
[Request] Disable Wpbt Execution

Open Cyantox opened this issue 9 months ago • 3 comments

Currently, the script does not disable the Windows Platform Binary Table (WPBT), which allows OEMs to execute programs at every boot. While WPBT can be used for beneficial purposes like anti-theft software, it also introduces significant security risks by enabling persistent software execution without user consent. This is particularly concerning for laptops and mini PCs from manufacturers (especially from China), where the risk of pre-installed malware or surveillance software is relatively high. WPBT can allow malicious software to persist even after OS reinstallation, creating a potential backdoor. Deactivating WPBT before the initial installation would greatly enhance security.

ChrisTitus also recently included this in Winutil: https://github.com/ChrisTitusTech/winutil/commit/6038556e64f81b4575485bc150032b3cfce1d7f8

Suggested Solution:

To enhance security, consider adding something like the following registry modification during the specialize phase in autounattend.xml:

<RunSynchronousCommand wcm:action="add">
  <Order>XX</Order>
  <Path>reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FirmwareResources" /v WPBT /t REG_BINARY /d 0 /f</Path>
</RunSynchronousCommand>

This will disable WPBT execution at the firmware level before the system boots into Windows for the first time (no guarantee that this will work like that).

Pros (Security Benefits):

  • Prevents OEMs from force-installing unwanted software, spyware, viruses, etc.
  • Reduces the risk of security vulnerabilities related to WPBT abuse.
  • Aligns with best practices for system hardening.

Cons (Potential Drawbacks):

  • Some OEM features, such as anti-theft software or essential drivers, may rely on WPBT.
  • Could affect recovery mechanisms or system management tools provided by manufacturers.
  • May require manual installation of certain vendor-specific utilities.

Cyantox · Feb 28 '25 18:02
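The post above proposes a registry change in the specialize phase but notes there is no guarantee it works as written. The following PowerShell script is an added verification example, not code from this issue or from the UnattendedWinstall project: run on the installed system, it reads the WPBT ACPI table through the kernel32 `GetSystemFirmwareTable` API to show whether the firmware publishes one, and then checks the `DisableWpbtExecution` value under `Session Manager`, which is the switch Microsoft's WPBT specification documents for skipping WPBT execution (a different path from the `FirmwareResources` key in the snippet above). The WPBT field offsets used for parsing are taken from that specification and are assumptions of this example.

```powershell
# Added example: not part of this issue or of the UnattendedWinstall answer file.
# Reports whether the firmware publishes a WPBT ACPI table and whether Windows
# has been configured to skip executing it. Run from an elevated PowerShell
# session on the installed system (e.g. after first boot) to verify hardening.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(
    uint FirmwareTableProviderSignature,
    uint FirmwareTableID,
    byte[] pFirmwareTableBuffer,
    uint BufferSize);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Native' -Namespace 'WpbtCheck' -PassThru

# Provider 'ACPI' is passed as the DWORD 0x41435049; ACPI table IDs are the four
# signature bytes in memory order, so 'WPBT' becomes 0x54425057.
$ACPI = [uint32]0x41435049
$WPBT = [uint32]0x54425057

function Get-WpbtTable {
    # A call with an empty buffer returns the required size; 0 means no table.
    $size = $Kernel32::GetSystemFirmwareTable($ACPI, $WPBT, $null, 0)
    if ($size -lt 52) { return $null }   # absent or too short to hold the WPBT fields
    $buf = New-Object byte[] $size
    [void]$Kernel32::GetSystemFirmwareTable($ACPI, $WPBT, $buf, $size)

    # Offsets (assumed from Microsoft's WPBT specification): 36-byte ACPI header,
    # then handoff image size (UINT32 @36), handoff location (UINT64 @40),
    # content layout (@48), content type (@49), command-line length (UINT16 @50)
    # and the UTF-16 command line (@52). Length is clamped to the buffer.
    $cmdLen  = [Math]::Min([int][BitConverter]::ToUInt16($buf, 50), $size - 52)
    $cmdLine = if ($cmdLen -gt 0) { [Text.Encoding]::Unicode.GetString($buf, 52, $cmdLen) } else { '' }
    [pscustomobject]@{
        TableSize        = $size
        OemId            = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        HandoffImageSize = [BitConverter]::ToUInt32($buf, 36)
        ContentType      = $buf[49]      # 1 = native user-mode PE image per the spec
        CommandLine      = $cmdLine
    }
}

function Get-WpbtExecutionState {
    # Windows skips WPBT when this REG_DWORD is 1 (Microsoft WPBT specification).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name 'DisableWpbtExecution' -ErrorAction SilentlyContinue).DisableWpbtExecution
    if ($val -eq 1) { 'disabled' } else { 'enabled (default)' }
}

$table = Get-WpbtTable
if ($null -eq $table) {
    Write-Output 'No WPBT table is published by the firmware.'
} else {
    Write-Output 'Firmware publishes a WPBT table:'
    $table | Format-List
}
Write-Output "WPBT execution is $(Get-WpbtExecutionState)."

# The matching specialize-phase command, using the value from the specification
# rather than the key in this issue's snippet, would be:
#   reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v DisableWpbtExecution /t REG_DWORD /d 1 /f
```

Running this before and after applying the answer-file change gives a concrete check: the table report shows what the OEM firmware actually hands off (and the command line it wants run), and the second line confirms whether the registry switch took effect, which is what the "no guarantee" remark above leaves open.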

Hey there and sorry for the late reply.

I will do some more research into this and decide if I want to include it in future versions or not.

memstechtips · Nov 14 '25 19:11

This would have been a nice thing to add to the answer file. Does Winhance not do this?

Forkinator · Nov 16 '25 20:11

@Forkinator

Not at the moment no, but I do think I will add it.

memstechtips · Nov 24 '25 09:11