A Little Something Extra

So I may or may not have bought a new laptop recently, and it may or may not have been a Lenovo.

tl;dr: It was a Lenovo, and there are some things you might want to uninstall from your Lenovo.

I'm kind of in awe of how sneaky these guys are, in terms of the stuff they preinstalled on the system. Some of it appears to be straight-up spyware (otherwise known as "user-experience enhancement" software) of some sort, and I'm trying to figure out what these programs do before I wipe them off the system.

Note: I made sure not to use any of my internet passwords or internet services before I had a chance to take a closer look at the three programs in particular, which I do not trust. I'm also writing this blog post from the new laptop only after uninstalling the programs.

The three programs are:

  1. CCSDK
  2. GDCAgentSetupRed
  3. UESDK

All three programs come preinstalled, and survived the upgrade from Windows 8.1 with Bing to Windows 10. All three programs are written by Lenovo. None of the programs are described openly by Lenovo. So that's minus points for transparency already.

CCSDK

The CCSDK has a log file folder, CCSDK\log, which seems to gain a log file every time you restart the computer.

Directory of C:\Program Files (x86)\Lenovo\CCSDK\log

08/24/2015  10:01 AM              .
08/24/2015  10:01 AM              ..
08/24/2015  12:06 AM             5,724 20150823-181332.4660
08/24/2015  09:58 AM             4,107 20150824-013917.2528
08/24/2015  10:01 AM               232 20150824-100129.6808
08/23/2015  06:11 PM               318 20150824-100755.2712
               4 File(s)         10,381 bytes
               2 Dir(s)  13,565,394,944 bytes free

Let's look at the contents of 20150824-013917.2528. Oh, that's nice, it's reporting something to someone, somewhere:

Log file created at: 2015/08/24 01:39:17
Running on machine: LENOVO-PC
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I0824 01:39:17.641916   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x0
I0824 01:39:17.641916   556 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 1008
I0824 09:28:15.962294   556 ServiceWrapper.cpp:347] user selected:.
I0824 09:28:15.962294   556 ServiceWrapper.cpp:357] user has agreed the UE plan.
I0824 09:28:15.962294   556 ServiceWrapper.cpp:201] Initilizing data cache:
I0824 09:28:15.962294   556 ServiceWrapper.cpp:207] Starting worker service...
I0824 09:28:15.962294   556 Service.cpp:464] Worker service start status: 0, active status: 1
I0824 09:28:15.962294   556 Service.cpp:515] UE agreement: 1
I0824 09:28:16.915457  2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 262
I0824 09:28:17.212349  2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 275
I0824 09:28:17.212349  2920 ActiveChecking.cpp:79] start to check active from server.
I0824 09:28:17.212349  2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0824 09:28:36.322564   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0824 09:28:36.478818   556 Service.cpp:422] Last disk info send time: 1440371634
I0824 09:28:36.478818   556 Service.cpp:383] Last dump code send time:
I0824 09:28:37.369484  4296 ServiceEventHandler.cpp:675] starting WinGather...
I0824 09:28:37.369484  4296 ServiceEventHandler.cpp:724] Start to checking user logging for starting CCSDKWing. command: "C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe" 1 1 1 1
I0824 09:28:37.385109  4296 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0824 09:28:37.400734   556 Service.cpp:635] Yoga monitor started.
I0824 09:28:38.838296   556 Service.cpp:691] system on.
I0824 09:28:38.916426   556 Service.cpp:700] usb list event.
I0824 09:28:38.916426   556 Service.cpp:713] camera event.
I0824 09:28:38.916426   556 Service.cpp:725] speaker event.
I0824 09:28:39.088310   556 Service.cpp:735] install software event.
I0824 09:28:39.119560   556 Service.cpp:748] cpu memory event.
I0824 09:28:39.119560   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0824 09:28:39.119560   556 ServerAddress.cpp:147] Test server status: 1
I0824 09:28:39.182066  4316 FlexMode.cpp:76] flex mode monitor thread stoped.
I0824 09:28:39.541457   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 351
I0824 09:28:39.916472   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 356
I0824 09:28:40.275861   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 359
I0824 09:28:40.400866   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76
I0824 09:28:40.447743  4296 ServiceEventHandler.cpp:738] CCSDKWing started.
I0824 09:28:40.478996   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 73
I0824 09:28:40.557126   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 78
I0824 09:28:40.729006   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74
I0824 09:28:40.854012   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75
I0824 09:28:40.947764   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76
I0824 09:28:41.166530   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75
I0824 09:28:41.244652   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74
I0824 09:28:41.244652   556 Service.cpp:92] device information status:
I0824 09:28:57.839133   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0824 09:28:58.042268   556 WinhttpProxyClient.cpp:782] crack host: 54.215.241.186, 80, /cic/server/pc
I0824 09:28:58.329040   556 Service.cpp:189] set device information send success status: 1
I0824 09:28:58.375915   556 Service.cpp:764] device information finished.
I0824 09:48:20.072934  2920 ActiveChecking.cpp:79] start to check active from server.
I0824 09:48:20.072934  2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
[...]

I wonder what WinGather.exe is, what it gathers, and what it sends.

GDCAgentSetupRed

The GDCAgentSetupRed app has a log file folder, GDCAgentSetupRed\log, which seems to gain a log file every time you restart the computer.

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed\log

08/24/2015  10:01 AM              .
08/24/2015  10:01 AM              ..
06/05/2015  02:03 PM               680 20150605-103724.1808
08/23/2015  11:58 PM             9,530 20150823-181345.4688
08/24/2015  09:48 AM             2,226 20150824-013939.1004
08/24/2015  10:01 AM               213 20150824-100132.7076
               4 File(s)         12,649 bytes
               2 Dir(s)  13,564,915,712 bytes free

20150823-181345.4688 looks like this, and the other files look similar:

Log file created at: 2015/08/23 18:13:45
Running on machine: LENOVO-PC
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I0823 18:13:45.257730  4756 ServiceWrapper.cpp:276] user has agreed the UE plan.
I0823 18:13:45.257730  4864 ActiveChecking.cpp:99] start to check active from server.
I0823 18:13:45.257730  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0823 18:13:46.210901  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0823 18:13:49.664186  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0823 18:13:49.664186  4864 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 5
I0823 18:13:49.664186  4864 ServiceWrapper.cpp:190] Initilizing ...:
I0823 18:13:49.664186  4864 ServiceWrapper.cpp:196] Starting worker service...
I0823 18:13:49.664186  4864 Service.cpp:383] Worker service start status: 0, active status: 1
I0823 18:13:49.664186  4864 Service.cpp:432] active directory setting: .
I0823 18:13:49.664186  4864 Service.cpp:455] UE agreement: 1
I0823 18:13:49.664186  4864 Service.cpp:465] http server thread started!
I0823 18:13:49.664186  4864 Service.cpp:477] data sender thread started!
I0823 18:13:49.664186  4864 Service.cpp:66] device information status:
I0823 18:13:49.679815  4892 DataSender.cpp:206] Data sender thread is running..... :
I0823 18:13:49.679815  4892 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0823 18:13:49.679815  4892 DataSender.cpp:76] Nation : United States
I0823 18:13:49.789193  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 80
I0823 18:13:49.867321  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73
I0823 18:13:49.945449  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73
I0823 18:13:49.945449  4892 DataSender.cpp:83] serverdomain : mus.lenovo.com.cn
I0823 18:13:49.945449  4892 DataSender.cpp:84] serverurl : http://54.215.241.186/cic/reaper
I0823 18:13:50.023578  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 82
I0823 18:13:50.101706  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73
I0823 18:13:56.695768  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1
I0823 18:13:56.695768  4864 WinhttpProxyClient.cpp:727] crack host: mcn.lenovo.com.cn, 80, /cic/config/device/info.do
I0823 18:13:59.086506  4864 Service.cpp:215] set device information send success status: 1
I0823 18:13:59.086506  4864 Service.cpp:488] device information finished.
I0823 18:33:50.185498  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 83
I0823 18:33:50.277794  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 88
[...]

Question: What is it telling the Lenovo server, and why?

I'm not sure what the answer to this is, as I didn't get a chance to run Wireshark against the programs before uninstalling them. Also, I noticed that CCleaner removed some files related to Lenovo from the Windows Temp folder, but I forgot to check there after uninstalling the Lenovo apps.
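Short of a packet capture, the logs themselves answer at least part of that question: both the CCSDK log and the GDCAgentSetupRed log above use the same glog-style line format that their own header line documents (`[IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg`), and the messages name every host pinged, every HTTP endpoint assembled, and the helper binary launched. The script below is an added example for this post, not code from the post or from Lenovo's software. It parses that line format and collects the remote hosts, HTTP endpoints, server URLs, and spawned commands. The sample lines are a constructed subset copied from the two logs quoted above, and the message patterns it looks for (`ping for`, `crack host:`, `serverdomain :`, `serverurl :`, `command:`) are an assumption based only on the wordings seen in those excerpts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the CCSDK and
# GDCAgentSetupRed log excerpts quoted in the post, plus the header lines.
SAMPLE_LOG = r"""Log file created at: 2015/08/24 01:39:17
Running on machine: LENOVO-PC
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I0824 09:28:16.915457  2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 262
I0824 09:28:37.369484  4296 ServiceEventHandler.cpp:724] Start to checking user logging for starting CCSDKWing. command: "C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe" 1 1 1 1
I0824 09:28:40.400866   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76
I0824 09:28:58.042268   556 WinhttpProxyClient.cpp:782] crack host: 54.215.241.186, 80, /cic/server/pc
I0823 18:13:49.945449  4892 DataSender.cpp:83] serverdomain : mus.lenovo.com.cn
I0823 18:13:49.945449  4892 DataSender.cpp:84] serverurl : http://54.215.241.186/cic/reaper
I0823 18:13:56.695768  4864 WinhttpProxyClient.cpp:727] crack host: mcn.lenovo.com.cn, 80, /cic/config/device/info.do
[...]
"""

# One glog-style record: level, month, day, time, thread id, source file:line, message.
LINE_RE = re.compile(
    r'^(?P<level>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) '
    r'(?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+(?P<tid>\d+) '
    r'(?P<file>[^:\]]+):(?P<lineno>\d+)\] (?P<msg>.*)$'
)

# Message patterns, assumed from the wordings seen in the quoted logs.
PING_RE = re.compile(r'ping for (\S+) round trip')
HOST_RE = re.compile(r'crack host: ([^,]+), (\d+), (\S+)')
DOMAIN_RE = re.compile(r'serverdomain : (\S+)')
URL_RE = re.compile(r'serverurl : (\S+)')
EXEC_RE = re.compile(r'command: "([^"]+)"')


def parse_line(line):
    """Return the record fields for a glog-style line, or None for header/other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_indicators(text):
    """Collect remote hosts, HTTP endpoints, server URLs and spawned commands from a log."""
    out = {"hosts": set(), "http": set(), "urls": set(), "commands": set()}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # header lines, "[...]" markers, blank lines
        msg = rec["msg"]
        m = PING_RE.search(msg)
        if m:
            out["hosts"].add(m.group(1))
        m = HOST_RE.search(msg)
        if m:
            host, port, path = m.groups()
            out["hosts"].add(host)
            out["http"].add((host, int(port), path))
        m = DOMAIN_RE.search(msg)
        if m:
            out["hosts"].add(m.group(1))
        m = URL_RE.search(msg)
        if m:
            url = m.group(1)
            out["urls"].add(url)
            host = urlparse(url).hostname
            if host:
                out["hosts"].add(host)
        m = EXEC_RE.search(msg)
        if m:
            out["commands"].add(m.group(1))
    return out


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_LOG)
    for key in ("hosts", "http", "urls", "commands"):
        print(f"{key}:")
        for item in sorted(found[key], key=str):
            print(f"  {item}")
```

Run against a full log folder rather than this excerpt, the host and endpoint sets are the starting list for an egress-firewall rule or a proxy-log search, and the command set tells you which helper binaries (here WinGather.exe) are worth pulling into a sandbox before the software is removed.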

Additionally, two files are regularly updated in the GDCAgentSetupRed folder, database.db and sendlog.txt:

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed

08/24/2015  10:45 AM              .
08/24/2015  10:45 AM              ..
06/05/2015  02:03 PM           525,752 AutoUpdateModule.exe
08/24/2015  10:45 AM            29,696 database.db
06/05/2015  02:03 PM           193,976 DatabaseFileProcess.exe
06/05/2015  02:03 PM         1,115,064 GDCAgent.exe
08/24/2015  10:01 AM              log
06/05/2015  02:03 PM           174,520 RegClean.exe
08/23/2015  11:58 PM               756 sendlog.txt
06/05/2015  02:03 PM             5,823 unins000.dat
06/05/2015  02:03 PM           718,497 unins000.exe
11/27/2014  01:01 PM                 0 updateSQL.txt
               9 File(s)      2,764,084 bytes
               3 Dir(s)  13,459,546,112 bytes free

Let's take a look at sendlog.txt. Oh look, it's filled with timestamps. That's nice. I'm glad to know our Chinese overlords are aware of when I'm using my laptop:

2015-08-23 18:34:54
2015-08-23 18:35:58
2015-08-23 21:15:10
2015-08-23 21:16:14
2015-08-23 21:37:26
2015-08-23 21:38:30
2015-08-23 21:39:34
2015-08-23 22:00:39
2015-08-23 22:01:43
2015-08-23 22:02:47
2015-08-23 22:03:51
2015-08-23 22:24:55
2015-08-23 22:25:59
2015-08-23 22:27:03
2015-08-23 22:28:07
2015-08-23 22:49:11
2015-08-23 22:50:15
2015-08-23 22:51:19
2015-08-23 22:52:23
2015-08-23 22:53:27
2015-08-23 23:14:31
2015-08-23 23:15:35
2015-08-23 23:16:39
2015-08-23 23:17:43
2015-08-23 23:18:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
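One thing a list like this gives away even without a packet capture is the cadence: how closely spaced the sends are and whether there is a fixed quiet period between them. The script below is an added example for this post, not code from the post or from Lenovo's software. It parses the timestamps above (copied verbatim as a constructed sample), counts the gaps between consecutive entries, groups entries into bursts, and reports the quiet period between bursts. The five-minute burst threshold is an arbitrary assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the sendlog.txt timestamps quoted in the post, copied verbatim.
SENDLOG = """
2015-08-23 18:34:54
2015-08-23 18:35:58
2015-08-23 21:15:10
2015-08-23 21:16:14
2015-08-23 21:37:26
2015-08-23 21:38:30
2015-08-23 21:39:34
2015-08-23 22:00:39
2015-08-23 22:01:43
2015-08-23 22:02:47
2015-08-23 22:03:51
2015-08-23 22:24:55
2015-08-23 22:25:59
2015-08-23 22:27:03
2015-08-23 22:28:07
2015-08-23 22:49:11
2015-08-23 22:50:15
2015-08-23 22:51:19
2015-08-23 22:52:23
2015-08-23 22:53:27
2015-08-23 23:14:31
2015-08-23 23:15:35
2015-08-23 23:16:39
2015-08-23 23:17:43
2015-08-23 23:18:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:38:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
2015-08-23 23:58:47
"""


def parse_sendlog(text):
    """Parse one 'YYYY-MM-DD HH:MM:SS' timestamp per non-blank line, in file order."""
    return [datetime.strptime(line.strip(), "%Y-%m-%d %H:%M:%S")
            for line in text.splitlines() if line.strip()]


def interval_counts(times):
    """Histogram of the gaps, in whole seconds, between consecutive entries."""
    return Counter(int((b - a).total_seconds()) for a, b in zip(times, times[1:]))


def dominant_interval(times):
    """Most common non-zero gap: the spacing of sends inside a burst."""
    nonzero = {gap: n for gap, n in interval_counts(times).items() if gap > 0}
    return max(nonzero, key=nonzero.get) if nonzero else None


def find_bursts(times, gap=300):
    """Group entries so that consecutive members are at most `gap` seconds apart (assumed threshold)."""
    bursts = []
    for t in times:
        if bursts and (t - bursts[-1][-1]).total_seconds() <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def quiet_periods(bursts):
    """Seconds from the last entry of one burst to the first entry of the next."""
    return [int((nxt[0] - cur[-1]).total_seconds()) for cur, nxt in zip(bursts, bursts[1:])]


if __name__ == "__main__":
    times = parse_sendlog(SENDLOG)
    bursts = find_bursts(times)
    print(f"{len(times)} sends in {len(bursts)} bursts")
    print(f"spacing inside bursts: {dominant_interval(times)} s")
    print(f"quiet periods between bursts: {quiet_periods(bursts)}")
```

On the values above it finds a 64-second spacing inside bursts and a quiet period of 1264 seconds (about 21 minutes) between most bursts, dropping to 1200 seconds for the last two, where the entries also collapse to identical timestamps. A regular cadence like that is the signature to look for in proxy or firewall logs once the software is gone, to confirm nothing else is still sending on the same schedule.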

Let's take a look at database.db; maybe it's in a standard format we can decipher. I tried using SQLite Database Browser, but it doesn't recognize the file format. If someone has a better idea on how to crack this file, get in touch with me, and I'll send it to you. Who knows, maybe you'll get my admin password (which would suck), but then if it's in there, we all have much bigger problems.

UESDK

UESDK\uehelper.log

Directory of C:\Program Files (x86)\Lenovo\UESDK

08/24/2015  07:48 AM              .
08/24/2015  07:48 AM              ..
08/24/2015  07:48 AM               154 uehelper.log
06/05/2015  02:03 PM           329,688 UESDK.exe
06/05/2015  02:03 PM             3,713 unins000.dat
06/05/2015  02:03 PM           718,497 unins000.exe
               4 File(s)      1,052,052 bytes
               2 Dir(s)  13,564,915,712 bytes free

UESDK doesn't have a log file folder, but it does have uehelper.log, which looks like this:

10
32

















M-80M4002DUS
------------------6AF0761C------
United States






2015-06-05 11:06:44:411
United States
2015-08-24 07:48:11:361

The 80M4002DUS identifies what model of laptop I bought, which the astute reader could google easily enough. (Admittedly, it's not a bad little laptop for the money, either.)

The row with dashes actually seems to be some kind of unique identifier, and there were a lot more digits in there, which I've blanked out for obvious reasons. I'm not sure how the identifier is formed; I checked the network MAC addresses, but it doesn't seem to be using those.

The 2015-06-05 11:06:44:411 timestamp was the time of manufacture / initial power-on date for the machine. This matches up nicely with the identifiers on the shipping box that indicated a ship date of 2015-06-08.

The 2015-08-24 07:48:11:361 timestamp matches up with the start of the current Windows login session.

Network Sockets

The GDCAgent.exe program listens for connections on localhost port 31752. I'm not sure what exactly it does with this open port, though:

[Image: lenovo-currports-2]

Process Explorer

Digging into the process tree on the system reveals that Lenovo's three programs run with pretty high privileges.

[Image: lenovo-proc-explorer-1]

Programs like these can do just about anything they want to a system: restart it, shut it down, rewrite firmware, and so on. Also irritating, neither the Description column nor the Company Name column is filled in.

So what, exactly, do these programs do?

Final Thoughts

For $180 including tax, the laptop was a pretty good deal; it's only $80 more than getting a Windows license. But it's buyer beware, with these dubious pieces of software running at all times on the system.

After uninstalling all of the Lenovo preinstalled software, I noticed no difference in the functionality of the laptop. The volume up / volume down function keys and the brightness up / brightness down keys worked fine. So by that logic, the extra apps that they installed perform no role but to report back to Lenovo every time you turn the computer on or off.

This is not why we buy computers.