Windows 7: The ‘Zombie’ GWX sighted again

[German]Another little conspiracy theory about the forced upgrade from Windows 7 systems to Windows 10. I just read a report that someone found GWX on a Windows 7 system. GWX doesn't upgrade this time, but some old GWX tasks are still running.

Some GWX background

In the period from July 2015 to July 2016, Windows 7 and Windows 8.1 were upgraded to Windows 10 free of charge. Microsoft delivered the GWX program as part of updates to this system. With the GWX app, the user could then upgrade from Windows 7/8.1 to Windows 10 free of charge.

The way Microsoft tried to lure users to upgrade to Windows 10 led to a lot of trouble, problems and a some lawsuits. Meanwhile, several lawsuits have come to an end claiming damages from affected users. At the end of the free upgrade period, Microsoft shipped an update to Windows 7/8.1 machines that disabled the GWX app. I had reported in the 2016 blog post Windows 7/8.1: Update KB3184143 removes Get Windows 10 app.

Although there was always the suspicion that the GWX app was back – see my article Some confusion about Updates KB2952664/KB2976978  from 2016,. It turned out that the GWX app came to the systems as part of reliability updates. The functionality for the 'forced upgrade' to Windows 10 was no longer included. A Microsoft spokesperson told InfoWorld that the updates in question did not include code to upgrade to Windows 10.

There is no Get Windows 10 or upgrade functionality contained in this update. This KB article is related to the Windows Update and the appraiser systems that enables us to continue to deliver servicing updates to Windows 7 and Windows 8.1 devices, as well as ensure device and application compatibility.

However, the question arises why GWX is still rolled out with updates for Windows 7 and 8.1. Because Microsoft distributes the nice reliability updates KB2952664/KB2976978 with nice regularity.

Keep reliability updates away

Many users therefore try to keep Windows 7 SP1 systems 'clean' and block reliability updates (for upgrading to Windows 10). However, it doesn't seem that easy, since Microsoft uses many ways to get the updates to the system. A few days ago I blogged about a user experience, that Updates KB2952664/KB2976978 has been blocked but have been installed even though (see my German blog post Zwangsinstallation der Windows 7/8.1 Updates KB2952664/KB2976978 (Januar 2019)?). It became clear that it might be a wrong update setting (it's required to set Windows 7 update that updates are downloaded and installed, only if the user accept that). A blog reader pointed within a comment to a statement from askwoody.com.

"As of the 2018-09 Preview Rollup, and continuing with the monthly Rollups from 2018-10 Monthly Rollup onward, Microsoft has included the functionality of KB2952664 in the Rollups. It is no longer a separate patch and cannot be uninstalled separately from the Rollup. "CompatTelRunner.exe" is a part of this functionality."

In other words: As soon as someone installs Rollups or Preview Rollup Updates, the respective routines are applied to the system.

GWX found on a Windows 7 system

Yesterday I stumbled uppon the article I found a Windows 7 PC still infected with GWX (Get Windows 10) software, dated January 14, 2019, from Michael Horowitz. Michael wrote that he just found a Windows 7 PC, which was still trying to upgrade to Windows 10. He found some attempts in the Event Viewer logs.

Bugfixes were last installed on the affected computer on December 3, 2018, i.e. the system was at the patch level of November 2018. The machine's event log indicated that GWX (Get Windows 10) tasks were scheduled. Michael then looked at the Task Scheduler's entries using NirSoft's TaskSchedulerView program.

GWX-Task
(Source: Michael Horowitz)

Sorting the list to display the most recently executed tasks produced a task called Time-5d, which executed the GWX.exe program in the C:\Windows\system32\GWX folder. The program runs every day and Horowitz could not disable the task, not even as an admin user.

There was another task (refreshgwxconfig-B) that is executed every day. The program schtasks.exe is running and cannot be deactivated. A third GWX task, Logon-5d, was executed at user logon. This also executes the GWX.exe program and, like the others, could not be deactivated.

C:\Windows\system32\GWX
(Source: Michael Horowitz)

A quick look at the folder C:\Windows\system32\GWX showed that the program GWX.exe was created on May 7, 2015. The same applied to the other GWX-related programs. A check of various task scheduler entries revealed that none of the tasks from the Microsoft\Windows\Setup\GWXTriggers group had been executed. Since he could not disable the tasks and rename the GWX.exe, he renamed the parent folder. More details can be found within the article from Michael Horowitz.

The reason still unclear

For me it is unclear why the files and tasks are still on the Windows 7 system. Maybe it's old remnants from 2015 – that's also, what Michael Horowitz suppose (something went wrong during uninstalling).

This entry was posted in Windows and tagged . Bookmark the permalink.

One Response to Windows 7: The ‘Zombie’ GWX sighted again

  1. EP says:

    I'm kinda late on commenting on this but perhaps Michael Horowitz was not fully aware of the KB3184143 update released for Windows 7 back in late 2016, which was supposed to remove much of the GWX stuff. here's the MS support link to the 3184143 update:
    https://support.microsoft.com/en-us/help/3184143

    only certain Windows 7 users who use Windows Update to manually check for updates have been offered the KB3184143 update and is not distributed automatically when Automatic Windows Updates are enabled.

Leave a Reply to EP Cancel reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).