Created
September 23, 2015 21:03
Lenovo Customer Feedback spyware
See: http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html
What this customer feedback tool actually does is update entries from the "event log" called "Lenovo-Customer Feedback".
If you open the Event Viewer you will see entries with a large hexadecimal string. This string is simply the text representation of the bytes of a gzip-compressed XML file.
The contents of this XML file look like this:
<root>
<events>event1</events>
<eVar20>Open</eVar20>
<visitorID>aca1232d265941f7ae2259e402ab350c</visitorID>
<eVar1>aca1232d265941f7ae2259e402ab350c</eVar1>
<eVar2>N</eVar2>
<eVar3>System Update</eVar3>
<eVar4>2015-09-23</eVar4>
<eVar5>5.7.0.6</eVar5>
<eVar8>20AL00FGMH</eVar8>
<eVar9>Think</eVar9>
<eVar10>ThinkPad</eVar10>
<eVar11>X240</eVar11>
<eVar12>Windows 7 Professional</eVar12>
<eVar13>US</eVar13>
<eVar14>en</eVar14>
<pageName>System Update</pageName>
<timestamp>09-23-2015 19:54:13 PM</timestamp>
<reportSuiteID>lenovoappssystemupdateprod</reportSuiteID>
<serverUrl>http://lenovoappssystemupdateprod.112.2o7.net/b/ss/lenovoappssystemupdateprod/6</serverUrl>
<assemblyName>Lenovo.TVT.CustomerFeedback.InnovApps</assemblyName>
</root>
The value aca1232d265941f7ae2259e402ab350c is a unique ID created for the Lenovo application for the user running it. This key is stored in the registry at:
HKEY_CURRENT_USER\Software\Lenovo\MetricCollectionSDK\UserAppIDs
Removing it will give you a new key when events are logged.
The server URL is the server to which this data will be posted. The kind of things logged appear to be events for the various Lenovo tools, like starting them and which Lenovo system update you installed (along with data about your hardware/OS).
Logging of events is also controlled via the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\MetricCollectionSDK\ReportSuites
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lenovo\MetricCollectionSDK\ReportSuites
You can change the "ReportMetrics" setting for each entry to disable it, but I do not know for how long, as this data might be overwritten when a new MetricCollectionSubscription.xml file is downloaded from the Lenovo servers (this is stored in C:\Users\USERNAME\AppData\Local\Lenovo\MetricCollectionSDK).
There is also a unique machine ID stored at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lenovo\Customer Feedback
This one is generated when it does not exist, and is included in "Lenovo-Customer Feedback" event entries for OmnitureSiteCatalyst. I do not know when these event entries are created.
These entries contain XML data like this:
<root>
<visitorID>10e7794c7d254b4784e77df5c37963e7</visitorID>
<eVar12>224d213ffaa14c5aa0d638b2e3a19c72</eVar12>
<reportSuiteID>lenovotvtlenovosolutionscenterprod</reportSuiteID>
<serverUrl>https://s.lenovo.com/b/ss/lenovotvtlenovosolutionscenterprod/6</serverUrl>
<sc_xml_ver>1.0</sc_xml_ver>
<pageName>lsc</pageName>
<timestamp>2015-09-12T21:35:09.2631913+02:00</timestamp>
<events>event11</events>
<eVar1>20AL00FGMH</eVar1>
<eVar2>2.8.005</eVar2>
<assemblyName>Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst</assemblyName>
</root>
So the collected data looks mostly harmless and somewhat anonymous, as far as posting data to a website with a stored ID can be considered harmless.
You can disable the uploading of the data by simply disabling the scheduled tasks. And of course you can try to disable the event logging completely by updating the registry.
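To audit what has been logged on a machine, the hexadecimal strings described above can be decoded back into their XML fields. The following is an added example, not part of the original gist or of Lenovo's software; it assumes the hex string has been copied out of an event entry by hand, and the function names, the size cap and the sample input are constructed for illustration.

```python
import gzip
import xml.etree.ElementTree as ET
import zlib

MAX_XML_BYTES = 1 << 20  # assumed safety cap on decompressed size
# Tags from the page's samples that identify the user or the upload target.
TRACKING_TAGS = ("visitorID", "reportSuiteID", "serverUrl", "assemblyName")

def decode_feedback_payload(hex_text):
    """Turn the hex string of one event entry into a {tag: text} dict."""
    try:
        # Drop line breaks/spaces picked up while copying, then unhex.
        raw = bytes.fromhex("".join(hex_text.split()))
    except ValueError as exc:
        raise ValueError("payload is not a hex string") from exc
    inflater = zlib.decompressobj(wbits=31)  # 31: require a gzip header
    try:
        xml_bytes = inflater.decompress(raw, MAX_XML_BYTES)
    except zlib.error as exc:
        raise ValueError("payload is not gzip data") from exc
    if not inflater.eof:  # stream cut short, or larger than the cap
        raise ValueError("gzip stream truncated or over the size cap")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("decompressed payload is not XML") from exc
    return {child.tag: (child.text or "") for child in root}

def tracking_summary(fields):
    """Keep only the identifier and destination fields, in a fixed order."""
    return {tag: fields[tag] for tag in TRACKING_TAGS if tag in fields}

# Constructed sample: a shortened copy of the page's first XML, compressed
# and hex-encoded here to stand in for a string copied from Event Viewer.
SAMPLE_XML = (
    b"<root><events>event1</events>"
    b"<visitorID>aca1232d265941f7ae2259e402ab350c</visitorID>"
    b"<eVar3>System Update</eVar3>"
    b"<reportSuiteID>lenovoappssystemupdateprod</reportSuiteID>"
    b"<serverUrl>http://lenovoappssystemupdateprod.112.2o7.net"
    b"/b/ss/lenovoappssystemupdateprod/6</serverUrl>"
    b"<assemblyName>Lenovo.TVT.CustomerFeedback.InnovApps</assemblyName>"
    b"</root>"
)
SAMPLE_HEX = gzip.compress(SAMPLE_XML).hex().upper()

if __name__ == "__main__":
    summary = tracking_summary(decode_feedback_payload(SAMPLE_HEX))
    for tag, value in summary.items():
        print(f"{tag}: {value}")
```

Comparing the decoded visitorID across entries shows whether deleting the UserAppIDs key really produced a new identifier.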