kill win10 prompts and GWX

[iamtheky]

*you need psexec (https://technet.microsoft.com/en-us/sysinternals/psexec.aspx)

Yes, some of it is unnecessary, but gravespitting is my second favorite activity.

new and improved, with comments.  If you have any other additions or different pieces please reply and I will add them to post #1.

expandcollapse popup

#RequireAdmin

DllCall("kernel32.dll", "int", "Wow64DisableWow64FsRedirection", "int", 1)
 ; French Fry when you Pizza and you're gonna have a bad time

runwait('cmd /c net stop wuauserv' , @WindowsDir)
; eh, maybe not necessary, but windows update is the issue, right?

runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\Logon-10s" /DISABLE' , @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-10s" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-10s" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-10s" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\Time-10s" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\Time-5d" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\gwx\launchtrayprocess" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\gwx\refreshgwxconfig" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" /DISABLE', @WindowsDir)
runwait('cmd /c psexec -accepteula -s schtasks /change /tn "\Microsoft\Windows\Setup\gwx\refreshgwxcontent" /DISABLE', @WindowsDir)
; disable all gwx tasks, this list is probably incomplete

runwait('cmd /c icacls "c:\windows\system32\gwx" /inheritance:d /T')
;delete inheritance on the folder, because thats what we are doing, deleting things.

runwait('cmd /c icacls "c:\windows\system32\gwx" /inheritance:r /T')
;remove all inheritance, because deleting may mean something else if this is an option

runwait('cmd /c takeown /F "C:\windows\system32\GWX" /R /A' , @WindowsDir)
; takeown becuase setown in icacls does not take it, which is why i also skipped that step

runwait('cmd /c icacls "c:\windows\system32\gwx" /grant Administrators:F /T')
; give administrators group Full Access, and required elevation at the top of the top script

runwait('cmd /c icacls "c:\windows\system32\gwx" /inheritance:e /T')
;turn inheritance back on, in case that matters to let the files get the admin full access /grant without going 1x1

filedelete("c:\windows\system32\gwx")
; delete the contents of that folder, and then you should be able to go delete the leftover empty directory yourself.

RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx" ,"DisableGwx" , "REG_DWORD" , "1")
; as recommended by Orbs in post #2

 

Edited December 21, 2015 by iamtheky

[orbs]

first, shouldn't that be in the Example Scripts forum?

but more important, if you are only handling GWX, then you are in real trouble here - you'll have to repeat that every few hours, when the GWX "update" reinstalls itself.

the formal way to disable GWX (which is working for me for a very long time now) is a simple registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx]
"DisableGwx"=dword:00000001

nothing more is required.

does your script manage any other prompts or notifications (other than GWX, that is)?

[iamtheky]

These are just parts and pieces i have picked up, with no real regard for whether they were doing double work; but I have not had it reappear with the tasks disabled and files gone.  And it could go to the examples, but I have seen many flavors, so i figured let this sit in GH&S for a week and get robust.

is that the only key you are adding?  a single regwrite would be easy enough to add, but it would still leave all the artifacts, no?  and are your scheduled tasks still present, with next scheduled times, but adhering to the reg value to not run?

--and you found one of the activities I cant do without Domain Admin credentials, i will slap it in there blind though as it cant hurt.

 

Edited December 21, 2015 by iamtheky

[orbs]

... are your scheduled tasks still present, with next scheduled times, but adhering to the reg value to not run?

yes, scheduled tasks are present, so are all the GWX related files, as well as that blasted update (which is why it doesn't get reinstalled). i can't seem to find the original article about it, but i remember it is the formal method designed by Microsoft, and it was first made available for sys.admins to deploy to enterprise workstations (because there was quite a fuss about it, and rightfully so. that crap is an olympic-grade nuisance for everyone, but for sys.admins it's far worse).

[iamtheky]

Updated with the registry entry.  If the result is 'cleaned + blocked' this will end up being even more useful

[Trong]

My solution:

