Neutralizing the Windows Platform Binary Table
You Don’t Control What Runs on Your Laptop!
I installed a fresh copy of Windows upon buying a refurbished Dell laptop, which is a good thing to do for security. I downloaded it from microsoft.com. I installed nothing else on it. A few reboots later, I noticed six McAfee software packages in Add/Remove Programs, and constantly running in the background.
How did they get installed? I had no idea. So I securely erased the SSD and reinstalled Windows. Same thing!
McAfee is designed to be impossible to uninstall. Perhaps Dell designed it this way. Perhaps this was a bespoke firmware design for this particular laptop’s corporate lease. The things I tried:
- Windows Add/remove programs: McAfee errors out with an “Enterprise software detected”
- McAfee’s own removal tool asks for a password, which of course, I did not know.
- Terminating the McAfee processes and deleting directories did not help. It just came back in a few hours
- Third party software removal tools all failed. They claimed to delete the directories and registry, but McAfee came back in a few hours
- Dell customer service refused to help without a payment for software support. More concerning, they refused to acknowledge the problem exists, which convinced me it would be a waste of time.
Nobody could have thought up a design this terrible!
Research yielded this thread on reddit.
Conclusion: laptops can reinstall any kind of bloat because it is baked into the firmware (UEFI)! And there is no official way to disable it in Windows. The subreddit above says it all: assholedesign.
Bottom line: you literally don’t get to have a say in the software that is installed on your own computer. RMS has long warned us about this.
I researched pointers from that reddit thread:
So how do we deal with this?
User Jamesits has authored a non-permanent way to disable the WPBT. Since it is non-permanent, the program should be executed every time the computer is rebooted, before the Windows bootloader starts.
The tricky thing is to ensure this is executed even during the very first boot into Windows during and after a fresh install. This thread shows how.
For those in a similar situation (i.e., wanting to install Windows 10/11 fresh, and ensuring there is not even a single boot up where WPBT is accessible), do this:
Step 1: Create a UEFI bootable USB disk and put dropWPBT-loader.efi in it, which can be done from within Windows admin cmd prompt like so:
diskpart
list disk
rem X = the number of your USB drive from "list disk"; clean wipes the selected disk
select disk X
clean
create part primary size=10
select partition 1
assign letter=N
select volume N
format fs=fat32 quick
active
exit
Then, copy dropWPBT-loader.efi to the USB disk’s \EFI\boot\bootx64.efi. That file is what UEFI boots from on a USB disk. dropWPBT-loader.efi is a bootloader. It boots, disables WPBT, and then looks for a Windows boot .efi anywhere on the system (including other drives), and transfers control to it. Congrats, you have a boot disk.
You will use this disk to boot into Windows until you modify your Windows EFS (the EFI system partition) on your hard drive (as shown in the README.md). Do this every time Windows overwrites the EFS (initial installation and major upgrades). To do so, configure your BIOS to not boot to hard drive, but only boot via this USB disk. Alternatively, use your BIOS’s one-time boot menu to boot from this disk until it’s no longer needed.
Step 2: To perform a fresh Windows 10 or 11 install: when the installer reboots for the first time, it will overwrite the BIOS NVRAM to boot off the hard drive. You’ll have to catch this reboot, interrupt it, disable this in BIOS, and boot off your custom USB disk above. Once Windows boots up, open a cmd prompt, and follow the README.md in the dropWPBT repo to modify your Windows EFS to point to dropWPBT.efi first.
An Oversimplified Primer
To help you build up a quick mental model, here are my notes:
- A computer’s BIOS is its firmware that begins the boot process.
- UEFI is a modern (~2005) replacement for BIOS
  - a .efi file can run any code it wants, and then transfer control to another .efi
  - so .efi files can be either:
    - boot managers: presents a menu and transfer control to the selected .efi
    - boot loaders: loads an OS kernel into memory
- GPT is the modern partition table standard, a replacement for MBR that works with UEFI
  - UEFI looks for *.efi on GPT based boot media, and boots those files, instead of looking for a particular block on the block device
  - Stores where to boot next in NVRAM
  - Gets past other MBR limitations (eg: 2TB limits, etc.)
- how dropWPBT works: it is a .efi file that is a boot manager. It boots, then simply “screws up the signature” of the table (WPBT) so Windows does not load it, and then looks for a Windows .efi to transfer control to. Very simple, and effective!
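To make the last note concrete, here is an added example (not part of the original post and not dropWPBT's code) that decodes a raw WPBT ACPI table and models why a table whose signature has been altered is no longer found. The sample table, its OEM strings and addresses, and the helper names are constructed for illustration; the field layout follows the ACPI table header and Microsoft's published WPBT format.

```python
import struct

# 36-byte ACPI table header, then the WPBT fields from Microsoft's WPBT spec.
HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, address, layout, type, args length

def checksum_ok(table: bytes) -> bool:
    """Every byte of a valid ACPI table sums to 0 modulo 256."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table; reject anything malformed."""
    if len(table) < HEADER.size + WPBT_BODY.size:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _cks, oem_id, *_ = HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"signature is {sig!r}, not WPBT")
    if length != len(table) or not checksum_ok(table):
        raise ValueError("bad length or checksum")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, HEADER.size)
    start = HEADER.size + WPBT_BODY.size
    return {
        "oem_id": oem_id.decode("ascii").strip(),
        "handoff_size": size,      # bytes of firmware-supplied binary
        "handoff_addr": addr,      # physical address it was placed at
        "layout": layout, "type": ctype,
        "args": table[start:start + arg_len].decode("utf-16-le"),
    }

def find_table(tables, signature: bytes):
    """Model of an OS lookup: ACPI tables are located by 4-byte signature."""
    return next((t for t in tables if t[:4] == signature), None)

def build_sample() -> bytes:
    """Constructed table with made-up OEM values; no real binary behind it."""
    args = "-demo".encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    head = HEADER.pack(b"WPBT", HEADER.size + len(body), 1, 0,
                       b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(head + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte at offset 9 zeroes the sum
    return bytes(raw)

def with_broken_signature(table: bytes) -> bytes:
    """Stand-in for the neutralization: same bytes, signature no longer WPBT."""
    return b"XPBT" + table[4:]

if __name__ == "__main__":
    print(parse_wpbt(build_sample()))
```

On a Linux live USB, a machine whose firmware publishes the table exposes it at /sys/firmware/acpi/tables/WPBT, and the bytes read from that file (as root) can be passed straight to parse_wpbt.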
References
- Articles on UEFI are surprisingly difficult to come across. The best reference I found on how BIOS/UEFI and the booting process works is rodsbooks.