Update: Windows Genuine Advantage – What it is, how to ditch it

Windows Genuine Advantage (WGA) software is installed on computers running Windows XP via Microsoft’s online update services. For most XP users, that means Automatic Updates, which Microsoft has worked very hard since Windows XP SP2 to make us run in full-automatic mode. WGA has appeared in several beta versions, with slightly different behaviors, and Microsoft appears to be continuing to develop this software. For many people, the fact that the software giant delivers WGA as a security update is another strong note of insincerity. Microsoft may kid itself into believing that WGA has some sort of security aspect, but many knowledgeable computer users aren’t buying that.

There are two separate parts of Windows Genuine Advantage for Windows XP: WGA Validation and WGA Notifications.

WGA Validation is the component that checks Windows to make sure it’s a properly licensed copy of the software. It first appeared prior to the download of Microsoft AntiSpyware beta 1 (later renamed Windows Defender). Your system must be validated in order to receive some software (such as Internet Explorer 7, Windows Defender, and Windows Media Player 10) from Windows Update and Microsoft Update. WGA Validation has been required for access of these types of downloadble software from Microsoft since July 2005. WGA Validation is the heart of WGA. WGA Validation is not required to receive security patches from Automatic Updates. (See Microsoft’s KnowlegeBase article, Description of Windows Genuine Advantage, for more information about WGA Validation.)

WGA Notifications was designed to remind users who fail validation that their Windows software has been deemed by WGA Validation to be illegitimate. It directs people who experience this to resources to learn more about getting what Microsoft calls “genuine” software. WGA Notifications was rolled out this spring. WGA Notifications is delivered via Automatic Updates and it is technically optional. You can choose not to install it, but figuring out how to keep it from slipping in with high-priority security patches is not that easy (see later in this story for precise instructions on how to do that). According to Microsoft, there is no penalty for opting out of WGA Notifications. Opting out does not stop a user from receiving security updates via Automatic Updates. (See Microsoft’s KnowledgeBase article, Description of Windows Genuine Advantage Notifications, for more information.)

You already have WGA Validation on your Windows XP installation, unless you haven’t received security patches since before July 2005. If you use the Automatic Updates feature of XP, WGA Notifications is also most likely already on your system. WGA Notifications has appeared in several beta versions, with slightly different behaviors. And Microsoft appears to be actively developing this tool. For many people, the fact that the software giant is delivering WGA Notifications, and also continues to deliver WGA Validation as needed — as high-priority security updates — is a strong note of insincerity on the part of the software giant. Microsoft may be kidding itself that WGA has some sort of security aspect, but most knowledgeable computer users aren’t buying it.

At press time, when WGA detects a problem, it lets you keep running Windows, periodically popping up WGA Notifications nag screens to make sure you know that your Microsoft software may be counterfeit. If this happens to you, you should pursue WGA Notifications process; it may provide you with information that will help you rectify the problem. WGA Notifications may be annoying, and it does directly contact Microsoft’s servers on its own, but it is WGA Validation that actually makes the determination about whether you’re in license compliance. WGA Notifications is primarily a messenger, and some of its messages may be helpful.

For example, in my tests I was able to make the WGA “counterfeit” warning appear by changing the date of the system clock one month later. The Web-based WGA program was able to determine that was the problem and it suggested I reset the system date. When I did that, the WGA warnings disappeared. While most WGA detections don’t resolve that easily, it can’t hurt you to learn as much as you can about why WGA believes your copy Windows is illegitimate.

So what could happen? I’ve received several detailed reports from readers about their experiences with WGA that involves purchases of full retail copies of Windows XP from reputable dealers like Fry’s, Staples, and BestBuy. The worst part of this is that there is no external review of WGA Validation’s determinations. And while it’s true that many people may have no idea that their copy of Windows isn’t “genunine,” there’s no way that WGA Validation could be perfect in its determinations. One story I’ve heard from several readers is that they bought a retail “upgrade” installation of Windows XP Pro (from a reputable source) to upgrade a PC that came with Windows XP Home, and got into trouble after installing it. There’s no way that all these copies of Windows XP Pro are counterfeit. And these people have paid the normal price for the software. It should not be up to customers to determine whether software is valid at retail. Microsoft should be able to go after counterfeiters on its own, without getting retail buyers involved.

