In association with heise online

06 March 2007, 17:00

WGA notification just doesn't stop

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

As announced, Microsoft has updated its Windows Genuine Advantage Notification. Microsoft uses the tool to "convince" users to buy original software if the WGA check finds that a stolen Windows activation key is being used. But the tool also calls Redmond if the user cancels installation.

In addition to the Windows update site, the automatic Windows Update finds the new software version and tries to install it. During installation, the program requests the user's consent once again. If you then cancel, your desktop firewall may set off an alarm because an update program is trying to connect to the internet.

image 1 [400 x 177 Pixel @ 66,1 KB]
Zoom A packet sniffer provides detailed information: the cancelled WGA notification installation tries to send data to Microsoft.

Network sniffer Wireshark casts some light on the matter: the update rats on users who do not want to install the software to the server at Users are not informed of this on a standard Windows installation, however.

image 2 [250 x 210 Pixel @ 28,1 KB]
Zoom The data transmitted are partially encrypted, while other values are found in the registry.

In addition to some confusing, apparently encrypted data, the WGA Update Installer also uses the XML tag UGD to transmit the value stored in the registry as a string for SusClientID under the Windows Update branch. In addition, the data transmitted contain information about the version of the WGA Notification Tool, Windows, and the language of the operating system. Furthermore, a cookie containing a GUID is also used to contact the server. It may be possible to identify individual computers by these means.

When asked by heise Security, Microsoft merely stated that it collected data to improve the quality of the WGA for users. Part of that process, the vendor said, was knowing where the user cancelled setup. To count reliably, the GUID is used, though Microsoft says the user is not identified. Microsoft says that the other data transmitted to Redmond contain information about the version of Windows used and the language and whether the machine is registered in a domain.

Microsoft did not explain why setup does not inform the user that data are being sent, much less get the user's consent. It is also not clear whether there will be a future update after this one that does without communication with Microsoft concerning cancellations. Those who want to protect themselves from unsolicited data transfers can do so, for instance, by using an application-based firewall that detects and blocks the attempted contact.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit