Persistent Windows Platform Binary Table Threat

Lenovo's persistent Windows Platform Binary Table Threat

UEFI firmware was supposed to be the ultimate in boot-time security for PCs. Then Microsoft added a ‘feature’ that blows a hole in it. Welcome to the Windows Platform Binary Table. Microsoft added a ‘feature’ to Windows 8 allowing manufacturers to inject the UEFI firmware with a bloatware (polite term for it) installer. Windows continues installing and resurrecting manufacturers’ junk software even after you perform a clean install.

This feature continues in Windows 10. Presumably it is part of the sweetener to persuade manufacturers to keep pre-installing Windows under licence.

Windows Platform Binary What?

“The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration.  One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended.” (Microsoft)

So that’s okay, then. It’s for persistent anti-theft software. Except that’s not how it’s used.

A PC manufacturer can embed an executable program file in the PC’s UEFI firmware. This is stored in the “Windows Platform Binary Table” (WPBT) section of the UEFI firmware. Whenever Windows boots, it automatically loads up this program, copies it from the UEFI firmware to the operating system drive then runs it. Windows itself trusts anything from UEFI (because it’s ‘secure’) and provides no way to stop it. No questions asked.

Lenovo's LSE Breaks Security

Lenovo shipped a number of PCs with the “Lenovo Service Engine” (LSE) under the guise of on-board service and maintenance. Starting with Windows 8, the program automatically runs and the Lenovo Service Engine downloads a program called the OneKey Optimizer, incidentally transmitting machine data back to Lenovo. Thanks to LSE, Lenovo’s system services download and update software from the Internet, making it impossible to remove them. With UEFI as the source, they automatically come back even after a clean install of Windows.

The UEFI firmware checks the C:\Windows\system32\autochk.exe file and overwrites it with Lenovo’s own version. This program runs on boot to check the Windows file system, and this trick allows Lenovo to make this nasty practice work on Windows 7, too. So they backported it to 7.

It turns out that the WPBT isn’t even necessary – PC manufacturers can have their firmware overwrite Windows system files without question.

After Microsoft and Lenovo discovered a major security vulnerability with LSE, Lenovo stopped shipping PCs with it and offered an update to remove LSE from notebook PCs and another update to remove LSE from desktop PCs. However, both of these are manual rather than automatic, so expect the majority of affected Lenovo PCs still to have this junk installed in their UEFI firmware.

Lenovo almost certainly isn’t alone among PC manufacturers to have abused the WPBT in a similar way on some or all of their PCs.

The Party Line

After Microsoft released updated security guidelines, Lenovo quietly admitted their use of LSE is not consistent with these guidelines and so stopped shipping desktop models with this ‘utility’, recommending that customers run a “clean up” utility that removes the LSE files from the desktop.

In other words, Microsoft ran scared when people found out and pressured the manufacturers to stop using the WPBT to download junkware from the Internet.

Microsoft has a single .docx file on its website (not even a web page or knowledge base article) with information about this feature.

Does Your Device Include WPBT Software?

On PCs using WPBT, Windows reads the binary data from the table in the UEFI firmware and copies it to a file named wpbbin.exe at boot time.

To check whether the manufacturer of your own PC has included software in the WPBT, open the C:\Windows\system32 directory and look for a file named wpbbin.exe. That C:\Windows\system32\wpbbin.exe file only exists if Windows copies it from the UEFI firmware.
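
A scripted version of this check, as an added example that is not part of the original post (PowerShell; the helper name Get-BootBinaryReport is hypothetical). It also reports on autochk.exe, the file the LSE section describes being overwritten, so both can be reviewed together.

```powershell
# Added example (not from the original post).
# A 32-bit PowerShell on 64-bit Windows sees SysWOW64 when it asks for System32,
# so use the Sysnative alias in that case to reach the real directory.
$dir = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Join-Path $env:SystemRoot 'Sysnative'
} else {
    Join-Path $env:SystemRoot 'System32'
}

function Get-BootBinaryReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Size      = $item.Length
        Created   = $item.CreationTimeUtc
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$wpb     = Get-BootBinaryReport (Join-Path $dir 'wpbbin.exe')
$autochk = Get-BootBinaryReport (Join-Path $dir 'autochk.exe')

if ($wpb.Present) {
    Write-Warning 'wpbbin.exe found: the firmware supplied a platform binary.'
    $wpb | Format-List
} else {
    Write-Output 'wpbbin.exe not found: no platform binary was copied from firmware.'
}

# autochk.exe ships with Windows, so a valid Microsoft signature is expected.
# Older PowerShell versions may report catalog-signed system files as NotSigned;
# treat that as a reason to verify another way, not as proof of tampering.
if ($autochk.Present -and ($autochk.SigStatus -ne 'Valid' -or $autochk.Signer -notmatch 'O=Microsoft Corporation')) {
    Write-Warning 'autochk.exe is not validly signed by Microsoft.'
}
$autochk | Format-List
```

Recording the SHA256 and timestamps of wpbbin.exe gives you a baseline to compare after a firmware update or a clean reinstall.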
