Tuesday, June 23, 2015

Samsung deliberately disabling Windows Update from working the way the user intends it to

Last updated 6/26/2015 - 4:49 PM EST.

-- Windows Update is abbreviated as "WU" in my own text below.

First of all, I had this included in my post from the get-go, but it was overlooked as it wasn't at the beginning of the post. With that said, I'm moving it here and clarifying a bit more. I was not the sole person involved; it was a multi-person discovery. Here are the people involved:

wavly - The user that had the problem, and the reason we had anything to even discover in the first place.
BrianDrab - Assisted wavly with their Windows Update problem, and investigated with us why it kept getting reset and preventing the user from keeping the setting they wanted.
niemiro - Was largely involved in the discovery by investigating/reverse engineering SW Update.
zcomputerwiz  - Was largely involved in the discovery by suggesting registry auditing.
tom982 - Was largely involved in the discovery by investigating/reverse engineering SW Update.
Tekno Venus -  Was largely involved in the discovery by investigating/reverse engineering SW Update.
Me (Patrick Barker) -  Was involved in the discovery by further reverse engineering and investigating SW Update and its behavior after the above people, and creating the blog post.

I've also seen a few (very few) articles even say I was the individual who was helping with the Windows Update issue(s) wavly was having. For the record, I personally don't know a damn thing about the technicalities of Windows Update, how to fix broken updates, etc. The user assisting wavly with the Windows Update issue(s) was BrianDrab, as I had mentioned in this post, just apparently not prominently (or clearly) enough. I merely further investigated and reverse engineered SW Update, and brought Disable_Windowsupdate.exe and its silent behavior to light.

Onto the post...

On my home forum, Sysnative, a user (wavly) was being assisted with a WU issue. That was going well, aside from the fact that wavly's WU setting kept getting reset to "Check for updates but let me choose whether to download or install them" after every single reboot of Windows. Using auditpol.exe and registry security auditing (shown below), it was eventually figured out that the program responsible for resetting WU was Disable_Windowsupdate.exe, which is part of Samsung's SW Update software.

SW Update is your typical OEM updating software that updates your Samsung drivers, the bloatware that came on your Samsung machine, etc. The one difference from other OEM update software is that Samsung's disables WU from working as the user intends it to.

SW Update will install on:

Windows XP (all Service Packs) - Update service will not be installed whatsoever.
Windows Vista (x86/x64)
Windows 7/SP1 (x86/x64)
Windows 8/8.1 (x86/x64)

Do note that it checks for a Samsung environment, and if one is not detected the program is generally very buggy. Many of its features won't drop their files or work as intended either, which is why a lot of manual work is needed to investigate this program.

What devices does SW Update run on?

Samsung notes:
SW Update allows you to download and install the newest drivers, updates, and software for your Windows PC.
So most likely only desktop- and laptop-type devices running the Windows OS.

Uninstalling SW Update

UPDATE:  I've received confirmation from a Samsung NP350V5C-A06UK user (Windows 8.1) that uninstalling SW Update via the Programs and Features list does in fact remove all of its installed parts, including the service. With that said, it does indeed stop resetting Windows Update's settings after reboots. So the solution to SW Update constantly resetting your Windows Update settings and disabling it from working as you intended is simply to uninstall SW Update.

-- Initially today I had this saying it did not stop it from resetting, but wavly got back to me and said they were mistaken.

First off, here's how it was found. The first two events below (4657, "A registry value was modified") come from svchost.exe (PID 0x5c, running as SYSTEM), i.e. a service host rewriting values under the Auto Update key. The third is a handle request on that same key (event 4656), and it is the one that names the process: Disable_Windowsupdate.exe opened the key with an access mask of 0xF003F, which is KEY_ALL_ACCESS (DELETE plus every key-specific right listed under "Accesses").

 A registry value was modified.  
      Security ID:          SYSTEM  
      Account Name:          PURGED  
      Account Domain:          WORKGROUP  
      Logon ID:          0x3E7  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Object Value Name:     UpdatesAvailableForDownloadLogon  
      Handle ID:          0xecc  
      Operation Type:          Registry value deleted  
 Process Information:  
      Process ID:          0x5c  
      Process Name:          C:\Windows\System32\svchost.exe  
 Change Information:  
      Old Value Type:          REG_DWORD  
      Old Value:          0  
      New Value Type:          -  
      New Value:          -  

And then shortly after...

 A registry value was modified.  
      Security ID:          SYSTEM  
      Account Name:          PURGED  
      Account Domain:          WORKGROUP  
      Logon ID:          0x3E7  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Object Value Name:     UpdatesAvailableForDownloadLogon  
      Handle ID:          0x135c  
      Operation Type:          New registry value created  
 Process Information:  
      Process ID:          0x5c  
      Process Name:          C:\Windows\System32\svchost.exe  
 Change Information:  
      Old Value Type:          -  
      Old Value:          -  
      New Value Type:          REG_DWORD  
      New Value:          0  

      Object Server:          Security  
      Object Type:          Key  
      Object Name:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update  
      Handle ID:          0x144  
      Resource Attributes:     -  
 Process Information:  
      Process ID:          0x1ae4  
      Process Name:          C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64\Disable_Windowsupdate.exe  
 Access Request Information:  
      Transaction ID:          {00000000-0000-0000-0000-000000000000}  
      Accesses:          DELETE  
                     Query key value  
                     Set key value  
                     Create sub-key  
                     Enumerate sub-keys  
                     Notify about changes to keys  
                     Create Link  
      Access Reasons:          -  
      Access Mask:          0xF003F  
      Privileges Used for Access Check:     -  
      Restricted SID Count:     0  


Other Object Value Names that showed up in the same set of events were:
  • CachedAUOptions
  • InstallInProgress
  • UpdatesAvailableForInstallLogon
  • UpdatesAvailableWithUiLogon
  • UpdatesAvailableWithUiOrEulaLogon
  • FirmwareUpdatesNotDownloaded
  • FirmwareUpdatesNotInstalled
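
The auditing that produced the entries above, as an added PowerShell example (this is not code from the original post, nor from Samsung): it enables the "Registry" object-access audit subcategory, puts a SACL on the Auto Update key so that any principal's successful write or delete is logged, and after the next reboot lists the processes that requested handles to the key or modified values under it. The function name Get-AutoUpdateKeyActivity is ours, the key path is the one the events show, and it assumes an elevated PowerShell on Vista or later with Windows installed in C:\Windows.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# 1. Turn on the "Registry" object-access audit subcategory (success and failure).
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry to the key: audit successful writes/deletes by anyone.
#    Get-Acl -Audit enables SeSecurityPrivilege and returns the SACL as well as the DACL.
$acl    = Get-Acl -Path $KeyPath -Audit
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule   = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList 'Everyone', $rights, 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. After the next reboot/logon, pull the Security events that touched the key:
#    4656 = handle requested, 4657 = value modified, 4663 = object accessed.
function Get-AutoUpdateKeyActivity {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657, 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like '*\WindowsUpdate\Auto Update*') {
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Process    = $data['ProcessName']
                ValueName  = $data['ObjectValueName']   # present only in 4657
                AccessMask = $data['AccessMask']        # present only in 4656/4663; 0xF003F = KEY_ALL_ACCESS
            }
        }
      }
}

# Anything outside \Windows that touched the key is what you are after; on the affected
# machine this is where C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\...\Disable_Windowsupdate.exe showed up.
Get-AutoUpdateKeyActivity | Where-Object { $_.Process -notlike 'C:\Windows\*' } |
    Select-Object Time, EventId, Process, ValueName, AccessMask | Format-Table -AutoSize
```

The svchost.exe entries are expected noise: the Windows Update service itself rewrites those values every time it runs, so filter on the process path rather than on the value name, as the last line does.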
Anyway, moving on. Here is SW Update's entry under the Uninstall key (version 2.2.9, installed from C:\ProgramData\Samsung\SWUpdate\Temp\):

 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\AuthorizedCDFPrefix: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Comments: "SW Update Setup"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Contact: "Samsung Electronics CO., LTD."  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayVersion: "2.2.9"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpLink: "http://www.samsung.com"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpTelephone: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallDate: "20150623"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallLocation: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallSource: "C:\ProgramData\Samsung\SWUpdate\Temp\"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\ModifyPath: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Publisher: "Samsung Electronics CO., LTD."  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Readme: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Size: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\EstimatedSize: 0x00008172  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\UninstallString: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLInfoAbout: "http://www.samsung.com"  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLUpdateInfo: ""  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMajor: 0x00000002  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMinor: 0x00000002  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\WindowsInstaller: 0x00000001  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Version: 0x02020009  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Language: 0x00000409  
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayName: "SW Update"  

Here is the rest of its footprint, from a comparison of registry changes before and after installation: its own keys under HKLM\SOFTWARE\Samsung and the SWUpdateService service.

 HKLM\SOFTWARE\Samsung\CurrentPath\20000: ""C:\Program Files\Samsung\SW Update\sManager.exe""  
 HKLM\SOFTWARE\Samsung\SW Update\AgentPath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe"  
 HKLM\SOFTWARE\Samsung\SW Update\InstallPath: "C:\Program Files\Samsung\SW Update\sManager.exe"  
 HKLM\SOFTWARE\Samsung\SW Update\TrafficDecentralize: "Y"  
 HKLM\SOFTWARE\Samsung\SW Update\LastORCAServerUpdateDateTime: "2015-06-22T02:28:42"  
 HKLM\SOFTWARE\Samsung\SW Update\AgentSleepSec: "300"  
 HKLM\SOFTWARE\Samsung\SWMCommon\FirstAgentExecDateTime: "2015-06-23T01:47:42"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Type: 0x00000110  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Start: 0x00000002  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ErrorControl: 0x00000001  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\DisplayName: "SW Update Service"  
 HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ObjectName: "LocalSystem"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Type: 0x00000110  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Start: 0x00000002  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ErrorControl: 0x00000001  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\DisplayName: "SW Update Service"  
 HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ObjectName: "LocalSystem"  

Here we can see some more information, such as its agent's sleep interval of 300 seconds, its first execution timestamp, and the creation of the "SW Update Service" service. I'll break down the service values:

Type (0x00000110): this is SERVICE_WIN32_OWN_PROCESS (0x10) combined with SERVICE_INTERACTIVE_PROCESS (0x100). In other words, a Win32 program that the Service Control Manager starts and that obeys the service control protocol, runs in a process by itself, and is flagged as allowed to interact with the desktop.

Start (0x00000002): SERVICE_AUTO_START, so the Service Control Manager starts it automatically at every boot. (0x0, boot start, and 0x1, system start, are for drivers loaded by the boot loader and the I/O subsystem respectively.)

ErrorControl (0x00000001): SERVICE_ERROR_NORMAL, so if the service fails to start, startup proceeds regardless, with the failure logged and a warning displayed.

We note that its ImagePath is C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE, i.e. the service binary lives under \ProgramData rather than \Program Files.

If you show hidden files and folders and navigate to C:\ProgramData\Samsung, you have two folders, "SW Update Service" and "SWUpdate". If you actually have a Samsung machine, you instead have two "SWUpdate" folders, and both contain XML files. If we take a look at one (BASW-A0394A05_1B33BCEB.xml):

 <?xml version="1.0" encoding="UTF-8"?>  
 <InstallPara1>/pbr /na</InstallPara1>  
 <Str>Windows Configuration</Str>  
 <Str>Windows Configuration</Str>  
 <Str>This program helps your windows configuration settings.</Str>  
 <Str>이 프로그램은 Windows configuration 프로그램입니다.</Str>  
 <TargetCISCode> </TargetCISCode>  
 <BulletineDate>2015-05-12 17:12:43</BulletineDate>  
 <Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>  
 <Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>  
 <FromDate>1900-01-01 오전 12:00:00</FromDate>  
 <ToDate>1900-01-01 오전 12:00:00</ToDate>  

Note its installer file, and that the only <Value> entries in the XML point at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, the same key the audit events flagged. (The Korean <Str> is the same description again, "This program is a Windows configuration program", and 오전 in the date fields means AM.)

We can see now how Disable_Windowsupdate.exe begins its "drop": SW Update downloads the zip it's contained in from:


I find this string excerpt particularly funny:

 <Str>This program helps your windows configuration settings.</Str>  

Once the zip is dropped, we can inspect its contents as well:

If we check the config file for the installer file:

 ;HowTo : The registry location of the installed language....  
 ;%CD%\ = Current Folder Location Variable  
 ;%WinDir% = Windows Folder               ex) C:\Windows C:\Winnt  
 ;%ProgramFiles% = Program Files Folder     ex) C:\Program Files, C:\Archivo de program, C:\Programme  
 ;HowTo : The registry location of the installed language....  
 ;LangID     Lang / Export to  
 ;0412     KOR / KOR  
 ;0409     ENG / UK, HKG  
 ;040C     FRN / FRN  
 ;0407     GER / GER  
 ;0411     JPN / JPN  
 ;0404     CHT / CHT  
 ;0804     CHS / CHS  
 ;0C0A     SPA / SPA  
 ;0816     POR / POR  
 ;0419     RUS / RUS  
 OSConditional= TRUE  
 ShowWin = FALSE  
 RunInAuditMode     = TRUE  
 Setup1=xcopy 32\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y  
 Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"  
 Setup1=xcopy 64\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y  
 Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"  

We can see it uses xcopy to "drop" Disable_Windowsupdate.exe into \ProgramData\Samsung, and then schtasks /create with the Dis_AU.xml task definition to register a scheduled task named "Dis_AU". The two Setup1/Setup2 pairs are the 32-bit and 64-bit variants of the same two steps (note the 32\ and 64\ paths). %ALLUSERSPROFILE% is an environment variable for \ProgramData on Vista and later, and \Documents and Settings\All Users on XP.

We can confirm this by checking ourselves:

Note that the exe is actually signed by Samsung themselves:

So a big question is how this persistently resets Windows Update after you change it and reboot, and the answer is not SW Update itself. SW Update is basically just there to do its job, which is to update Samsung's drivers, software, etc.

What's actually causing Windows Update to be reset persistently, and not letting the user keep it set the way they want, is the scheduled task registered by that installer config: "Dis_AU" has a logon trigger and runs Disable_Windowsupdate.exe at every logon, which puts Windows Update back to "Check for updates but let me choose whether to download or install them".

We can see the task's contents below:

 <?xml version="1.0" encoding="UTF-16"?>  
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  
   <LogonTrigger id="145a3a6c-a630-4ec0-985d-1280512f0ba8">  
   <Principal id="Author">  
  <Actions Context="Author">  
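
To check a machine for the artifacts walked through above (the SWUpdateService service key and its Type/Start values, the binary the installer's xcopy line drops into %ALLUSERSPROFILE%\Samsung, the Dis_AU task that the schtasks line registers, and the resulting Windows Update setting), here is an added PowerShell example. It is not code from the post or from Samsung: the function name Get-SWUpdateArtifacts and the AUOptions decoding are ours, while the paths, service name and task name are the ones the post shows.

```powershell
# Added example, not code from the original post or from Samsung.
function Get-SWUpdateArtifacts {
    $r = @{}

    # 1. The service created at install time, decoded the same way the post breaks it down.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SWUpdateService' -ErrorAction SilentlyContinue
    if ($svc) {
        $r.ServiceImagePath = $svc.ImagePath                                       # ...\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE
        $r.ServiceType      = [System.ServiceProcess.ServiceType]$svc.Type         # 0x110 -> Win32OwnProcess, InteractiveProcess
        $r.ServiceStart     = [System.ServiceProcess.ServiceStartMode]$svc.Start   # 2 -> Automatic
        $r.ServiceAccount   = $svc.ObjectName                                      # LocalSystem
    }

    # 2. The binary dropped by "xcopy 32|64\Disable_Windowsupdate.exe %ALLUSERSPROFILE%\Samsung\".
    $exe = Join-Path $env:ALLUSERSPROFILE 'Samsung\Disable_Windowsupdate.exe'
    if (Test-Path -LiteralPath $exe) {
        $bytes  = [System.IO.File]::ReadAllBytes($exe)
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $r.DropperPath      = $exe
        $r.DropperSHA256    = ([System.BitConverter]::ToString($sha256)) -replace '-', ''
        $r.DropperSigner    = $sig.SignerCertificate.Subject   # the post notes the exe is Samsung-signed
        $r.DropperSigStatus = $sig.Status
    }

    # 3. The "Dis_AU" task registered by "schtasks /create /XML Dis_AU.xml /tn Dis_AU".
    $taskXml = schtasks.exe /query /tn 'Dis_AU' /xml 2>$null
    if ($LASTEXITCODE -eq 0) {
        $t = [xml]($taskXml -join "`n")
        $r.TaskTriggers = ($t.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ', '   # expect LogonTrigger
        $r.TaskCommand  = $t.Task.Actions.Exec.Command
        $r.TaskRunAs    = $t.Task.Principals.Principal.UserId
    }

    # 4. What Windows Update is currently set to. AUOptions under the Auto Update key:
    #    1 = never check, 2 = check but let me choose whether to download/install (what the
    #    post sees after every reboot), 3 = download but let me choose whether to install,
    #    4 = install automatically (recommended).
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $r.AUOptions = $au.AUOptions

    New-Object PSObject -Property $r
}

# Run once, set Windows Update to "Install updates automatically", reboot, and run again:
# if Dis_AU is still registered and AUOptions is back to 2, this is the behaviour the post describes.
Get-SWUpdateArtifacts | Format-List
```

Everything here is read-only, so it is safe to run on a machine you are still investigating; the post's own remedy, uninstalling SW Update from Programs and Features, removes the service, and the task should disappear with it.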

Let's see it in action

So first off, as I noted earlier in the post, if you're trying to run the Samsung update software, the disabler, etc. in a non-Samsung environment, it's really buggy. My VM was going through convulsions just trying to take screenshot examples after frequent restarts, so there are a few minutes between each screenshot.

Here's what WU looks like directly after installing SW Update:

Note that it's set to 'Check for updates but let me choose whether to download and install them'.

Let's change it to 'Install updates automatically (recommended)':

Cool, let's restart and check again.

Oh, this doesn't look right. Let's check the settings:


There's a bit more to it that I'd like to get to eventually, but I suppose this is enough to get the point across. Anyway, with this known, I decided to try Samsung's chat to see if they knew of it:

You are now chatting with 'Rep'. There will be a brief survey at the end of our chat to share feedback on my performance today.
Your Issue ID for this chat is *purged*.
Rep: Hi, thank you for reaching out to Samsung technical support. How may I assist you?
ringzero: Hi Rep, I have a question regarding your SW Update software.
Rep: Hi Ringzero, please go ahead with your question.
Rep: I'll be glad to assist you.
ringzero: Thanks Rep! My question is, why does this software actively monitor the registry and deliberately cripple Windows Update by forcefully disabling it?
Rep: SW Update tool helps in automatically detecting the hardware on the laptop and installs the supporting drivers for them. I am afraid this tool has no direct effect on the registry of your laptop or Windows Updates.
ringzero: Rep, I am afraid that you're incorrect. SW Update drops an exe named "Disable_Windowsupdate.exe"
ringzero: When SW Update is installed, Windows Update is always disabled. If it's enabled, or set to a setting of your liking, it'll be re-disabled on reboot.
ringzero: If SW Update is uninstalled, Windows Update stays enabled persistently throughout reboots.
Rep: Thank you for waiting. I'll be with you in just a moment.
ringzero: Sure.
Rep: When you enable Windows updates, it will install the Default Drivers for all the hardware on the laptop which may or may not work. For example, if there is USB 3.0 on the laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.

So thanks to Rep over at Samsung, we now know Samsung's motive for disabling WU.

OEMs, come on... has Superfish taught us nothing?

Upload/report this as malware to Microsoft/MSRC, etc., because that's exactly what it is. Why would you ever tamper with WU in such a fashion (or at all), in a way a typical user cannot control, leaving them vulnerable?

x86 MD5


x64 MD5


x86 SHA-256


x64 SHA-256


Small edit: I edited out the Samsung rep's real name to just 'Rep'. It was clearly a tier 1/2 support just doing their job, and I of course don't want them getting in any trouble since this appears to be blowing up. After all, as I said, this isn't their fault at all.


According to a few news articles, here's Samsung's latest statement:
"It is not true that we are blocking a Windows 8.1 operating system update on our computers. As part of our commitment to consumer satisfaction, we are providing our users with the option to choose if and when they want to update the Windows software on their products," said Samsung.
"We take product security very seriously and we encourage any Samsung customer with product questions or concerns to contact us directly at 1-800-SAMSUNG."
I don't understand what this statement is implying, and it may have been lost in translation between Samsung and whichever reporter/editor got the statement, because I never implied it specifically blocked a "Windows 8.1 OS update", just that their SW Update software prevents Windows Update from automatically installing updates and forces the user to have it set to "let me choose whether to download and install". If you attempt to change it, it switches right back on a reboot. Microsoft has openly stated that they do not like the fact that it's persistently changing, or even existing in the first place without the user's consent. It's disabling Windows Update from working as the user intends it to.

However you look at this, Samsung's solution to what we can guess is a device-driver workaround was not done in the best way, or a safe way. I mean, come on, the exe is named Disable_Windowsupdate.exe. In any case, if it appears I am acting as an enemy of Samsung, I'm not. I'm just a 22-year-old cashier with a love for Windows internals who, with a few others, found a security risk for Samsung's Windows users. That's it.

Update #2

According to a few news articles, here's Samsung's latest statement:
“Samsung has a commitment to security and we continue to value our partnership with Microsoft. We will be issuing a patch through the Samsung Software Update notification process to revert back to the recommended automatic Windows Update settings within a few days."
I'm very glad Samsung is committed to resolving this issue so soon. Ultimately, in a perfect world, I hope OEMs will learn from Superfish and SW Update, as it would be disheartening to see a similar issue occur in the future. I feel OEMs need to disclose to their users what their software intends to do and, if possible, give them a choice.

If this is done, it's not "under the table" anymore, so to speak. If Samsung's users had been notified in the first place that their Windows Update settings were being actively modified, then even though it might still have been a question of poor implementation/methods, it probably wouldn't have been seen as malicious or questionable behavior, as it would at least have been known.