Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jamesits/dropwpbt

Disables the Windows Platform Binary Table (WPBT) in your UEFI firmware.
https://github.com/jamesits/dropwpbt

acpi uefi uefi-application wpbt

Last synced: 5 days ago
JSON representation

Disables the Windows Platform Binary Table (WPBT) in your UEFI firmware.

Host: GitHub
URL: https://github.com/jamesits/dropwpbt
Owner: Jamesits
License: bsd-2-clause
Created: 2020-04-23T03:45:38.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-05-22T09:36:27.000Z (over 4 years ago)
Last Synced: 2024-12-08T14:35:36.814Z (14 days ago)
Topics: acpi, uefi, uefi-application, wpbt
Language: C
Homepage:
Size: 43.9 KB
Stars: 388
Watchers: 12
Forks: 29
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# dropWPBT

Disables the Windows Platform Binary Table (WPBT) in your firmware. This program use a non-permenant, non-destructive method to remove the table from system memory, so it should be executed every time the computer is rebooted before Windows bootloader starts.

## Usage

### Requirements

* amd64 architecture
* UEFI firmware
* disabled Secure Boot

### Installation

#### With a 3rd-party bootloader

Put `dropWPBT.efi` to a location where it will be executed every time before Windows starts.

* [rEFInd](https://www.rodsbooks.com/refind/): `ESP:\EFI\refind\drivers_x64`
* [OpenCore](https://github.com/acidanthera/OpenCorePkg): `ESP:\EFI\OC\Drivers`
* [Clover](https://github.com/CloverHackyColor/CloverBootloader): `ESP:\EFI\CLOVER\drivers\UEFI`

You can also load it using UEFI shell's `startup.nsh`, or even manually.

#### Without an external bootloader

This method is for advanced users. You need to be familiar with how UEFI works. The commands below is just for reference, do not blindly copy and paste!

`dropWPBT-loader.efi` can act as a bootloader itself. To install, launch a `cmd.exe` with Administrator privilege and type something like this:

```
mountvol T: /S
mkdir T:\EFI\boot
cp dropWPBT-loader.efi T:\EFI\boot\bootx64.efi
bcdedit /set {bootmgr} path \EFI\boot\bootx64.efi
mountvol T: /D
```

## FAQ

### What is WPBT?

[Windows Platform Binary Table (WPBT)](https://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx) is an ACPI table in your firmware allowing your computer vendor to run a program every time Windows (8 or later) boots. This is a convenient method for computer vendors to force the installation of a service program or an anti-theft software, but this also means your fresh installed Windows will have potentially unwanted 3rd party programs running straight on the first boot, and you, the end user, would have no control over it. Also, firmware is not updated as frequently as your OS or software, which means if there is a security vulnerability in the WPBT-loaded program, a fair number of users might never get the update.

A lot PC vendors ([Lenovo](https://borncity.com/win/2017/12/06/vendors-rootkit-windows-platform-binary-table-wpbt/), [ASUS](https://www.dpreview.com/forums/thread/4438288), [Huawei](https://www.v2ex.com/t/665111), etc.) are known to utilize WPBT table to run their own programs on the consumer's computer.

### How to verify if my computer have a WPBT?

You can use one of the following software:

* NirSoft's [FirmwareTablesView](https://www.nirsoft.net/utils/firmware_tables_view.html)
* [RWEverything](http://rweverything.com/)

Note that they might not work if you enabled [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity).

Alternatively you can search for `C:\Windows\system32\wpbbin.exe`. This program might delete itself after running so this is not a reliable evidence.

### Is there any alternative methods to disable the WPBT?

#### From Windows

This is an undocumented feature, use it at your own risk. To disable WPBT execution from a running Windows, set the following registry key:

```ini
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"DisableWpbtExecution"=dword:00000001
```

How to set a registry key on the first boot before session manager starts is left as an exercise to the reader. (Hint: One possible method is to set this registry key in a WIM file using [BiscuitTin/Disable-WpbtExecution](https://github.com/BiscuitTin/Disable-WpbtExecution).)

For more information, see [`sminit.c`](https://careers.microsoft.com/).

#### From a 3rd-party Bootloader

Hackintosh-oriented bootloaders such as OpenCore have their own config for deleting ACPI tables which does exactly the same thing as this program. Please see their documentation.

#### From the Firmware

Some vendors provide an option to disable WPBT in the firmware settings on some models.

* Lenovo: [Lenovo LSE Windows Disabler Tool](https://support.lenovo.com/no/zh/downloads/ds104370)
* ASUS: Disable "ASUS Grid Install Service"