
How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest

Here's how to nuke this persistent menace

Microsoft uses techniques similar to aggressive malware to promote its “Get Windows 10” offer.

As many readers have discovered, the persistent and constantly changing methods Microsoft uses to continually reintroduce its “Get Windows 10” tool, or GWX, onto computers mean it is extremely difficult to avoid.

Windows users who decline to use it find it is repeatedly reintroduced. The language of the counter-malware industry is more appropriate than the language of enterprise IT for GWX.

GWX subverts a channel intended for one purpose (security hotfixes) for another (advertising); it changes its “attack vectors”, it uses “polymorphic” techniques; and it consistently overrides users' actions and permissions.

Much of the attention in the tech press on combatting GWX has focused on eliminating the work of one patch, KB3035583, which constantly reappears on users' PCs, even after removal. However, an investigation shows that ‘583 is a symptom, rather than the cause, of recurring GWX infestations.

The ‘583 patch is most commonly reinstalled by another patch, KB2952664. Once ‘664 is on a system, ‘583 will be requested for download and installation. Getting rid of, and thereby controlling, ‘664 could be the key to controlling the sophisticated "Get Windows 10" nagware network.

"Current patches do not fully address this situation and I do not believe it ever will, as the author of the GWX patch only addresses the GWX executable plus the '583 update,” writes a reader who conducted a detailed investigation for us.

Studying the behaviour of the ‘664 patch explains why controlling GWX is so difficult. The ‘664 patch constantly “mutates” – it is frequently revised to contain a new payload. Microsoft has not documented its behaviour, and has over the years removed explanations of what KB patches actually do.

The ‘664 patch has changed often, as these logs show:

Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.3.0
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.4
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.5.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.6.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.7.4
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.8.2
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.6
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.8
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.10.5
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.14.2
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.15.2

Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.2.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.2.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.3.0
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.4.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.4.4
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.5.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.6.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.7.4
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.8.2
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.9.6
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.9.8
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.10.5
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.14.2
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.15.2

Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.3.0
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.4
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.5.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.6.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.7.4
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.8.2
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.6
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.8
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.10.5
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.14.2
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.15.2

Windows Update considers each revision to the patch to be a new install instance. So every time Microsoft changes the KB2952664 update nomenclature, all previous attempts by the user to block the update are invalidated.

Many users are unaware that uninstalling either KB3035583 or KB2952664 only uninstalls a single revision of the patch; later, the patch can reinstall itself under an alternate revision number because KB2952664 is cached in C:\Windows\SoftwareDistribution\Download. A filtered registry dump on our test machine revealed more than 80 registry entries relating to the installation of ‘583 and ‘664, located mostly in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages.

Unless the user gets rid of ALL of the "Get Windows 10" system updates and its helpers, the GWX popup will persist. These are:

KB2952664
KB3035583
C:\Windows\System32\GWX
C:\Windows\SoftwareDistribution\Download\*KB2952664*
C:\Windows\SoftwareDistribution\Download\*KB3035583*
ALL registry entries for KB2952664 and
(optionally) KB3035583

The GWX "patch" only hides the "Get Windows 10" reminder from the System Tray; it does not eliminate the actual installation of the assigned Windows 10 updates.

Microsoft has made it exceptionally difficult to remove the reminders in a coherent way. Removal cannot be automated – and if you miss one of the 80 registry entries, the process restarts.

The number of registry entries differs according to which, and how many, previous versions of KB2952664 have been installed. Owner permissions need to be reset to change some of the entries, making it more difficult.
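Before starting a removal pass it helps to know how many revisions, registry entries and cached payloads are actually present. The following read-only audit script is an added example, not from the article, the reader's investigation or Microsoft; it assumes the default Windows paths named above and should be run from an elevated PowerShell prompt so the Component Based Servicing keys are readable.

```powershell
# Added audit script: reports every CBS registry entry, cached download and GWX
# folder tied to KB2952664 / KB3035583. It only reads; it changes nothing.
$kbs   = @('KB2952664', 'KB3035583')
$cbs   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
$hives = @("$cbs\Packages", "$cbs\PackageDetect")

foreach ($kb in $kbs) {
    Write-Host "== $kb =="
    foreach ($hive in $hives) {
        # Key names look like Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.15.2;
        # the trailing ~~x.y.z.w is the revision Windows Update treats as a fresh install,
        # which is why a single uninstall or block never covers all of them.
        $keys = Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -like "*$kb*" }
        $revisions = $keys | ForEach-Object {
            if ($_.PSChildName -match '~~(\d+(?:\.\d+)+)$') { $Matches[1] }
        } | Sort-Object -Unique
        Write-Host ("{0}: {1} keys, {2} distinct revisions" -f $hive, @($keys).Count, @($revisions).Count)
        $revisions | ForEach-Object { Write-Host "    revision $_" }
    }

    # Cached payloads are what allow the patch to reinstall under another revision.
    $cacheDir = "$env:SystemRoot\SoftwareDistribution\Download"
    $cached = Get-ChildItem -Path $cacheDir -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like "*$kb*" }
    Write-Host ("Cached download items: {0}" -f @($cached).Count)
    $cached | ForEach-Object { Write-Host "    $($_.FullName)" }
}

# The GWX application itself lives outside the update store.
$gwxDir = "$env:SystemRoot\System32\GWX"
Write-Host ("GWX folder present: {0}" -f (Test-Path -Path $gwxDir))
```

A revision count well above one for either KB is the signal that a per-revision uninstall has not, and will not, clear the machine.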

Our resident sysadmin blogger Trevor Pott advises network administrators to take three steps. Firstly, push the registry change via a Group Policy Object (GPO). Secondly, make sure that the GWX patches are not installed. Thirdly, block them in Windows Server Update Services (WSUS).

“The lack of transparency, specifically regarding documentation, creates huge problems for business users. The biggest beef I might have with that is that it’s a 'lie of omission',” says Pott, because for many patches, the documentation doesn't disclose the full extent of their behaviour.

“Microsoft is decreasing the number of versions of Windows and removing user options for how they control, delay, prune, filter or throttle patches,” says Pott. "Sysadmins want clarity on what's in patches and control over all aspects of their systems – it's a pack of vague lies, outright lies and misinformation.”

Microsoft’s official position is this. The company told us:

Customers can choose to not install the Windows 10 upgrade or remove the upgrade from Windows Update (WU) by altering the WU settings. The Get Windows 10 app functions within the Windows 7 and Windows 8.1 notification manager control panel and customers can turn off upgrade notifications in the system tray. The Get Windows 10 app icon can also be removed in the system tray.

For IT administrators, it is possible to disable the upgrade using Group Policy settings or by using the DisableUpgrade registry key. All other registry keys are not supported mechanisms for controlling notifications or controlling the upgrade process and are not recommended by Microsoft. Please see KB 3080351 for more information.

But that is far from the full picture. The advice doesn’t address the fact that GWX mutates and removing those updates ultimately fails to prevent GWX reappearing.

Last week corporate IT admins had to pull an IE security patch as it had created a new attack vector for GWX, forcing the Get Windows 10 nagware onto domain-attached PCs. It seems no user inconvenience is too great: Microsoft continues its assault with this promotional scheme.

Microsoft has been keen to stress that cloud computing won’t succeed without the public’s trust. But its use of hyper-aggressive malware techniques in its GWX, and lack of transparency, suggests it needs to do much to clean up its own backyard. ®

(Thanks to reader ‘Snake’ for his sleuthing).

Bootnote

We've withheld full registry logs for reasons of space. But if you want them, just ask (click on the name at the top of the story for the contact form).
