June 1st, 2006, 07:26 PM
WgaTray.exe (Windows Genuine Validation)
Apparently Winpatrol does not list this file at startup:
Wednesday, May 31, 2006
WgaTray.exe opens security hole
It’s called Windows Genuine Advantage. I’ve received a couple Emails about the file WgaTray.exe which was part of this weeks Windows Update. Some questioned how this file was able to run on startup but isn’t listed by WinPatrol or other programs as an AutoStartup program.
Well, the answer is simple; this program is part of the Windows Operating system. After Windows starts it looks for this file in the system32 folder and runs it. Unfortunately, there’s a serious problem in with the way how Microsoft has implemented their anti-piracy system. The way Windows handles this file opens up a big security hole that most programs won’t plug. Any malicious program can delete the WgaTray.exe and replace it with its own malware using the same name. Windows does nothing to verify this program before running it the next time you reboot.
Microsoft describes this program as follows: "By using genuine Microsoft software, you can be confident that your software is legitimate and fully supported by Microsoft.” As if “you” didn’t already know. More information can be found at http://www.microsoft.com/genuine/default.mspx
You can also find a discussion at Broadband Reports.com http://www.dslreports.com/forum/remark,15963038
The topic of the discussion is more about flaws in Windows piracy then security. If you have your system set for auto-updates the newest version of WgaTray.exe will have been downloaded this week.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
June 1st, 2006, 07:55 PM
This is *almost* as good as Sony BMG's anti-piracy "rootkit".
Way to go m$!
Does anyone know under which account the program is run? Logged on user? System?
I don't have a machine to play around with at the moment.
Or, should I more accurately say, I don't have a machine I've let this program get installed onto at the moment.
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
June 1st, 2006, 10:11 PM
I saw it when I installed, didn't think much of it. It wants to connect to the internet every time you boot you machine. Sygate picks it up. I beleive it runs as a system. I'm not sure though. I don't use user accounts just admin. I know big fault :P
June 1st, 2006, 11:09 PM
AFAIK it runs as "system" which is what makes it a relatively "dangerous" vulnerability, given that it is apparently not protected in any way.
I must admit that I am rather confused and disappointed by Microsoft with their latest WGA/DRM activities. Please do not misunderstand me; I have no objection to a corporation defending its commercial/intellectual rights or whatever, so long as they do it PROFESSIONALLY.
What irritates me is that this is being done at the expense of legitimate, honest, bona fide customers.
What is the merit in telling me that my version is "pirate" just because my CMOS battery is flat, or I happen to be testing month end or year end processes/applications...........like you are SUPPOSED TO DO before rolling them out?
Most AV and anti-malware vendors attempt to provide some protection against their software being crippled or taken over................MS don't even seem to have given this a second thought?
As I see it, there are so many pirate copies of XP out there, MS are p1$$ing into the wind at this stage. Whatever they do is bound to get circumvented because the pirates are well ahead in the game.
I would have thought that they would be far better occupied in channeling this resource into Vista, and getting their DRM to work so that it does not inconvenience genuine customers.
Hey, hands up, I have designed a fair bit of crap in my time, but this is starting to look sloppy and out of control?
Just my thoughts
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
June 1st, 2006, 11:49 PM
i second that Nihil
work it harder, make it better, do it faster, makes us stronger
June 2nd, 2006, 02:59 AM
I found when it was installing after downloading the update, that it wanted to call home during the install.
I figured that it wanted to download more necessary files, so i allowed it.
Now i've noticed that the one machine i allowed it to install on, takes a hell of a long time to shut down or boot up.
And before it was installed, it was quick to boot up, and shut down.
I wonder if Ms can get in trouble as this would come under antitrust or something like that.?
June 2nd, 2006, 04:43 AM
Not antitrust, nothing really infringing on privacy of the user or anything, there may exist some risk of getting a bootlegged copy of the OS without knowing it. I don't know. Certainly kind of a wierd grey, um, gray area.
June 2nd, 2006, 04:53 AM
"I wonder if Ms can get in trouble as this would come under antitrust or something like that.?" -front2back
M$ looks out for itself pretty good in the EULA...Unknowing to most users, after they agree to the terms in that harmless looking little dialog box, M$ has the legal authority to do just about anything they please; patch deployments, "feature enhancments", bug fixes, data collection, ...ect
I mean come on now...Who has the time and legal knowledge to read such things. Just like in running unaudited binary code, there's certain legal and privacy risks when agreeing to the terms...Legal voodoo sentences like:
"Microsoft reserves the right to change the terms and conditions without prior consent and knowledge at any time without notice."...
I mean you cant really blame M$ for wanting to protect their products and make a buck. After all thats what it's all about. Who cares about quality software anywayz?...
By the time everyone realises they werent kidding when they said, "Total Information Awareness" it will be too late.
[ oh right, the Windows Genuine Advantage thing ]
Wouldnt this have not been an issue if Windows File Protection was enabled by default?
We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we\'ll all be millionaires and rockstars - But we won\'t.
And we are slowly learning this fact...And we are VERY pissed off about it!
June 3rd, 2006, 07:02 PM
Here's another thought I have about this whole thing. MS constantly says that what it wants to do with this is to stop casual piracy, not the dedicated pirates. I think this last effort pretty is their last ditch attempt to stop casual piracy, because to crack this one, you have to commit a deliberate action. Just re-installing Windows with a different key doesn't work anymore. Therefore, anyone still having a pirate copy of Windows XP after a few months of rolling out this patch is an active pirate and can be prosecuted without arousing sympathy. MS's way of getting out of the way the record labels got blackballed by the internet community maybe?
June 5th, 2006, 08:46 PM
I mentioned something not too long ago about WGA... and how much of a headache it can be.
Not sure if any of you have had a similar experience as mine, (in a nutshell story) I was doing some work on a server, and each time I replaced some hardware on it, WGA kept asking me to reauthenticate my copy of Windows. Even though my copy was legitimate, it locked me out of my production server saying I had reauthenticated too many times. M$ would not assist me in resolving the issue. They wanted me to pay something like $35 a call to their Tech support to resolve a problem I did not create!
Anyway... some google searches led to several other frustrated people.... and I remember reading something about a file called "AntiWGA" *cough cough buuurp*