Microsoft Misrepresenting WGA's Functionality?

Legal Ethics writes "According to an article on Groklaw, Microsoft is misrepresenting what the Windows Genuine Advantage (WGA) tool is to pressure people into installing it. It comes with no uninstall, it fails to disclose many pieces of information it provides to Microsoft, and it misrepresents itself as a 'critical update' when it does not address any security vulnerability, although it remains to be seen if it can create one. ZDNet has a series of screenshots so that you can see exactly how badly it misrepresents itself. Oh, and it also checks for updates, so Microsoft can presumably execute arbitrary code on any machine with it installed, merely by making that code part of a WGA update."

Un-American

This is a very UnAmerican story. We know that [shelleytherepublican.com]

"P.J.": Runs the pro-Linux hate-site "Groklaw". His true identity is a secret, known only to the inner-circle of Linux hackers. His contributions to the Linux computer program are also a secret.

.

We also know that Linux is a European consipracy to attack our computers [shelleytherepublican.com].

This story was probably planted by GOOGLE [shelleytherepublican.com], the America-hating empire.

Bill Gates is a true patriot who has spread the American Way of Freedom and Capitalism around the world, and he is clearly far cleverer than this mysterious "P" "J". Friends, don't let the democ-rat lies stop you from getting the facts ;-)

Re:Un-American

I built a combustion engine that runs on water. I call it a motor boat.

Re:Un-American

You know that http://www.shelleytherepublican.com/ [shelleytherepublican.com] is satire? If not, you should have read the "meaning and purpose" page. It is gone now, but you can still find a lot of references here [google.com].

Why punish legit users?

And what can us consumers do about it? If we refuse it, we don't get updates. This is punishing us the legit users, while pirates will still be laughing at M$'s latest attempt at stamping them out!

Re:Why punish legit users?

RE:"And what can us consumers do about it?"

swich to something better, nobody is forceing you to use microsoft's product http://linux.com/ [linux.com]

Re:Better...

I wish people would quit acting as if anything was unqualifiably better. Life consists of trade-offs but to hear some people talk, life would just be a bowl of cherries if one were to just do this or that... Sheesh... Yes, Linux is better in some ways, but there's that trade-off thing at work there.

Re:Trade-offs

Sure there are programs only for Windows for which there's no exact linux replica.

The same is true the other way though. I'm currently for practical reasons running Windows on my laptop (because current employer runs that, and it just ends up being easier overall getting the job done.)

Privately, it drives me nuts, I regret not having made the thing dualboot.

There's no Kphotoalbum, picasa is available from Google, and tries to solve sorta the same problem, but frankly it doesn't measure up. It has lots more eyecandy but much less funcionality. I'm not aware of any other sub-$1000 program even playing in the same ballpark.

Mail clients is a hassle. Thunderbird is barely acceptable, yet fails to manage a lot of stuff I've been taking for granted for years. Simple stuff that mutt, pine and kmail all manage. Yes, it's possible it can be convinced to do something similar, but atleast it's not equally trivial.

Development-tools all have to be installed manually. And they tend to be more opaque than I'm used to. When they fail, they do so with much less information that migth help. Frequently the best advice amounts to "reinstall".

One can install CygWin, but the tools under cygwin are a lot less polished than under a real *nix.

Re:Better...

Yes. You trade off some functionality and eye candy for freedom. Any takers?

Re:Why punish legit users?

I am stunned at the amount of work it would take to make the move.

1. Download Knoppix iso
2. Burn iso to CD
3. Reboot computer with CD in drive
4. Use Linux
5. If you like it, open a shell and type "knoppix-installer" to make it permanent
6. ???
7. Profit

Baby steps -- not cold turkey

First, try a live-CD distro (like Knoppix). Mess around with it a few times, just to see how it goes. See if your hardware is compatible. If you're missing a few linux-friendly things, treat yourself to an upgrade with linux in mind. :) Worst case, assuming you ditch the penguin forever, is you have a nicer rig to use.

Next, once you're comfortable with configuring a live-CD, back up your data and do a dual-boot install. Use linux as much as you can stand it, then switch back to Winderz for the few must-have apps. If you hate it, dump linux and you'll have a fresh Windows install that may run well for a few months. ;-)

Once you convert to OSS versions of most of your apps, and are comfortable with linux being your primary environment, back up your data then install a 100% linux install. Then, for those few clingy win32 apps, try using Wine (a mostly bitter pill, but it does some stuff well) to run the apps. Failing that, try Qemu. If *that* fails, try VMWare or Win4Lin.

