after reboot offered to remove it just as you said.
     
  18. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    I tried the tool for removing WGA Notification Tool. The WGA notification tool was initially active on my system (XP SP2). I ran the tool according to the instructions and rebooted on the prompt. At startup, SpySweeper gave an alert on the removal tool as expected and I allowed it, but I never did see any indication that it had functioned—that is the final window never opened. I manually ran the removal tool again and at that time it indicated that WGA was not active on my computer. Out of pure curiosity, I then ran a search for “WGA” and found the following:

    WGAErrLog.txt C:\windows\Temp 1KB
    WgaLogon.dll C:\windows\system32\dllcache 349KB
    WgaTray.exe C:\windows\system32\dllcache 280KB
    WGA.cat C:\windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} 7KB
    WgaNotify.cat C:\windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} 7KB

    HJT gives:

    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    There is no indication of WGA Notification Tool in the Add/Remove control Panel.

    Perhaps you can help me to understand this apparent discrepancy. Something does not seem quite right here and I would very much like to get this off my computer.
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    The tool having been intercepted in the middle of its process, that could have prevented it from finishing normally.

    Those files should have been deleted, hence what I say above.

    Then you can be sure that WGA notification is inactive on your system.
    WgaLogon.dll must be present in order to load, and then to launch WgaTray.exe. Given the case that both WgaLogon.dll and WgaTray.exe are not present on your system, the WGA notification is not enabled or active.

    A few traces are left; if not intercepted, nothing should be left except maybe the other DLL, which I do not know; it may be related to the Validation part.

    Regards,
    gkweb.
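
The reconciliation discussed in the posts above (a Winlogon Notify registry entry versus the DLL on disk versus the DLL actually loaded in winlogon.exe), as an added example that is not part of any post and not RemoveWGA's code. It parses the HijackThis O20 lines quoted earlier in the thread; the module list is constructed sample data, and the function names and state labels are this example's own.

```python
import re

# HijackThis O20 line: "O20 - Winlogon Notify: <key> - <dll>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify:\s*(?P<key>.+?)\s+-\s+(?P<dll>.+?)"
    r"(?P<missing>\s+\(file missing\))?\s*$", re.IGNORECASE)

def _basename(path):
    # Compare on lower-cased file name; Windows paths are case-insensitive.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_o20(log_text):
    """Return {notify key: (dll file name, file_present)} for each O20 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("key")] = (_basename(m.group("dll")),
                                       m.group("missing") is None)
    return entries

def classify(entries, winlogon_modules):
    """Reconcile registry entries with modules actually mapped into winlogon.exe."""
    loaded = {_basename(m) for m in winlogon_modules}
    report = {}
    for key, (dll, on_disk) in entries.items():
        if dll in loaded:
            report[key] = "active"                  # DLL is live in winlogon.exe
        elif on_disk:
            report[key] = "registered, not loaded"  # entry and file exist, load did not happen
        else:
            report[key] = "orphaned entry"          # registry value left behind, nothing to load
    return report

# The two O20 lines are quoted from the thread; the module list is constructed.
HJT_SAMPLE = r"""
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
MODULES_SAMPLE = [r"C:\WINDOWS\system32\winlogon.exe",
                  r"C:\WINDOWS\system32\WRLogonNTF.dll"]

if __name__ == "__main__":
    for key, state in classify(parse_o20(HJT_SAMPLE), MODULES_SAMPLE).items():
        print(f"{key}: {state}")
```

A registry-only scanner reports both entries the same way; only the loaded-module comparison separates the leftover WgaLogon value from a notifier that is actually running.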
     
  20. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    Greetings gkweb,

    Thanks for the prompt reply!

    So let us assume that the SpySweeper startup shields interfered with the tool completing its task. Also, that WGA Notification Tool is truly not active on my computer. Would you recommend my manually deleting the files listed below?

    WgaLogon.dll C:\windows\system32\dllcache 349KB
    WgaTray.exe C:\windows\system32\dllcache 280KB

    Or just leaving things alone at this stage?

    Best regards,
    RL
     
  21. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    You are welcome ;)

    Better than assuming, I will test SpySweeper and see what happens, and will double check the deletion operation at start.

    You can do it indeed. Check after that they are definitely deleted (just in case).

    Regards,
    gkweb
     
  22. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    Greetings gkweb,

    I like your style--why indeed assume.

    I will go ahead and delete the remnants and then check with both Search and HJT.

    Thanks again!

    Best regards,
    RL
     
  23. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    Greetings gkweb,

    All remnants securely erased without problems! Search shows nothing.

    Thanks!

    Best regards,
    RL
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I have tested SpySweeper, and the symptoms you described are what happens when you block the tool from setting its registry entry to start at next reboot.
    When doing so, after the reboot it is not launched, and does not delete the registry entry and the remaining files (only WgaLogon.dll and WgaTray.exe are deleted from the system32 folder).

    To avoid this, I have modified the tool to set all files to be deleted at next startup (it's Windows which deletes them) so if at worst RemoveWGA was prevented from starting, all the files will be deleted anyway. Only the registry entry would remain.

    http://www.firewallleaktester.com/removewga_changelog.htm
    The modifications added will also check the issue where the tool is blocked by another security program to read the processes or to access Winlogon.

    I have also tried to unload the WgaLogon.dll alive from Winlogon.exe, and to remove all without a reboot.
    It works at the moment, but the next time you reboot, you have a nice BSOD from winlogon. So it's not really a success, and I didn't add the option in the tool to do it.

    Regards,
    gkweb.
     
  25. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    Greetings gkweb,

    Nicely done and thank you yet again.

    I will take the liberty of quoting your entire last post over at CastleCops where there is a thread on this as well.

    Best regards,
    RL
     