WINDOWS 10 (The Lies Microsoft Told Me)
By Kevin J. Ripa, PI, GSEC, EnCE, CDRP, CEH
Feb. 10, 2016

THE PREAMBLE

Windows 10 has been crammed down our throats for about 9 months now. Despite the plethora of privacy issues rampant within it (did you know that if you put your files on OneDrive, they get to see/use/have them?), not to mention the fact that even if you use a default search engine such as Google, all of your browsing and search data still gets sent to Bing, people are blindly downloading it. You would think it had to do with the fact that it is new and everyone wants it. Wrong. You might think it is because it is free (even though nothing is free). Wrong again. The reason it has achieved the astronomical implementation numbers of hundreds of millions of downloads to date has everything to do with the fact that if you are a security-conscious user, it has duped you with a false sense of security, and downloaded (and in many cases installed) itself with little to no intervention on your part.

Imagine if Maytag had a new washer on the market, and decided that you should have one. A delivery guy shows up at your house every day trying to drop it off. You don’t want it because you are happy with your washer, and there is evidence to show that this new washer will spy on everything you do and send the data back to Maytag. Despite your best efforts and complaints, the Maytag man continues to show up every day. Then one day, he starts sleeping on your front step. You can’t get him to leave. For weeks he is camped out there. Then one day, you come home from work, and he is gone. Oh, but while you were away, he broke into your house and installed the new washer you didn’t want. To make matters worse, he took the old washer that you really, really liked. It even had your favorite pair of jeans in it.

Of course you would be furious, and the issue would have never gotten this far. In fact, it sounds simply foolish to entertain such a notion. Yet this is pretty much exactly what Microsoft has done in delivering Windows 10.

THE TRUST

For decades, Microsoft has been beating the security drum about their patches and security updates. They and many other security professionals, myself included, used to swear by them. “Enable Automatic Updating” was the mantra. We drank the kool-aid. We all turned on Automatic Updating. We trusted them. After all, if a system is properly patched, it is exponentially more difficult to compromise. We loved the update feature, except when the updates broke stuff. But I digress.

THE BREACH OF TRUST

As with so many other things, we bought in. We said, “Microsoft, we trust you to keep us safe.” And then Microsoft hoisted us with our own petard. In other words, we trusted them, and never should have.

What am I talking about? Initially, Microsoft decided it would hand out free copies of Windows 10 to whoever wanted them. Good so far. Then they decided, for whatever reason, that we wouldn’t mind if they just started popping annoying banners on us, telling us to upgrade. Guess how that pop-up banner started appearing? Through the automatic distribution of Windows Update KB3035583. Yep. You had Automatic Updating enabled, so they fed you something you understood to be an Important security update, and voila. Popups. If anyone else did this, it would be called malware.

Oh, but it gets better. They then decided that it would be a great idea to start automatically downloading Windows 10, all 6 GB of it, to your computer, unbeknownst to you. This is fine if you have high-speed Internet and unlimited data. But what about the many parts of North America, and almost all of Europe, where you pay by the amount of data you use? Now you are paying for 6 GB of data that you neither wanted nor asked for.

You would think the chicanery would stop there, but it doesn’t. A few months after this deception started, many security folks, myself included, got in under the hood, figured out how all of this was happening, and wrote articles about how to stop it. For example, you could uninstall KB3035583, and the pop-ups would stop. Then we would recommend hiding the update so it is ignored going forward. That is/was actually the purpose of being able to HIDE certain updates. We were so silly to think we could do an end run around Microsoft. They merely changed the names of the updates and continued distributing them. As if that wasn’t enough, they are also somehow magically reinstating the hidden updates, so that if you are still foolish enough to trust them with Automatic Updates, they will unhide your hidden updates and reinstall them.

The coup de grâce is that most recently, their updates have gone to such lengths that you turn your computer on one morning, and all you see is a blue banner that says Install Windows 10. Click here. You have no other options. And that is for the lucky ones who see the banner. Some don’t even get that. They just wake up to Windows 10 one day. Oh, by the way, if this has happened to you, don’t be surprised when programs start disappearing. Once Windows 10 gets installed, it looks at all the other programs installed on the system, and if it finds any that are incompatible, it simply uninstalls them. Without asking. Without telling. Thank you very much.

THE MITIGATION

If yours has gotten to the point where it has actually installed, I’m afraid this article can’t help you. Operating System rollbacks are a tricky thing, and I won’t get into them here. But if you are just one of the zillion people who don’t want Windows 10, or at least not yet, but are finding it more and more difficult to dodge banner ads and popups, there is hope. You will have to get your hands dirty, and keep them dirty for the foreseeable future. But it can be done. So roll up your sleeves.

All instructions and downloads from this point forward assume you are using Windows 7, 8, or 8.1. If you are using anything older, get rid of it. Seriously.

Here then, are the steps to taking back your computer, at least for now.

  1. The first thing you need to do is ensure you have the proper permission to perform these steps. Are you planning on doing this to a work computer, and you are not the owner of the company? Then talk to your IT department, and show them this article. DON’T mess with a work-administered computer!
  2. Now we must make some changes to what Windows is showing you. You have to enable viewing of System and hidden files. I like to also see file extensions. How do you do this? Well there are a couple of ways, depending on your operating system, so I am not going to go into detail on how to manually make these changes for each OS, or it will get confusing. You can simply go to Google, and search for “how to show hidden files and system files in Windows”. Insert your Windows version at the end. Or you can do it the really easy way. Download a special registry file I have built by clicking HERE. Once downloaded, just double click it, accept the warnings, and then restart your computer. Don’t be surprised if you see files on your desktop (like desktop.ini) that weren’t there before. They WERE there before, but Microsoft just figured you were too stupid to be given access to them, so they hid them.
  3. Now log in to an account that has Administrative privileges, or temporarily give your account Administrative privilege, but don’t forget to change it back after this is done. This is not mandatory, but if you go through these steps and find that they are not working because you don’t have permission, then you will have to do this. Google it if you don’t know how.
  4. Go to Start, Control Panel, Windows Updates, and click on Change Settings as shown below.

[Screenshot: Windows Update, Change settings]

  5. You will now see the Window below. Ensure that 1, 2, and 3 are set the same on your computer as they are below. Then click OK, and close the Window.

[Screenshot: Windows Update settings, items 1, 2 and 3]

  6. By now, you have probably noticed the Windows logo in the lower right corner of your screen as shown below.

Figure 1

  7. You have also probably grown VERY tired of the VERY annoying pop-up every time you open up your browser (and other times) that tells you what to do, as shown below.

Figure 2

  8. Here is how to get rid of both. First, click on your Start menu, and then go into your Control Panel, as shown below. Yes, your Start menu may look different.

Figure 3

  9. Once the Control Panel window opens, locate and open Programs and Features, as shown below.

Figure 4

  10. In the top left corner of the Programs and Features window, click on the link entitled View installed updates, as shown below.

Figure 5

  11. A listing of all of the installed Windows Updates on your computer will now be shown. Be patient. It can take some time to load them all, and there will be hundreds. (Kinda says something about Windows, doesn’t it?) Scroll down the list, looking specifically for “Update for Microsoft Windows (KB3035583)”, as shown below.

Figure 6

  12. Right click on it, and select Uninstall. You will be asked to confirm that you want to do this, as shown below.

Figure 7

  13. Once the uninstall is complete, you will be asked to restart your computer, as indicated below. Do this now.

Figure 8

  14. Feeling pretty good about yourself, you cyber-evangelist, you? Well, the pain has only just begun. Remember way back when I said Microsoft has created many more updates besides this one to accomplish basically the same task? I (and others) have identified no less than 16 of these little beasts that either help Microsoft sneak Windows 10 onto your computer, or exfiltrate data from your computer. Would you like to do the above 16 times? No? I didn’t think so.
  15. I have created a batch file called Telemetry.bat that will automate the process. You can download it HERE. Once downloaded, RIGHT click on it, and select “Run As Administrator” as seen below.

[Screenshot: Run As Administrator]

  16. A command line window will open, and you will see something like the Window below. Just hit Enter when prompted (should be twice), and after the second one, the Window will close. Now restart your computer.

[Screenshot: Telemetry.bat command line window]

  17. Once the computer restarts, go back to step 10 and open that list again. Look for the 16 KB articles listed in the batch file above, and also listed below. If you find any, uninstall them manually. It has been my experience that one or two get left behind. You can search for them in the search bar at the top right corner of the window. You can keep checking back at this page. We will add to this list and batch file as we discover them. By the way, if you are wondering why we bother with the batch file if we just have to go back and look through the list anyway, well, first of all, I don’t trust Microsoft, and second, when you use the batch file, you don’t have to restart the computer after each uninstall.

KB3012973
KB3021917
KB3035583
KB2952664
KB2976978
KB3022345
KB3068708
KB2990214
KB3075249
KB3080149
KB3044374
KB2977759
KB3050265
KB3068707
KB3058168
KB3123862

  18. Now go to your Control Panel and run Windows Updates. Even if it says there are no updates, click on the link on the upper left of the window to search for updates. Once done, you may see the updates (the ones you just uninstalled) ready to be installed again. We certainly don’t want that to happen, so ensure the box beside the update is UNCHECKED, and then right click on the update and select “Hide update”, as shown below, and then click OK.

Figure 9
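The batch-file step and the hide-update step above can be combined into one script. This is an added example, not the author’s Telemetry.bat: it assumes an elevated PowerShell prompt on Windows 7, 8 or 8.1, uses the built-in wusa.exe to uninstall each KB from the list above, and then uses the Windows Update Agent COM interface to mark those KBs (and any Windows 10 upgrade entry) as hidden so they are not offered again.

```powershell
# Added example, not the author's Telemetry.bat. Run from an elevated PowerShell prompt.
# The 16 KB numbers are the ones listed in the article above.
$kbList = @(
    '3012973','3021917','3035583','2952664','2976978','3022345','3068708','2990214',
    '3075249','3080149','3044374','2977759','3050265','3068707','3058168','3123862'
)

# 1. Uninstall whichever listed updates are currently installed.
#    Get-HotFix reports installed updates; wusa.exe removes one by KB number.
#    /norestart avoids a reboot after every single uninstall (reboot once at the end).
foreach ($kb in $kbList) {
    if (Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue) {
        Write-Host "Uninstalling KB$kb ..."
        Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
    } else {
        Write-Host "KB$kb is not installed, skipping."
    }
}

# 2. Ask the Windows Update Agent for updates not yet installed and hide any whose
#    KB number is on the list, or that is the Windows 10 upgrade itself, so
#    Automatic Updates will not quietly put them back.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0').Updates
foreach ($update in $pending) {
    $ids = @($update.KBArticleIDs)              # numbers without the "KB" prefix
    $onList = $ids | Where-Object { $kbList -contains $_ }
    if ($onList -or $update.Title -like '*Windows 10*') {
        $update.IsHidden = $true
        Write-Host "Hidden in Windows Update: $($update.Title)"
    }
}

# 3. Report anything from the list that survived, so it can be removed by hand
#    from Programs and Features (step 17 above).
$leftover = $kbList | Where-Object { Get-HotFix -Id "KB$_" -ErrorAction SilentlyContinue }
if ($leftover) {
    Write-Host "Still installed, uninstall manually: KB$($leftover -join ', KB')"
} else {
    Write-Host "None of the listed updates remain installed. Restart the computer now."
}
```

Re-run the script after each Patch Wednesday check; if Microsoft re-releases one of these under the same KB number, it will be removed and re-hidden without going through the list by hand.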

  19. In some cases, you may see Windows 10 in this list as well. Just do the same for it. Uncheck, right click, and select “Hide update”. But you are not done yet. Now we have to dig under the hood and get rid of the Windows 10 garbage that Microsoft already put there without you knowing.
  20. Open Windows Explorer. Don’t know how? Google it. Or ask your nearest 12 year old.
  21. Double click on your C: Drive. Check the list of folders and see if you have one titled “$windows.~BT”. If so, it’s gotta go. (If not, lucky you.) Right click on it and delete it. It may decide not to, saying you don’t have permission, even though you are the Administrator. If that happens, click HERE and download a little program called TakeOwnership. It is really just another registry file like the one from step 2.
  22. Once downloaded, just double click on it, and you will see the following message below.

  23. Click Yes, and you will see the Window below.

[Screenshot: TakeOwnership registry import confirmation]

  24. Click OK, and then navigate back to Windows Explorer at the C: drive and find the folder named $windows.~BT again. Right click on it, and select TakeOwnership from the dropdown menu, as shown below.

[Screenshot: TakeOwnership entry in the right-click menu]

  25. A command line window will open, and for the next few minutes, files will be flying past faster than you can read them. That is the TakeOwnership program doing its thing. Once it is done, the Window will close.
  26. Now you can right click on $windows.~BT and delete it, and it will actually delete.
  27. Once done, in that same Window, double click on Windows, then on system32. Inside that folder, you may see a folder entitled GWX. If it is not there, then great, but if it is, follow the same procedure as with the $windows.~BT.
  28. Once done, restart your computer.
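The take-ownership-and-delete steps above, as an added example that is not the author’s TakeOwnership registry file: it assumes an elevated PowerShell prompt and uses the built-in takeown.exe and icacls.exe to give the Administrators group ownership and full control of $windows.~BT and GWX before removing them, checking for each folder first so the script is safe to run when they are already gone.

```powershell
# Added example, not the author's TakeOwnership tool. Run from an elevated PowerShell prompt.
# Folders the article says the Windows 10 upgrade leaves behind; both paths assumed per the text.
$targets = @(
    (Join-Path $env:SystemDrive '$windows.~BT'),     # upgrade staging folder on C:
    (Join-Path $env:SystemRoot  'System32\GWX')      # "Get Windows 10" app folder
)

function Remove-UpgradeFolder {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path is not present, nothing to do."
        return
    }

    # takeown.exe: /F path, /R recurse, /A give ownership to the Administrators group,
    # /D Y answer "yes" on subfolders the current user cannot list. This is the
    # "files flying past" phase the article describes.
    & takeown.exe /F $Path /R /A /D Y | Out-Null

    # icacls.exe: grant Administrators (well-known SID S-1-5-32-544) full control,
    # /T recursively, /C continue past any file that errors.
    & icacls.exe $Path /grant '*S-1-5-32-544:F' /T /C | Out-Null

    # Ownership and permissions are now ours, so the delete that previously
    # failed with "you don't have permission" should succeed.
    Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
    Write-Host "Removed $Path"
}

foreach ($dir in $targets) {
    try {
        Remove-UpgradeFolder -Path $dir
    } catch {
        # A locked file (an upgrade installer still running, for example) leaves the
        # folder in place; report it rather than silently moving on.
        Write-Warning "Could not fully remove $dir : $($_.Exception.Message)"
    }
}
Write-Host "Done. Restart the computer to finish."
```

If a warning is printed for $windows.~BT, uninstall the listed KBs first (steps 14 to 17) so that nothing is still staging the upgrade, then run the script again.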

You are now free of the Microsoft malware and its persistence. Having said that, you are now not receiving Automatic Updates anymore, and this is not optimal. To counter this, you need to go to Windows Update at least bi-weekly, on Wednesday, and check for updates. When you see the list of what is available, check them against the list of Microsoft crapware above, and if you see anything reappear, simply right click, hide the update, and continue installing whatever else is there.

Kevin J. Ripa is the President of Computer Evidence Recovery, Inc., and has been involved in numerous complex cyber-forensic investigations. He can be contacted via his website at www.computerpi.com.