Eventually, a few months down the road (or a couple of years, even), you may decide that the stability and reliability of Linux outweighs the win32 baggage and you either find linux equivalents you really like or you "settle" for something not 100% what you'd prefer.

I began the above transition about 7 years ago (except live-CDs weren't around). Took about 2 years. Games kept me dual-booting for about a year... until a wife and kids took more of my time and I decided that silly free games (nethack and xmame) were enough for the occasional video game fix. Then Quicken and Turbo Tax kept me using VMWare for about a year. I replaced Quicken with GnuCash for a year or so, then I ditched it for a simple spreadsheet checkbook balance sheet. By that time, I was beyond the simple tax returns, and I decided that $200 yearly H&R Block trip was less painfull than the $50 TurboTax and several hours of punching in stuff. (Also, the whole anti-piracy FUBAR for Turbo Tax in the late 90s turned me off Intuit.)

So I've been 100% Winderz free for 5 years, and I'll never go back. I don't put up with DRM or anti-piracy shit any more. If I doesn't run on Linux (now, FreeBSD/amd64), I find something else to use.

Freedom... indeed!

Re:Baby steps -- not cold turkey

Personally, I highly suggest that it's not a good idea for your average linux newbie to go about trying to dual boot with Windows. You can go to a used computer store in any metro area and pickup a secondhand machine that will most likely be 100% compatible with Linux for less than $150, and it will still be more than powerful enough for anybody interested in Linux to screw around with, and actually do useful stuff with it, too... Heck, if said linux newbie is experienced with building computers for his gaming habit, then he's likely got nearly everthing he needs to build a whole 'nother box to mess with. Furthermore it's not like Linux or X11 or the shells that run on top of those bits can tolerate older and slower computers with less memory and less storage than Windows, now is it? For example, I have everything I need to build a decent machine that would do well with linux just laying around including an 800Mhz Duron with motherboard and 512MB RAM, a Geforce2 GTX and a 40 GB drive, 17" monitor, and an old CD drive. The only thing I'm missing is a case with a cheap power supply, and I can get that at MicroCenter or CompUSA for $40.

The bonus is:

1) He still has his Windows machine to fall back on in case he needs to go and read documentation when he biffs his linux installation, play games, or do other windows specific stuff without having to shut down and start up and shut down and etc.
2) There is no need to fret about screwing up everthing on his Windows machine because there's no need to format or partition or anything.
3) He can experiment with using a network to make his two computers get along and do stuff that he just couldn't do before, and learn tons about both operating systems in the process.

With the crap most geeks keep around another computer could be had or built for little to nothing... It's stupid to dual boot unless you're trapped on Antartica where you can't get a few measly parts in the time available (?), or you're so desperately poor that $50 means the difference between having a roof over your head or not.

Re:Why punish monopolies?

you will not find Quake 4 or World of Warcraft on Linux. Gimp is no paintshop killer, and WINE is nowhere near as robust as a real Windows system

I find your remarks a little odd considering:

1. As a previous poster mentioned, Quake 4 runs on Linux natively.
2. World of Warcraft runs on Cedega.
3. Photoshop not only runs on Wine but is actually used with Wine by none other than Disney, who actually contributed to Wine to get that to happen.

If those are actually representative of your needs as a Windows user than you wouldn't have a problem moving over to Linux. If they aren't representative of your needs then get better examples and ask yourself why you chose those examples in the first place.

Re:Why punish monopolies?

World of Warcraft runs on Cedega.

Better yet, it runs on straight Wine [winehq.org] with a few patches.

Re:Why punish legit users?

install it
disconnect from the internet
open task manager
kill the process 'wgatray'
rename the file c:\windows\system32\wgatray.exe to something else (wgatray.exe.bastard, for example)

There is also a file called wga.dll, or similar, but i didn't do anything with that, if anybody could shed some light on that, it'd be nice. I did the above on a machine that was wrongly reporting as 'pirated', and it worked fine.

A link for the rest of us.

This "genuine advantage" notifier is remarkably easy to disable. Here's a link that documents numerous ways to defeat it. http://labnol.blogspot.com/2006/04/workarounds-to- disable-non-genuine.html [blogspot.com]

Re:Why punish legit users?

no MSFT bypasses windows hosts file when calling home. This is known. On one side it's a good thing, as windows update will always point to a MSFT based server allowing for clean updates. (can you imagine the problems if every infected windows machine couldn't get a patch)

On the other side is that MSFT could solve a lot of their problems just be creating an easy, basic way to enforce security. Unix did that years ago on Unix you have basic file system level defaults seperating users. Then you can use other programs to create an ultra fine grained control.

Under Windows all you have is a very complicated fine grain control system that a massive percentage of the apps break if you use it.

