Windows Genuine Advantage Notifications (WGA Notify) is an annoying upgrade to the Windows Genuine Advantage system Microsoft uses to deal with bootlegged copies of Windows XP. If you boot up your machine one day and see the message:
You may be a victim of software counterfeiting. This copy of Windows is not genuine and is not eligible to receive all updates and product support from Microsoft.
Click Get Genuine now to get more information and resolve this issue.
your computer has automatically downloaded service patch KB905474 and you are now the proud owner of WGA Notify. It thinks you have a bootleg copy of Windows!
I don’t care if you run a bootleg copy of Windows. I personally own a legal copy of Windows XP but I’ve already had a run-in with the WGA system thinking I wasn’t “legit”. I figure this little Notify bugger is going to screw up on some people as well. We can’t have that, can we? The following isn’t a crack, it is merely a way around an annoying problem.
What is it?
WGA Notify is basically a persistent nag screen with some malware-like capabilities. It is started at boot, but not through the usual startup vectors. You won’t see it using msconfig. If you look in Add/Remove Programs, near the bottom along with the other software updates you will find an update called “Windows Genuine Advantage Notifications (KB905474)”. When you click on it, text underneath the title will inform you that “this update cannot be removed” and you will see no remove button. If you bring up the process list with Ctrl-Alt-Del you will see a process called WgaTray.exe. If you try to End Process it disappears and comes back. A lot of viruses and malware systems do this very same thing.
If WGA Notify thinks your copy of Windows is not “genuine”, the nag program will be running, even if you have told it to go away. The process viewer in Windows can’t stop it, but a process viewer like prcview can. Download the prcview Zip file, then extract it somewhere. There is no installer. Double-click on prcview.exe to run it. Using prcview, select WgaTray.exe in the list and right-click on it. Select “Kill” in the menu. When prcview asks to confirm, click the “Kill” button. This will make the nag screen go away.
Preventing It From Starting
The dropper for WgaTray.exe is WgaLogon.dll. This library is run by winlogon.exe, one of the normal Windows XP components activated on boot. If you are feeling frisky, you can use prcview to see the module usage of winlogon.exe; you will find that WgaLogon.dll is one of its modules.
To stop winlogon.exe from loading WgaLogon.dll, run regedit.exe from the Start Menu. Find this key in your registry
and delete it. This will prevent WgaLogon.dll from starting.
An analysis of the KB905474 update.inf file tells us why WGA Notify can’t be automatically uninstalled: it does not copy an uninstaller and it toggles a number of registry keys so the option isn’t even offered. It does not make an $NTUninstallKB905474$ folder in your Windows folder. But you can still delete its files. Use the Search Tool to search your boot drive (C: in most cases) for “wga”. Remember to check the “Search system folders”, “Search hidden files and folders” and “Search subfolders” boxes. The files that have been bothering you live in the WINDOWS folder, though a number of copies will be found in other folders. Delete all of the WgaTray.exe and WgaLogon.dll files you find.
If you don’t want to see it listed in the Add/Remove Programs list, delete this registry key:
What Side Effects Does This Have?
Removing the WGA Notify tool won’t stop you from getting automatic critical updates, but it will stop you from downloading things from Microsoft and from using the Windows Update site (unless you have the legitcheck crack, of course). Since there is very little Microsoft has that you can’t get elsewhere, this is hardly a problem.
Also, this is a temporary solution. The next time you get a round of critical updates, the WGA Notify tool will return, requiring you to carry out this process again.