Tuesday, June 23, 2015

Samsung deliberately disabling Windows Update the way the user intends it to

Last updated 6/26/2015 - 4:49 PM EST.

-- Windows Update will be abbreviated as "WU" in text from myself.

First of all, I had this included in my post since the get-go, but it was overlooked as it wasn't at the beginning of the post. With that said, I'm moving it here, and clarifying a bit more. I was not the sole person involved, it was a multiple-person discovery. Here were the people involved:

wavly - The user that had the problem, and the reason we had anything to even discover in the first place.
BrianDrab - Assisted wavly with their Windows Update problem, and investigated with us why it was resetting and preventing the user from keeping the setting they wanted.
niemiro - Was largely involved in the discovery by investigating/reverse engineering SW Update.
zcomputerwiz - Was largely involved in the discovery by suggesting registry auditing.
tom982 - Was largely involved in the discovery by investigating/reverse engineering SW Update.
Tekno Venus - Was largely involved in the discovery by investigating/reverse engineering SW Update.
Me (Patrick Barker) - Was involved in the discovery by further reverse engineering and investigating SW Update and its behavior after the above people, and creating the blog post.

I've also seen a few (very few) articles even say I was the individual who was helping with the Windows Update issue(s) wavly was having. For the record, I personally don't know a damn thing about the technicalities of Windows Update, how to fix broken updates, etc. The user that was assisting wavly with the Windows Update issue(s) was BrianDrab, as I had mentioned in this post, just apparently not mentioned enough (or clearly enough). I merely further investigated and reverse engineered SW Update, and brought Disable_Windowsupdate.exe and its silent behavior to light.

Onto the post...

On my home forum Sysnative, a user (wavly) was being assisted with a WU issue, which was going well, aside from the fact that wavly's WU kept getting randomly reset to "Check for updates but let me choose whether to download or install them" after every single reboot of Windows. It was figured out eventually after using auditpol.exe and registry security auditing (shown below later) that the program that was responsible for resetting WU was Disable_Windowsupdate.exe, which is part of Samsung's SW Update software.

SW Update is your typical OEM updating software that will update your Samsung drivers, the bloatware that came on your Samsung machine, etc. The only difference from other OEM updating software is that Samsung's disables WU from working as the user intends it to.

SW Update will install on:

Windows XP (all Service Packs) - Update service will not be installed whatsoever.
Windows Vista (x86/x64)
Windows 7/SP1 (x86/x64)
Windows 8/8.1 (x86/x64)

Do note that it does check for a Samsung environment, and if one is not detected, the program will in general run really buggy. A lot of its features won't drop or work as intended either, which is why a lot of manual work needs to be done to investigate this program.

What devices does SW Update run on?

Samsung notes:
SW Update allows you to download and install the newest drivers, updates, and software for your Windows PC.
So most likely only desktop and laptop type devices that run the Windows OS.

Uninstalling SW Update

UPDATE:  I've received confirmation from a Samsung NP350V5C-A06UK user (Windows 8.1) that uninstalling SW Update via the Programs and Features list does in fact remove all of its installed parts, including the service. With that said, it does indeed stop resetting Windows Update's settings after reboots. So the solution to having SW Update constantly reset your Windows Update settings and disabling it from working as you intended, is to simply uninstall SW Update.

-- Initially today I had this saying it did not stop it from resetting, but wavly got back to me and said they were mistaken.

First off, here's how it was found:

 A registry value was modified.  
 Subject:  
      Security ID:          SYSTEM  
      Account Name:          PURGED  
      Account Domain:          WORKGROUP  
      Logon ID:          0x3E7  
 Object:  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Object Value Name:     UpdatesAvailableForDownloadLogon  
      Handle ID:          0xecc  
      Operation Type:          Registry value deleted  
 Process Information:  
      Process ID:          0x5c  
      Process Name:          C:\Windows\System32\svchost.exe  
 Change Information:  
      Old Value Type:          REG_DWORD  
      Old Value:          0  
      New Value Type:          -  
      New Value:          -  

And then shortly after...

 A registry value was modified.  
 Subject:  
      Security ID:          SYSTEM  
      Account Name:          PURGED  
      Account Domain:          WORKGROUP  
      Logon ID:          0x3E7  
 Object:  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Object Value Name:     UpdatesAvailableForDownloadLogon  
      Handle ID:          0x135c  
      Operation Type:          New registry value created  
 Process Information:  
      Process ID:          0x5c  
      Process Name:          C:\Windows\System32\svchost.exe  
 Change Information:  
      Old Value Type:          -  
      Old Value:          -  
      New Value Type:          REG_DWORD  
      New Value:          0  

 Object:  
      Object Server:          Security  
      Object Type:          Key  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Handle ID:          0x144  
      Resource Attributes:     -  
 Process Information:  
      Process ID:          0x1ae4  
      Process Name:          C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64\Disable_Windowsupdate.exe  
 Access Request Information:  
      Transaction ID:          {00000000-0000-0000-0000-000000000000}  
      Accesses:          DELETE  
                     READ_CONTROL  
                     WRITE_DAC  
                     WRITE_OWNER  
                     Query key value  
                     Set key value  
                     Create sub-key  
                     Enumerate sub-keys  
                     Notify about changes to keys  
                     Create Link  
      Access Reasons:          -  
      Access Mask:          0xF003F  
      Privileges Used for Access Check:     -  
      Restricted SID Count:     0  

Etc..
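The attribution step behind the audit excerpts above, as an added example that is not part of the original post: it parses the text of such Security audit records, decodes the requested access mask, and reports any process outside System32 that asked for write access to the Windows Update key. The function names, the trusted-path prefix and the trimmed sample records are assumptions made for this sketch.

```python
import re

# Constructed sample: two records trimmed from the audit excerpts on this page.
SAMPLE_EVENTS = r"""
A registry value was modified.
Object:
     Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
     Object Value Name:     UpdatesAvailableForDownloadLogon
     Operation Type:          Registry value deleted
Process Information:
     Process ID:          0x5c
     Process Name:          C:\Windows\System32\svchost.exe

Object:
     Object Type:          Key
     Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Process Information:
     Process ID:          0x1ae4
     Process Name:          C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64\Disable_Windowsupdate.exe
Access Request Information:
     Accesses:          DELETE
                    READ_CONTROL
                    Set key value
     Access Mask:          0xF003F
"""

# Registry key access rights (values from winnt.h).
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Rights that let a process change the key, its values or its ACL.
WRITE_BITS = 0x00002 | 0x00004 | 0x10000 | 0x40000 | 0x80000

WATCHED_KEY = r"\windowsupdate\auto update"
# Assumption for this sketch: only images under System32 are expected writers.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\",)

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_records(text):
    """Split blank-line separated audit records into {field: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):            # "Name:   value"
                last = m.group(1)
                rec[last] = [m.group(2)]
            elif m:                         # bare section header such as "Object:"
                last = None
            elif last and line.strip():     # continuation line (the Accesses list)
                rec[last].append(line.strip())
        records.append({k: v[0] if len(v) == 1 else v for k, v in rec.items()})
    return records


def decode_access_mask(mask):
    """Return the names of the key rights set in an access mask."""
    return [name for bit, name in KEY_RIGHTS.items() if mask & bit]


def untrusted_writers(records, watched=WATCHED_KEY, trusted=TRUSTED_PREFIXES):
    """List processes outside the trusted paths that modified, or opened
    with write-capable rights, a key whose path contains `watched`."""
    findings = []
    for rec in records:
        if watched not in rec.get("Object Name", "").lower():
            continue
        image = rec.get("Process Name", "")
        if image.lower().startswith(trusted):
            continue
        mask = int(rec.get("Access Mask", "0"), 16)
        # Value-modified records carry an Operation Type instead of a mask.
        if "Operation Type" in rec or mask & WRITE_BITS:
            findings.append({
                "process": image,
                "pid": int(rec["Process ID"], 16),
                "rights": decode_access_mask(mask),
            })
    return findings


if __name__ == "__main__":
    for hit in untrusted_writers(parse_records(SAMPLE_EVENTS)):
        print(hit["pid"], hit["process"], ", ".join(hit["rights"]))
```

The mask 0xF003F decodes to all ten rights listed in the record, which is full control over the key.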

There were other Object Value Names, such as:
  • CachedAUOptions
  • InstallInProgress,
  • UpdatesAvailableForInstallLogon 
  • UpdatesAvailableWithUiLogon 
  • UpdatesAvailableWithUiOrEulaLogon
  • FirmwareUpdatesNotDownloaded
  • FirmwareUpdatesNotInstalled
Anyway, moving on, let's take a look!

 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\AuthorizedCDFPrefix: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Comments: "SW Update Setup"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Contact: "Samsung Electronics CO., LTD."  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayVersion: "2.2.9"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpLink: "http://www.samsung.com"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpTelephone: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallDate: "20150623"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallLocation: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallSource: "C:\ProgramData\Samsung\SWUpdate\Temp\"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\ModifyPath: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Publisher: "Samsung Electronics CO., LTD."  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Readme: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Size: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\EstimatedSize: 0x00008172  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\UninstallString: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLInfoAbout: "http://www.samsung.com"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLUpdateInfo: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMajor: 0x00000002  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMinor: 0x00000002  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\WindowsInstaller: 0x00000001  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Version: 0x02020009  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Language: 0x00000409  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayName: "SW Update"  

Here's its basic information from a comparison of registry changes after installation.

 HKLM\SOFTWARE\Samsung\CurrentPath\20000: ""C:\Program Files\Samsung\SW Update\sManager.exe""  
 HKLM\SOFTWARE\Samsung\SW Update\AgentPath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe"  
 HKLM\SOFTWARE\Samsung\SW Update\InstallPath: "C:\Program Files\Samsung\SW Update\sManager.exe"  
 HKLM\SOFTWARE\Samsung\SW Update\TrafficDecentralize: "Y"  
 HKLM\SOFTWARE\Samsung\SW Update\LastORCAServerUpdateDateTime: "2015-06-22T02:28:42"  
 HKLM\SOFTWARE\Samsung\SW Update\AgentSleepSec: "300"  
 HKLM\SOFTWARE\Samsung\SWMCommon\FirstAgentExecDateTime: "2015-06-23T01:47:42"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Type: 0x00000110  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Start: 0x00000002  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ErrorControl: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\DisplayName: "SW Update Service"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ObjectName: "LocalSystem"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Type: 0x00000110  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Start: 0x00000002  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ErrorControl: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\DisplayName: "SW Update Service"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ObjectName: "LocalSystem"  

Here we can see some more information, such as its agent's sleep is set to 300 seconds, its first execution timestamp, and the creation of the "SW Update" service. I'll break down the service stuff:

Type (0x00000110): As far as I know, this implies it's a Win32 program that can be started by Windows' Service Controller, and that it obeys the service control protocol. This type of Win32 service runs in a process by itself.

Start: (0x00000002): This implies it's set to load or start up automatically for all startups, regardless of the service type. Its loader is the Service Control Manager, whereas the 0x0 (boot) would be the kernel, and 0x1 (system) would be the I/O Subsystem.

ErrorControl: (0x00000001): This implies if the driver fails to load or initialize, proceed regardless with startup, however display a warning.

We note that its ImagePath is:

 C:\ProgramData\Samsung  

If you show hidden files & folders and navigate here, you have two folders - "SW Update Service", and "SWUpdate". If you actually have a Samsung machine, you instead have two "SWUpdate" folders, and they both contain XML files. If we take a look at one (BASW-A0394A05_1B33BCEB.xml):

 <?xml version="1.0" encoding="UTF-8"?>
 <MaxList>
   <Head>
     <BOMID/>
     <CISCode/>
     <Product/>
     <Project/>
     <Model/>
     <DevStep/>
     <BaseMRT/>
     <BaseBOM/>
     <Region/>
     <OS/>
     <Language/>
     <ROLString/>
     <Date/>
     <Time/>
     <Test>Yes</Test>
   </Head>
   <Item>
     <CISCode>BASW-A0394A05</CISCode>
     <ItemType>SOFTWARE</ItemType>
     <DisplayName>Disable_AutoWindowsUpdate1.0</DisplayName>
     <Region>DNC</Region>
     <OS>WBPR64/WBSL64/WBST64</OS>
     <Lang>DNC</Lang>
     <ROLString>ALL</ROLString>
     <InstallType>PSTEXE</InstallType>
     <InstallPath>BASW-A0394A\BASW-A0394A04.ZIP</InstallPath>
     <InstallFile>Inst.exe</InstallFile>
     <InstallPara1>/pbr /na</InstallPara1>
     <InstallPara2/>
     <InstallOrgFileSize>4678908</InstallOrgFileSize>
     <InstallFileSize>2055424</InstallFileSize>
     <ImageCate>C2P1</ImageCate>
     <ImageType>GCP</ImageType>
     <ImageSequence/>
     <MediaType>SM1</MediaType>
     <MediaSubCate>ITMOPT</MediaSubCate>
     <MediaSequence/>
     <CheckType>NoVerify</CheckType>
     <CheckRoot/>
     <VerifyAttribute>1.0</VerifyAttribute>
     <VerifyPara1/>
     <VerifyPara2/>
     <System/>
     <Selectable>Y</Selectable>
     <AND/>
     <XOR/>
     <DistributionPriority>1</DistributionPriority>
     <FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?Type=PATCH&amp;FILENAME=BASW-A0394A04.ZIP</FURL>
     <MultiLangDisplayName>
       <Default>ENG</Default>
       <Value>
         <Lang>ENG</Lang>
         <Str>Windows Configuration</Str>
       </Value>
       <Value>
         <Lang>KOR</Lang>
         <Str>Windows Configuration</Str>
       </Value>
     </MultiLangDisplayName>
     <Version>1.0</Version>
     <DDesc>
       <Default>ENG</Default>
       <Value>
         <Lang>ENG</Lang>
         <Str>This program helps your windows configuration settings.</Str>
       </Value>
       <Value>
         <Lang>KOR</Lang>
         <Str>이 프로그램은 Windows configuration 프로그램입니다.</Str>
       </Value>
     </DDesc>
     <RemoveFilePath/>
     <RemovePara1/>
     <RemovePara2/>
     <RemoveComment>
       <Default>ENG</Default>
     </RemoveComment>
     <UpdatePara1/>
     <UpdatePara2/>
     <TargetCISCode> </TargetCISCode>
     <MutualExclusiveCISCode/>
     <SWCate2>Miscellaneous</SWCate2>
     <Keyword1>SDR</Keyword1>
     <Keyword2>SDR</Keyword2>
     <Keyword3>SDR</Keyword3>
     <AutoInstall>Y</AutoInstall>
     <SingleInstall>Y</SingleInstall>
     <PatchSequence>
       <InstCmd>
         <InstCmdType>GENERAL_EXECUTION</InstCmdType>
         <InstCmdParam>
           <Name>EXCUTION_FILE_NAME</Name>
           <Value>64\Disable_Windowsupdate.exe</Value>
         </InstCmdParam>
       </InstCmd>
     </PatchSequence>
     <FromProductDate/>
     <ToProductDate/>
     <BulletineDate>2015-05-12 17:12:43</BulletineDate>
     <ProcCondition>
       <ProcInfo>
         <ProcType>REG_VALUE</ProcType>
         <ProcParam>
           <Name>BASE_OP</Name>
           <Value>AND</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_KEY</Name>
           <Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE_NAME</Name>
           <Value>AUOptions</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE_TYPE</Name>
           <Value>REG_DWORD</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE</Name>
           <Value>2</Value>
         </ProcParam>
         <ProcParam>
           <Name>OP_RELATION</Name>
           <Value>!=</Value>
         </ProcParam>
       </ProcInfo>
       <ProcInfo>
         <ProcType>REG_VALUE</ProcType>
         <ProcParam>
           <Name>BASE_OP</Name>
           <Value>AND</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_KEY</Name>
           <Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE_NAME</Name>
           <Value>AUOptions</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE_TYPE</Name>
           <Value>REG_DWORD</Value>
         </ProcParam>
         <ProcParam>
           <Name>REG_VALUE</Name>
           <Value>4</Value>
         </ProcParam>
         <ProcParam>
           <Name>OP_RELATION</Name>
           <Value>=</Value>
         </ProcParam>
       </ProcInfo>
     </ProcCondition>
     <Thumbnail/>
     <Screenshot1/>
     <Screenshot2/>
     <Screenshot3/>
     <AdURL>
       <URL/>
       <FromDate>1900-01-01 오전 12:00:00</FromDate>
       <ToDate>1900-01-01 오전 12:00:00</ToDate>
     </AdURL>
   </Item>
 </MaxList>

Note its installer file.

We can see now how Disable_Windowsupdate.exe begins the process to its "drop", which is downloading the zip it's contained in from:

 http://orcaservice.samsungmobile.com/FileDownloader.aspx?Type=PATCH&FILENAME=BASW-A0394A04.ZIP  

I find this string excerpt particularly funny:

 <Str>This program helps your windows configuration settings.</Str>  

Once the zip is dropped, we can inspect its contents as well:


If we check the config file for the installer file:

 ;HowTo : The registry location of the installed language....  
 ;[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language]  
 ;InstallLanguage=????  
 ;%CD%\ = Current Folder Location Variable  
 ;%WinDir% = Windows Folder               ex) C:\Windows C:\Winnt  
 ;%ProgramFiles% = Program Files Folder     ex) C:\Program Files, C:\Archivo de program, C:\Programme  
 ;%LangID%  
 ;HowTo : The registry location of the installed language....  
 ;[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language]  
 ;LangID     Lang / Export to  
 ;0412     KOR / KOR  
 ;0409     ENG / UK, HKG  
 ;040C     FRN / FRN  
 ;0407     GER / GER  
 ;0411     JPN / JPN  
 ;0404     CHT / CHT  
 ;0804     CHS / CHS  
 ;0C0A     SPA / SPA  
 ;0816     POR / POR  
 ;0419     RUS / RUS  
 [BaseSettings]  
 OSConditional= TRUE  
 ShowWin = FALSE  
 RunInAuditMode     = TRUE  
 [32Win8]  
 Setup1=xcopy 32\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y  
 Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"  
 [64Win8]  
 Setup1=xcopy 64\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y  
 Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"  

We can see it's using the xcopy command to inevitably "drop" Disable_Windowsupdate.exe in \ProgramData\Samsung. %ALLUSERSPROFILE% is an environment variable for \ProgramData on >Vista, and \Documents and Settings\All Users on XP.

We can confirm this by checking ourselves:


Note that the exe is actually signed by Samsung themselves:


So the big question is how this persistently resets Windows Update after you change it and reboot, and it's actually not SW Update itself. SW Update is basically just there to genuinely do its job, which is to update Samsung's drivers, software, etc.

What's actually causing Windows Update to persistently become reset and not allow the user to set it the way they want it to, is the fact that Disable_Windowsupdate.exe creates a scheduled task that runs at every logon to ensure that Windows Update is indeed consistently reset to "Check for updates but let me choose whether to download or install them".

We can see the task's contents below:

 <?xml version="1.0" encoding="UTF-16"?>  
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  
  <RegistrationInfo>  
   <Date>2006-12-03T15:11:57.570551</Date>  
   <Author>Administrator</Author>  
  </RegistrationInfo>  
  <Triggers>  
   <LogonTrigger id="145a3a6c-a630-4ec0-985d-1280512f0ba8">  
    <Enabled>true</Enabled>  
   </LogonTrigger>  
  </Triggers>  
  <Principals>  
   <Principal id="Author">  
    <GroupId>S-1-5-32-545</GroupId>  
    <RunLevel>HighestAvailable</RunLevel>  
   </Principal>  
  </Principals>  
  <Settings>  
   <IdleSettings>  
    <Duration>PT10M</Duration>  
    <WaitTimeout>PT1H</WaitTimeout>  
    <StopOnIdleEnd>false</StopOnIdleEnd>  
    <RestartOnIdle>false</RestartOnIdle>  
   </IdleSettings>  
   <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>  
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>  
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>  
   <AllowHardTerminate>true</AllowHardTerminate>  
   <StartWhenAvailable>false</StartWhenAvailable>  
   <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>  
   <AllowStartOnDemand>true</AllowStartOnDemand>  
   <Enabled>true</Enabled>  
   <Hidden>true</Hidden>  
   <RunOnlyIfIdle>false</RunOnlyIfIdle>  
   <WakeToRun>false</WakeToRun>  
   <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>  
   <Priority>7</Priority>  
  </Settings>  
  <Actions Context="Author">  
   <Exec>  
    <Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>  
    <WorkingDirectory>%ALLUSERSPROFILE%\Samsung</WorkingDirectory>   
   </Exec>  
  </Actions>  
 </Task>  
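A triage check for exported task definitions like the one above, as an added example that is not part of the original post: it parses Task Scheduler XML and lists the properties that make this task worth a closer look (logon trigger, hidden, highest run level, a whole group as principal, executable outside the Windows and Program Files trees). The function names, the protected-path prefixes and the benign comparison task are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the Dis_AU task above, reduced to the fields inspected here.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <GroupId>S-1-5-32-545</GroupId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings><Enabled>true</Enabled><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>
  </Exec></Actions>
</Task>"""

# Constructed sample: a hypothetical ordinary maintenance task for comparison.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
  </Exec></Actions>
</Task>"""

BROAD_GROUPS = {"S-1-5-32-545": "BUILTIN\\Users"}
# Assumption for this sketch: images under these locations are not flagged.
PROTECTED_PREFIXES = ("%windir%\\", "%systemroot%\\", "%programfiles",
                      "c:\\windows\\", "c:\\program files")


def _text(node, path, default=""):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default


def summarize_task(raw):
    """Extract the security-relevant fields from task XML given as bytes.
    Exported tasks are UTF-16 on disk, so the bytes go to the parser as-is."""
    root = ET.fromstring(raw)
    return {
        # A trigger without an <Enabled> element is enabled by default.
        "triggers": [el.tag.split("}")[1]
                     for el in root.findall("t:Triggers/*", NS)
                     if _text(el, "t:Enabled", "true") == "true"],
        "group": _text(root, "t:Principals/t:Principal/t:GroupId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel",
                           "LeastPrivilege"),
        "hidden": _text(root, "t:Settings/t:Hidden", "false") == "true",
        "commands": [c.text.strip().strip('"')
                     for c in root.findall("t:Actions/t:Exec/t:Command", NS)
                     if c.text],
    }


def triage(task):
    """Return the reasons a summarized task deserves manual review."""
    reasons = []
    if "LogonTrigger" in task["triggers"]:
        reasons.append("runs at every logon")
    if task["hidden"]:
        reasons.append("hidden from the default Task Scheduler view")
    if task["run_level"] == "HighestAvailable":
        reasons.append("runs with the highest privileges available")
    if task["group"] in BROAD_GROUPS:
        reasons.append("principal is the group " + BROAD_GROUPS[task["group"]])
    for cmd in task["commands"]:
        if not cmd.lower().startswith(PROTECTED_PREFIXES):
            reasons.append("executable outside Windows/Program Files: " + cmd)
    return reasons


if __name__ == "__main__":
    for name, xml_text in (("Dis_AU", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        reasons = triage(summarize_task(xml_text.encode("utf-16")))
        print(name, "->", reasons or "nothing to review")
```

Any one of these properties is common on its own; it is the combination on a single task that stands out.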

Let's see it in action

So first off, as I noted earlier in the post, if you're trying to run the Samsung update software + disabler, etc, on a non-Samsung environment, it's really buggy. My VM was going through convulsions trying to just take screenshot examples after frequent restarts, etc, so there's a few minutes in between each screenshot.

Here's what WU looks like directly after installing SW Update:



Note that it's set to 'Check for updates but let me choose whether to download and install them'.

Let's change it to 'Install updates automatically (recommended)':


Cool, let's restart and check again.


Oh, this doesn't look right. Let's check the settings:


Uh...

There's a bit more to it that I'd like to get to eventually, but I suppose this is enough to get the point across. Anyway, with this known, I decided to try Samsung's chat to see if they knew of it:


You are now chatting with 'Rep'. There will be a brief survey at the end of our chat to share feedback on my performance today.
Your Issue ID for this chat is *purged*.
Rep: Hi, thank you for reaching out to Samsung technical support. How may I assist you?
ringzero: Hi Rep, I have a question regarding your SW Update software.
Rep: Hi Ringzero, please go ahead with your question.
Rep: I'll be glad to assist you.
ringzero: Thanks Rep! My question is, why does this software actively monitor the registry and deliberately cripple Windows Update by forcefully disabling it?
Rep: SW Update tool helps in automatically detecting the hardware on the laptop and installs the supporting drivers for them. I am afraid; this tool has directly no effect on the registry of your laptop or Windows Updates.
ringzero: Rep, I am afraid that you're incorrect. SW Update drops an exe named "Disable_Windowsupdate.exe"
ringzero: When SW Update is installed, Windows Update is always disabled. If it's enabled, or set to a setting of your liking, it'll be re-disabled on reboot.
ringzero: If SW Update is uninstalled, Windows Update stays enabled persistently throughout reboots.
Rep: Thank you for waiting. I'll be with you in just a moment.
ringzero: Sure.
Rep: When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.

So thanks to Rep over at Samsung, we now know Samsung's motive for disabling WU.


OEMs, come on... has Superfish taught us nothing?

Upload/report this as malware to Microsoft/MSRC, etc, because that's exactly what it is. Why would you ever tamper with WU in such a fashion (or in general), in a way a generic user cannot control, leaving them vulnerable?

x86 MD5

 3727acd09814c0d5ce8fd3d6be705254  

x64 MD5

 d0a3a1c266845ef1e2cdf65c226facae  

x86 SHA-256

 61da7461e8a60a20e9d2b595edff89a0898c8f2d47d2be847c8a7ceff0fc4bd4  

x64 SHA-256

 7b9547acf8b3792b48fe5a02f7d5f3e0dfba8e57055d60f479bb8adfed99871c  

Small edit: I edited out the Samsung rep's real name to just 'Rep'. It was clearly a tier 1/2 support just doing their job, and I of course don't want them getting in any trouble since this appears to be blowing up. After all, as I said, this isn't their fault at all.

Update

According to a few news articles, here's Samsung's latest statement:
"It is not true that we are blocking a Windows 8.1 operating system update on our computers. As part of our commitment to consumer satisfaction, we are providing our users with the option to choose if and when they want to update the Windows software on their products," said Samsung.
"We take product security very seriously and we encourage any Samsung customer with product questions or concerns to contact us directly at 1-800-SAMSUNG."
I don't understand what this statement is implying, and it may have been a loss in translation between whichever article reporter/editor got the statement from Samsung, because I never implied it specifically blocked a "Windows 8.1 OS system update", just that their SW Update software is preventing Windows Update from automatically installing updates, and forcing the user to have it set to "let me choose whether to download and install". If you attempt to change it, it'll switch right back on a reboot. Microsoft has openly stated that they do not like the fact that it's persistently changing, or even existing in the first place without the user's consent. It's disabling Windows Update from working as the user intends it to.

However you look at this, Samsung's solution to what we can guess is a device driver workaround was not done in the best way, or a safe way. I mean, come on, the exe is named Disable_Windowsupdate.exe. In any case, if it appears I am acting as an enemy to Samsung, I'm not. I'm just a 22 year old cashier with a love for Windows internals that found a security risk for Windows' Samsung users with a few others. That's it.

Update #2

According to a few news articles, here's Samsung's latest statement:
"Samsung has a commitment to security and we continue to value our partnership with Microsoft. We will be issuing a patch through the Samsung Software Update notification process to revert back to the recommended automatic Windows Update settings within a few days."
I'm very glad Samsung is committed to implementing a resolution to this issue so soon. Ultimately, in a perfect world, I hope OEMs will learn from Superfish/SW Update, as it would be disheartening to see a similar issue occur in the future. I feel OEMs need to disclose whatever they intend with their users with their software, and if possible, give them a choice.

If this is done, it's not "under the table" anymore so to speak. If Samsung's users were notified in the first place that their Windows Update settings were being actively modified, then even though it still potentially may have been a question of poor implementation/methods, it probably wouldn't have been seen as malicious or questionable behavior in the first place as it would have at least been known.

106 comments:

  1. I've reported this to the Microsoft security team. Hopefully they'll take action.

    Replies
    1. Reported it??? lol..... While many of us Samsung users love the way they are taking back control for us. Forced Updates coming from Microsoft are a tragic mistake, like Music Rights Holders Suing their own customers. Besides ...... the fact that Windows 8.1 forced updates are also blocked by HP!

      But tell all you Samsung haters that..... because all they really want is to hate on Samsung for any possible reason. I have not been using MS updates just because of the forced update from 8.0 to 8.1 because #1 you can never go back to 8.0 or 7.x anything. I'm also sure that they'll strand 8.1 users where they're at if they simply choose not to update to Windows 10 in the future. It's the whole being forced to reboot after most every update that still makes people's blood boil. Especially when it's over some stupid update people don't even want!

      You're right in the middle of some important work and step away from your computer. When you come back it's updated and rebooted on its own losing all your work and deleting your former setup! .......so it's Microsoft that needs to change how they update, not Samsung or HP and the rest of hardware makers living slaves to Microsoft's whims and mistakes!!!

    2. The Windows Update system gives you a range of options for downloading and installing updates. On my home computers I have it configured to automatically download the updates, but not deploy them until a time that suits me. Therefore, the issue of my computer restarting without warning doesn't arise.

      This comes from someone who is neither a Samsung-hater (at least, not of their computers) nor a Microsoft employee. I am merely a user of Microsoft Windows in both my home and work environments. Although I have no control over update deployments in my work environment, I (as the owner of one desktop and one laptop) don't think it unreasonable that I should have full control over when updates are downloaded, and when they are deployed.

      By including this application in their systems, and then being very cagey about its existence AND making it so difficult to get rid of, Samsung are employing tactics that are not consistent with good customer-service. And more importantly, they've been rumbled.

  2. Feeling more sane now, thanks for this. SW Update has been competing with my Windows Updates on video card related updates for a couple years now (among other updates), and now I know what I will be disabling. Ugh.

  3. Is it really downloading that .exe over non-https? Would be lovely if that cert got compromised, but Samsung users wouldn't get the revocation because they're not getting Windows updates...

  4. Surface pro for the win(given its MS ,no more problem reporting what innard is for and what it does

  5. Can you provide an MD5 of the .exe so it can be reported to the AV vendors?

    Replies
    1. Added MD5's for its x86 and x64 variants.

    2. Can you provide a SHA-2 hash of the file so it cannot be trivially collided?

    3. @H110Hawk: The weaknesses in MD5 are collision attacks not pre-image attacks. This means that it's easy enough to generate a pair of files which hash collide, but that it's not at all easy to generate a second file which hash collides with a pre-existing first as we'd need here. MD5 is a hashing algorithm we should be phasing out, especially for password hashing usage where it's far too fast and memory light, but in general it's still reasonably secure for file integrity verification.

    4. I've added SHA-256 for both x86 and x64.

  6. Have been using three Samsung Monitors, for several years now, without using any Samsung Software, at all, and with no problems at all either?

    Think you are inventing problems, that do not exist?

  7. Good to know. I will be advising all of our customers to stay well away from Samsung's PC products.

  8. I can confirm the existence of the xml configuration file as my SWUpdate (version 2.2.4 previously) pulled from Samsung's server. However, there is no indication that it has downloaded the actual package and has modified my Windows Update configuration. There is no executable file at all in my ProgramData\Samsung folder. And it looked like the software has just recently been developed as in the version 1.0 so they might have thought about something when they were doing this.

    I am not sure if we can consider this is a type of malware or something, even though I know it modifies the registry. For most of Samsung laptops, you must have this in order to download and update drivers and software, for majority of consumers. However, I think we need to tell Samsung about this behavior and other vendors so they need to stay away from this.

  9. what happened to switching your computer on, do your work, then switch the sodding thing off and going home and doing something more interesting..... I came here from the BBC tech page, and computer debates like this are like golf but just not as interesting ..... thfra......

  10. I have to agree with Paul. While curious, I don't think this is all that much outside the industry process (HP does much the same and maybe others as well).
    As it said in the original article that brought me here, the article is "...affected by the exuberance of youth..." (okay, they said mildly but personally that's a mild understatement).
    Did you discover something? Yup
    Did you get the canned answer from a T1 phone rep? Yup
    Is it the malware to end all malware that is insinuated in the blog txt? (mild exaggeration on my part here). Still, Nope
    At worst, Samsung (and HP and others?) are guilty of poor communication (just as users are guilty of not paying enough attention to checking for updates and security in general). Maybe it's stated in the manual/EULA that I'm sure everyone read to the end right?
    I find too many of your assumptions are based on testing in a non-native environment (and no, verification from one user is not proper validation) and logic leaps that don't stand up by themselves.
    Did anyone try using MSConfig to simply disable "Disable_Windowsupdate" at boot?
    A good start but too many questions at this point left to be answered

    Replies
    1. I have used NVidia "Experience" for all my Samsung Drivers, due to using their Video Cards, and those drivers (353.xx Current) work, and have never caused me any problems, what else can hope for.

  11. I like this tool!
    It helps me keep my data usage low while on the go. Would be pretty annoying having a Windows update downloaded in the background through LTE.

  12. So huge non-event really, now you know the issue (Samsung sets WU to "let me choose whether to download and install updates"). If you are already using this WU setting you would never notice even if you are a Samsung PC user (VDU Monitors don't count), but if you are using "let Windows download and install updates automatically" setting it is annoying for this WU setting to be changed without asking. A full disclosure from Samsung up-front would have been better than having to squeeze the truth out after some detailed investigation, but this is no great conspiracy. Not sure which is worse: WU overwriting Samsung drivers and creating problems in some cases or Samsung changing WU settings to prevent this without telling anyone. Samsung why not issue a popup explaining the situation, giving the user a choice and remember their response? Then there would be nothing to discuss here.

    Replies
    1. This issue doesn't affect *me*, but it does bring to mind a problem that I've dealt with many times on behalf of my clients. For several years now, I've advised my clients to avoid using Windows Updates for driver-updates because Microsoft tends to be really slow about vetting the newest fixed-builds to come out of the OEMs for integration into WU.

      I think you've nailed it though in your answer... this isn't some kind of conspiracy against Microsoft. It's more than likely just something stemming from a knee-jerk reaction of someone inside of Samsung that had dealt with Microsoft's malfunctioning driver-distributions one time too many. This problem has particularly plagued certain network adapters (a few of the Realtek driver-updates from Microsoft's WHQL would cause the card to stop functioning). Realtek's network chipsets are among the top 5 OEM chips used for this purpose, so it's reasonable to assume that that particular driver issue I mentioned had also affected Samsung's products.

      The real problem, as I see it, isn't what one OEM or another is doing, but rather what the users of said OEM's products expect.... for whatever reason that may be. I suppose it's reasonable to expect an OEM system to update itself as it's supposed to, across the board. I also suppose it's reasonable to not expect OEM system owners to be on average 'technically savvy enough' to adjust their environment either upon installation, or on initial setup, and to follow up on that anytime a major system update (such as a service pack) occurs that might bring a few configuration settings into need of review.

      "Or quite simply put... People are a problem" -- Douglas Adams, THHGTTG

  13. I only like to update when connected to wifi, these updates take a long time without the user even needing it. Thanks JP

  14. I upgraded on Friday from Windows 8.1 to Windows 10.
    Since then the fan seems to be continuous - neither sleep nor shutdown buttons/clicks work - I have to switch the button off/on each time it goes to sleep.
    This is the image of the chat I had with Samsung today - https://drive.google.com/file/d/0B8u2AsQfH8MaNGpScGlwQlA1SUk/view?usp=sharing

    I appreciate your advice

  15. This comment has been removed by the author.

  16. update- Uninstalling SW Upda
    I ran SW Update trying to solve the problem - it vanished and I no longer can uninstall SW Update. The directory is no longer there
