What to do with WGA and wgatray.exe?

Discussion in 'privacy general' started by Devinco, Jul 23, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If a user has WGA installed, can it be safely removed and still get Automatic Critical Updates and manual MS Updates?
    How do you remove it?

    If it is better to leave WGA installed, what are the recommendations to restrict its behavior?
    In an outbound rules based firewall, should we just block it?
    Should we restrict its access?
    What are the restriction rule recommendations for wgatray.exe?

    In process guard, I've allowed it to execute on one system but it logs about 60 times that it tries to access physical memory.
    Should I allow wgatray.exe to access physical memory?

    I've paid for all licenses from reputable sources and they are legal.
    I've not received any false positives from WGA, but if I don't NEED this garbage, I don't want it on any systems.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    well WGA is different from the notifications.

    u need WGA to access the windows/microsoft update site and some microsoft downloads. without it u can still use automatic updates tho.

    for the WGA notifications, i just dont install it. plus i think it needs automatic updates for it to work, so if u dont use AU then it wont do anything.

    if u already have teh notifications update installed, u can always use RemoveWGA
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks WSFuser. And thanks to gkweb for making the removal tool.
    Fortunately, I set my automatic updates set to notify me but don't download or install them and I never put it on. But lots of other people have auto install critical updates get this "spyware" foisted on them. And now it seems it can't be removed!

    The final release has been installed on many people's computers and now cannot be removed.
    Maybe I can use Process Guard to block it, reboot, then delete the WgaLogon.dll?
    Then from now on whenever there will be new critical updates, the user will need to choose every one except the WGA notifications.

    This is ridiculous, they won't stop piracy with this and they are making their paying customers angry.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    maybe u can go to safe mode and if necessary use unlocker to delete the offending file?

    im not sure, but good luck.
     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Have a look at XP-AntiSpy (Freeware). It is able to deactivate the WGA check at logon. If you disable it it _can't_ be enabled again. You have to reinstall it.

    http://www.xp-antispy.org/
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    It worked! Thanks Tommy. :)
    After a reboot, I was able to rename the offending WGAlogon.dll and wgatray.exe. No problems.
    Manually visiting MS Updates confirms that WGA Notification wants to install again as a High Priority Update.
    Good riddens WGA notification!
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Personally, I haven't bothered disabling or removing WGA. I really can't get too excited about whether it should be removed or not. It really isn't that big a problem in my eyes.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Well it is an individual choice, of course, but this maybe just the thing that malware authors target for future exploitation. If I have a choice to not be spied on, I will choose what infringes the least on my freedom.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Malware authors are targeting many applications these days, including Excel, Powerpoint etc. that are Microsoft creations. I even heard of a proof-of-concept virus for MS Publisher, which I still use, but it hasn't stopped me from using it. I trust my AV to protect me from such malware, and thankfully, detection for all those I have mentioned exist.

    I wouldn't have thought of the WGA application as being "spied on". There is a danger of being over-sensitive when it comes to applications from trusted sources. Spyware that does phone home for its own ends is a worry, and I applaud anti-spyware companies detecting and eliminating those, but to me, a company like Microsoft trying to protect against piracy is what this is all about. Admittedly, the frequency of WGA "phoning home" on a daily basis was an initial concern, but I believe that has been changed in recent updates to something like once every two weeks. Maybe that should be extended even further, who knows.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    There is not a single positive thing about wga. Soory, there is. Linux.
    Mrk
     
  11. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    So if the spyware comes from MS it is suddenly a trusted application?
    Spyware is spyware, nothing more.
    Like Mrk said, there is nothing good about WGA
     
  12. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi Tony :)

    Ya know, if they had announced and supported the software properly I wouldn't describe it as spyware either. But that's not the whole story. The 'trusted source' did not present the software in an open & honest way. It used its authority as a trusted source to encourage people to load this beta software. This was done under the umbrella of a critical update and then they explained the daily phoning home as being a result of having to closely monitor the software in case it ran amok. Most commentators recognise this was an abuse of trust.

    There will be many people who still don't realise the role of this software. Imagine you are just a family with an honestly licenced PC. 18 months ago you had to take it to the local shop - you'd panicked about an infection and wanted the nice engineer to reformat and put your software back on for you. A not unknown scenario for the casual user.

    What they don't realise is that the nice engineer has accidentally used a different 'XP' disc/Licence No:- the install was successfully activated online at that point and all seems normal to the happy couple when they get their pc back. They carry on, not even noticing the install of this strange thing called WGA and why not ? Microsoft has explained how it's best to go automatic updates, take all that's offered and enjoy a trouble free computing experience.

    Until of course the nag screen comes up telling them they're operating illegally - 'We know what you've done' comes the Microsoft message from their PC. What is the chance they're gonna immediately relate this to what they considered a successful reformat 18 months ago ? Not to worry, it's only a nag screen, must be a mistake - it'll go away. Only now they're trying to update their Windows Defender or download IE7. No go - 'you've been identified as dodgy geezers - satisfy us first that you're honest, then we'll talk '(I believe this level of denial will be the worst of it - I don't think they will prevent critical updates for XP users - to add more unpatched machines to the .net wouldn't make anysense and would raise the degree of harm).

