carl0s Posted May 9, 2006
Could anybody who has the annoying WGA Notify 'you may be a victim of software counterfeiting' XP bug please download and try this simple script I've put together which I'm hoping will automate the removal process. Download the file, run it and then reboot.
Here it is: http://www2.css-networks.com/wgakill.cmd
Let me know the results.

Lewis Posted May 9, 2006
post the code and I will compile it and run it on a box, I'll not download it though mate

carl0s (Author) Posted May 9, 2006

    @echo off
    > %temp%.\wgakill.reg ECHO REGEDIT4
    >> %temp%.\wgakill.reg echo.
    >> %temp%.\wgakill.reg echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    >> %temp%.\wgakill.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
    >> %temp%.\wgakill.reg echo "AUOptions"=dword:00000001
    >> %temp%.\wgakill.reg echo "AUState"=dword:00000007
    cd %windir%\system32
    taskkill /t /f /im wgatray.exe
    del wga*
    regedit /s %temp%\wgakill.reg
    del %temp%\wgakill.reg
    > "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del %windir%\system32\wga*
    >> "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del "%allusersprofile%\Start menu\Programs\Startup\wgakill.cmd"

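Lewis asks above to see the code before running it. As an added example (not part of any post in this thread), a small static review in Python of the script as posted: it rebuilds the files the script writes through its leading-redirect echo lines, then lists the registry changes, Startup-folder drops and forceful commands. The function names and finding labels are made up for this example.

```python
import re
# The script exactly as posted above (first version, with "del wga*").
SCRIPT = r'''@echo off
> %temp%.\wgakill.reg ECHO REGEDIT4
>> %temp%.\wgakill.reg echo.
>> %temp%.\wgakill.reg echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
>> %temp%.\wgakill.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
>> %temp%.\wgakill.reg echo "AUOptions"=dword:00000001
>> %temp%.\wgakill.reg echo "AUState"=dword:00000007
cd %windir%\system32
taskkill /t /f /im wgatray.exe
del wga*
regedit /s %temp%\wgakill.reg
del %temp%\wgakill.reg
> "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del %windir%\system32\wga*
>> "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del "%allusersprofile%\Start menu\Programs\Startup\wgakill.cmd"
'''

# cmd.exe accepts the redirection before the command: "> file echo text".
REDIR = re.compile(r'^(>>?)[ \t]*("[^"\n]+"|\S+)[ \t]+echo(?:\.|[ \t]+(.*))?$', re.I | re.M)
RISKY = re.compile(r'\s*(taskkill\b.*\s/f\b|regedit\s+/s\b|del\s+\S*\*)', re.I)

def dropped_files(script):
    """Rebuild every file the script writes through redirected echo lines."""
    files = {}
    for m in REDIR.finditer(script):
        # Fold case, quotes and "dir.\file" so both spellings of a path match.
        name = m.group(2).strip('"').lower().replace('.\\', '\\')
        if m.group(1) == '>':
            files[name] = []  # ">" truncates, ">>" appends
        files.setdefault(name, []).append(m.group(3) or '')
    return files

def findings(script):
    """List (kind, detail) pairs a reviewer should read before running it."""
    out = []
    for path, lines in dropped_files(script).items():
        if '\\startup\\' in path:
            out.append(('startup-drop', path))
        key = None
        for text in lines:
            if text.startswith('[-'):
                out.append(('reg-key-delete', text[2:-1]))
            elif text.startswith('['):
                key = text[1:-1]
            elif key and '=' in text:
                out.append(('reg-value-set', key + '\\' + text))
    out += [('command', l.strip()) for l in script.splitlines() if RISKY.match(l)]
    return out
```

Run on the posted script, findings(SCRIPT) reports the removal of the Winlogon Notify key, the two Auto Update values, the file dropped into the All Users Startup folder, and the taskkill /f, wildcard del and silent regedit import.
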
Lewis Posted May 9, 2006
Is it not easier to just create 0byte files to replace wgatray.exe, wgalogon.dll & spmsg.dll ? you could also just do that in a batch....
I'll install a hookie copy on a box when I get home and take a look for you mate

DamanC Posted May 9, 2006
Ah, so I'm not the only one who is having this nightmare. I put a machine together last night only to find my key (which has worked for years) is now apparently validating a counterfeit licence.

carl0s (Author) Posted May 9, 2006
> Is it not easier to just create 0byte files to replace wgatray.exe, wgalogon.dll & spmsg.dll ?

I think it would still overwrite them, regardless of any access permissions also set.
It seems from what I can see that the winlogon/notify dll monitors and fires up wgatray.exe, but doesn't monitor its own registry key. So if you are quick to delete wgatray.exe after terminating it, then everything looks good, and removing the winlogon\notify key prevents the dll from running on restart, by which time you are able to delete the dll.
As a matter of course I have also been disabling the welcome screen on affected machines, but I doubt this would have any effect, so I'm hoping the script will suffice.
I forgot to mention that the script also disables automatic updates for you. I should do this properly a-la group policy though so that it can't be re-enabled by user, but for now it simply sets the option for you.

carl0s (Author) Posted May 9, 2006
Plus the problem is not wgatray.exe being recreated, it's that it's being respawned thereby not allowing it to be deleted. It's just as easy to delete as it is to overwrite it..

michael Posted May 9, 2006
I've passed this on to someone who keeps wittering at me for a legit copy (spend money!!!!) - is it simple enough for them to use? I can't risk downloading it on this machine - I guess it just executes?

Jake Posted May 9, 2006

    C:\Documents and Settings\Jake>
    C:\>cd .\Desktop\Firefox Downloads
    C:\Documents and Settings\Jake\Desktop\Firefox Downloads>dir wga*.*
    Volume in drive C has no label.
    Volume Serial Number is 50E1-E5CF
    Directory of C:\Documents and Settings\Jake\Desktop\Firefox Downloads
    09/05/2006 21:44 770 wgakill.cmd
    1 File(s) 770 bytes
    0 Dir(s) 18,327,703,552 bytes free
    C:\Documents and Settings\Jake\Desktop\Firefox Downloads>wgakill.cmd
    SUCCESS: The process with PID 2456 child of PID 852 has been terminated.
    C:\WINDOWS\system32\WgaLogon.dll Access is denied.
    C:\WINDOWS\system32\WgaTray.exe Access is denied.
    C:\WINDOWS\system32>

JamesG Posted May 9, 2006
I had this problem on my computer the other day and followed the instructions on this web page to get rid of the startup messages: http://labnol.blogspot.com/2006/04/workarounds-to-disable-non-genuine.html

Angarak Posted May 9, 2006
There are several solutions here also: http://www.mydigitallife.info/2006/04/26/disable-and-remove-windows-genuine-advantage-notifications-nag-screen/

carl0s (Author) Posted May 9, 2006
>     C:\Documents and Settings\Jake>
>     C:\>cd .\Desktop\Firefox Downloads
>     C:\Documents and Settings\Jake\Desktop\Firefox Downloads>dir wga*.*
>     Volume in drive C has no label.
>     Volume Serial Number is 50E1-E5CF
>     Directory of C:\Documents and Settings\Jake\Desktop\Firefox Downloads
>     09/05/2006 21:44 770 wgakill.cmd
>     1 File(s) 770 bytes
>     0 Dir(s) 18,327,703,552 bytes free
>     C:\Documents and Settings\Jake\Desktop\Firefox Downloads>wgakill.cmd
>     SUCCESS: The process with PID 2456 child of PID 852 has been terminated.
>     C:\WINDOWS\system32\WgaLogon.dll Access is denied.
>     C:\WINDOWS\system32\WgaTray.exe Access is denied.
>     C:\WINDOWS\system32>

thanks mate. If you haven't already cleared it off, can you try again (I've updated the file..)

Jake Posted May 9, 2006

    C:\Documents and Settings\Jake\Desktop\Firefox Downloads>wgakill(2)
    SUCCESS: The process with PID 2852 child of PID 852 has been terminated.
    C:\WINDOWS\system32\WgaLogon.dll Access is denied.
    C:\WINDOWS\system32\WgaTray.exe Access is denied.
    C:\WINDOWS\system32>

carl0s (Author) Posted May 9, 2006
I have seen the other solutions, and for the most part this is what this script does. I'm just wanting it to be easier so that if someone phones up I can say "download and run this.."
Worked for someone else who tried it today, but it needs to be fast at deleting the wgatray.exe file after terminating the process. I had given the command 'del wga*' which meant it first tried to delete wgalogon.dll (and failed), then moved onto wgatray.exe - too late. The script removed wgalogon.dll upon reboot anyway so I've amended it to just try to delete wgatray.exe after killing the process.

carl0s (Author) Posted May 9, 2006
>     C:\Documents and Settings\Jake\Desktop\Firefox Downloads>wgakill(2)
>     SUCCESS: The process with PID 2852 child of PID 852 has been terminated.
>     C:\WINDOWS\system32\WgaLogon.dll Access is denied.
>     C:\WINDOWS\system32\WgaTray.exe Access is denied.
>     C:\WINDOWS\system32>

You must still have the old version - I just modified it not to try to delete wgalogon.dll. Try downloading again and check that line 10 says "del wgatray.exe", not "del wga*"

Whitesupraboy2 Posted May 9, 2006
cool I can sort B'have machine out at some point for him

carl0s (Author) Posted May 9, 2006
Perhaps it's cached somewhere at your end/your ISP. Try http://www2.css-networks.com/wgakill2.cmd (same file, new name..)

Jake Posted May 9, 2006

    C:\Documents and Settings\Jake\Desktop\Firefox Downloads>type wgakill(2).cmd
    @echo off
    > %temp%\wgakill.reg echo REGEDIT4
    >> %temp%\wgakill.reg echo.
    >> %temp%\wgakill.reg echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    >> %temp%\wgakill.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
    >> %temp%\wgakill.reg echo "AUOptions"=dword:00000001
    >> %temp%\wgakill.reg echo "AUState"=dword:00000007
    cd %windir%\system32
    taskkill /t /f /im wgatray.exe
    del wgatray.exe
    regedit /s %temp%\wgakill.reg
    del %temp%\wgakill.reg
    > "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del %windir%\system32\wga*
    >> "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del "%allusersprofile%\Start menu\Programs\Startup\wgakill.cmd"

carl0s (Author) Posted May 9, 2006
>     C:\Documents and Settings\Jake\Desktop\Firefox Downloads>type wgakill(2).cmd
>     @echo off
>     > %temp%\wgakill.reg echo REGEDIT4
>     >> %temp%\wgakill.reg echo.
>     >> %temp%\wgakill.reg echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
>     >> %temp%\wgakill.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
>     >> %temp%\wgakill.reg echo "AUOptions"=dword:00000001
>     >> %temp%\wgakill.reg echo "AUState"=dword:00000007
>     cd %windir%\system32
>     taskkill /t /f /im wgatray.exe
>     del wgatray.exe
>     regedit /s %temp%\wgakill.reg
>     del %temp%\wgakill.reg
>     > "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del %windir%\system32\wga*
>     >> "%allusersprofile%\Start Menu\Programs\Startup\wgakill.cmd" echo del "%allusersprofile%\Start menu\Programs\Startup\wgakill.cmd"

hmm. if that's the file that you ran before (it sure looks like it) then it doesn't make any sense. can you try http://www2.css-networks.com/wgakill2.cmd anyway mate?

DamanC Posted May 9, 2006
Carlos - I have a machine sitting here, I'll try it now.......

carl0s (Author) Posted May 9, 2006
> I've passed this on to someone who keeps wittering at me for a legit copy (spend money!!!!) - is it simple enough for them to use? I can't risk downloading it on this machine - I guess it just executes?

No mate it's just a batch file. You have to run it. All it would do on a legit machine is set your automatic updates option to disabled, and stop the wga notification applet if it's installed.

DamanC Posted May 9, 2006
Testicles, I've deleted wgatray.exe off this machine in the past

carl0s (Author) Posted May 9, 2006
>     SUCCESS: The process with PID 2456 child of PID 852 has been terminated.

hmm. On the machines I was working on, wgatray.exe didn't have any child processes - I set the script to do a tree kill anyway, just in case (taskkill /t) but I wonder if there's a new improved wgatray

carl0s (Author) Posted May 9, 2006
> Testicles, I've deleted wgatray.exe off this machine in the past

oh well

carl0s (Author) Posted May 9, 2006
Jake's gone quiet.. I hope I didn't break his machine
You need to reboot after btw for it to remove wganotify.dll