Despite the possibility of scary messaging, WGA Notifications doesn’t have much of an enforecment bite at present. But might that change in the future? Microsoft has said it won’t “turn off” illegitimate copies of Windows. But could the software giant be interpreting that literally? The more likely preventive measure probably isn’t turning off the computer. It’s not hard to imagine that WGA might direct its predecessor, Windows Product Activation (WPA), to lock you out of your computer until such time that you can present a valid product key. When WPA kicks in, the computer boots to a login screen that doesn’t let you use the computer until a valid activation code is entered. In Vista, this WPA screen links to an option that lets you buy a new copy of Windows, even extending use of Internet Explorer for that purpose, though you can’t actually login to Windows prior to successful activation.

Microsoft has more than once alluded to the fact that it’s reserving the right to require the installation of WGA Notifications on all computers, possibly sometime early this fall. WGA Validation and Notifcation are built into Windows Vista, without any user option to remove them. It’s simply not known yet how Vista’s version of WGA will behave.

At this writing, it is possible to both remove WGA Notifications and also to prevent it from attempting to reinstall after you have removed it.

How to Ditch WGA Notifications

There are many sites on the Internet that purport to help you remove WGA Notifications from your system. Microsoft has recently changed some things about this software, and many of those instructions could be out of date. I have yet to see a definitive work on this subject, and I don’t consider this one to be either. Since WGA is still in beta, and Microsoft is still developing it, I suspect that the best set of instructions is yet to come.

A large portion of my instructions are based on Microsoft’s How to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications KnowledgeBase article, which showed a July 12, 2006, revision date at the time that I prepared this article. It should be noted that many of the simplistic methods of halting WGA Notifications, such as blocking it with your firewall or renaming the WgaLogon.dll file, are a lot less comprehensive than the instructions that Microsoft offered or that appear in this document. They are effective right now. If Microsoft renames its files, those protections would break.

The reality is, WGA Notifications isn’t the guts of WGA. It’s the part that “phones home.” But I have to be honest with you; that aspect of WGA has never concerned me all that much. It was certainly preposterous for WGA Notifications to reach out to Microsoft’s servers every day. The part of WGA that concerns me most is the virtual certainty that WGA Validation will falsely identify even a small percentage of Windows installations as being “counterfeit” when in fact they are not. OK, let’s get on with removing WGA Notifications.

Important: These instructions require editing the registry. You may want to start by taking a System Restore point so that you could revert to it in the event that something goes wrong. Also, these directions streamline Microsoft’s instructions for uninstalling WGA Notifications and expand them to uninstall additional WGA Notifications leave-behinds. Some of the steps have changed or evolved. There’s no guarantee the directions will work perfectly for you, but lots of smart, positive reader feedback has already improved them immensely, and they should work for you.

Update: These instructions were revised on August 6 to work around any possible removal of WGA Validation, which is needed to download optional programs and non-security updates from Windows Update or Microsoft Update. (WGA Validation is not required for downloading security patches from Windows Update, Microsoft Update, or Automatic Updates.) If you do remove WGA Validation (which consists primarily of the LegitCheckControl.dll in the Windowssystem32 directory), Windows Update and Microsoft Update will both attempt to reinstall that WGA component the next time you try to use them.

To make a System Restore point, open the Start menu, choose Run, copy and paste this line into the Run field, and press Enter:

%SystemRoot%system32restorerstrui.exe

If you prefer not to mess around with the System Registry yourself, there’s a free utility called RemoveWGA available for download on the Internet from Firewall Leak Tester. I’ve tested RemoveWGA 1.2 and I recommend it as an alternative.

Removing WGA Notifications: Step by Step

1. In the Add or Remove Programs Control Panel, turn on the “Show Updates” check box at the top.

2. Open the Folder Options Control Panel. Click the View tab. Remove the check, if any, beside “Hide extensions for known file types.” While you’re at it, click the radio button beside “Show hidden files and folders” and uncheck the box beside “Hide protected operating system files.” Click OK. (Note: If children or computer novices use your computer, you’ll want to reverse these steps later.)

3. The next step is to search your entire system boot drive for any file containing the letters “wga”. To do that, open the Start menu and Choose Search. You will need to configure Search so that it searches system folders, searches hidden files and folders, and searches subfolders. Initiate your search for Drive C or Drive D, or whatever drive Windows is installed on.

