@ceres-c
Last active December 10, 2021 05:57
Personal reminder on how to kill WPAD service

Disabling WPAD

WPAD is the Windows Proxy Auto Discovery service, used since Windows 95, IIRC, to automatically discover network configurations. Since Windows 10, Microsoft decided for some reason that users shall NOT be allowed to disable this (mostly) useless and problematic service.

(Screenshot: Can't disable WPAD service)

Problem is: on my laptop this feature used up to 20% of the CPU while doing nothing at all due to some bug I don't want to dig into. The best part is that it often triggered after disconnection from a wireless network. Discovering proxies makes a lot of sense once you are NOT connected to any network, huh? Also, there were multiple vulnerabilities related to this service and cute tools such as Responder leverage it.

Killing WPAD

The service can still be disabled by writing to the registry, but it will be randomly re-enabled by Windows after updates/who-knows-what, so the best way to prevent this is a scheduled task running on every boot which runs a PowerShell script to kill the service and disable it.

The script

I saved it as wapd_kill.ps1 in my Documents folder

```powershell
$WPADName = "WinHttpAutoProxySvc"

# Log to wapd_kill.log in the current working directory.
# Join-Path must be wrapped in parentheses so its result is passed to -Path.
Start-Transcript -Path (Join-Path -Path $pwd -ChildPath "wapd_kill.log")

# Start = 4 marks the service as Disabled
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$WPADName" -Name Start -Value 0x00000004
Write-Host "Wrote registry to disable WPAD"

$WPADServ = Get-Service -Name $WPADName
if ($WPADServ.Status -eq "Running") {
    Write-Host "WPAD is running: Stopping it"
    # Look up the PID of the process hosting the service and kill it
    $ServicePID = (Get-WmiObject Win32_Service | Where-Object { $_.Name -eq $WPADName }).ProcessId
    Stop-Process -Id $ServicePID -Force
} else {
    Write-Host "WPAD not found running"
}
Stop-Transcript
```

The scheduled task

  • Create a new task and configure the General tab as follows (screenshot: General tab config)

    NOTE: I configured the script to be run as SYSTEM. This is terribly UNSAFE because a world-writable script will be executed with the maximum privileges. I don't care, but you might.

  • In the Triggers tab add a new trigger on logon (screenshot: Trigger on logon)
  • Add a new action with the following config
    • Action: Start a program
    • Program/script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
    • Add arguments: -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "<POWERSHELL_SCRIPT_PATH_HERE>"
  • Set the following Conditions (screenshot: Task conditions)
  • Configure the Settings (screenshot: Task settings)

Done.

Please read the above NOTE about security concerns. This is mostly a reminder for myself; I don't advise you to follow this script, but if you're fed up with WPAD as well, this works.
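
The NOTE above warns that the task runs a user-writable script as SYSTEM. As an added example (not part of the original gist), the audit below lists every principal other than SYSTEM, Administrators and TrustedInstaller that can modify the script or its folder; the `-ScriptPath` parameter and the `Get-UntrustedWriter` function name are assumptions of this example.

```powershell
# Added example, not from the original gist: list every principal other than
# SYSTEM, Administrators and TrustedInstaller that can alter a script run by a
# SYSTEM task. -ScriptPath and Get-UntrustedWriter are names assumed here.
param([Parameter(Mandatory)][string]$ScriptPath)

# Well-known SIDs (locale independent) trusted to hold write access
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing content, replacing the file or rewriting its ACL
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs may also carry unmapped GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000)
$WriteMask = $WriteMask -bor 0x50000000

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a writer
    $owner = $acl.GetOwner($sidType).Value
    if ($TrustedSids -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Via = 'Owner' }
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs on a folder apply to its children, not the folder
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Via = "$($ace.FileSystemRights)" }
        }
    }
}

# Check the script and its folder: write access to the folder lets a user
# delete and replace the file even when the file's own ACL is tight
$ScriptPath, (Split-Path -Parent $ScriptPath) |
    ForEach-Object { Get-UntrustedWriter -Path $_ } |
    Format-Table -AutoSize
```

No output means the file and its immediate folder are writable only by those three principals; folders higher up the path are not checked.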
