Tuesday, October 23rd 2018

ASUS Z390 Motherboards Automatically Push Software into Your Windows Installation

During testing for our Intel Core i9-9900K review, we found that new ASUS Z390 motherboards automatically install software and drivers to your Windows 10 system, without the need for network access, and without any user knowledge or confirmation. This process happens in complete network isolation (i.e. the machine has no Internet or LAN access). Our Windows 10 image is based on Windows 10 April 2018 Update and lacks built-in drivers for the integrated network controllers.

Upon first boot, with the machine having no LAN or Internet connectivity, we were greeted by an ASUS-specific window in the bottom right corner of our screen, asking whether we'd like to install the network drivers and download "Armoury Crate". This got us curious and we scanned the system for any files that aren't part of the standard MS Windows installation. We discovered three ASUS-signed files in our Windows 10 System32 folder, which, so it seems, magically appeared on our hard drive out of thin air. Upon further investigation we also found a new, already running, system service called "AsusUpdateCheck."

These files could not have come from either our Windows image or the network, leaving the motherboard's 16-megabyte UEFI BIOS as the only suspect. The files themselves, which total around 3.6 MB in size, appear harmless, and belong to an ASUS-made program called "ASUS Armoury Crate." This program fetches the latest drivers for your hardware from ASUS servers, and installs them for you in an automated process with little user intervention. This is a very useful feature, as it establishes a method to install the network driver and other drivers easily, without the need for a physical driver disc (in times where nobody has an optical drive anymore). After digging around in the UEFI BIOS, we managed to find a fairly nondescript option, "Download and Install ARMOURY CRATE app", which of course defaults to "on"; and it's not easy to find, being located in the "Tool" section of the BIOS setup.

The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a mechanism that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup, every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization," which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.

The ASUS executable unpacks two more files, registers the "AsusUpdateCheck" service and launches it. Once the desktop is loaded, it manifests itself as a bloatware-looking notification near our system tray, asking you to install the ASUS Armoury Crate software by fetching the rest of its installer payload from the Internet. Interestingly, it also installs a basic driver to get the integrated network controller working, which is a nice feature. Windows 10 doesn't support the new Z390 integrated Ethernet controller out of the box. This method of writing data to protected areas of the boot drive may not be uncommon with OEM pre-built desktops and notebooks, but for the PC DIY space, in which consumers seek a higher degree of control and privacy over their hardware and software, it is a first and comes across as intrusive. It should normally take a lot of privilege for anything to write to your System32 folder without user intervention, at least a UAC dialog authenticating the user's consent. Lenovo used the same method in 2015, which resulted in a huge scandal. They automatically installed a rootkit, which logged data and pushed bloatware into the user's system.
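To audit what a board's firmware hands to Windows through this table, the raw WPBT can be decoded directly. The following is an added example, not code from the original article or from ASUS: it parses the published WPBT field layout (standard ACPI header, handoff memory size and location, content layout and type, arguments) and verifies the ACPI checksum; the sample table and its values are constructed for illustration.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length


def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT table and report what it asks Windows to run."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if not fixed + args_len <= length <= len(raw):
        raise ValueError("length fields are inconsistent")
    args = raw[fixed:fixed + args_len].decode("utf-16-le", errors="replace")
    checksum_ok = sum(raw[:length]) % 256 == 0  # all table bytes must sum to 0 mod 256
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\x00 "),
        "handoff_size": size,
        "handoff_address": addr,
        "arguments": args.rstrip("\x00"),
        "checksum_ok": checksum_ok,
        # Layout 1 = one PE image, type 1 = native user-mode application
        "payload_declared": checksum_ok and layout == 1 and ctype == 1 and size > 0,
    }


def build_sample(args: str = "") -> bytes:
    """Constructed table for the demo; not a dump from any real board."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x39A000, 0x7A1B0000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = -sum(table) % 256  # checksum byte lives at offset 9
    return bytes(table)


if __name__ == "__main__":
    for key, value in parse_wpbt(build_sample()).items():
        print(f"{key}: {value}")
```

On a Linux live system booted on the same board, the raw table, if the firmware publishes one, can be read as root from `/sys/firmware/acpi/tables/WPBT` and passed to `parse_wpbt`. A table that is absent after the UEFI option is switched off confirms the setting took effect.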

Our motherboard was supplied within the European Union, and yet the software lacks a GDPR-compliant user consent dialog. If nothing else, a person's IP address will be transmitted to ASUS without consent, possibly more, including details like motherboard model, system specs and installed hardware.

We poked and prodded with the service a bit. Deleting the files (and/or the service) simply restores them at the next reboot. Clicking "cancel" in the first instance of the pop-up doesn't end the service, which keeps running in the background until you manually disable it (and it comes back at next reboot). The only way you can ensure the files stay deleted is by disabling the "ASUS Armoury Crate" option in the UEFI setup program, which disables the ACPI-WPBT table. Running the download & install, and then disagreeing with the license agreement will keep Armoury Crate installed on your system. Even when the Armoury Crate Uninstaller is run from "Programs & Software", the AsusUpdateCheck service doesn't get uninstalled, and the uninstaller also forgets to remove a second service it installed.

By default, the ASUS UEFI setup program for our motherboard has the "Download and Install Armoury Crate App" option enabled. Unsuspecting users who glossed over their UEFI setup configuration before installing their OS for the first time, will see the Armoury Crate pop-up even if their machines are not configured to access the Internet. This would do wonders for increasing the user-base of ASUS' software, but are you comfortable with something like this? Given NAND flash pricing, what stops motherboard vendors from embedding a flash-based USB mass-storage device directly onto their motherboards that installs a host of driver software and sponsored bloatware automatically?

If you put aside the privacy concerns for a moment, there are both advantages and disadvantages to what ASUS is trying to accomplish. Since it's enabled by default, this method makes installing drivers and system software easier than ever, since it also gets the network controller to work. It's particularly useful given that motherboard vendors continue to ship drivers on a DVD, and optical disc drives are on the decline, leaving people with little option but to copy their drivers onto a USB flash drive, just to get the NIC working. The application also fetches the very latest (most stable) versions of drivers found on the ASUS website. The most obvious disadvantage is cybersecurity. If any of ASUS' on-chip code has security vulnerabilities that can be exploited, there is little way to fix it but with BIOS updates from ASUS.

ASUS needs to make a few changes and release UEFI BIOS updates, on the double. One option could be to disable the Armoury Crate option in the BIOS by default, so unsuspecting users don't get these files. It could be advertised on the home screen of the UEFI setup instead. Another option could be to properly clean up the installed files if the user chooses not to use Armoury Crate, and not install them again on the next reboot. Also required is a GDPR-compliant license agreement that clarifies which data is collected, how it is processed, and whether it is shared with third parties. While this probably won't happen, some kind of ASUS warranty that includes liability for any future malware that exploits WPBT to survive OS reinstalls would go a long way.

We're sure that as a market-leading motherboard vendor, the intentions behind this couldn't have been bad. It only needs a bit of polish, and a lot of transparency with the user.

68 Comments on ASUS Z390 Motherboards Automatically Push Software into Your Windows Installation

#1
Mayclore
Like Windows 10 needs any help with installing bloatware.
Posted on Reply
#2
erixx
Great and balanced news alert, W1zard.
Asking Asus to "properly clean up" is maybe asking too much, given its decades-old history of doing the contrary? Needing underground tools like "AI Suite cleaner" to do it? It's amazing that they do not hire software engineers with enough qualification... As you say "they will perfect it"... slowly... I'll leave it here. ;)
Posted on Reply
#3
windwhirl
Wow, such a nice feature. How long until someone finds a vulnerability and makes malware for it?
Posted on Reply
#4
kastriot
Just don't use internet and no probs..
Posted on Reply
#5
R-T-B
I told everyone earlier, in a certain UEFI spyware thread:

Nothing scares me more than big cheap flashroms on motherboards... spyware, vendors, all of them have the power to misuse this.

"kastriot said:
Just don't use internet and no probs..
Comprehension fail.
Posted on Reply
#6
srsbsns
This has happened for a long time with Asus. Why is this news now? My Crosshair VII does this as well. I disable it from the BIOS and uninstall. Problem solved.
Posted on Reply
#7
Joss
To be able to install a clean copy of Windows and only the software you chose is one of the advantages of building your PC. This move from Asus is inadmissible and a privacy intrusion.
Besides, don't give us the "for your convenience" justification, being a builder is inconvenient per nature, and that's how we like it.
Posted on Reply
#8
xkm1948
TPU: We found some potential privacy-intrusive practice by a multi-national corporation.


---> Lawyers want to know your location/


---> EU administration intensifies.

Me:

Posted on Reply
#9
Agentbb007
Thanks for the heads-up, I will definitely disable this on my XI Hero if Amazon ever ships my 9900k. I like the idea of installing a NIC driver but other stuff not so much.
Posted on Reply
#10
R-T-B
"srsbsns said:
This has happened for a long time with Asus. Why is this news now? My Crosshair VII does this as well. I disable it from the BIOS and uninstall. Problem solved.
That's even worse then.

This shouldn't be possible as far as I am concerned, but since that ship has sailed, AT LEAST have some sense and turn it off by default, ASUS.

"Agentbb007 said:
if Amazon ever ships my 9900k.
Amazon is claiming a backlog to December last I heard...
Posted on Reply
#11
noel_fs
oof asus is a no no for me for now on
Posted on Reply
#12
bonehead123
1. no
2. no
3. HELLL NO

No asus craploaders fo me....

isn't it bad enuff that we have to deal with hackers, spywarz, malwarez, meltdowners, specters etc etc etc, and now this........wTf ???????????
Posted on Reply
#13
SIGSEGV
Is it a new invention from ASUS? /sarcasm

lol
Posted on Reply
#14
Cybrnook2002
"windwhirl said:
Wow, such a nice feature. How long until someone finds a vulnerability and makes malware for it?
You mean like the way the Chinese have supposedly done the same with the BMC and Supermicro? (At least according to Bloomberg) Loading files/code into an installed OS.
Posted on Reply
#15
Owen1982
It would be nice if you could choose what drivers were installed with tickboxes in the BIOS.
Posted on Reply
#16
Octopuss
Looks like I won't be buying Asus motherboards if this is common practice then. Out of general principle. I am not paranoid or anything, but I absolutely despise shit being installed without my consent or even knowledge.
Posted on Reply
#17
HammerOn1024
" This is a very useful feature, as it establishes a method to install network driver and other drivers easily, without the need for a physical driver disc (in times where nobody has an optical drive anymore)"

Great... just what I need: Another uncertified software tool downloading software and installing it without my knowledge. Another hacker's paradise has been created. Nice move ASUS.

Yet another reason to having nothing to do with Microsift or ASUS.
Posted on Reply
#18
TheLaughingMan
As if we needed another reason to hate ASUS bloatware. Stop making it. Just stop all RnD for software no one wants or uses. Spend that money on a office party or something, it can't be that much.
Posted on Reply
#19
Dimi
"HammerOn1024 said:
" This is a very useful feature, as it establishes a method to install network driver and other drivers easily, without the need for a physical driver disc (in times where nobody has an optical drive anymore)"

Great... just what I need: Another uncertified software tool downloading software and installing it without my knowledge. Another hacker's paradise has been created. Nice move ASUS.

Yet another reason to having nothing to do with Microsift or ASUS.
It doesn't download anything, did you even read it?
They are drivers that are built in somewhere on the motherboard. They are loaded, not downloaded from the internet..
Posted on Reply
#20
CrAsHnBuRnXp
"Agentbb007 said:
Thanks for the heads-up, I will definitely disable this on my XI Hero if Amazon ever ships my 9900k. I like the idea of installing a NIC driver but other stuff not so much.
I have to second this. I'm waiting on my Z390 board and 9900K still as well. Amazon is saying between Nov 15th and December 12th for my motherboard.

"Dimi said:
It doesn't download anything, did you even read it?
They are drivers that are built in somewhere on the motherboard. They are loaded, not downloaded from the internet..
These files could not have come from either our Windows image or the network, leaving the motherboard's 16-megabyte UEFI BIOS as the only suspect. The files themselves, which total around 3.6 MB in size, appear harmless, and belong to an ASUS-made program called "ASUS Armoury Crate." This program fetches the latest drivers for your hardware from ASUS servers,
The Armoury Crate downloads from the internet.
Posted on Reply
#21
TheinsanegamerN
My ASUS Crosshair VII did something similar, it would place some files directly onto the C: drive upon startup, unless the process was disabled via task manager. These files did not come from the internet, as the NIC was not plugged in when I first installed.

Will probably be my last ASUS board until they stop doing this BS. I don't need my motherboard pushing files to my PC for any reason.
Posted on Reply
#22
ZhangirDuyseke
I find it extremely useful! That means that I don't need to manually download drivers from the website after installing the OS. Great! Once again paranoid techpowerup users who believe in conspiracy theories, UFO, FBI spying on you and other bullshit! Evil ASUS want to spy on you and your library of hentai and midget porn, ahahah. Techpowerup users are ridiculous! Always find something to complain about. It's done for our convenience and very helpful and saved my time.

"Octopuss said:
Looks like I won't be buying Asus motherboards if this is common practice then. Out of general principle. I am not paranoid or anything, but I absolutely despise shit being installed without my consent or even knowledge.
Even if that's latest drivers and useful software? It seems techpowerup users like it hard way.

"Joss said:
To be able to install a clean copy of Windows and only the software you chose is one of the advantages of building your PC. This move from Asus is inadmissible and a privacy intrusion.
Besides, don't give us the "for your convenience" justification, being a builder is inconvenient per nature, and that's how we like it.
Don't speak for all builders! Privacy intrusion?! Yeah like ASUS is very "interested" in your hentai and midget porn library, lol. It's extremely useful and saves a lot of time for me. Very convenient:)
Posted on Reply
#23
Joss
"ZhangirDuyseke said:
like ASUS is very "interested" in your hentai and midget porn library
It's Victorian nudes if you please :rolleyes:
Posted on Reply
#24
theoneandonlymrk
This is not Intel specific, the Crosshair 7 Hero I bought did the exact same thing, except it calls it ASUS Grid, which then downloads the updater, which then downloads the Armoury Crate.
I didn't mind being assisted to find drivers and I doubt first time builders or OEM builders mind.

I believe it to have been a good-faith, easy-to-use feature that IS easily disabled.

It just should be advertised and easily enabled and default to off.
Posted on Reply
#25
Salty_sandwich
The moment you read the words

"If you put aside the privacy concerns for a moment"

in this day and age? put privacy concerns aside! lol like we have a choice, our privacy is taken at any given chance these days, no matter what ya do....
Posted on Reply