Samsung: Disable_Windowsupdate.exe

Re: The Good, the Bad, the Ugly.... and the Bizarre

Okay, it would seem that the .exe isn't actually dropped as such, but generated on the fly from this XML file (as uploaded by the OP). I cannot find the relevant executable embedded within any of the Samsung files. So it would appear to be generated on the fly from this XML.

At a guess I would say it's generated during installation (I'm going to attempt to check that), and run by an as yet unknown process (although the Agent file seems the most likely at this time).

Also - note the "Orca Patch" string on the front. That hints at the mechanism.
 


Re: The Good, the Bad, the Ugly.... and the Bizarre

Good luck, Richard. If you can't get to the bottom of it then none of us can.

I particularly enjoyed this line in the XML file he uploaded:

Code:
<Str>This program helps your windows configuration settings.</Str>

Helps? Right... :lol:

I'm glad you have faith in me Tom! I'm not so sure though, I'm not very good at these things :p

But we'll see. It's a personal challenge now!
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

I'd go further, and remove delete permissions on the whole Samsung folder - it seems they cannot be trusted!
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

I have a Samsung.
There's nothing in the C:\ProgramData\Samsung\SWUpdate - no Temp directory.
I'm not able to access C:\ProgramData\applicationdata to search there.

I have the same XML file that Richard has, and a few others.
If you need anything, let me know.
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Richard, not sure if I'm missing something here or misunderstood you, but isn't it downloaded?

Object moved

That contains the files in question:

Code:
D:\Libraries\Downloads\BASW-A0394A04>tree /F
Folder PATH listing for volume Media
Volume serial number is 0000003F 7C4C:6725
D:.
│   Dis_AU.xml
│   Inst.exe
│   inst.ini
│
├───32
│       Disable_Windowsupdate.exe
│
└───64
        Disable_Windowsupdate.exe


D:\Libraries\Downloads\BASW-A0394A04>

John, I feel like you would've already mentioned this if it was the case but just have to ask: is your Windows Update disabled?
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Oh my, you're right, you're really right!! Yes, it is :p

Now to track which process downloads it, and onto the fun part of examining it.....

EDIT: It's worth noting that that URL redirects to http://downloadcenter.samsung.com/content/SW/201504/20150422144036494/BASW-A0394A04.ZIP
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Interestingly, the Disable_Windowsupdate.exe files themselves (not inst.exe here) actually have the ability to create a scheduled task based off Dis_AU.xml, which has contents

Code:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2006-12-03T15:11:57.570551</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="145a3a6c-a630-4ec0-985d-1280512f0ba8">
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>
      <WorkingDirectory>%ALLUSERSPROFILE%\Samsung</WorkingDirectory> 
    </Exec>
  </Actions>
</Task>

I note with interest that this references the path %ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe, which goes back to the ProgramData folder again. The files aren't there most of the time though.
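A triage check for task definitions like the one quoted above, added here as an example (it is not from the thread and is not Samsung's code). It flags the traits this XML combines: hidden, logon-triggered, highest available run level, no execution time limit, and a binary launched from a data directory. The flag names and the `DATA_DIRS` prefix list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristic: data directories outside the Windows and Program Files trees.
DATA_DIRS = ("%allusersprofile%", "%programdata%", "%localappdata%", "%appdata%")

# Abridged copy of the Dis_AU.xml quoted in the post above.
DIS_AU_XML = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><GroupId>S-1-5-32-545</GroupId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec>
    <Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>
  </Exec></Actions>
</Task>'''.encode("utf-16")

# Constructed contrast case: visible, time-triggered, binary under System32.
BENIGN_XML = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions><Exec><Command>%SystemRoot%\System32\defrag.exe</Command></Exec></Actions>
</Task>'''.encode("utf-16")

def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""

def audit_task(xml_bytes):
    """Return a list of (flag, detail) tuples for one task definition."""
    root = ET.fromstring(xml_bytes)  # bytes input: the parser honours the UTF-16 BOM
    findings = []
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append(("hidden", "not shown in the default Task Scheduler view"))
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append(("logon-trigger", "starts at logon"))
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append(("elevated", "RunLevel=HighestAvailable"))
    if _text(root, "t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append(("no-time-limit", "ExecutionTimeLimit=PT0S"))
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if path.lower().startswith(DATA_DIRS):
            findings.append(("data-dir-binary", path))
    return findings

if __name__ == "__main__":
    print(audit_task(DIS_AU_XML))
```

No single flag is meaningful on its own; the combination of all five in one definition is what makes a task worth a closer look.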
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

This thread has soon spiraled.
Having fun? :grin1:
 
Re: The Good, the Bad, the Ugly.... and the Bizarre

Think it's safe to say it's bad, ugly and bizarre :p
 
Whoever just moved these posts to this thread - thank you.

I literally was in the midst of doing the same, only when I opened a 2nd screen -- the posts were gone from the "Good...Bizarre" thread and I wondered what happened to them.
 
Just as a follow-up, I emailed Microsoft's Security team about this and will let you know what they say.
 
My Windows Update has been working all along.
What I failed to mention is that this system has been upgraded to Win10 from 8.1 about 4 months ago.
 
Okay, wow, yeah... this blew up. Big time.

I have hundreds and hundreds of Twitter notifications to go through, and we're apparently being mentioned in news articles now. This is really good because I was sure to mention Sysnative's name in practically the first part of the blog post. The blog post is getting 1k views every 30 mins or so now since being mentioned in news articles, so Sysnative hopefully may see some new members.

https://news.ycombinator.com/item?id=9769377

Samsung is actively disabling Windows Update on at least some computers | VentureBeat | Security | by Emil Protalinski

Samsung Disables Windows Updates to Favor Its Own Crappy Bloatware

It seems in the VB article they label me the sole discoverer, which I did not intend and even say all of the discoverers and contributors in my blog post, so I'll shoot them an email or something tomorrow after work and have it corrected.


But anyways... good job as always, team : )
 
Just an interesting note. Long ago I updated the video drivers on my Samsung laptop from the AMD website and it broke my switchable graphics.
Turns out that Samsung uses an Intel signed driver for its AMD video cards.
Installing an AMD signed driver will break the switchable graphics - and I have yet to find a way to allow it to revert back at full functionality.

I purchased a new SSD not long ago and will try to reinstall Win8 on it.
Anyone know of a good guide for installing Win8 (not 8.1) on a Win10 system?
I'll try it on my own in the near future - after I backup the current system state (and clean out the terabytes of Win8 backups that I have on my NAS's)
 
A few more bigger sites are picking up on it now:

Samsung silently disabling Windows Update on some computers | Ars Technica UK
Samsung Secretly Deploys Tool on Windows PCs to Disable Windows Update - Softpedia
Samsung cripples Windows Update to 'help your settings'
Samsung disables Windows Update, leaving laptops open to hackers | Technology | The Guardian
Samsung disables Windows Update, putting users at risk - News - Gadgets and Tech - The Independent

A Microsoft support engineer, Patrick Barker, contacted Samsung’s customer services department in an attempt to find out why the tool had been disabled. It appears that the company removed the tool because it will install default drivers from Microsoft, which might not work and so could stop hardware such as mice from functioning.
Independent

Patrick, congratulations on getting a job at Microsoft :lol:

I wonder how long it will be before we see a statement by Samsung.
 
This is definitely blowing up. Now on Forbes with the tag line, 'Killing Windows Updates To Leave Users Vulnerable'. The author found a MS Community report on this from April that clearly went nowhere.
 