Certain Asus motherboards installing software from their UEFI/BIOS

Started Oct 29, 2019 | Discussions
Billiam29 Senior Member • Posts: 2,134
Certain Asus motherboards installing software from their UEFI/BIOS
2

Apologies if this has been discussed before. I searched for some of the key terms and didn’t find them here. This news is about a year old but today was the first I’ve heard of it.

The UEFI on some Asus motherboards uses a Windows mechanism to install software directly from the BIOS into your Windows OS. Even if you don’t use ASUS motherboards, the Windows mechanism that ASUS is utilizing is potentially a pretty serious security concern and probably a good thing to be aware of.

The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.

via https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation
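An added example, not part of the original post and not vendor or Microsoft code: a Python decoder for a dump of the WPBT ACPI table, which shows whether firmware publishes a platform binary and with what arguments. The field layout follows the standard ACPI header plus the fields in Microsoft's WPBT format; the Linux sysfs path and the sample table built by the hypothetical helper `build_sample` are assumptions made for the demo.

```python
import os
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, arg length

def parse_wpbt(raw: bytes) -> dict:
    """Decode a WPBT table dump; raise ValueError if it is not a WPBT table."""
    if len(raw) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _csum, oem_id, _tbl, _orev, _cid, _crev = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length > len(raw):
        raise ValueError("header length exceeds the dump size")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    args = raw[off:off + arg_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", errors="replace").strip(),
        # The table only points at the binary: a physical address and a size.
        "handoff_size": size,
        "handoff_address": addr,
        # Layout 1 = one PE image, type 1 = native user-mode application.
        "native_user_mode_pe": layout == 1 and ctype == 1,
        "args": args,
        # Every ACPI table must sum to zero modulo 256.
        "checksum_ok": sum(raw[:length]) % 256 == 0,
    }

def build_sample(args: str = "") -> bytes:
    """Constructed WPBT table for the demo; not taken from any real firmware."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"EXAMPL", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256  # checksum byte sits at offset 9
    return bytes(table)

if __name__ == "__main__":
    path = "/sys/firmware/acpi/tables/WPBT"  # assumed Linux location, root-only
    if os.path.exists(path):
        with open(path, "rb") as fh:
            print(parse_wpbt(fh.read()))
    else:
        print("no WPBT table found here; decoding the constructed sample")
        print(parse_wpbt(build_sample("-demo")))
```
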

Austinian
MOD Austinian Forum Pro • Posts: 11,710
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Billiam29 wrote:

Apologies if this has been discussed before. I searched for some of the key terms and didn’t find them here. This news is about a year old but today was the first I’ve heard of it.

The UEFI on some Asus motherboards uses a Windows mechanism to install software directly from the BIOS into your Windows OS. Even if you don’t use ASUS motherboards, the Windows mechanism that ASUS is utilizing is potentially a pretty serious security concern and probably a good thing to be aware of.

The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.

via https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation

Very interesting! I haven't noticed anything similar on my Gigabyte mobo, or found online references to WPBT issues with it, but I'll be checking our laptops to see what their various OEMs may have done.

Looks like a way to check is this:

"You can check your own PC to see if the manufacturer has included software in the WPBT. To find out, open the C:\Windows\system32 directory and look for a file named wpbbin.exe. The C:\Windows\system32\wpbbin.exe file only exists if Windows copies it from the UEFI firmware. If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC."

https://www.howtogeek.com/226308/the-windows-platform-binary-table-why-crapware-can-come-back-after-a-clean-install/

Robert Zanatta Senior Member • Posts: 2,190
Re: Certain Asus motherboards installing software from their UEFI/BIOS
2

The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.

Robert Zanatta Senior Member • Posts: 2,190
Re: Certain Asus motherboards installing software from their UEFI/BIOS

There's a decent chance that something similar exists on your laptop.

Austinian
MOD Austinian Forum Pro • Posts: 11,710
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Robert Zanatta wrote:

There's a decent chance that something similar exists on your laptop.

There's no C:\Windows\system32\wpbbin.exe on the Dell XPS 15, the Asus ultrabook or the Surface Pro. That may be due to them having had clean Windows installs; I've been annoyed by OEM utilities too many times in the past.

Also, FWIW none of my PCs have any entry in their UEFI BIOS that looked like the Asus motherboard's.

OP Billiam29 Senior Member • Posts: 2,134
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Robert Zanatta wrote:

The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.

It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.

And a wag of the finger to Microsoft for apparently not allowing any way to bypass this. You should have a choice in the matter. It would be understandable if you had to jump through several hoops, but you should have a choice. Perhaps they feel that their "guidelines" now including the ability to disable the feature from within the BIOS is enough but that seems like somewhat of a feeble gesture to me.

LongTimeNikonUser Senior Member • Posts: 1,351
Re: Certain Asus motherboards installing software from their UEFI/BIOS

To the OP: Are you describing ASUS systems, or ASUS motherboards that people like me buy as part of a home-built system?

If that vendor file (wppin.exe ?) is deleted, does it automatically regenerate the next time the system is booted?

Has anyone done a decompile on one of these files?

LongTimeNikonUser

OP Billiam29 Senior Member • Posts: 2,134
Re: Certain Asus motherboards installing software from their UEFI/BIOS

LongTimeNikonUser wrote:

To the OP: Are you describing ASUS systems, or ASUS motherboards that people like me buy as part of a home-built system?

I honestly don’t know if it’s just motherboards or if it could be an issue with complete Asus systems as well. I came across a reference at Ars Technica which pointed to the small thread below on Asus’ RoG forum.

I’m only ankle deep versed in Asus’ product line so I don’t know if the RoG moniker means anything as far as what software is included with motherboards vs. complete systems. The Tech Power Up article that I linked was centered on a motherboard so that’s all I was comfortable mentioning.

https://rog.asus.com/forum/showthread.php?111012-AsusUpdateCheck-exe-reappears-after-reboot

Sean Nelson
Sean Nelson Forum Pro • Posts: 14,965
Re: Certain Asus motherboards installing software from their UEFI/BIOS
3

Billiam29 wrote:

It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.

BIOS code is ALWAYS run before the OS boots - it's the BIOS that loads the OS in the first place. Therefore, you HAVE to trust the motherboard manufacturer and, by implication, the PC manufacturer. There's no technical reason why the BIOS can't access the boot drive on its own BEFORE the OS is booted and write whatever the heck it wants into whatever files it fancies. Even on encrypted drives, the BIOS could install its own rootkit prior to OS initialization.

We are as much at the mercy of motherboard and PC manufacturers as we are the OS manufacturers themselves. We are also at the mercy of router and firewall manufacturers, writers of device drivers, and a whole host of other avenues that can be used as backdoors into our systems.

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Sean Nelson wrote:

Billiam29 wrote:

It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.

BIOS code is ALWAYS run before the OS boots - it's the BIOS that loads the OS in the first place.

This is nothing new and has been for decades. However this appears fundamentally different as the 'BIOS' now seems capable of:

- Copying files to a formatted drive

- Have access to Windows startup vectors to make sure their installed software and services run

Until now a BIOS has always been about executing code already there, do POST, load MBR and execute whatever code it finds there. It's now pushing its code 'into' Windows.

Joep

Robert Zanatta Senior Member • Posts: 2,190
Re: Certain Asus motherboards installing software from their UEFI/BIOS

It's been capable of doing this for years, and has done so on a lot of machines.

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Yes, but not ALWAYS which is what I was responding to. It works differently from what I assumed though.

Joep

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Any BIOS manufacturer could I reckon, not at all ASUS specific. https://borncity.com/win/2017/12/06/vendors-rootkit-windows-platform-binary-table-wpbt/

It's basically an option to make Windows load a 'native' executable at a very early stage during boot process.

Joep

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Robert Zanatta wrote:

The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.

Well maybe that's a bit naive, I wonder. Is this the same mechanism Lenovo used to load its rootkit perhaps?

Joep

Janoch
Janoch Veteran Member • Posts: 4,656
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Wonder how it would look, if you installed Linux on such a BIOS?

Or will it prevent it, ie an OS lock??

OP Billiam29 Senior Member • Posts: 2,134
Re: Certain Asus motherboards installing software from their UEFI/BIOS

A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.

I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.

Even if you’re OK with the software that’s being implemented with WPBT, what about the consequences of flaws in that software? With a normally installed application you again could simply choose to disable it or uninstall it until the problem is fixed. These routine actions aren’t valid with WPBT. And what about when the problem is fixed? It seems that you’ll need to do a BIOS update just to implement what would otherwise be a standard application patch.

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

From what I understand right now it works the other way around (this particular feature). So the OS, Windows in this case 'pulls' the native exe from UEFI BIOS and allows it to execute.

Joep

Joep van Steen
Joep van Steen Regular Member • Posts: 427
Re: Certain Asus motherboards installing software from their UEFI/BIOS

Billiam29 wrote:

A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.

Exactly. Apart from every mechanism being offered for benign purposes can also be exploited.

I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.

Yes, the tendency (I think) that takes away control from the end user.

Joep

Patco Forum Pro • Posts: 15,440
Akin to Lenovo rootkit?

Joep van Steen wrote:

Robert Zanatta wrote:

The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.

Well maybe that's a bit naive, I wonder. Is this the same mechanism Lenovo used to load its rootkit perhaps?

I'm by no means an expert in this area, but at first glance, that seems to me to be the case:

https://www.google.com/search?client=firefox-b-d&sxsrf=ACYBGNS4b9Tkct62q8MUWZhzPul1Zb5DWw%3A1572548802568&ei=wjC7XeCsIoiMsQWkzKbgAg&q=lenovo+rootkit&oq=lenovo+rootkit&gs_l=psy-ab.3..0l2j0i22i30l5.2067948.2075114..2081859...0.2..0.205.2474.0j13j1......0....1..gws-wiz.......0i71j0i131j0i67.FOxqF2QIHLU&ved=0ahUKEwjglZPmmMflAhUIRqwKHSSmCSwQ4dUDCAo&uact=5

Patco
A photograph is more than a bunch of pixels.

Sean Nelson
Sean Nelson Forum Pro • Posts: 14,965
Re: Certain Asus motherboards installing software from their UEFI/BIOS
2

Billiam29 wrote:

A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.

I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.

The real issue isn't the mechanism, it's the trust. What you fear can be done with or without WPBT.

Do you trust the BIOS and motherboard manufacturer? If not, choose a different one.
