A Little Something Extra

So I may or may not have bought a new laptop recently, and it may or may not have been a Lenovo.

tl;dr: It was a Lenovo, and there are some things you might want to uninstall from your Lenovo.

I’m kind of in awe of how sneaky these guys are, in terms of the stuff they preinstalled on the system. Some of it appears to be straight-up spyware (otherwise known as “user-experience enhancement” software) of some sort, and I’m trying to figure out what these programs do before I wipe them off the system.

Note: I made sure not to use any of my internet passwords or internet services before I had a chance to take a closer look at the three programs in particular, which I do not trust. I’m also writing this blog post from the new laptop only after uninstalling the programs.

The three programs are:

1. CCSDK
2. GDCAgentSetupRed
3. UESDK

All three programs come preinstalled, and survived the upgrade from Windows 8.1 with Bing to Windows 10. All three programs are written by Lenovo. None of the programs are described openly by Lenovo. So that’s minus points for transparency already.

CCSDK

The CCSDK has a log file folder, CCSDK\log, which seems to gain a log file every time you restart the computer.

Directory of C:\Program Files (x86)\Lenovo\CCSDK\log 08/24/2015 10:01 AM <DIR> . 08/24/2015 10:01 AM <DIR> .. 08/24/2015 12:06 AM 5,724 20150823-181332.4660 08/24/2015 09:58 AM 4,107 20150824-013917.2528 08/24/2015 10:01 AM 232 20150824-100129.6808 08/23/2015 06:11 PM 318 20150824-100755.2712 4 File(s) 10,381 bytes 2 Dir(s) 13,565,394,944 bytes free

1 2 3 4 5 6 7 8 9 10

Directory of C:\Program Files (x86)\Lenovo\CCSDK\log   08/24/2015  10:01 AM    <DIR>          . 08/24/2015  10:01 AM    <DIR>          .. 08/24/2015  12:06 AM             5,724 20150823-181332.4660 08/24/2015  09:58 AM             4,107 20150824-013917.2528 08/24/2015  10:01 AM               232 20150824-100129.6808 08/23/2015  06:11 PM               318 20150824-100755.2712                4 File(s)         10,381 bytes                2 Dir(s)  13,565,394,944 bytes free

Let’s look at the contents of 20150824-013917.2528. Oh, that’s nice, it’s reporting something to someone, somewhere:

Log file created at: 2015/08/24 01:39:17 Running on machine: LENOVO-PC Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg I0824 01:39:17.641916 556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x0 I0824 01:39:17.641916 556 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 1008 I0824 09:28:15.962294 556 ServiceWrapper.cpp:347] user selected:. I0824 09:28:15.962294 556 ServiceWrapper.cpp:357] user has agreed the UE plan. I0824 09:28:15.962294 556 ServiceWrapper.cpp:201] Initilizing data cache: I0824 09:28:15.962294 556 ServiceWrapper.cpp:207] Starting worker service... I0824 09:28:15.962294 556 Service.cpp:464] Worker service start status: 0, active status: 1 I0824 09:28:15.962294 556 Service.cpp:515] UE agreement: 1 I0824 09:28:16.915457 2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 262 I0824 09:28:17.212349 2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 275 I0824 09:28:17.212349 2920 ActiveChecking.cpp:79] start to check active from server. I0824 09:28:17.212349 2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:36.322564 556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:36.478818 556 Service.cpp:422] Last disk info send time: 1440371634 I0824 09:28:36.478818 556 Service.cpp:383] Last dump code send time: I0824 09:28:37.369484 4296 ServiceEventHandler.cpp:675] starting WinGather... I0824 09:28:37.369484 4296 ServiceEventHandler.cpp:724] Start to checking user logging for starting CCSDKWing. command: "C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe" 1 1 1 1 I0824 09:28:37.385109 4296 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:37.400734 556 Service.cpp:635] Yoga monitor started. I0824 09:28:38.838296 556 Service.cpp:691] system on. I0824 09:28:38.916426 556 Service.cpp:700] usb list event. I0824 09:28:38.916426 556 Service.cpp:713] camera event. I0824 09:28:38.916426 556 Service.cpp:725] speaker event. I0824 09:28:39.088310 556 Service.cpp:735] install software event. I0824 09:28:39.119560 556 Service.cpp:748] cpu memory event. I0824 09:28:39.119560 556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:39.119560 556 ServerAddress.cpp:147] Test server status: 1 I0824 09:28:39.182066 4316 FlexMode.cpp:76] flex mode monitor thread stoped. I0824 09:28:39.541457 556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 351 I0824 09:28:39.916472 556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 356 I0824 09:28:40.275861 556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 359 I0824 09:28:40.400866 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76 I0824 09:28:40.447743 4296 ServiceEventHandler.cpp:738] CCSDKWing started. I0824 09:28:40.478996 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 73 I0824 09:28:40.557126 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 78 I0824 09:28:40.729006 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74 I0824 09:28:40.854012 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75 I0824 09:28:40.947764 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76 I0824 09:28:41.166530 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75 I0824 09:28:41.244652 556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74 I0824 09:28:41.244652 556 Service.cpp:92] device information status: I0824 09:28:57.839133 556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:58.042268 556 WinhttpProxyClient.cpp:782] crack host: 54.215.241.186, 80, /cic/server/pc I0824 09:28:58.329040 556 Service.cpp:189] set device information send success status: 1 I0824 09:28:58.375915 556 Service.cpp:764] device information finished. I0824 09:48:20.072934 2920 ActiveChecking.cpp:79] start to check active from server. I0824 09:48:20.072934 2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 [...]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