Kill off Active X and add a simple yet effective file seperating on the Filesystem layer and the majority of windows viruses problem will vanish. It won't solve all things. it won't solve stupid users installing things they shouldn't, but It would stop most of those problems instantly.

It's also the one thing MSFT won't do. Not even with Vista. They are keeping activeX and while they are trying to use their fine grained permissions control as a basic level they are finding that it doesn't work well. (just look at all the reviews on the vista Beta, 7 steps to delete an icon?)

Re:Why punish legit users?

There's many ways to get rid of WGA. Here are the two easiest;

Option one:
Start in safe mode and find the file /WINDOWS/System32/WgaLogon.dll. Edit the
file properties and remove the execute and write permissions for all users
including System. The daily checkin and the WGA System Tray tool are both
started from this DLL so making it non-executable kills the whole WGA
Notification system. Making it read-only stops windows update from 'repairing
it' and installing future versions.

Option two:
Download and burn Ubuntu Dapper Drake or order a FREE CD from
shipit.ubuntu.com (downloading is quicker). Back up your important documents and
completely replace Windows.

Personally I chose option two many years ago, but I continue to watch Microsoft's antics with a degree of detatched amusement.

Re:Why punish legit users?

Why punish legit users?

Because Microsoft has never been punished for doing so.

Somewhat obvious.

I gave it some thought before I installed it earlier. I knew all it did was report to MS that I had a legal copy of Windows, but the bad part about it was that it seemed I had to install it before I could download any other critical updates.

It's a damned-if-you-do and damned-if-you-don't situation...

Re:Somewhat obvious.

It's not entirely true that you have to install it.

If you choose the 'Expert' installation option, you have the option of not installing the WGA update, Windows Update then asks if you'd like to turn off notification of that particular update.

That is, of course, what I did.

Of course, for all I know, WU goes ahead and installs it anyway.

That's interesting

I had never thought of that. I just assumed that it's within a company's power to give people updates to ensure they've paid for the software, but come to think of it, the ones who have paid for it shouldn't have to put up with anything they don't want to, and the ones that haven't, well, they're probably not going to.

Isn't this a violation of spyware laws?

well?... last time some software package was reported doing this it was labelled spyware and the company was prosecuted..

Re:Isn't this a violation of spyware laws?

You're right, a company can be prosecuted for this.

Microsoft is not a company, go to any state building or federal building in the nation, and find out what they're running. You're talking about a corporation that has settled antitrust lawsuits with licenses and lockin [com.com].

If Sony doesn't get it's ass handed to them for rootkits, why would you think Microsoft would receive any punishment at all?

huh

do we really need a play-by-play commentary of some jackass installing an update? 17 pages of ads and shit.

Re:huh

do we really need a play-by-play commentary of some jackass installing an update? 17 pages of ads and shit.

Agreed. I won't even read content from ZDNet at all anymore. 17 pages is insane (thanks for letting me know how many I avoided). Even with blocking the ads and repaginating the article into one page, ZDNet assumes that the format is acceptable to users because the article generates hits. They won't change it when they think "it's still working". I've tried to complain to them as a (now former) print customer of their periodicals for years and a web user. They don't respond, so I assume they don't care. Calling them just leads to the phone-forward-runaround of "I'll connect you to...". They used to be a good company with good content, but now they are just ad whores (like most consumer computing sites - TOM!). /rant

It's Spyware by any definition

the question is when are the anti-malware community going to step up to the plate and provide protection from this software

the fact its made by Microsoft should be irellavent, just analyse the behaviour of the application and judge it on that

communicates unique information at any time to an American based advertising company (msn anybody?) with you the user having no idea of what data and what the implications are of giving this company that data

can your business really risk an application like this on your systems ? are you prepared for the consequences of letting this program run unchallenged inside your companies infrastructure ?

How to Disable the WGA Add-on

If you want to be able to disable the Genuine Windows Advantage Add-on for IE (accessible via Tools|Manage Add-ons... in IE), you might be surprised (or not) to see that Microsoft will not let you do so. It gives you some sort of stupid "disabled by Administrator" message, even when you're logged on as Administrator (I guess MS thinks it's the administrator for your computer).

To enable the radio button that allows you to disable this worthless add-on, follow these instructions I found:

1. Open Group Policy Editor (gpedit.msc) go to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
2. Double click Add-on List and select enabled.
3. Click on Show then on Add.
4. In enter name put {17492023-C23A-453E-A040-C7C580BBF700} .
5. In enter value put 2.
6. OK, Apply, OK.
7. Now you can disable/enable the add-on.