    Sure, in this scenario it was the engineers fault and I don't doubt that eventually the situation will eventually be remedied for these kinda folks. But the worry and possible expense will already have impacted. So with Microsoft aware that this kind of scenario amongst many others, is ahead for some people - how would they make a decision to misrepresent the software that polices the installation. Why not simply have been upfront?

    One simple answer is that it was never for the user - it was always for Microsoft. It certainly doesn't want to cause extra work amongst their big volume buyers - so rather than make life more difficult for them by controlling the way volume licences work at the point of sale - they have concentrated at the end of the line - the home user.

    In order for us to resolve problems, Microsoft may then ask us to identify the engineers & shops that provided the OS/machine - as part of our explanation as to why we've been flagged.

    Now, not only is the software policing us - it's recruited us to gain additional information about suppliers. If it wasn't for the lousy way they introduced it, it could almost have been a stroke of genius.

    At this point as far as I understand it - Microsoft are generally understood to have played this hand really badly. However as long as they balance the 'harm & remedy' formula, it's felt unlikely that they will lose the court cases being brought against them.

    Notwithstanding the likelihood of Microsoft being judged as being within their legal rights. Without going down the 'evil M$ ate my baby' route - now more than ever, I find it difficult to attribute the term 'trusted' source to Microsoft.

    Apologies to Devinco for taking your thread further into this direction - you seem to have successfully resolved your OP.:thumb: :)

    eyes-open - falling off my podium and running back to 10F where we use fewer words & pretty pictures......
     
    Last edited: Jul 24, 2006
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you eyes-open.
    You (and TonyW) helped bring this cloudy issue into sharp focus.
    It is an issue about trust and the betrayal of it.
    It is certainly not as bad as the Sony Rootkit, but do we really need to wait for the WGA Rootkit release before we raise any objection?
    Legally, I'm sure their EULA would protect them even if their OS caused people's computers to go up in smoke and flames.
    Whether you are for it, against it, or just don't care, it is not one of their better "Trustworthy Computing" moments. :D
     
  14. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hehe - it is strangely familiar tho' - anybody got a spare towel ?
    Extract from Hitchhikers Guide to the Galaxy by Douglas Adams.......(as was the towel reference)
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    I wanted to comment this quote :

    RemoveWGA can automatically remove the pilot version with a simple reboot, no need for manual tricks.
    It can also remove the final version dynamically, which means that it removes the WGA notification tool in live, before the reboot. The drawback is that once done, you have to push your reset button to avoid the BSOD.

    I went the "brutal" way of unloading WGA directly before the reboot, to avoid the game of the cat and the mouse. The pilot version was removable using a Windows API to mark files for deletion at next reboot. The final version look at this API and purposefully blocks it (I don't think MS hooks it, but simply refuses to write the registry with the WGA files marked for deletion).

    I could have done it another way (without the need to reset), but again may be the next WGA version will block it, etc... Also, from what I have noticed, for now the final version is not installed first if you don't have the WGA notification installed. Apparently the pilot version is first installed, and then only, the final version (which seems to be an upgrade from the pilot) is installed.

    Finally, if RemoveWGA sees that it is blocked from deleting WGA notification normally, it will display a warning asking your choice about brutally removing it or not, it won't take any risk without your acknowledgement.

    About setting up the automatic update to get rid of the periodic ask about the WGA tool, I made a small guide :
    http://www.firewallleaktester.com/tweak_automatic_update.htm

    Regards,
    gkweb.

    EDIT : I've uploaded RemoveWGA v1.2 (beta) at the following url :
    http://www.firewallleaktester.com/tools/beta/RemoveWGA.exe

    I have successfully tested it against the pilot and final WGA notification version on a Windows XP SP2 Home Edition (clean removal).
    This version does not requires a BSOD anymore to remove the final version, but still will offer you this brutal way if everything else fails.
    This way, it should be able (theoretically) to remove futur WGA versions as well, without playing the cat and mouse.
     
    Last edited: Jul 25, 2006
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you gkweb!
    It worked very well and cleanly on 2 different XP Pro SP2 fully patched systems with the full version WGA notifications (variant KB905474) installed. No Problems.
    One system had Process Guard blocking wgatray.exe and the other had no Process Guard. Perfect removal.

    And thanks for all the other excellent security tools and services you provide. :cool:
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thanks for your words Devinco, and for letting me know about your tests, I'm glad it worked at the first time :)
    I'll continue to test it, and if no problem occurs, I will make it as the official version.

    Regards,
    gkweb.
     
  18. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, gkweb

    Thank you very much.

    The Alpha Worked fine on two copies of XP Pro.



    Take Care,
    TheQuest :cool:
     
Loading...
Thread Status:
Not open for further replies.