4. If WGA is installed on your computer, the search should return the filenames WgaLogon.dll and WgaTray.exe in your WindowsSystem32 folder. You’ll also find WGA’s LegitCheckControl.dll in the same folder (but it won’t be in your search results). You may well have several other search results, and we’ll come back to those later.

5. In the search results window, rename the following two files as shown:

WgaLogon.dll => WgaLogon.old

WgaTray.exe => WgaTray.old

Note: You can delete these files after a subsequent reboot if you prefer. At this point, WGA Notifications is disabled. You could stop here if you’d rather not go all the way down this path.

6. Open the Start menu, choose Run, type “regedit” without the quotation marks, and press Enter. This opens the Registry Editor.

7. Locate and delete the last subkeys (folders) in these locations in the Registry. (Note: HKLM stands for HKEY_Local_Machine.)

HKLMSOFTWAREMicrosoftWindowsNT CurrentVersionWinlogonNotifyWgaLogon

HKLMSOFTWAREMicrosoftWindows CurrentVersionUninstallWgaNotify

Note: Just to be clear, for that first line, you would navigate through the Registry beginning with HKEY_Local_Machine area, tunneling in by opening each folder named in the Registry path until you see the WgaLogon folder on the left side of the Registry Editor. Then just delete that folder. Repeat for the other Registry subkey, WgaNotify.

8. That ends Microsoft’s initial instructions. On my computers, I reboot my computer and remove the following subkeys as well. You should not attempt to remove every instance of WGA in the Registry.

HKLMSOFTWAREMicrosoftUpdatesWgaNotify

HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp ManagementARPCacheWgaNotify

9. The next step is to delete other WGA Notifications files returned in your search. It’s not absolutely essential for you to remove every last trace of WGA Notifications, especially when that attempt could very likely get you into trouble. For example, wgaapi.dll isn’t part of Microsoft WGA, it’s part of a wireless networking driver. You can safely delete any file you find with “wganotify” in its name.

On several of my computers I didn’t find WGA installed, but I did find an installer for it that seemed poised to run the installation. Presumably that’s because those computers were using the Automatic Updates setting that automatically downloads but does not install updates without your permission. They’re usually located in a folder with a name consisting of gobbledy-gook (hash of alphanumeric characters) found the Windowssoftwaredistributiondownload folder. It’s possible to delete these folders, but remember that WGA Validation and WGA Notifications are different things, and you need WGA Validation to get security patches. Folders that contain WgaTray.exe and/or WgaLogon.dll are for WGA Notifications. When in doubt, leave them as is.

You may find that the operating system blocks you from deleting these folders. If so, you can either reset the file object permissions (assumes you have Windows XP Pro with the NTFS file system and you’re running with Simple File Sharing turned off) or you can boot into Safe Mode and try deleting them there. If you’re not sure how to do these things, it is truly not worth bothering with. Leave well enough alone.

Preventing Recurrences

You’re not quite done yet. If you don’t follow this next set of steps, you may find that WGA Notifications has reinstalled a couple of days or hours from now. I’ve written these steps specifically for Automatic Updates, but there’s a corresponding, almost identical set of set of steps in Windows/Microsoft Update. It’s faster, in fact, to use Windows or Microsoft Update since you don’t have to wait for Automatic Updates to discover that WGA Notifications is missing from your PC.

1. Change the Automatic Updates Control Panel setting to “Notify me but don’t automatically download or install them.” From now on, you will need to closely monitor every update that Microsoft wants to install on your computer.

2. Wait for the yellow shield icon to appear in your system tray that signifies that updates are available. This can take as much as two days, but it’s usually only a couple of hours.

3. Click the yellow icon and, if prompted, choose the “Custom Install” option, which will bring up the “Choose updates to download” dialog.

4. Remove the check mark beside any entry that contains the words “Windows Genuine Advantage” and click Close. (If there are other security updates waiting to install too, leave their check marks in place and they will continue to be available later.)

5. Yet another box will open labeled Hide Update. Remove the check mark beside “Don’t notify me about these updates again.”

Some WGA Resources

These additional sources of information are required reading about WGA:

• Truth and Distortion About Microsoft’s WGA – Computerworld Blog
• Ed Bott’s Microsoft Report – ZDNet
• Windows Genuine Advantage FAQ
• Windows Genuine Advantage Talkback Forums – Microsoft

Finally, send the author e-mail if you have learned something about WGA or would like to suggest something that would help with WGA removal or installation prevention. Thanks.