Log file created at: 2015/08/24 01:39:17 Running on machine: LENOVO-PC Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg I0824 01:39:17.641916   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x0 I0824 01:39:17.641916   556 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 1008 I0824 09:28:15.962294   556 ServiceWrapper.cpp:347] user selected:. I0824 09:28:15.962294   556 ServiceWrapper.cpp:357] user has agreed the UE plan. I0824 09:28:15.962294   556 ServiceWrapper.cpp:201] Initilizing data cache: I0824 09:28:15.962294   556 ServiceWrapper.cpp:207] Starting worker service... I0824 09:28:15.962294   556 Service.cpp:464] Worker service start status: 0, active status: 1 I0824 09:28:15.962294   556 Service.cpp:515] UE agreement: 1 I0824 09:28:16.915457  2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 262 I0824 09:28:17.212349  2920 ServerAddress.cpp:52] ping for 223.202.62.231 round trip: 275 I0824 09:28:17.212349  2920 ActiveChecking.cpp:79] start to check active from server. I0824 09:28:17.212349  2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:36.322564   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:36.478818   556 Service.cpp:422] Last disk info send time: 1440371634 I0824 09:28:36.478818   556 Service.cpp:383] Last dump code send time: I0824 09:28:37.369484  4296 ServiceEventHandler.cpp:675] starting WinGather... I0824 09:28:37.369484  4296 ServiceEventHandler.cpp:724] Start to checking user logging for starting CCSDKWing. command: "C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe" 1 1 1 1 I0824 09:28:37.385109  4296 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:37.400734   556 Service.cpp:635] Yoga monitor started. I0824 09:28:38.838296   556 Service.cpp:691] system on. I0824 09:28:38.916426   556 Service.cpp:700] usb list event. I0824 09:28:38.916426   556 Service.cpp:713] camera event. I0824 09:28:38.916426   556 Service.cpp:725] speaker event. I0824 09:28:39.088310   556 Service.cpp:735] install software event. I0824 09:28:39.119560   556 Service.cpp:748] cpu memory event. I0824 09:28:39.119560   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:39.119560   556 ServerAddress.cpp:147] Test server status: 1 I0824 09:28:39.182066  4316 FlexMode.cpp:76] flex mode monitor thread stoped. I0824 09:28:39.541457   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 351 I0824 09:28:39.916472   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 356 I0824 09:28:40.275861   556 ServerAddress.cpp:52] ping for 223.202.62.234 round trip: 359 I0824 09:28:40.400866   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76 I0824 09:28:40.447743  4296 ServiceEventHandler.cpp:738] CCSDKWing started. I0824 09:28:40.478996   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 73 I0824 09:28:40.557126   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 78 I0824 09:28:40.729006   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74 I0824 09:28:40.854012   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75 I0824 09:28:40.947764   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 76 I0824 09:28:41.166530   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 75 I0824 09:28:41.244652   556 ServerAddress.cpp:52] ping for 54.215.241.186 round trip: 74 I0824 09:28:41.244652   556 Service.cpp:92] device information status: I0824 09:28:57.839133   556 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0824 09:28:58.042268   556 WinhttpProxyClient.cpp:782] crack host: 54.215.241.186, 80, /cic/server/pc I0824 09:28:58.329040   556 Service.cpp:189] set device information send success status: 1 I0824 09:28:58.375915   556 Service.cpp:764] device information finished. I0824 09:48:20.072934  2920 ActiveChecking.cpp:79] start to check active from server. I0824 09:48:20.072934  2920 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 [...]

