[PSA] Disable Automatic Updates (Howto included)

OP clrokr

8th January 2013, 02:03 PM   |  #1  
OP Member
Hi guys!

Microsoft said this to The Verge recently:
Quote:

The scenario outlined is not a security vulnerability and does not pose a threat to Windows RT users. The mechanism described is not something the average user could, or reasonably would, leverage, as it requires local access to a system, local administration rights and a debugger in order to work. In addition, the Windows Store is the only supported method for customers to install applications for Windows RT. There are mechanisms in place to scan for security threats and help ensure apps from the Store are legitimate and can be acquired and used with confidence.

We applaud the ingenuity of the folks who worked this out and the hard work they did to document it. We’ll not guarantee these approaches will be there in future releases.

So fire up regedit, go to
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
and set the DWORD AUOptions to 0x00000000.

Only do this if you want to run unsigned apps!

Stay safe!
clrokr
The Following 10 Users Say Thank You to clrokr For This Useful Post
9th January 2013, 09:32 AM   |  #2  
Recognized Developer
Flag Seattle
For those who prefer do-it-for-me solutions, with the ability to roll back, have a pair of .REG files. The "Default" one I took from my Surface before applying this tweak. The "Disabled" one sets the reg value as above.

@clrokr: We gotta get you a RD tag, pronto! You're doing great things.
Attached Files
File Type: zip AutoUpdateSetings.zip (626 Bytes, 1665 views)
The Following 5 Users Say Thank You to GoodDayToDie For This Useful Post
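An added example, not part of the thread and not the contents of the attached .REG files: a PowerShell script that follows the two posts above, saving the current Auto Update key before setting AUOptions to 0 and restoring the saved key on request. The -Mode parameter and the backup path are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell prompt.
# $BackupFile is a hypothetical location chosen for this example.
param(
    [ValidateSet('Status', 'Disable', 'Restore')]
    [string]$Mode = 'Status',
    [string]$BackupFile = "$env:USERPROFILE\AutoUpdate-Default.reg"
)

# Same key as in the first post, in reg.exe form and in PowerShell provider form.
$RegKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$PsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AUOptions {
    # Returns the current DWORD, or $null when the value does not exist.
    $prop = Get-ItemProperty -Path $PsKey -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.AUOptions
}

switch ($Mode) {
    'Status' {
        $v = Get-AUOptions
        if ($null -eq $v) { 'AUOptions is not set' }
        else { 'AUOptions = 0x{0:X8}' -f $v }
    }
    'Disable' {
        # Export the key once, so a second run never overwrites the original state.
        if (-not (Test-Path $BackupFile)) {
            & reg.exe export $RegKey $BackupFile /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was changed.' }
        }
        Set-ItemProperty -Path $PsKey -Name AUOptions -Value 0 -Type DWord
        # Read the value back instead of assuming the write succeeded.
        if ((Get-AUOptions) -ne 0) { throw 'AUOptions did not take the new value.' }
        "AUOptions set to 0x00000000; original key saved to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        & reg.exe import $BackupFile 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Restore failed.' }
        'AUOptions = 0x{0:X8}' -f (Get-AUOptions)
    }
}
```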
9th January 2013, 02:55 PM   |  #3  
OP Member
Quote:
Originally Posted by GoodDayToDie

@clrokr: We gotta get you a RD tag, pronto! You're doing great things.

Wow, I'm flattered. Also, thanks for the reg files!
9th January 2013, 02:58 PM   |  #4  
Recognized Developer
Flag Denver
Quote:
Originally Posted by GoodDayToDie

@clrokr: We gotta get you a RD tag, pronto! You're doing great things.

Seconded.

As far as MS's quote goes, I'm not 100% sure they will be setting out to patch it, but it's still a good idea to disable Windows Update anyways. They may be able to store some sort of cert blacklist in the UEFI that will block the executables required for this, even after a reinstall.
The Following User Says Thank You to netham45 For This Useful Post
9th January 2013, 05:49 PM   |  #5  
Member
What's the difference between UEFI, EFI and firmware?
I find bootmgfw.efi, winload.efi in bcdedit, and I find surfacertuefi.bin in c:\windows\firmware. And every time I reinstall Windows, there is a firmware in Windows Update. So is there anything flashed into the Surface hardware from Windows Update? I think the UEFI is just a file in the filesystem and it's recovered when I reinstall Windows from USB.
Last edited by windowsrtc; 9th January 2013 at 05:54 PM.
9th January 2013, 06:53 PM   |  #6  
OP Member
Quote:
Originally Posted by windowsrtc

What's the difference between UEFI, EFI and firmware?
I find bootmgfw.efi, winload.efi in bcdedit, and I find surfacertuefi.bin in c:\windows\firmware. And every time I reinstall Windows, there is a firmware in Windows Update. So is there anything flashed into the Surface hardware from Windows Update? I think the UEFI is just a file in the filesystem and it's recovered when I reinstall Windows from USB.

No, the firmware (stored on-chip) is what you find in SurfaceRTUEFI.bin. The .EFI files are executables that can be loaded by this firmware if they are signed correctly.
The Following User Says Thank You to clrokr For This Useful Post
9th January 2013, 09:04 PM   |  #7  
Recognized Developer
Flag Seattle
Note: just because automatic updates are disabled doesn't mean you should ignore Windows Update. Quite the opposite, in fact, since this hack makes malicious exploits easier too. Just be very careful which patches you install.
The Following User Says Thank You to GoodDayToDie For This Useful Post
10th January 2013, 04:57 AM   |  #8  
Member
Quote:
Originally Posted by clrokr

No, the firmware (stored on-chip) is what you find in SurfaceRTUEFI.bin. The .EFI files are executables that can be loaded by this firmware if they are signed correctly.

So UEFI is checking EFI, but what's checking UEFI? What will happen if we flash a modified UEFI?
10th January 2013, 05:03 AM   |  #9  
Recognized Developer
Flag Denver
Quote:
Originally Posted by windowsrtc

So UEFI is checking EFI, but what's checking UEFI? What will happen if we flash a modified UEFI?

The UEFI is currently the only thing capable of flashing a new UEFI, and it checks the signatures on any new UEFIs it flashes.

The only real way you could do it without relying on a signature check would be to open the tablet and solder onto the NAND directly.
The Following 2 Users Say Thank You to netham45 For This Useful Post
10th January 2013, 08:07 AM   |  #10  
Recognized Developer
Flag Seattle
Oh, there might be a JTAG port you could use... but yeah. Short of opening up the device (which the Surface, at least, is definitely not designed to support) there's not supposed to be any way to flash an unsigned firmware.

Also, the signature keys are probably stored in a TPM, so mucking with them isn't a practical option either if the EFI doesn't have a way to do it (which it doesn't).

The Following User Says Thank You to GoodDayToDie For This Useful Post