expandcollapse popup

#RequireAdmin
#Region
#AutoIt3Wrapper_Change2CUI=y
#EndRegion
Global $GWX_KEY = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWX.exe'
Global $GWX_NAME = 'Debugger'
Local $__WINVER_RtlGetVersion = __WINVER_RtlGetVersion()
ConsoleWrite("- WINVER Version: " & $__WINVER_RtlGetVersion & @CRLF)
;unsupported OS message box (XP/Vista/8 RTM
;If $__WINVER_RtlGetVersion<>"0x0601" And $__WINVER_RtlGetVersion<>"0x0603" Then
;   MsgBox(48,@error& " Unsupported Operating System","This applicatiion requires Windows 7 SP1 or Windows 8.1");
;   Exit
;EndIf
_Remove()
Func _Remove()
    If StringInStr(@OSArch, "64") Then ConsoleWrite("- Disable Wow64FsRedirection: " & _WinAPI_Wow64EnableWow64FsRedirection(False) & @CRLF)
    ConsoleWrite("- Close GMX Process: " & _ProcessClose("GWX.EXE") & @CRLF)
    ConsoleWrite("- Uninstaller KB3035583: " & RunWait(@ComSpec & " /c wusa /uninstall /kb:3035583 /quiet /norestart", @SystemDir, @SW_HIDE) & @CRLF)
    ConsoleWrite("- TakeOwn: " & RunWait(@ComSpec & " /c takeown /f %windir%\System32\GWX\ /R /D Y", @SystemDir, @SW_HIDE) & @CRLF)
    ConsoleWrite("- Set Atrrib: " & RunWait(@ComSpec & " /c ATTRIB -S -H -R %windir%\System32\GWX\* /S /D", @SystemDir, @SW_HIDE) & @CRLF)
    ConsoleWrite("- Del File: " & RunWait(@ComSpec & " /c DEL /F /Q %windir%\System32\GWX\* /S", @SystemDir, @SW_HIDE) & @CRLF)
    If StringInStr(@OSArch, "64") Then
        ConsoleWrite("- TakeOwn_: " & RunWait(@ComSpec & " /c takeown /f %windir%\SysWOW64\GWX\ /R /D Y", @SystemDir, @SW_HIDE) & @CRLF)
        ConsoleWrite("- Set Atrrib_: " & RunWait(@ComSpec & " /c ATTRIB -S -H -R %windir%\SysWOW64\GWX\* /S /D", @SystemDir, @SW_HIDE) & @CRLF)
        ConsoleWrite("- Del File_: " & RunWait(@ComSpec & " /c DEL /F /Q %windir%\SysWOW64\GWX\* /S", @SystemDir, @SW_HIDE) & @CRLF)
    EndIf
    ConsoleWrite("- Del Task Scheduler: " & RunWait(@ComSpec & " /c schtasks /delete /tn gwx", @SystemDir, @SW_HIDE) & @CRLF)
    ConsoleWrite("- Del Task Scheduler_: " & RunWait(@ComSpec & " /c schtasks /delete /tn GWXTriggers", @SystemDir, @SW_HIDE) & @CRLF)
    ;C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx
    ;C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers

    ;ConsoleWrite("- TakeOwn: "&RunWait(@ComSpec & " /c takeown /f %windir%\System32\Tasks\Microsoft\Windows\Setup\gwx /R /D Y", @SystemDir, @SW_HIDE) & @CRLF)
    ;ConsoleWrite("- Set Atrrib: "&RunWait(@ComSpec & " /c ATTRIB -S -H -R %windir%\System32\Tasks\Microsoft\Windows\Setup\gwx\* /S /D", @SystemDir, @SW_HIDE) & @CRLF)
    ;ConsoleWrite("- Del File: "&RunWait(@ComSpec & " /c DEL /F /Q %windir%\System32\Tasks\Microsoft\Windows\Setup\gwx\* /S", @SystemDir, @SW_HIDE) & @CRLF) & @CRLF)

    Local $GWX_CMD = 'cmd /c echo'
    RegRead($GWX_KEY, $GWX_NAME)
    If @error Then RegWrite($GWX_KEY, $GWX_NAME, 'REG_SZ', $GWX_CMD)
    ConsoleWrite("!-Done-! It'll never run again!" & @CRLF)
EndFunc   ;==>_Remove

Func _Restore()
    RegRead($GWX_KEY, $GWX_NAME)
    If Not @error Then RegDelete($GWX_KEY)
EndFunc   ;==>_Restore

Func _ProcessClose($sProcess)
    Local $Q = 0, $sPID = ProcessExists($sProcess)
    If $sPID = @AutoItPID Then Return SetError(1, 0, 0)
    If Not $sPID Then Return SetError(0, 0, 1)
    While 1
        $sPID = ProcessExists($sProcess)
        $Q += 1
        If $Q > 20 Or $sPID = 0 Then ExitLoop
        ProcessClose($sPID)
    WEnd
    If ProcessExists($sProcess) Then RunWait(@ComSpec & " /c taskkill /T /F /IM " & $sProcess, @SystemDir, @SW_HIDE)
    Return SetError(ProcessExists($sProcess) <> 0, 0, ProcessExists($sProcess) = 0)
EndFunc   ;==>_ProcessClose

