tl;dr version (since this blew up on Reddit and there's lots of stuff to digest)

* In Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean Windows install impossible.
* Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.
* Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PCs from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.

I would like to know if any non-Lenovo PCs have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dells and HPs who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there). For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.m...

Check your PC:

Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)

Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).
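
The three checks described in the post above, collected into one read-only script. This is an added example, not part of the original post and not code from Microsoft or Lenovo. It assumes Windows PowerShell 5.1 in an elevated prompt, and the function names are hypothetical.

```powershell
# Added example: read-only checks for the indicators named in the post.
# Nothing is modified or deleted. Function names are hypothetical.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-SignerInfo([string]$Path) {
    # Summarise who signed a file and whether Windows considers the signature valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Written = (Get-Item -LiteralPath $Path).LastWriteTime
    }
}

function Test-WpbbinPresent {
    # Windows 8+: per the post, wpbbin.exe exists only if Windows found a
    # platform binary in firmware and wrote it to disk. Returns $null if absent.
    $path = Join-Path $sys32 'wpbbin.exe'
    if (Test-Path -LiteralPath $path) { Get-SignerInfo $path }
}

function Get-PlatformBinaryEvents {
    # Windows 8+: events from the provider named in the post that mention a platform binary.
    Get-WinEvent -ProviderName 'Microsoft-Windows-Subsys-SMSS' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*platform binary*' } |
        Select-Object TimeCreated, Id, Message
}

function Test-AutochkSigner {
    # Windows 7 case from the post: autochk.exe replaced by a vendor-signed copy.
    $info = Get-SignerInfo (Join-Path $sys32 'autochk.exe')
    $verdict = if (-not $info.Signer) {
        # Catalog-signed system files may report no signer on older PowerShell versions.
        'INCONCLUSIVE: no signer reported; compare the hash against known-good media'
    } elseif ($info.Status -eq 'Valid' -and $info.Signer -match 'O=Microsoft Corporation') {
        'OK: valid signature from Microsoft'
    } else {
        'REVIEW: signer is not Microsoft or signature is not valid'
    }
    $info | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

$wpb = Test-WpbbinPresent
if ($wpb) { 'wpbbin.exe present:'; $wpb | Format-List } else { 'wpbbin.exe not present in System32.' }
$evt = @(Get-PlatformBinaryEvents)
"Platform binary events found: $($evt.Count)"; $evt | Format-List
Test-AutochkSigner | Format-List
```

A subject-string match on the signer is a triage signal only; treat any REVIEW or INCONCLUSIVE result as a prompt to compare the file hash against a copy from trusted installation media.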