Zombie Crapware: How the Windows Platform Binary Table Works

lenovo

Few people noticed at the time, but Microsoft added a new feature to Windows 8 that allows manufacturers to infect the UEFI firmware with crapware. Windows will continue installing and resurrecting this junk software even after you perform a clean-install.

This feature continues to be present on Windows 10, and it’s absolutely mystifying why Microsoft would give PC manufacturers so much power. It highlights the importance of buying PCs from the Microsoft Store — even performing a clean install may not get rid of all the preinstalled bloatware.

WPBT 101

Beginning with Windows 8, a PC manufacturer can embed a program — a Windows .exe file, essentially — in the PC’s UEFI firmware. This is stored in the “Windows Platform Binary Table” (WPBT) section of the UEFI firmware. Whenever Windows boots, it looks at the UEFI firmware for this program, copies it from the firmware to the operating system drive, and runs it. Windows itself provides no way to stop this from happening. If the manufacturer’s UEFI firmware offers it up, Windows will run it without question.

Lenovo’s LSE and Its Security Holes

It’s impossible to write about this questionable feature without noting the case that brought it to public attention. Lenovo shipped a variety of PCs with something called the “Lenovo Service Engine” (LSE) enabled. Here’s what Lenovo claims is a complete list of affected PCs.

When the program is automatically run by Windows 8, the Lenovo Service Engine downloads a program called the OneKey Optimizer and reports some amount of data back to Lenovo. Lenovo sets up system services designed to download and update software from the Internet, making it impossible to remove them — they’ll even automatically come back after a clean install of Windows.

Lenovo went even further, extending this shady technique to Windows 7. The UEFI firmware checks the  C:\Windows\system32\autochk.exe file and overwrites it with Lenovo’s own version. This program runs at boot to check the file system on Windows, and this trick allows Lenovo to make this nasty practice work on Windows 7, too. It just goes to show that the WPBT isn’t even necessary — PC manufacturers could just have their firmwares overwrite Windows system files.

Microsoft and Lenovo discovered a major security vulnerability with this that can be exploited, so Lenovo has thankfully stopped shipping PCs with this nasty junk. Lenovo offers an update that will remove LSE from notebook PCs and an update that will remove LSE from desktop PCs. However, these aren’t downloaded and installed automatically, so many — probably most — affected Lenovo PCs will continue to have this junk installed in their UEFI firmware.

This is just another nasty security problem from the PC manufacturer that brought us PCs infected with Superfish. It’s unclear if other PC manufacturers have abused the WPBT in a similar way on some of their PCs.

What Does Microsoft Say About This?

As Lenovo notes:

“Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop.”

In other words, the Lenovo LSE feature that uses the WPBT to download junkware from the Internet was allowed under Microsoft’s original design and guidelines for the WPBT feature. The guidelines have only now been refined.

Microsoft doesn’t offer much information about this. There’s just a single .docx file — not even a web page — on Microsoft’s website with information about this feature. You can learn all you want to about it by reading the document. It explains Microsoft’s rationale for including this feature, using persistent anti-theft software as an example:

“The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration.  One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended.”

This defense of the feature was only added to the document after Lenovo used it for other purposes.

Does Your PC Include WPBT Software?

On PCs using the WPBT, Windows reads the binary data from the table in the UEFI firmware and copies it to a file named wpbbin.exe at boot.

You can check your own PC to see if the manufacturer has included software in the WPBT. To find out, open the C:\Windows\system32 directory and look for a file named wpbbin.exe. The C:\Windows\system32\wpbbin.exe file only exists if Windows copies it from the UEFI firmware. If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC.

Avoiding WPBT and Other Junkware

Microsoft has set up a few more rules for this feature in the wake of Lenovo’s irresponsible security failure. But it’s baffling that this feature even exists in the first place — and especially baffling that Microsoft would provide it to PC manufacturers without any clear security requirements or guidelines on its use.

The revised guidelines instruct OEMs to ensure users can actually disable this feature if they don’t want it, but Microsoft’s guidelines haven’t stopped PC manufacturers from abusing Windows security in the past. Witness Samsung shipping PCs with Windows Update disabled because that was easier than working with Microsoft to ensure the proper drivers were added to Windows Update.

This is yet another example of PC manufacturers not taking Windows security seriously. If you’re planning on purchasing a new Windows PC, we recommend you buy one from the Microsoft Store, Microsoft actually cares about these PCs and ensures they don’t have harmful software like Lenovo’s Superfish, Samsung’s Disable_WindowsUpdate.exe, Lenovo’s LSE feature, and all the other junk a typical PC might come with.

When we wrote this in the past, many readers responded that this was unnecessary because you could always just perform a clean install of Windows to get rid of any bloatware. Well, apparently that’s not true — the only surefire way to get a bloatware-free Windows PC is from the Microsoft Store. It shouldn’t be this way, but it is.


What’s particularly troubling about the WPBT isn’t just Lenovo’s complete failure in using it to bake security vulnerabilities and junkware into clean installs of Windows. What’s especially worrying is Microsoft providing features like this to PC manufacturers in the first place — especially without proper limitations or guidance.

It also took several years before this feature even became noticed among the wider tech world, and that only happened due to a nasty security vulnerability. Who knows what other nasty features are baked into Windows for PC manufacturers to abuse. PC manufacturers are dragging Windows’ reputation through the muck and Microsoft needs to get them under control.

Image Credit: Cory M. Grenier on Flickr

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.