[PSA] Disable Automatic Updates (Howto included)


clrokr

Senior Member
Aug 2, 2009
69
54
Hi guys!

Microsoft said this to The Verge recently:
The scenario outlined is not a security vulnerability and does not pose a threat to Windows RT users. The mechanism described is not something the average user could, or reasonably would, leverage, as it requires local access to a system, local administration rights and a debugger in order to work. In addition, the Windows Store is the only supported method for customers to install applications for Windows RT. There are mechanisms in place to scan for security threats and help ensure apps from the Store are legitimate and can be acquired and used with confidence.

We applaud the ingenuity of the folks who worked this out and the hard work they did to document it. We’ll not guarantee these approaches will be there in future releases.

So fire up regedit, go to
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
and set the DWORD AUOptions to 0x00000000.

Only do this if you want to run unsigned apps!

Stay safe!
clrokr
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,933
Seattle
For those who prefer do-it-for-me solutions, with the ability to roll back, have a pair of .REG files. The "Default" one I took from my Surface before applying this tweak. The "Disabled" one sets the reg value as above.

@clrokr: We gotta get you a RD tag, pronto! You're doing great things.
 

Attachments

  • AutoUpdateSetings.zip (626 bytes)
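As an added example (not code from the thread and not the attached .REG files), the following PowerShell script does the same job as the two .REG files above for the key named in the first post: it records whatever AUOptions value is present before changing it, applies the 0x00000000 setting, and restores the recorded value on request. The backup file location is an assumption.

```powershell
# Added example, not from the thread or its attachments. Run from an elevated
# PowerShell prompt; the registry key is the one named in the first post.
$AuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
# Assumed location for the rollback record (equivalent of the "Default" .REG file).
$Backup = Join-Path $env:USERPROFILE 'AUOptions-backup.json'

function Get-AUOptions {
    # Current DWORD, or $null when the value is absent.
    $item = Get-ItemProperty -Path $AuKey -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AUOptions
}

function Save-AUOptions {
    # Record what is there now so the change can be reversed without guessing
    # at the original value (which may differ from device to device).
    $current = Get-AUOptions
    @{ AUOptions = $current; SavedAt = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8
    if ($null -eq $current) { "Saved: value absent" } else { "Saved: AUOptions=0x{0:X8}" -f $current }
}

function Disable-AUOptions {
    # The tweak itself: AUOptions = 0x00000000, as in the first post.
    if (-not (Test-Path $Backup)) { Save-AUOptions | Out-Host }
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value 0 -Type DWord
    "Now: AUOptions=0x{0:X8}" -f (Get-AUOptions)
}

function Restore-AUOptions {
    # Roll back to the recorded value; remove the value if it was absent before.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    $saved = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    if ($null -eq $saved.AUOptions) {
        Remove-ItemProperty -Path $AuKey -Name AUOptions -ErrorAction SilentlyContinue
        "Restored: value removed"
    } else {
        Set-ItemProperty -Path $AuKey -Name AUOptions -Value ([int]$saved.AUOptions) -Type DWord
        "Restored: AUOptions=0x{0:X8}" -f ([int]$saved.AUOptions)
    }
}

# Usage: Save-AUOptions; Disable-AUOptions; later, Restore-AUOptions.
# Get-AUOptions on its own shows whether the value is already 0, as one reply below reports.
```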

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
@clrokr: We gotta get you a RD tag, pronto! You're doing great things.

Seconded.

As far as MS's quote goes, I'm not 100% sure they will be setting out to patch it, but it's still a good idea to disable Windows Update anyways. They may be able to store some sort of cert blacklist in the UEFI that will block the executables required for this, even after a reinstall.

windowsrtc

Senior Member
Nov 21, 2012
94
35
What's the difference between UEFI, EFI and firmware?
I find bootmgfw.efi and winload.efi in bcdedit, and I find surfacertuefi.bin in c:\windows\firmware. And every time I reinstall Windows, there is a firmware in Windows Update. So is there anything flashed into the Surface hardware from Windows Update? I think the UEFI is just a file in the filesystem and it's recovered when I reinstall Windows from USB.

clrokr

Senior Member
Aug 2, 2009
69
54
What's the difference between UEFI, EFI and firmware?
I find bootmgfw.efi and winload.efi in bcdedit, and I find surfacertuefi.bin in c:\windows\firmware. And every time I reinstall Windows, there is a firmware in Windows Update. So is there anything flashed into the Surface hardware from Windows Update? I think the UEFI is just a file in the filesystem and it's recovered when I reinstall Windows from USB.

No, the firmware (stored on-chip) is what you find in SurfaceRTUEFI.bin. The .EFI files are executables that can be loaded by this firmware if they are signed correctly.

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,933
Seattle
Note: just because automatic updates are disabled doesn't mean you should ignore Windows Update. Quite the opposite, in fact, since this hack makes malicious exploits easier too. Just be very careful which patches you install.

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
So UEFI is checking EFI, but what's checking UEFI? What will happen if we flash a modified UEFI?

The UEFI is currently the only thing capable of flashing a new UEFI, and it checks the signatures on any new UEFIs it flashes.

The only real way you could do it without relying on a signature check would be to open the tablet and solder onto the NAND directly.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,933
Seattle
Oh, there might be a JTAG port you could use... but yeah. Short of opening up the device (which the Surface, at least, is definitely not designed to support) there's not supposed to be any way to flash an unsigned firmware.

Also, the signature keys are probably stored in a TPM, so mucking with them isn't a practical option either if the EFI doesn't have a way to do it (which it doesn't).

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Oh, there might be a JTAG port you could use... but yeah. Short of opening up the device (which the Surface, at least, is definitely not designed to support) there's not supposed to be any way to flash an unsigned firmware.

Also, the signature keys are probably stored in a TPM, so mucking with them isn't a practical option either if the EFI doesn't have a way to do it (which it doesn't).

You can reset the TPM from Windows (change the owner password w/o knowing the previous one) and it doesn't break, I don't think they're stored in the TPM.

I have no idea what the TPM is used for.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Also, the signature keys are probably stored in a TPM

No. There is lots of info on TPM, and it is not used to store CA keys.
A "Debug System" will initially be identified by the presence of the Microsoft Test Signing CA in the UEFI signature database ("db"). The mechanism to identify debug machines may change, but the exclusion path logic should remain unchanged.
OEMs will need to work with their SOC supplier to provide the tools and process to implement “Debug Systems”.
To enable debug systems the db will need to contain the “Microsoft Testing Root Certificate Authority 2010”
....
Note: If there is a need to run unsigned tools, the system can be configured as a "Debug System" during manufacturing but there must be a step in the production process that removes the Microsoft Test CA. Production machines must not ship with the Microsoft Test CA in the db.
The last line explains the behavior I've seen on a just-bought VivoTab: I've seen lines about running unsigned files in the CodeIntegrity event log. Seems that the device was provisioned with the unsigned tools, one of which deleted the certificate from the UEFI db.
By the way, it should be theoretically possible to recover those tools on a just-bought device, if you did not go through the initial setup process but immediately pressed Shift+F10 to run CMD and ran a deleted-file recovery tool from there, or made a sector-by-sector clone of disk C: to an SD card for later analysis. But, sadly, currently there are no such tools, and even if there were, they would need to be signed by MS :(

anazhd

Senior Member
Jun 30, 2012
1,371
417
Los Santos
www.droidagency.com
I'm using genuine Windows 8 Pro, and I don't see any benefits of this. But hey, I installed the "free" one on my friend's computer. So this would be pretty handy for them, in case Microsoft releases an unfriendly patch :)
 

save_jeff

Member
Jan 12, 2013
44
28
So fire up regedit, go to
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
and set the DWORD AUOptions to 0x00000000.

Only do this if you want to run unsigned apps!

I navigated to this position in regedit and the key was already set to 0x00000000.
Might that be caused by the jailbreak tool published by netham45?
 

bfosterjr

Senior Member
Jan 13, 2013
167
192
Just wondering why the registry hack is needed when you can simply disable the service? Seems like a more straightforward approach to me ;)
 
