WGAtray.exe (Windows Genuine Authentication) spyware. Can this be disabled?



I didn't track at which point Microsoft dumped this on my host. I have a genuine version (OEM) of Windows XP Pro from when I bought the hardware and software components for my system. As part of Microsoft's discontinuance of supporting pirated versions of Windows so they cannot get updates or service packs (an understandable stance on their part), they have decided to install spyware on all their customers' hosts. It is the wgatray.exe process. See http://www.theinquirer.net/?article=31281.

I don't want processes consuming resources that are not germane to *MY* use of *MY* hardware and the licensed software. I disable or set to Manual any NT services that I don't need. I disable apps that want to run at startup that I don't need or need so rarely that starting them manually is not a great loss of ease-of-use for them, or I disable or remove their startup entries from the registry, Start group, or Task Manager if they don't provide the option to *not* load them on Windows startup. I don't want all that crap running on my host.

Microsoft got a bit more tricky with the WGA program. It won't appear in msconfig as a startup item. Some utilities that let you check the startup items won't show it. I used AutoRuns from SysInternals and found it hiding (as some malware does also) under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

under a data item named "WgaLogon". The executable file is at:

c:\windows\system32\wgalogon.[exe|dll]

Like rootkits, Microsoft will hide the WGA processes in the hopes that users won't wonder what the hell it is. They also have the kernel hide it when using Explorer when looking in the System32 folder (but other file search tools, like Agent Ransack, the free version of FileLocator, will find it). I noticed it because I use DiamondCS' ProcessGuard which won't let a process load into memory unless authorized by the user.

I can understand the need to stop supporting pirated copies of Windows but that should be performed during the session with Windows Update, not by running some client-side utility that always performs the check when it doesn't apply. It is not Microsoft's place to interfere with the operation of the OS during its use, only when the pirating user attempts to get updates. Since the Windows Update site already requires the use of an ActiveX control, let Microsoft use that mechanism for qualifying the connected user as to whether or not they can get updates (and make damn sure there is a free support line just for problems that arise from false triggers).

Anyone know how to keep wgatray.exe from running? Would deleting its registry entry as a WinLogon event eliminate it? What if I configure ProcessGuard to *not* allow that process to load into memory (if Microsoft has decided to play the role of a virus and circumvent any standard means of preventing a process from loading on Windows startup)? Microsoft needs to learn that it cannot resort to spyware to regulate who uses their operating systems. I won't be annoyed by the popups (but supposedly pirates will although it has yet to be seen how accurate is their detection) but I really don't want any more extra crap, er, fluff running on my system since it is *MY* hardware, not Microsoft's. I don't want anything stealing CPU cycles and memory that I don't know about and which I cannot control; otherwise, it is considered malware. It wouldn't be as much of an insult if Microsoft had not chosen to hide what they are doing to their customers. Guess they liked what Sony did with their rootkit and have followed suit. Microsoft produces the Windows Defender anti-spyware product yet Microsoft also introduces spyware.

--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________
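
Added example, not part of the original post: the post notes that entries under Winlogon\Notify do not show up in msconfig, so this Python sketch audits a text export of that key and lists notification packages whose DLL is not in a reviewed baseline. The sample export, the `REVIEWED_DLLS` baseline and the function names are constructed for illustration; a real regedit export is UTF-16 and must be decoded to text first.

```python
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")
# Constructed sample in .reg export form; not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DLLName"="C:\\WINDOWS\\system32\\WgaLogon.dll"
'''
REVIEWED_DLLS = {"crypt32.dll"}  # assumed baseline, hypothetical

def parse_notify_packages(reg_text):
    """Return {package: {value_name_lower: string_data}} for Notify subkeys."""
    packages, current = {}, None
    prefix = NOTIFY_KEY.lower() + "\\"
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Only direct children of Notify are notification packages.
            current = rest if rest and "\\" not in rest else None
            if current:
                packages[current] = {}
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current:
            # .reg string data escapes backslashes and quotes with a backslash.
            packages[current][m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return packages

def unexpected_packages(packages, reviewed=REVIEWED_DLLS):
    """List (package, DllName) pairs whose DLL file name is not in the baseline."""
    known = {d.lower() for d in reviewed}
    findings = []
    for name, values in sorted(packages.items()):
        dll = values.get("dllname", "")
        if dll.rsplit("\\", 1)[-1].lower() not in known:
            findings.append((name, dll))
    return findings

if __name__ == "__main__":
    for name, dll in unexpected_packages(parse_notify_packages(SAMPLE_EXPORT)):
        print(f"review Winlogon Notify package {name}: {dll}")
```
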
