Michael Horowitz
From the personal web site of Michael Horowitz

I found a Windows 7 PC still infected with GWX (Get Windows 10) software

January 14, 2019

Microsoft, it seems, never gives up on a bad idea. This time, the bad idea is forcing Windows 7 machines to upgrade to Windows 10. You would be forgiven for thinking that this was ancient history. Yesterday, I would have said the same thing.

But today, I took a glance at the Event Logs of a Windows 7 PC and found it was still trying to upgrade to Windows 10. I kid you not.

The machine in question last had bug fixes installed on December 3, 2018. In other words, it had all the November 2018 patches.

The Event Log indicated the GWX (Get Windows 10) tasks were scheduled, so I took a look at the Task Scheduler using Nir Sofer's TaskSchedulerView program.

Sorting the list to show the recently executed tasks turned up a task called Time-5d that ran the program GWX.exe in the C:\Windows\system32\GWX folder. The program runs every day and I could not disable the task, even as an Admin user.

The Time-5d scheduled task to run GWX.exe

But, that wasn't all.

There was another task that runs every day, called refreshgwxconfig-B (details below). It runs the program schtasks.exe and it, too, cannot be disabled. A third GWX task, Logon-5d (also below), ran at logon time. It also runs the program GWX.exe and, like the others, could not be disabled.

Two more live GWX tasks

A quick look at the C:\Windows\system32\GWX folder showed that the program GWX.exe was from May 7, 2015, as were the other GWX-related programs. You may recall that Windows 10 itself was not released until July 2015.

The C:\Windows\system32\GWX folder

Scheduled tasks in Windows are always part of a group. These three tasks are in a group called Microsoft\Windows\Setup\GWXTriggers. Sorting the list of tasks by group (shown below) revealed that there were three other tasks in the same group. None of these other tasks, however, had been executed.

8 Scheduled Tasks for upgrading to Windows 10

This sorting also turned up a group named Microsoft\Windows\Setup\gwx that consists of two tasks. I had disabled them both already. The launchtrayprocess task also runs program GWX.exe but it last ran in November 2017. Task refreshgwxconfig runs program GWXConfigManager.exe in the GWX folder and it last ran in December 2017.

These eight scheduled tasks, and the programs they run, serve no purpose any more. In December 2018, when bug fixes were last installed on this computer, there was no hint of a Windows 10 upgrade.
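To check another Windows 7 PC for the tasks and folder described above, the following PowerShell filters `schtasks.exe` output for the two task groups and lists the GWX folder. It is an added example, not part of the original article: the function names `Find-GwxTask` and `Get-GwxFile` are hypothetical, the sample rows are constructed, and the English `schtasks` column names are assumed.

```powershell
# Added example (not from the original article). Column names assume the
# English output of: schtasks.exe /query /fo CSV /v

function Find-GwxTask {
    param([string[]]$CsvLines)
    # The two task groups named in the article; -match is case-insensitive.
    $groups = '^\\Microsoft\\Windows\\Setup\\(GWXTriggers|gwx)\\'
    $CsvLines |
        Where-Object { $_ -and $_.Trim() } |    # skip blank lines
        ConvertFrom-Csv |
        # schtasks can repeat the header row; it parses as TaskName = 'TaskName'.
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -match $groups } |
        Sort-Object TaskName -Unique |          # /v prints one row per trigger
        Select-Object TaskName, 'Scheduled Task State', 'Last Run Time', 'Task To Run'
}

function Get-GwxFile {
    # Folder from the article; it may be absent or renamed, so test first.
    param([string]$Folder = "$env:windir\System32\GWX")
    if (Test-Path $Folder) {
        Get-ChildItem $Folder | Select-Object Name, LastWriteTime
    }
}

# Constructed sample rows (host name, dates and states are made up).
$sample = @(
    '"HostName","TaskName","Last Run Time","Task To Run","Scheduled Task State"',
    '"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","1/9/2019 1:00:00 AM","%windir%\system32\defrag.exe -c","Enabled"',
    '"HostName","TaskName","Last Run Time","Task To Run","Scheduled Task State"',
    '"PC1","\Microsoft\Windows\Setup\gwx\launchtrayprocess","11/20/2017 8:15:00 AM","C:\Windows\system32\GWX\GWX.exe","Disabled"',
    '"PC1","\Microsoft\Windows\Setup\GWXTriggers\Time-5d","1/14/2019 9:00:00 AM","C:\Windows\system32\GWX\GWX.exe","Enabled"',
    '"PC1","\Microsoft\Windows\Setup\GWXTriggers\Time-5d","1/14/2019 9:00:00 AM","C:\Windows\system32\GWX\GWX.exe","Enabled"'
)
Find-GwxTask $sample | Format-Table -AutoSize

# On the PC being checked:
# Find-GwxTask (schtasks.exe /query /fo CSV /v) | Format-List
# Get-GwxFile
```

An empty result from both functions on a live machine means neither task group nor the folder is present under those names.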

Since I could not disable the tasks, I tried to rename the program GWX.exe. Needless to say, this also failed, even when logged on as an Admin user. But I was able to rename the GWX folder where all the programs reside. Hopefully, this will block these programs from ever running again.

This experience left me angry, not so much at the recurring hassle of avoiding Windows 10, but at not being in command. When Windows 7 stops getting bug fixes, and it's time to choose a new operating system, I want one from a vendor that thinks my computer belongs to me, not to them.

- - - - - - - - - - - - - -

January 15, 2019: To be clear, finding traces of GWX on a Windows 7 machine is the exception, not the rule. I suspect that the normal removal of GWX failed for some reason. Perhaps because I had disabled a couple of scheduled tasks? Perhaps it was the Steve Gibson Never10 program to block Windows 10? The computer in question is used for a single task and thus has gone extended periods without Windows patches (see its update history). Maybe that explains things. Then again, perhaps it was sun spots.

Articles about this blog:

Windows 7: The Zombie GWX sighted again by Günter Born January 15, 2019. Also, in German.

Better check your Windows 7 PC for Get Windows 10 (GWX) traces by Martin Brinkmann January 15, 2019.

Brinkmann, Horowitz: Are remnants of the despised "GWX" Get Windows 10 campaign still on your Win7 computer? by Woody Leonhard January 15, 2019. A comment on this article says that kb3184143 was released by Microsoft to remove the GWX triggers and accompanying cruft for Windows 7 and 8 and links to: Remove software related to the Windows 10 free upgrade offer. Even if that patch is missing, I am not going to install it. The computer in question is used for a single task by a small business. It does no web browsing or email; in fact, the only Internet thing it does is allow itself to be remotely controlled. It is needed 24x7 and the priority is stability over patches. Plus, the current state is not causing a problem for the one task the computer does.



 michael--at--michaelhorowitz.com   Last Updated: January 16, 2019 5 PM  
Copyright 2001-2019