I wonder what WinGather.exe is, what it gathers, and what it sends.

GDCAgentSetupRed

The GDCAgentSetupRed app has a log file folder, GDCAgentSetupRed\log, which seems to gain a log file every time you restart the computer.

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed\log 08/24/2015 10:01 AM <DIR> . 08/24/2015 10:01 AM <DIR> .. 06/05/2015 02:03 PM 680 20150605-103724.1808 08/23/2015 11:58 PM 9,530 20150823-181345.4688 08/24/2015 09:48 AM 2,226 20150824-013939.1004 08/24/2015 10:01 AM 213 20150824-100132.7076 4 File(s) 12,649 bytes 2 Dir(s) 13,564,915,712 bytes free

1 2 3 4 5 6 7 8 9 10

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed\log   08/24/2015  10:01 AM    <DIR>          . 08/24/2015  10:01 AM    <DIR>          .. 06/05/2015  02:03 PM               680 20150605-103724.1808 08/23/2015  11:58 PM             9,530 20150823-181345.4688 08/24/2015  09:48 AM             2,226 20150824-013939.1004 08/24/2015  10:01 AM               213 20150824-100132.7076                4 File(s)         12,649 bytes                2 Dir(s)  13,564,915,712 bytes free

20150823-181345.4688 looks like this, and the other files look similar:

Log file created at: 2015/08/23 18:13:45 Running on machine: LENOVO-PC Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg I0823 18:13:45.257730 4756 ServiceWrapper.cpp:276] user has agreed the UE plan. I0823 18:13:45.257730 4864 ActiveChecking.cpp:99] start to check active from server. I0823 18:13:45.257730 4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:46.210901 4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.664186 4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.664186 4864 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 5 I0823 18:13:49.664186 4864 ServiceWrapper.cpp:190] Initilizing ...: I0823 18:13:49.664186 4864 ServiceWrapper.cpp:196] Starting worker service... I0823 18:13:49.664186 4864 Service.cpp:383] Worker service start status: 0, active status: 1 I0823 18:13:49.664186 4864 Service.cpp:432] active directory setting: . I0823 18:13:49.664186 4864 Service.cpp:455] UE agreement: 1 I0823 18:13:49.664186 4864 Service.cpp:465] http server thread started! I0823 18:13:49.664186 4864 Service.cpp:477] data sender thread started! I0823 18:13:49.664186 4864 Service.cpp:66] device information status: I0823 18:13:49.679815 4892 DataSender.cpp:206] Data sender thread is running..... : I0823 18:13:49.679815 4892 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.679815 4892 DataSender.cpp:76] Nation : United States I0823 18:13:49.789193 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 80 I0823 18:13:49.867321 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:49.945449 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:49.945449 4892 DataSender.cpp:83] serverdomain : mus.lenovo.com.cn I0823 18:13:49.945449 4892 DataSender.cpp:84] serverurl : http://54.215.241.186/cic/reaper I0823 18:13:50.023578 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 82 I0823 18:13:50.101706 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:56.695768 4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:56.695768 4864 WinhttpProxyClient.cpp:727] crack host: mcn.lenovo.com.cn, 80, /cic/config/device/info.do I0823 18:13:59.086506 4864 Service.cpp:215] set device information send success status: 1 I0823 18:13:59.086506 4864 Service.cpp:488] device information finished. I0823 18:33:50.185498 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 83 I0823 18:33:50.277794 4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 88 [...]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

