That deceptive, misleading WGA installation

Summary: Why can’t Microsoft describe its WGA tools in simple, direct language? They want you to install a small program that checks the product key you used to activate Windows XP – the same one you already sent them when you first installed the operating system – so they can verify that your copy of Windows is properly licensed. That’s not so hard to understand, is it? So why use these misleading and deceptive descriptions?

TOPICS: Windows

Slowly, oh so slowly, Microsoft is trying to undo the damage its Windows Genuine Advantage anti-piracy program has inflicted. But the company still has a long ways to go.

Case in point: The two WGA components that are loaded into Windows XP computers via the Windows Update servers are still presented to Windows users using a process that can fairly be described as deceptive and misleading.

Last month, my ZDNet colleague David Berlind analyzed the WGA installation process and its accompanying disclosure and concluded that “one of the WGA components that Microsoft is loading onto end users' systems through its Windows Update service is, contrary to what Microsoft says, installed without the end user's consent.” As part of his investigation, David documented the installation process in this image gallery.

Nearly five weeks later, despite improvements in the license and privacy agreements and some changes to the WGA code, Microsoft’s customers are still not getting an accurate and full disclosure of what’s being downloaded and installed on their computer. I’ve prepared an updated image gallery that shows the WGA installation process as it takes place today.

If anything, the problem has gotten worse. In the past few weeks, at least one well-respected and widely read Windows expert has recommended that Windows users disable Automatic Updates and install security patches using manual procedures instead. In his Windows Secrets Newsletter of June 29, Brian Livingston argued that WGA qualifies as spyware and urged his 140,000 readers to “dump Windows Update.” In today’s newsletter, he repeated the admonition, recommending that "all Windows users, other than novices … turn off Automatic Updates.” That’s bad advice, in my opinion, but it’s understandable, given the complete lack of transparency that Microsoft has displayed on this issue.

So what’s going on with WGA today? Here’s the condensed version:

Let’s say you visit Microsoft’s Windows Update using a PC on which Windows XP with Service Pack 2 has been freshly installed. You choose the Custom option, because you want to review any available updates before installing them. But Windows Update throws up a roadblock:


You “need to upgrade some of its components.” Sounds fairly innocuous, doesn’t it? The accompanying explanation, which includes six bullet points and more than 100 words, doesn’t mention Windows Genuine Advantage. It doesn’t explain that the Validation Tool (the component you’re about to download) is an anti-piracy utility that allows Microsoft to identify computers that contain “non-genuine” copies of Windows XP. Even if you click the tiny Details button, the explanation falls far short of describing what the tool really does.

After you install the WGA Validation Tool, you’re allowed into the Windows Update website, where a second WGA component is included among the list of High Priority updates. The Windows Genuine Advantage Notification tool is supposed to be an opt-in program. The current version of the WGA FAQ page says: “While the program is presently opt-in, as it expands later in the year, it may become a requirement for the [Automatic Updates] service.” But it’s delivered as a High Priority update along with critical security patches. If you use Microsoft’s Automatic Updates program, you’ll get it with no notice.

So how do you opt out? If you visit Windows Update and use the Custom option, you can clear one check box to prevent WGA Notification from being installed. You can then click another check box to specify that you don’t want to see this update again:


That should be that. But the next time you visit Windows Update, you’re confronted with an ominous dialog box that contains this warning:


Your computer might be at risk? That’s nonsense. The WGA Notification tool doesn’t provide any security benefit, and refusing to install it involves no – zero, null, nada – risk to you or your computer.

For the record, I don’t think that there’s anything dangerous or onerous about the current versions of the WGA Validation and Notification tools. If their true nature and purpose were clearly explained, I think most people would be perfectly willing to install them.

My question is simple: Why can’t Microsoft describe both of these tools in simple, direct language? As a condition of using Windows Update, they want you to install an ActiveX control that checks the product key you used to activate Windows XP – the same one you already sent them when you first installed the operating system – so they can verify that your copy of Windows is properly licensed. That’s not so hard to understand, is it? So why use these misleading and deceptive descriptions? As a business decision, that’s just plain stupid.

  • nonsense? not really

    I have a friend that works in customer service, and at the bottom of each email is the usual 'may contain proprietary information / copyrighted stuff' tag line. Now, yesterday she typed back that lunch was on. The fact that we were having lunch might be copyrighted? Nonsense?
    No, like the MS tag-line at not downloading something marked 'high-priority', it goes along with each and every communication of that type.
    • Except...

      Every other download in the High Priority category is designed to fix a potential security issue. Every single one. EXCEPT the WGA tools.

      See my point?
      Ed Bott
      • I agree

        wholeheartedly that WGA does not belong in the High Priority category; that, or MS needs to clearly and publicly (re?)define what High Priority means, and what we can expect to find classified that way.

        But it containing the same tag line? I think that is legit.
        • sure but Microsoft knows...

          If they put it plain as day:

          "This software may produce pop-ups if your Windows is not Genuine. We also don't guarantee that it's 100% correct. While we're at it, we also won't help you should you have a legitimate copy and the app doesn't believe it's genuine.

          You should also know that it connects to Microsoft to report your unique location (which can link you to Microsoft which is retrieved by your IP Address) as well as information about your computer... AND we can in the future also put the ability to turn your computer off.

          Let's also not forget that should your copy be legit, and your copy fail the Genuine. We aren't responsible for the security holes that will occur because you won't be allowed to update."