Bypass & Disable Genuine Windows Validation Ch

How to bypass and disable the Genuine Windows Validation Check (from http://www.mydigitallife.info/2006/03/07/bypass-an d-disable-genuine-windows-validation-check/ [mydigitallife.info]):

1. Open Windows Explorer by clicking Start -> All Programs -> Accessories -> Windows Explorer.
2. Browse to C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data folder.
3. Delete (or backup or move to another folder, if you want) data.dat file.
4. Create a new empty data.dat: You can create a new text file by (make sure you are at the right folder at above) clicking File -> New -> Text Document or right clicking on Windows Explorer window then click New -> Text Document. Then, either rename the file to data.dat. The original .txt extention of the text file need to be changed too. You can disable the hiding of extension of known file types, or follow the following steps to create a new file out of the text file:
   • Open the text document you just created.
   • Click on File -> Save As.
   • Change the Save as type to "All Files".
   • In the File name, type data.dat
   • Click Save.
   • Go back to the Windows Explorer, at folder C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data, check that data.dat exists.
   • Delete the text file you created previously.
5. Set the attributes of data.dat to Hidden and Read-Only. Attributes can be set by right click on the data.dat file, and then click on Properties.
6. Windows Genuine Advantage (WGA) validation check has been disabled.

Note: The data.dat that are replacing the original data.dat can be blank text file or empty, or you may type whatever you want there.

With this hack (or crack if you want), Windows WGA piracy check will be bypassed and you can now download software from Download Center or apply updates from Microsoft/Windows Updates.

Re:Bypass & Disable Genuine Windows Validation

As of, I don't know when, the above hack is no longer working. I found this out by trying it before following the link to mydigitallife.info, which says, well, what I've just said:

Latest Update: The patch no longer working. For complete listing of more ways to bypass the new WGA update, check it out here [mydigitallife.info].

The stuff about renaming/disabling wgatray also seems to be redundant now.

That, OR

That method sounds good for widescale, corporate deployment, but here's a simpler method:

• Use Autoruns [sysinternals.com] (everybody should have it already) to disable wgalogon.exe on the winlogon page.
  

Damn that stupid icon.

That stupid icon has been bitching at me to install the new WGA Tool for days now. Considering I ALREADY installed it and verified my installation, I figured the reboot wasn't worth it and have not installed it yet. Guess that was a good thing.

Why would I need to re-verify my installation anyway?

Critical Security Vulnderability Reported...

A Critical Security Vulnerability has been reported for all x86-platform PCs.

Short description: By retailing a piece of software called an "Operating System" to a computer user, and then using social engineering to promote the installation of this software, a so-called "Operating System Vendor" may be able to execute ARBITRARY CODE on a user's computer.

Severity:

Severe. The exploit allows an entity to execute arbitrary code on a machine so compromised.

Challenge Vector:

Remote or local installation of components, either onto a pre-existing Operating System or onto an otherwise bare x86 PC.

Mechanism:

A package of executable software, called an "Operating System" is distributed by "Operating System Vendors." These Operating Systems have declared purposes which they fufill with wildly-varied results. These operating systems posess code which may not be fully understood by the user, often these Operating Systems enforce systems of privilege and resource maganement which place the Operating System in a position of "arbitrating" between the PC hardware platform and the user. When the Operating System has been so installed, it is capable of executing arbitrary code on the host system.

I don't understand...

...why they have to install a piece of software to determine whether your copy of Windows is legit or not. Why not just run a check online when you're doing updates? There's GOTTA be more to this...

Windows not HIPAA compliant? 1234567890

Since Windows is sending information home, and the user has no control over that messaging with regard to timing or content, it seems to me HIPAA-compliant systems (and other systems requiring security) cannot be built on Windows.

What an opportunity for the open source world!

Re:So, Does it work yet?

Yeah, it does. One known-pirated computer that I know of (I used to work at a computer store) used to have WGA report as valid. A few months later, it reported as pirated (which was true.) So yeah, it does a better job of checking now. How good? I dunno.

Plus it does not work correctly...

Non-admins may get the euphemistic warning of possessing pilferred software,
http://forums.microsoft.com/Genuine/ShowPost.aspx? PostID=370244&SiteID=25/ [microsoft.com]
Notice the MS solution, delete this, open up all permissions on that (good idea?), read, write, execute, delete for everyone! Or pay-up to get your copy of MS Winders to shut up.

Nothing like family (non-admins) and employees (non-admins) thinking they have purloined software. Isn't an unfounded accusation called, "Libel" http://dictionary.reference.com/search?q=Libel/ [reference.com]?

(My SuSE never accuses me with false accusations.)