Neutralizing the Windows Platform Binary Table

You Don’t Control What Runs on Your Laptop!

I installed a fresh copy of Windows upon buying a refurbished Dell laptop, which is a good thing to do for security. I downloaded it from microsoft.com. I installed nothing else on it. A few reboots later, I noticed six McAfee software packages in Add/Remove Programs, constantly running in the background.

How did they get installed? I had no idea. So I securely erased the SSD and reinstalled Windows. Same thing!

McAfee is designed to be impossible to uninstall. Perhaps Dell designed it this way. Perhaps this was a bespoke firmware design for this particular laptop’s corporate lease. The things I tried:

  • Windows Add/Remove Programs: McAfee errors out with an “Enterprise software detected” message.
  • McAfee’s own removal tool asks for a password, which, of course, I did not know.
  • Terminating the McAfee processes and deleting directories did not help. It just came back in a few hours.
  • Third-party software removal tools all failed. They claimed to delete the directories and registry entries, but McAfee came back in a few hours.
  • Dell customer service refused to help without a payment for software support. More concerning, they refused to acknowledge the problem exists, which convinced me it would be a waste of time.

Nobody could have thought up a design this terrible!

Research yielded this thread on reddit. Conclusion: laptops can reinstall any kind of bloat because it is baked into the firmware (UEFI)! And there is no official way to disable it in Windows. The subreddit above says it all: assholedesign.

Bottom line: you literally don’t get to have a say in the software that is installed on your own computer. RMS has long warned us about this.

I researched pointers from that reddit thread:

So how do we deal with this?

User Jamesits has authored a non-permanent way to disable the WPBT. Since it is non-permanent, the program should be executed every time the computer is rebooted, before the Windows bootloader starts.

The tricky thing is to ensure this is executed even during the very first boot into Windows during and after a fresh install. This thread shows how.

For those in a similar situation (i.e., wanting to install Windows 10/11 fresh, and ensuring there is not even a single boot up where WPBT is accessible), do this:

Step 1: Create a UEFI bootable USB disk and put dropWPBT-loader.efi on it, which can be done from within a Windows admin cmd prompt like so:

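diskpart
list disk
rem Replace X with the number of your USB drive from "list disk".
rem "clean" wipes the selected disk, so double-check the number first.
select disk X
clean
create part primary size=10
select partition 1
assign letter=N
select volume N
format fs=fat32 quick
active
exit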

Then, copy dropWPBT-loader.efi to the USB disk’s \EFI\boot\bootx64.efi. That file is what UEFI boots from on a USB disk. dropWPBT-loader.efi is a bootloader. It boots, disables WPBT, then looks for a Windows boot .efi anywhere on the system (including other drives) and transfers control to it. Congrats, you have a boot disk.

You will use this disk to boot into Windows until you modify the Windows EFI System Partition (ESP) on your hard drive (as shown in the README.md). Do this every time Windows overwrites the ESP (initial installation and major upgrades). To do so, configure your BIOS to not boot from the hard drive, but only from this USB disk. Alternatively, use your BIOS’s one-time boot menu to boot from this disk until it’s no longer needed.

Step 2: To perform a fresh Windows 10 or 11 install: when the installer reboots for the first time, it will overwrite the BIOS NVRAM to boot off the hard drive. You’ll have to catch this reboot, interrupt it, disable this in the BIOS, and boot off your custom USB disk above. Once Windows boots up, open a cmd prompt, and follow the README.md in the dropWPBT repo to modify your Windows EFI System Partition (ESP) to point to dropWPBT.efi first.

An Oversimplified Primer

To help you build up a quick mental model, here are my notes:

  • A computer’s BIOS is its firmware that begins the boot process.
  • UEFI is a modern (~2005) replacement for BIOS.
    • A .efi file can run any code it wants, and then transfer control to another .efi.
    • So .efi files can be either:
      • boot managers: present a menu and transfer control to the selected .efi
      • boot loaders: load an OS kernel into memory
  • GPT is the modern partition table standard, a replacement for MBR that works with UEFI.
    • UEFI looks for *.efi files on GPT-based boot media and boots those files, instead of looking for a particular block on the block device.
    • UEFI stores where to boot next in NVRAM.
    • GPT gets past other MBR limitations (e.g., 2TB limits, etc.).
  • How dropWPBT works: it is a .efi file that is a boot manager. It boots, then simply “screws up the signature” of the table (WPBT) so Windows does not load it, and then looks for a Windows .efi to transfer control to. Very simple, and effective!
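
The signature trick in the last bullet can be checked on a table dump. The Python below is an added example, not code from dropWPBT or from the original post: it parses a WPBT using the field layout in Microsoft's WPBT specification and shows that a table whose 4-byte signature has been overwritten is no longer recognized. The sample table, its OEM strings and its addresses are constructed, and `neutralize` only models the description above.

```python
import struct

# Standard ACPI table header: 36 bytes, little-endian, checksum at offset 9.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields that follow the header (Microsoft WPBT specification):
# handoff memory size, handoff memory location, content layout, content type,
# argument length.
WPBT_BODY = struct.Struct("<IQBBH")


def checksum_ok(table: bytes) -> bool:
    """All bytes of a valid ACPI table sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes):
    """Return the WPBT fields, or None if the blob is not a well-formed WPBT."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        return None
    sig, length, _rev, _cks, oem_id, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT" or length != len(table) or not checksum_ok(table):
        return None
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(
        table, ACPI_HEADER.size)
    return {"oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
            "handoff_size": size, "handoff_address": addr,
            "content_layout": layout, "content_type": ctype,
            "argument_length": arg_len}


def build_sample_wpbt() -> bytes:
    """Constructed sample table (not from a real machine), valid checksum."""
    body = WPBT_BODY.pack(0x20000, 0x7A000000, 1, 1, 0)
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) % 256  # fix up the checksum byte
    return bytes(raw)


def neutralize(table: bytes) -> bytes:
    """Model of the page's description: overwrite the 4-byte signature."""
    return b"XXXX" + table[4:]


if __name__ == "__main__":
    sample = build_sample_wpbt()
    print("before:", parse_wpbt(sample))              # fields are reported
    print("after: ", parse_wpbt(neutralize(sample)))  # None
```

On a Linux live system, a real table can be read as root from /sys/firmware/acpi/tables/WPBT when the firmware publishes one, and passed to `parse_wpbt`.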

References

  • Articles on UEFI are surprisingly difficult to come across. The best reference I found on how BIOS/UEFI and the booting process works is rodsbooks.
