WGA installed somehow. I'd like to remove it. Help appreciated.

Hi all,

I don't have a problem, per se. But...

On principle only, I have avoided installing genuine advantage, because I see it as an insult, and frankly, I don't trust Microsoft. WGA can't help me... it can only hurt.

Somehow, after a BSOD, when rebooting the system, Win 7 decided to install all available updates, including WGA.

My system seems fine, and I understand that it installed in the KB971033 update.


I've uninstalled the update, but I'm guessing that's not enough. MS want's this installed at all costs, and I hear tales that it's hard to make it go away.

I don't want to ruin my perfectly good Win 7... by hacking at WGA. Is there a safe way to remove this update on a fully legitimate system?

I see a lot op people talking about RemoveWAT and such... but that all looks risky to me, and probably meant to support illegit users instead of me.

Thank you for your kind help.





(I don't think this applies... but just following instructions:)

Code:

 
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
 
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-PPFV4-CM7CT-FPM92
Windows Product Key Hash: z2J7lOhqbV/3b1kg744ppvCSvTA=
Windows Product ID: 00371-154-4241557-85980
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {F18217F1-01C4-4B28-9D9F-B7F9370EE591}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A
 
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
 
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
 
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
 
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Basic 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
 
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
 
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
 
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F18217F1-01C4-4B28-9D9F-B7F9370EE591}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-FPM92</PKey><PID>00371-154-4241557-85980</PID><PIDType>5</PIDType><SID>S-1-5-21-2124452708-2489145956-3947965187</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS P5N-D ACPI BIOS Revision 0402</Version><SMBIOSVersion major="2" minor="4"/><Date>20080305000000.000000+000</Date></BIOS><HWID>40DD3607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0013-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Basic 2007</Name><Ver>12</Ver><Val>8342AAA90BEEDB0</Val><Hash>FuEXBCBHbA1UNVbZS0VxbgOXqOc=</Hash><Pid>89445-OEM-6472817-12130</Pid><PidType>4</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 
 
Spsys.log Content: 0x80070002
 
Licensing Data-->
Software licensing service version: 6.1.7601.17514
 
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: e838d943-63ed-4a0b-9fb1-47152908acc9
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-154-424155-01-1033-7600.0000-3382010
Installation ID: 014765372716980624518450188522846676823056036111385131
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: FPM92
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 5/18/2014 1:54:34 PM
 
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 4:20:2014 11:58
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:
 
 
HWID Data-->
HWID Hash Current: NgAAAAIAAgABAAIAAgACAAAAAQABAAEAln0cuEbT4HHAIEgkfn5eFpgiQqrA+5DY3Y6clkxY
 
OEM Activation 1.0 Data-->
N/A
 
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
ACPI Table Name OEMID Value OEMTableID Value
APIC Nvidia ASUSACPI
FACP Nvidia ASUSACPI
HPET Nvidia ASUSACPI
MCFG Nvidia ASUSACPI

Welcome Ryder.

WGA is there because MS doesn't trust you..or me. It is entirely harmless and won't bork your system when it is a legit one. If I remember right, it checks a PC once every 90 days for validity.

You can go to Services, find Windows Activation Technologies and disable it.

Hello Ryder,

If you play with WGA, you're Windows is going to eventually if not immediately become not activated and found to be non genuine.

Without WGA, your Windows installation will be considered to be the same as an illegal copy.

I always thought of it this way. I guess because I try to think simple and don't seem to have a problem doing so.

*I don't own Window 7, I just pay for the right to use it. Kind of like a forever lease.
Therefore I must follow the agreement with Microsoft. To check on that agreement Microsoft takes a look now and again to see if the agreement is being followed by me.
I don't have a problem letting them doing that.

To worry about that little bit of code is like taking a pe pe in the Atlantic thinking the sea level is going to raise. Don't worry the sea level isn't going to rise. I have tried it; and that little bit of code isn't going to hurt computers that have a legal copy of Windows. I have tried that also.

Recently I read that the more one tries to be anonymous on the net, the harder the NSA or homeland Security tries to find you. You're not paranoid, people are out to get you.

Now for the facts :)

Please do not confuse WGA with the WAT update - WGA is the underlying technology while the update is an add-on that seeks to improve on the basic detection provided by WGA.

1) Uninstalling the WAT update (KB971033) is simple - and RyderWSF has already done it, as evidenced by his(?) MGADiag report - use the option to uninstall it from Installed Updates, or run the manual command
wusa /uninstall /kb:971033
in an elevated Command Prompt window.

2) the WAT update occasionally 'phones home' simply to update its knowledge of the latest hacks and cracks that MS posts (it may also send back unidentifiable details, if a non-genuine situation is found).

3) The WAT update is an add-on to the basic WGA system in Windows 7 only - and runs roughly every 90 days to check system integrity. If it's not allowed to contact the servers (after a number of attempts) for any reason, it will flag the system as non-genuine for this reason (which is why it should not be installed on standalone systems with no internet access).

4) The basic WGA system also runs checks on the system at every boot, and at roughly 24-hour intervals, to check system integrity. If the system fails any of these tests, or they are not completed in a timely manner, then the system will be flagged as potentially non-genuine.

At no time does WGA (or MGA) send any personally-identifiable data anywhere. As far as I am aware, the nearest it gets to such data is a hardware hash and a hash of the Product ID.

The number of CPU cycles used by either WGA or WAT are miniscule compared to the number available. The purpose of BOTH is to attempt to ensure that the user is aware that they are using either counterfeit or potentially-compromised software. The SPPSVC service that effectively is WGA must run on startup - or the system will almost immediately be flagged as non-genuine. It then goes into a sleep mode and is woken by either a validation/activation request, or by a Scheduled task. It does its job in about 5 seconds, then waits in the background for a minute, and goes back to sleep.

The WAT update runs soon after installation to update itself, then switches off completely - it is re-awoken either by a validation request, or by another Scheduled task at variable intervals (which get longer each time) of up to 90 days. It then attempts to contact the server and update itself again for up to 10 days. If it fails to do this it will flag the system as non-genuine. If it succeeds, then it does a quick check against its definitions and forces a WGA scan and if it finds nothing amiss it switches itself off until the next time the Schedule dictates. If it does find a problem, it flags the system as non-genuine.

Validating Windows at www.microsoft.com/genuine/validate will effectively force an install of the WAT update, as will validating to download/install some non-security updates from the MS download centre without using the alternative validation method.

In short, there has been a lot of myth, rubbish and scare-mongering surrounding both WGA and WAT ever since they were first devised in an effort to reduce the prevalence of counterfeit software in the market. Much of the scaremongering was in fact generated by people who had an axe to grind - those who produced the counterfeits, and laced them with malware and backdoors to be able to run botnets on the resulting installs. It was perpetuated by journalists who like a good scare-story as much as (if not much more than) most.

One of the myths is that WAT causes a non-genuine problem when installed. It doesn't. It simply runs and finds that the non-genuine problem already existed, and therefore flags it. Many systems should be showing as non-genuine that aren't, simply because the WAT update isn't installed - running MGADiag shows a number of instances where a problem exists, but the system isn't showing as non-genuine. Installing the WAT update provides additional diagnostic data to MGADiag, which allows a more informed diagnosis and repair.

WAT DOES NOT SLOW THE PC - except for about 5 seconds every couple of months
WGA DOES NOT SLOW THE PC - except for about 5 seconds every boot, and another 5 seconds every so often.
NEITHER WAT NOR WGA send personally-identifiable information anywhere.

Hope this helps a little! :)

Good job Noel, and yes it does help. Even for a simple person like me.

I can live with a 5 sec sneak peak every month or so.