
Zombie Crapware: Understanding the Windows Platform Binary Table

August 19, 2015

UEFI Firmware Vulnerability in Windows

A relatively unnoticed addition to Windows 8 introduced a capability that permits PC manufacturers to install unwanted software, often termed crapware, directly into the UEFI firmware.

This means that even after a user undertakes a complete clean installation of the operating system, this undesirable software can persist and reinstall itself.

Persistence Across Clean Installs

The functionality remains present in Windows 10, raising significant questions about Microsoft’s design choices.

Granting such extensive control to PC manufacturers is perplexing and potentially detrimental to the user experience.

Mitigation Strategies

The situation underscores the benefits of purchasing computers directly from the Microsoft Store.

Even with a clean install, pre-installed bloatware may remain on systems acquired from other vendors due to this firmware-level installation capability.

Therefore, careful consideration should be given to the source of the PC to minimize the risk of unwanted software persistence.

WPBT 101

Starting with the release of Windows 8, computer manufacturers gained the capability to integrate a program directly into a PC’s UEFI firmware. This program, fundamentally a Windows executable file (.exe), is housed within the “Windows Platform Binary Table” (WPBT) portion of the UEFI firmware.

During the Windows boot process, the operating system scans the UEFI firmware for this embedded program. Upon detection, it is copied from the firmware to the system’s primary drive and subsequently executed.

How WPBT Functions

It’s important to note that Windows does not provide a built-in mechanism to disable this functionality. If a manufacturer configures their UEFI firmware to include a WPBT entry, Windows will execute the associated program automatically.

This process occurs without prompting the user or offering an option to decline execution. The system simply loads and runs the program as part of the boot sequence.

Implications of WPBT

  • Automatic Execution: Programs within the WPBT are launched automatically during startup.
  • Firmware Integration: The program resides within the UEFI firmware, making it persistent across operating system reinstalls.
  • Limited User Control: Users have no direct control over whether these programs are executed.

The WPBT represents a significant aspect of the modern boot process, offering manufacturers a method for pre-installing and running software at system startup. Understanding this mechanism is crucial for comprehending system behavior and potential security implications.

Lenovo Service Engine (LSE) and Associated Security Concerns

The discussion of pre-installed software vulnerabilities necessitates a review of a prominent case involving Lenovo. Several personal computers were shipped with a component known as the Lenovo Service Engine (LSE) already enabled.

Functionality and Data Reporting

Upon activation by Windows 8, the LSE initiates the download of a program called OneKey Optimizer. Subsequently, it transmits some system data back to Lenovo’s servers.

Lenovo implemented system services specifically designed for downloading and updating software via the internet. These services proved resistant to removal, even persisting after a complete reinstallation of the Windows operating system.

Expansion to Windows 7

The practice was further extended to systems running Windows 7. The UEFI firmware was modified to examine the C:\Windows\system32\autochk.exe file.

If present, this file was replaced with a Lenovo-authored version. This manipulation allowed Lenovo to continue the practice on Windows 7, as autochk.exe is a crucial component for file system checks during boot.

This demonstrates that utilizing the Windows Platform Binary Table (WPBT) isn't a prerequisite for such actions; manufacturers can directly modify system files through firmware alterations.

Security Vulnerability and Remediation

A significant security flaw was identified within this system, creating a potential avenue for exploitation. Consequently, Lenovo has ceased shipping new PCs with the LSE pre-installed.

Updates are available to remove LSE from both notebook and desktop PCs. However, these updates are not automatically applied, meaning a substantial number of affected systems likely retain the vulnerable component within their UEFI firmware.

Historical Context

This incident represents another security issue originating from the same manufacturer previously associated with the distribution of PCs infected with Superfish adware. The extent to which other PC manufacturers have engaged in similar practices remains unclear.

It is important to note that the WPBT is not the only method available to manufacturers for persisting software across reinstalls.

The ability to modify firmware allows for the reintroduction of unwanted software even after a fresh operating system installation.

Ongoing vigilance and proactive security measures are essential for users to mitigate these risks.

Microsoft's Perspective on the Matter

According to Lenovo, Microsoft has recently issued revised security recommendations concerning the implementation of this particular functionality.

"Lenovo’s implementation of LSE does not align with these updated guidelines, leading to the discontinuation of shipping desktop models equipped with this utility. Furthermore, Lenovo advises users currently utilizing this feature to execute a cleanup tool designed to remove the LSE files from their systems."

Essentially, Lenovo's LSE implementation, which leveraged the WPBT for downloading additional software, was permissible under Microsoft’s original specifications and guidance for the WPBT feature.

However, these guidelines have since undergone refinement.

Microsoft itself provides limited public information regarding this issue.

The available details are contained within a single .docx document – not even a dedicated webpage – hosted on Microsoft’s website.

Comprehensive understanding of the feature can be gained by reviewing this document, which outlines Microsoft’s reasoning for its inclusion.

The rationale utilizes the example of enduring anti-theft software:

"WPBT’s core function is to ensure the persistence of crucial software, even after operating system changes or clean reinstalls.

A key application of WPBT is enabling anti-theft software to remain functional even if a device is stolen, reformatted, and reinstalled.

In such cases, WPBT allows the anti-theft software to reinstall itself and continue operating as intended."

It is important to note that this justification for the feature was incorporated into the document following Lenovo’s utilization of it for alternative purposes.

Understanding the Windows Platform Binary Table (WPBT)

On a PC whose firmware carries a WPBT, Windows reads the binary data stored in the UEFI firmware table during startup.

This data is then duplicated and saved as a file called wpbbin.exe during the boot sequence.

How to Determine if Your PC Uses WPBT

It is possible to verify whether your computer’s manufacturer has incorporated software through the WPBT.

Begin by navigating to the C:\Windows\system32 directory on your system.

Specifically, search for the presence of the file wpbbin.exe.

The existence of C:\Windows\system32\wpbbin.exe indicates that Windows successfully copied it from the UEFI firmware.

Conversely, if this file is absent, it signifies that your PC manufacturer did not employ WPBT for the automatic execution of software.

Important Note: The presence of this file doesn't necessarily indicate malicious software, but it does show the manufacturer utilized this method.

This method allows software to potentially persist even after a clean operating system installation.
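The check above relies on the copied file alone. The PowerShell script below is an added example, not code from the article or from Microsoft or Lenovo: it looks for wpbbin.exe as described and also asks the firmware directly for the WPBT ACPI table through the Win32 GetSystemFirmwareTable API, so a defender can confirm the table's presence even if the file has since been deleted. The helper class name Fw is an assumption, and the WPBT field offsets are assumed from Microsoft's WPBT specification rather than taken from this page.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Fw {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint prov, uint id, IntPtr buf, uint size);
}
'@

# 1. The file Windows materialises from the table during boot (as the article describes).
$exe = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $exe) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
    $status = (Get-AuthenticodeSignature -FilePath $exe).Status
    Write-Output "wpbbin.exe present: sha256=$hash authenticode=$status"
} else {
    Write-Output "wpbbin.exe not present in System32"
}

# 2. Ask the firmware directly. Provider 'ACPI' is the DWORD 0x41435049;
#    an ACPI table ID is its 4-byte signature read as a little-endian DWORD.
$prov = 0x41435049
$id   = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
$size = [Fw]::GetSystemFirmwareTable($prov, $id, [IntPtr]::Zero, 0)
if ($size -lt 52) {
    Write-Output "No WPBT ACPI table exposed by firmware (size=$size)"
    return
}
$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$size)
try {
    [void][Fw]::GetSystemFirmwareTable($prov, $id, $buf, $size)
    $t = New-Object byte[] ([int]$size)
    [Runtime.InteropServices.Marshal]::Copy($buf, $t, 0, [int]$size)
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
}
# Field offsets assumed from Microsoft's WPBT specification: standard 36-byte
# ACPI header (OEM ID at offset 10), then UINT32 handoff size @36, UINT64
# physical address @40, layout @48, type @49, UINT16 argument length @50 and
# a UTF-16LE command line @52. A size of 0 means the firmware has no such table.
$oem     = [Text.Encoding]::ASCII.GetString($t, 10, 6).Trim()
$imgLen  = [BitConverter]::ToUInt32($t, 36)
$argLen  = [BitConverter]::ToUInt16($t, 50)
$cmdline = [Text.Encoding]::Unicode.GetString($t, 52, [int][Math]::Min([int]$argLen, $size - 52))
Write-Output "WPBT present: oem='$oem' image_bytes=$imgLen cmdline='$cmdline'"
```

Run it on Windows 8 or later; the table read does not need elevation, and a hash of wpbbin.exe is worth recording so a changed binary after a firmware update stands out.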

Preventing WPBT and Unwanted Software

Following a security lapse by Lenovo, Microsoft has implemented additional regulations concerning this functionality. However, the very existence of this feature remains perplexing. It is particularly concerning that Microsoft would offer it to PC manufacturers without establishing clear security protocols or usage recommendations.

The updated guidelines now require OEMs to guarantee users can deactivate this feature if desired. Nevertheless, Microsoft’s guidelines have not prevented PC manufacturers from compromising Windows security previously. Samsung, for instance, shipped computers with Windows Update disabled, deeming it simpler than collaborating with Microsoft to integrate the necessary drivers.

The Microsoft Store: A Safer Option

This situation highlights a recurring issue: PC manufacturers often prioritize convenience over robust Windows security. If you intend to purchase a new Windows PC, we strongly advise buying directly from the Microsoft Store. Microsoft demonstrates a commitment to these systems, ensuring they are free from potentially harmful software.

Previously, many suggested a clean Windows installation could eliminate bloatware. However, this is no longer a reliable solution. The only guaranteed method for obtaining a bloatware-free Windows PC is through the Microsoft Store. This shouldn't be the case, but it currently is.

The concern surrounding WPBT extends beyond Lenovo’s security failings and the inclusion of unwanted software. The provision of such features to PC manufacturers by Microsoft itself is deeply problematic, especially without adequate safeguards or direction.

This feature remained undetected for years within the tech community, only coming to light due to a significant security flaw. It raises questions about other potentially harmful features embedded within Windows, available for exploitation by manufacturers. PC manufacturers are damaging Windows’ standing, and Microsoft must exert greater control.

It is crucial to prioritize security when selecting a new Windows PC.

Image Credit: Cory M. Grenier on Flickr