          And the list goes on.
        • sorry not legit

          Lazy at best however AFAIC no question intentional - MS history makes it obvious to the point of embarrassment.
          • No, perfectly legit

            WGA is a critical update (as defined by the manufacturer). Every critical update has that tagline, should you refuse to install it.
            Plain, simple, direct, and correct.

            Should it be a critical update? Now we can talk.
          • Talking.

            > Should it be a critical update? Now we can talk.

            It should not.
      • I can see the point

        WGA however is high priority - to Microsoft. Hear me out here. Microsoft loses money every time someone installs and uses a pirated copy of Windows. Because they didn't pay Microsoft for it. Now it does make good business sense for Microsoft to want to validate the version of Windows. That again in itself makes it a high priority for Microsoft to want it validated. It doesn't have a blessed thing to do with the security of the End User's system.

        Microsoft has a responsibility to make things crystal clear to the End User and not hide things deep into the installs the way that they have been doing. With respect to WGAT I would say that they have failed miserably.
        • His point, yes.

          > WGA however is high priority - to Microsoft.

          Regardless of its importance to Microsoft, this "high priority" update is not a "critical" update. Keep in mind that one of Bill Gates's very first public messages, in the 1970s, decried software piracy. Microsoft has gained its current market position despite the doom-and-gloom warnings he made then. Where Microsoft DOES legitimately lose money is to the counterfeiters who sell bogus copies to paying customers. But the impact of casual copying on Microsoft's bottom line is overstated. That's because many of the casual copiers wouldn't have bought the product anyway.

          Nevertheless, I advocate zero piracy. If you can't afford Windows, use something else, like Linux or BSD.

          As to your last comment... Microsoft has failed in their responsibility to make things crystal clear to the end user... I agree entirely.
        • Ok, let's talk

          WGA was meant to scan your system and if found in non-compliance, report back to MS. Ok, critical no, necessary, yes. Let's look at definitions: the definition of spyware is:

          2 entries found for spyware.
          Main Entry: spyware
          Part of Speech: noun
          Definition: any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes
          Usage: computing
          Source: Webster's New Millennium™ Dictionary of English, Preview Edition (v 0.9.6)
          Copyright © 2003-2005 Lexico Publishing Group, LLC


          <software> (Or "adware") Any type of software that transmits
          information without the user's knowledge.

          Information is sent via the Internet to a server somewhere,
          normally as a hidden side effect of using a program.
          Gathering this information may benefit the user indirectly,
          e.g. by helping to improve the software he is using. It may
          be collected for advertising purposes or, worst of all, to
          steal security information such as passwords to online
          accounts or credit card details.
          Spyware may be installed along with other software or as the
          result of a virus infection. There are many tools available
          to locate and remove various forms of spyware from a computer.
          Some HTTP cookies could be considered as spyware as their
          use is generally not made explicit to users. It is however
          possible to disallow them, either totally or individually, and
          some are actually useful, e.g. recording the fact that a user
          has logged in.

          We already know that WGA phones home, we already know it timestamps you, records the bios, machine type and language, and maybe many more things. It wasn’t disclosed to the public just what information was collected. It was not “forthcoming” in its disclosure reported by top officials at MS.

          Microsoft will not make anything clear to any user as they feel they are god. They walk all over everyone's rules, regardless of country borderlines. They answer to no government. What makes you think MS gives a crap about you or your opinion? Why do you think they are so inundated with trying to patch an OS that they will give up on by 2007? Not one version of windows has ever been secure, not one office product was created as backward compatible. All lies. And yet the lies keep coming and people just accept them like sheep to a slaughter. And for those of us who do move on, and embrace Linux, we are touted as deserters.

          When a ship starts to sink, even the rats run for safety.
      • Not true.

        Not everything under "high priority" is security related. There have been some that address non-security-related crashes--these are likely released outside of the normal service pack channel because MS gets lots of error reports about them.
        • Problem is....

          If you are a tech servicing a system and need information about a certain security update or you need to look up an article, will WGA prevent you from accessing that information without a costly subscription? For those of us who service windows clients, but don’t use windows ourselves, will we be out of luck should WGA be necessary to gain access to articles and service packs?
  • Dude, this horse was dead two weeks ago.

    You need to find a new dead horse to beat.
    • So change your handle No_Horse_to_Beat.
      Ed Bott
      • hahahahaha

        That was a gooood one!

        What a freakin troll that stupid No_horse is.
        Reverend MacFellow
        • I can't seem to help myself

          but it's not no horse.
          try No Facts
    • Not at all No_Ax

      As there has been no resolution about this issue, you cannot rightfully accuse Ed of over-reporting on this.
      When either:

      a) Microsoft change how WGA is announced and delivered to end users, or
      b) A third-party explains how, or develops a tool to automatically block WGA from being downloaded via Automatic Updates

      then you can start covering this horse with lime. Until then....
    • Wrong. I want the progress report....

      I won't feel safe from M$ until this is *completely* fixed. And it takes publicity from people like Ed in a public forum to make M$ do it. Bad PR is the only way to get them to change.
    • If it's dead, then why is MS still hiding things?

      I don't have a problem with MS trying to validate installs (assuming that's all they're doing here). So why not be upfront about it? If it's a dead issue, why haven't they come clean?
      tic swayback
    • The horse isn't dead...

      ...until the WGA issue is resolved.