Func __WINVER_RtlGetVersion()
    Local $tOSVI = DllStructCreate('dword;dword;dword;dword;dword;wchar[128]')
    DllStructSetData($tOSVI, 1, DllStructGetSize($tOSVI))
    Local $Ret = DllCall("ntdll.dll", "int", "RtlGetVersion", "ptr", DllStructGetPtr($tOSVI))
    If @error Or $Ret[0] <> 0 Then Return SetError(1, 0, 0) ; RtlGetVersion returns STATUS_SUCCESS = 0

    ; 0x0501 = Win XP
    ; 0x0502 = Win Server 2003
    ; 0x0600 = Win Vista
    ; 0x0601 = Win7 / Major Version = 6, Minor Version = 1
    ; 0x0602 = Win8
    ; 0x0603 = Win8.1
    ; 0x0604 = Win10 "Technical Preview"
    ; 0x0A00 = Win10 RTM (build 10240 or later) / Major Version = 10, Minor Version = 0
    ;"WIN_10", "WIN_81", "WIN_8", "WIN_7", "WIN_VISTA", "WIN_XP", "WIN_XPe",
    ;    for Windows servers: "WIN_2016", "WIN_2012R2", "WIN_2012", "WIN_2008R2", "WIN_2008", "WIN_2003"".
    ; Return "0x" & Hex(BitOR(BitShift(10, -8), 0), 4)
    Return "0x" & Hex(BitOR(BitShift(DllStructGetData($tOSVI, 2), -8), DllStructGetData($tOSVI, 3)), 4)
EndFunc   ;==>__WINVER_RtlGetVersion


Func _WinAPI_Wow64EnableWow64FsRedirection($bEnable)
    Local $aRet = DllCall('kernel32.dll', 'boolean', 'Wow64EnableWow64FsRedirection', 'boolean', $bEnable)
    If @error Then Return SetError(@error, @extended, 0)
    ; If Not $aRet[0] Then Return SetError(1000, 0, 0)
    Return $aRet[0]
EndFunc   ;==>_WinAPI_Wow64EnableWow64FsRedirection

 

Simple solution:

#RequireAdmin
Global $GWX_KEY = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWX.exe'
Global $GWX_NAME = 'Debugger'
Global $GWX_CMD = 'cmd /c echo'

Func Block()
    RegRead($GWX_KEY, $GWX_NAME)
    If @error Then RegWrite($GWX_KEY, $GWX_NAME, 'REG_SZ', $GWX_CMD)
    Local $msg = "It'll never run again!" & @CRLF & 'Do you want restart to apply all changes now?'
    If MsgBox(32 + 4 + 262144, 'Done', $msg) = 6 Then Shutdown(6)
EndFunc   ;==>Block

Func Restore()
    RegRead($GWX_KEY, $GWX_NAME)
    If Not @error Then RegDelete($GWX_KEY)
    MsgBox(64 + 262144, 'Done', "It'll show again on next time when Windows start!")
EndFunc   ;==>Restore

 

Edited December 22, 2015 by Trong

[iamtheky]

eyeballing it, looks like i need the wusa command.

 and i dont have that $GWX_Key so what would be the purpose of adding that entry with a value of 'cmd /c echo'?  If the installer puts it back I would imagine it would overwrite that, no?

and I leave the schtasks as it was speculated in another forum that the missing tasks were triggering the redeploy, but disabling them did not.  I will test more tomorrow, thanks trong.

Edited December 22, 2015 by iamtheky

[orbs]

... If the installer puts it back I would imagine it would overwrite that, no?

no. Microsoft has yet to achieve that level of a malware behaviour.

[iamtheky]

@orbs I only ask about Trongs registry entry since it is not 'the recommended' one.  I would not expect them to honor all random registry entries, and would like to know what triggers the 'cmd /c echo' registry value to fire as I am not seeing that key on any machines

Edited December 22, 2015 by iamtheky

[MuffinMan]

Trong's REG key just tells Windows to run 'something else' instead of running GWX.exe.  In his case the something else is "cmd /c echo" which basically does nothing.  I have seen this used before but I think we used "c:\windows\system32\systray.exe" which to the user doesn't do anything either.  As long as MS doesn't change the name of GWX.exe, it will always run the other program instead.

[iamtheky]

i see now, it was late and I was watching rockets.  thanks.

The potential unintended effects of the IFEO key would have my script leaving artifacts that do more than the intent of the script.  I have not had the triggers nor the prompt fire since running my script two days ago, so would not want to take the additional step of preventing anything named gwx.exe from running.

Still playing with the wusa command, but the KB does queue back up, and the uninstall command does not remove the files or tasks?  What are the added benefits of running the uninstaller?

Edited December 23, 2015 by iamtheky