Log file created at: 2015/08/23 18:13:45 Running on machine: LENOVO-PC Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg I0823 18:13:45.257730  4756 ServiceWrapper.cpp:276] user has agreed the UE plan. I0823 18:13:45.257730  4864 ActiveChecking.cpp:99] start to check active from server. I0823 18:13:45.257730  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:46.210901  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.664186  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.664186  4864 SettingsServiceApp.cpp:50] WTSQueryUserToken error: 5 I0823 18:13:49.664186  4864 ServiceWrapper.cpp:190] Initilizing ...: I0823 18:13:49.664186  4864 ServiceWrapper.cpp:196] Starting worker service... I0823 18:13:49.664186  4864 Service.cpp:383] Worker service start status: 0, active status: 1 I0823 18:13:49.664186  4864 Service.cpp:432] active directory setting: . I0823 18:13:49.664186  4864 Service.cpp:455] UE agreement: 1 I0823 18:13:49.664186  4864 Service.cpp:465] http server thread started! I0823 18:13:49.664186  4864 Service.cpp:477] data sender thread started! I0823 18:13:49.664186  4864 Service.cpp:66] device information status: I0823 18:13:49.679815  4892 DataSender.cpp:206] Data sender thread is running..... : I0823 18:13:49.679815  4892 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:49.679815  4892 DataSender.cpp:76] Nation : United States I0823 18:13:49.789193  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 80 I0823 18:13:49.867321  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:49.945449  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:49.945449  4892 DataSender.cpp:83] serverdomain : mus.lenovo.com.cn I0823 18:13:49.945449  4892 DataSender.cpp:84] serverurl : http://54.215.241.186/cic/reaper I0823 18:13:50.023578  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 82 I0823 18:13:50.101706  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 73 I0823 18:13:56.695768  4864 SettingsServiceApp.cpp:46] WTSGetActiveConsoleSessionId: 0x1 I0823 18:13:56.695768  4864 WinhttpProxyClient.cpp:727] crack host: mcn.lenovo.com.cn, 80, /cic/config/device/info.do I0823 18:13:59.086506  4864 Service.cpp:215] set device information send success status: 1 I0823 18:13:59.086506  4864 Service.cpp:488] device information finished. I0823 18:33:50.185498  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 83 I0823 18:33:50.277794  4892 ServerAddress.cpp:54] ping for 54.215.241.186 round trip: 88 [...]

Question: What is it telling the Lenovo server, and why?

I’m not sure what the answer to this is, as I didn’t get a chance to run Wireshark against the programs, before uninstalling them. Also, I noticed that Ccleaner removed some files related to Lenovo from the Windows Temp folder, but I forgot to check there after uninstalling the Lenovo apps.

Additionally, two files are regularly updated in the GDCAgentSetupRed folder, database.db and sendlog.txt:

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed 08/24/2015 10:45 AM <DIR> . 08/24/2015 10:45 AM <DIR> .. 06/05/2015 02:03 PM 525,752 AutoUpdateModule.exe 08/24/2015 10:45 AM 29,696 database.db 06/05/2015 02:03 PM 193,976 DatabaseFileProcess.exe 06/05/2015 02:03 PM 1,115,064 GDCAgent.exe 08/24/2015 10:01 AM <DIR> log 06/05/2015 02:03 PM 174,520 RegClean.exe 08/23/2015 11:58 PM 756 sendlog.txt 06/05/2015 02:03 PM 5,823 unins000.dat 06/05/2015 02:03 PM 718,497 unins000.exe 11/27/2014 01:01 PM 0 updateSQL.txt 9 File(s) 2,764,084 bytes 3 Dir(s) 13,459,546,112 bytes free

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Directory of C:\Program Files (x86)\Lenovo\GDCAgentSetupRed   08/24/2015  10:45 AM    <DIR>          . 08/24/2015  10:45 AM    <DIR>          .. 06/05/2015  02:03 PM           525,752 AutoUpdateModule.exe 08/24/2015  10:45 AM            29,696 database.db 06/05/2015  02:03 PM           193,976 DatabaseFileProcess.exe 06/05/2015  02:03 PM         1,115,064 GDCAgent.exe 08/24/2015  10:01 AM    <DIR>          log 06/05/2015  02:03 PM           174,520 RegClean.exe 08/23/2015  11:58 PM               756 sendlog.txt 06/05/2015  02:03 PM             5,823 unins000.dat 06/05/2015  02:03 PM           718,497 unins000.exe 11/27/2014  01:01 PM                 0 updateSQL.txt                9 File(s)      2,764,084 bytes                3 Dir(s)  13,459,546,112 bytes free

Let’s take a look at sendlog.txt. Oh look, it’s filled with timestamps. That’s nice. I’m glad to know our Chinese overlords are aware of when I’m using my laptop:

2015-08-23 18:34:54 2015-08-23 18:35:58 2015-08-23 21:15:10 2015-08-23 21:16:14 2015-08-23 21:37:26 2015-08-23 21:38:30 2015-08-23 21:39:34 2015-08-23 22:00:39 2015-08-23 22:01:43 2015-08-23 22:02:47 2015-08-23 22:03:51 2015-08-23 22:24:55 2015-08-23 22:25:59 2015-08-23 22:27:03 2015-08-23 22:28:07 2015-08-23 22:49:11 2015-08-23 22:50:15 2015-08-23 22:51:19 2015-08-23 22:52:23 2015-08-23 22:53:27 2015-08-23 23:14:31 2015-08-23 23:15:35 2015-08-23 23:16:39 2015-08-23 23:17:43 2015-08-23 23:18:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

