Vendors ‘rootkit’: ‘Windows Platform Binary Table’ (WPBT)

[German]Within this blog post I like to address a feature called 'Windows Platform Binary Table' (WPBT), that has been used aon OEM PCs to enable manufacturers to download and install their software, even if the user tries a clean install of Windows.


In February 2015 I blogged about Lenovo's Superfish adware shipped with new systems (see Lenovo ships Superfish adware preinstalled on systems). A few weeks later we learned about Lenovo Service Engine (LSE), which I called Superfish reloaded II. Lenovo Service Engine (LSE) is a software, that allows the OEM to service a Windows installation on Lenovo machines. But this OEM software called Lenovo Service Engine (LSE) survives a fresh Windows install. The case has been discussed here at the arstechnica forum. User ge814 wrote:

Before booting windows 7 or 8, the bios checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe, and then writes it's own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, and sets up a services to run one of them when an internet connection is established. I don't know too much exactly what those do, but one appears to phone home to this address, which is a bit worrying with the combination of a "ForceUpdate" parameter shown and the lack of ssl, making it fairly likely that it's exploitable for remote code execution by anyone who can intercept your traffic (public wifi, etc).

It's possible to remove this behavior during flashing the BIOS/UEFI with a modified firmware. I've covered this story within my German blog post Lenovo Service Engine (LSE) – Superfish reloaded II. Lenovo later provided a Lenovo LSE Disabler Tool to remove this feature.

Windows Platform Binary Table (WPBT)

After discussing the Lenovo case above, let's come back to the topic. I have notified by German blog reader Michael Bormann, who told me, I should provide a little blog post about a thing called Windows Platform Binary Table (WPBT). At arstechnica somebody mentioned:

turns out to be a method Microsoft introduced with Windows 8 to allow the BIOS to execute code on boot up (!?!) called "Windows Platform Binary Table (WPBT)"

The mechanism has been documented within this Word .docx document from Microsoft (here is the Google cache entry, in case the document will be removed in future). Here is an excerpt from this document:

A platform can be provisioned with the Windows operating system by entities including an enterprise, a system reseller, or an end-user customer. If the platform has drivers, system services, or executable files that are integral to the platform, the platform binaries must either be distributed as part of the Windows image or they must be injected into the Windows image by each of the possible provisioning entities. A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools. However, there is a small set of software where the tools are not enough. The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity. This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.

The information provided here was originally published in conjunction with the availability of Windows 8. The guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe.

With WPBT, it is possible to execute code to manipulate Windows operating systems while booting already in the BIOS boot phase (UEFI is also included). The original idea was that OEMs should have the ability to update Windows, regardless of whether the user has done a clean install of Windows. Lenovo used this to include its own updater in the Windows autostart, no matter what the user did.


And here is a hint that HP and Dell are using this to inject drivers from the BIOS into a Windows using the [F6] function key. On the other hand, my sources are suggesting that HP and/or Dell are currently using this stuff. The anti-theft technology introduced by Intel in 2012 but discontinued in January 2015 (see) works like the former Computrace and also uses BIOS ROMs entries to be reinstalled during an OS re-install.

Even under Windows 7 and older BIOS variants, the approach seems to be usable via code injection via ACPI table entries and IRQ 15 (some Microsoft document, which has been pulled, references this, but somewhat more vague).

This makes it clear, that OEMs gain control over your machines and over Windows installs, even, if you intend to do a clean install with Microsoft's Windows install media. The only way to avoid this on affected OEM machines: Install Linux, if available.

Similar articles:
Lenovo ships Superfish adware preinstalled on systems
Dell's Superfish 2: Devices shipped with cloneable Root certificate
Uninstalling 'uninstallable' Windows Updates
Windows 10 error 'Device not migrated'
How to block Windows 10 updates

Cookies helps to fund this blog: Cookie settings

This entry was posted in computer, Windows and tagged , , , . Bookmark the permalink.

4 Responses to Vendors ‘rootkit’: ‘Windows Platform Binary Table’ (WPBT)

  1. Gilles says:

    Maybe another way to avoid this is to install windows on a veracrypt partition ?

  2. a d00d who doesn't want to get cracked says:

    "The only way to avoid this on affected OEM machines: Install Linux, if available."

    If only! Superfish proved that since this is a negative-Ring (hypervisor+) it can be used to inject ANY arbitrary binary. This would be a perfect vector for an Evil Maid attack or NSA-style "Add the Root Kit at the Factory (or Store)"–not as good as Intel ME for stealth but far easier to use locally.

    What this really proves is that any part of any computer that's locked out to you must be assumed to contain spy/malware; guaranteed if you're a high-value target.

  3. Pingback: Erweiterte Konfiguration und Stromversorgungsschnittstelle – Enzyklopädie

Leave a Reply

Your email address will not be published. Required fields are marked *