Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, May 31, 2006

WgaTray.exe opens security hole

It’s called Windows Genuine Advantage.   I’ve received a couple Emails about the file WgaTray.exe which was part of this weeks Windows Update. Some questioned how this file was able to run on startup but isn’t listed by WinPatrol or other programs as an AutoStartup program.

Well, the answer is simple; this program is part of the Windows Operating system.  After Windows starts it looks for this file in the system32 folder and runs it.  Unfortunately, there’s a serious problem in with the way how Microsoft has implemented their anti-piracy system.  The way Windows handles this file opens up a big security hole that most programs won’t plug.  Any malicious program can delete the WgaTray.exe and replace it with its own malware using the same name.  Windows does nothing to verify this program before running it the next time you reboot.

Microsoft describes this program as follows: "By using genuine Microsoft software, you can be confident that your software is legitimate and fully supported by Microsoft.” As if  “you” didn’t already know.  More information can be found at and

You can also find a discussion at Broadband,15963038  The topic of the discussion is more about flaws in Windows piracy then security.  If you have your system set for auto-updates the newest version of WgaTray.exe will have been downloaded this week.


Share on Facebook


Anonymous Anonymous said...

Truth: Windows starts WGATray.exe just like any other auto-start program (anti-virus scanners, firewalls, etc).

Reality-check: Without an antivirus program running in the background (most of which DO check for program replacement activity, as do anti-spyware programs), ANY file can be replaced by "some" malicious program.

Protection: run in 'limited-user' mode all the time. Only change yourself to privileged-user when you absolutely HAVE to do so (like when installing programs). A limited user cannot delete executables in the Windows folders, cannot install programs and cannot set things to auto-start. Running as a limited-user will also prevent many other kinds of problems too.

6:58 PM  
Blogger Unknown said...

You make great points, thanks for taking the time to post.

It's not just another auto-start program because it's not even detected by msconfig. That's the root of my complaint.

WgaTray isn't implemented like other Windows system file. When Windows core technology was designed a lot of smart ideas for security were built in. The WGA technology was an after-thought which was probably created at the request of some non-technical higher up.

The threat from WgaTray isn't high-risk because it can only be used if Malware has been introduced on a machine in the first place. If it was I'd be making a lot more noise.

Unfortunately, "I knew I shouldn't have hit that button" infections happens all the time. Most users have good Anti-Malware software which will detect and clean up any infiltrations. If however, the malware replaces WgaTray.exe it won't be detected. And then, if it tries to communicate out to the net, will Windows XP's built in firewall catch it?
Non-Microsoft firewalls will catch it but many users will probably give it permission.

It's a sloppy way to implement copy protection.

3:41 PM  
Blogger O2B said...

Instead of renaming files and modifying registry keys could I simply tell my comodo firewall to not allow wgatray.exe to connect to the internet and make it a permanent rule by ticking the check box ?

12:54 PM  
Anonymous Anonymous said...

Ubuntu, anyone?

10:30 PM  

Post a Comment

<< Home