2015-08-23 18:34:54 2015-08-23 18:35:58 2015-08-23 21:15:10 2015-08-23 21:16:14 2015-08-23 21:37:26 2015-08-23 21:38:30 2015-08-23 21:39:34 2015-08-23 22:00:39 2015-08-23 22:01:43 2015-08-23 22:02:47 2015-08-23 22:03:51 2015-08-23 22:24:55 2015-08-23 22:25:59 2015-08-23 22:27:03 2015-08-23 22:28:07 2015-08-23 22:49:11 2015-08-23 22:50:15 2015-08-23 22:51:19 2015-08-23 22:52:23 2015-08-23 22:53:27 2015-08-23 23:14:31 2015-08-23 23:15:35 2015-08-23 23:16:39 2015-08-23 23:17:43 2015-08-23 23:18:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:38:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47 2015-08-23 23:58:47

Let’s take a look at database.db, maybe it’s in a standard format we can decipher? I tried using SQLite Database Browser, but it doesn’t recognize the file format. If someone has a better idea on how to crack this file, get in touch with me, and I’ll send it to you. Who knows, maybe you’ll get my admin password (which would suck), but then if it’s in there, we all have much bigger problems.

UESDK

UESDK\uehelper.log

Directory of C:\Program Files (x86)\Lenovo\UESDK 08/24/2015 07:48 AM <DIR> . 08/24/2015 07:48 AM <DIR> .. 08/24/2015 07:48 AM 154 uehelper.log 06/05/2015 02:03 PM 329,688 UESDK.exe 06/05/2015 02:03 PM 3,713 unins000.dat 06/05/2015 02:03 PM 718,497 unins000.exe 4 File(s) 1,052,052 bytes 2 Dir(s) 13,564,915,712 bytes free

1 2 3 4 5 6 7 8 9 10

Directory of C:\Program Files (x86)\Lenovo\UESDK   08/24/2015  07:48 AM    <DIR>          . 08/24/2015  07:48 AM    <DIR>          .. 08/24/2015  07:48 AM               154 uehelper.log 06/05/2015  02:03 PM           329,688 UESDK.exe 06/05/2015  02:03 PM             3,713 unins000.dat 06/05/2015  02:03 PM           718,497 unins000.exe                4 File(s)      1,052,052 bytes                2 Dir(s)  13,564,915,712 bytes free

UESDK doesn’t have a log file folder, but it does have uehelper.log, which looks like this:

10 32 M-80M4002DUS ------------------6AF0761C------ United States 2015-06-05 11:06:44:411 United States 2015-08-24 07:48:11:361

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

10 32                                   M-80M4002DUS ------------------6AF0761C------ United States             2015-06-05 11:06:44:411 United States 2015-08-24 07:48:11:361

The 80M4002DUS identifies what model of laptop I bought, which the astute reader could google easily enough. (Admittedly, it’s not a bad little laptop for the money, either.)

The row with dashes actually seems to be some kind of unique identifier, and there were a lot more digits in there, which I’ve blanked out for obvious reasons. I’m not sure how the identifier is formed, I checked the network MAC addresses, but it doesn’t seem to be using those.

The 2015-06-05 11:06:44:411 timestamp was the time of manufacture / initial power-on date for the machine. This matches up nicely with the identifiers on the shipping box that indicated a ship date of 2015-06-08.

The 2015-08-24 07:48:11:361 timestamp matches up with the start of the current Windows login session.

Network Sockets

The GDCAgent.exe program will listen to connections on localhost port 31752. I’m not sure what exactly it does with this open port, though:

Process Explorer

Digging into the process tree on the system reveals that Lenovo’s three programs run with pretty high credentials.

Programs like these can do just about anything they want to a system: restart it, shut it down, rewrite firmware, and so on. Also irritating, neither the Description column nor the Company Name column are filled in.

So what, exactly, do these programs do?

Final Thoughts

For $180 including tax, the laptop was a pretty good deal, it’s only $80 more than getting a Windows license. But it’s buyer beware, with these dubious pieces of software running at all times on the system.

After uninstalling all of the Lenovo preinstalled software, I noticed no difference in the functionality of the laptop. The volume up / volumn down function keys, the brightness up / brightness down keys worked fine. So by that logic, the extra apps that they installed perform no role but to report back to Lenovo every time you turn the computer on or off.

This is not why we buy computers.