If you recall, Lenovo also had the Superfish controversy last year.
http://arstechnica.com/information-...theft-feature-to-install-persistent-crapware/
Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.
The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that "most" is not "all." Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the "Lenovo Service Engine."
Lenovo's own description of what the software did differs depending on whether the affected system is a desktop or a laptop. On desktops, the company claims that the software only sends some basic information (the system model, region, date, and a system ID) to a Lenovo server. This doesn't include any personally identifying information, but the system ID should be unique to each device. Lenovo says that this is a one-time operation and that the information gets sent only on a machine's first connection to the Internet.
For laptops, however, the software does rather more. LSE on laptops installs the OneKey Optimizer (OKO) software that Lenovo bundles on many of its machines. OneKey Optimizer arguably falls into the "crapware" category. While OKO does do some somewhat useful system maintenance (it can update drivers, for example), it also offers to perform performance "optimizations" and cleaning "system junk files," which both seem to be of dubious value.
Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.
The issue was spotted by a poster on our own forums. That poster described some even more undesirable behavior on Windows 7 systems. On those machines, it appears that LSE replaces a Windows system file, autochk.exe (which is used for the boot-time chkdsk filesystem verification and repair process). The bogus autochk.exe then creates system services that fetch files over unencrypted HTTP.
Lenovo's own guidance alludes to the overwriting of system files, but it's not at all clear how this is happening on Windows 7 (the Windows capability to run executables stored in firmware appears to be new to Windows 8) or why it's overwriting a system file. We've asked Lenovo about these issues, but the company merely referred us to its statement announcing the discontinuation of LSE and the availability of removal tools. (We suspect that the system in question has more than one way of injecting software into Windows, but more on this shortly.)
Microsoft's guidance for the Windows feature that enables this facility has also been updated to note that software injected in this way should be written to be secure and that insecure programs are liable to be treated as malware. As for the feature itself, that remains a part of Windows.
And in its own awful way, it's a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.
the rest at the link..
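
For anyone who wants to check whether their own firmware publishes a WPBT, here is an added example (not part of the quoted article or of any Lenovo or Microsoft code) that parses a raw WPBT table and reports what it points at. The field layout follows the standard 36-byte ACPI table header plus the WPBT fields as I understand Microsoft's published layout; the Linux sysfs path is where the kernel exposes raw ACPI tables, and the sample table and all names in the code are constructed for illustration.

```python
import struct
from pathlib import Path

# Linux exposes raw ACPI tables here (root needed); path is absent when no WPBT exists.
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")
HEADER = struct.Struct("<4sIBB6s8sI4sI")   # standard 36-byte ACPI table header
BODY = struct.Struct("<IQBBH")             # WPBT-specific fields, 16 bytes (assumed layout)


def parse_wpbt(raw: bytes) -> dict:
    """Validate a raw WPBT table and return the fields that describe the binary."""
    if len(raw) < HEADER.size + BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _cksum, oem_id, _oem_tbl, _orev, _cid, _crev = HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(raw):
        raise ValueError("length field does not match table size")
    size, addr, layout, ctype, arg_len = BODY.unpack_from(raw, HEADER.size)
    args = raw[HEADER.size + BODY.size:]
    if arg_len > len(args):
        raise ValueError("argument length runs past end of table")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "checksum_ok": sum(raw) % 256 == 0,   # ACPI: all bytes sum to 0 mod 256
        "binary_size": size,                  # bytes of executable held in firmware memory
        "binary_phys_addr": addr,             # physical address of that executable
        "content_layout": layout,             # 1 = single PE image
        "content_type": ctype,                # 1 = native user-mode application
        "arguments": args[:arg_len].decode("utf-16-le", "replace").rstrip("\0"),
    }


def build_sample() -> bytes:
    """Constructed table for demonstration only; every value here is made up."""
    args = "demo".encode("utf-16-le") + b"\0\0"
    body = BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    length = HEADER.size + len(body)
    hdr = HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256                # checksum byte sits at offset 9
    return bytes(raw)


if __name__ == "__main__":
    raw = SYSFS_WPBT.read_bytes() if SYSFS_WPBT.exists() else build_sample()
    print(parse_wpbt(raw))
```

If the sysfs file does not exist, the firmware did not publish a WPBT and the script falls back to the constructed sample.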