How to Prevent OEM Software and Hardware from Spying on You?

I recently found out that Lenovo Vantage, a software on my device installed by default by Lenovo, is monitoring my WiFi network and sending data to an Israeli company. This made me worry about my privacy.

How can I make sure that no software from the device manufacturer is spying on me? Would reinstalling Windows help?

Can spying elements somehow survive Windows re-installations?

Can there be spying elements built into the hardware, like the motherboard?

Thanks!


Edit:

The Windows Platform Binary Table (WPBT) is a feature that allows PC manufacturers to install software that runs automatically when Windows starts. To see if your PC uses this feature, search for wpbbin.exe in the C:\Windows\system32 folder. If this file is there, it means the software was included in the UEFI firmware (the system that starts your PC) and Windows is programmed to run it. If the file isn’t there, then your PC doesn’t have any WPBT-related software set to auto-run.

Solutions:

  1. Delete Windows Platform Binary Table option in BIOS.
  2. Fresh install Windows (you can find out how to do so safely on Privacy Guides, I am not sure how, but I know it involves a USB installer).
1 Like

Open source software cannot even guarantee you a spyware-free binary (see XZ debacle). What chance does closed source software have of even offering you a guarantee that it will not spy on you?

It’s just the typical bloatware that comes with laptops.

Probably isn’t, but Lenovo did have the Superfish incident in the past.

Technically this is possible with the Windows Platform Binary Table (WPBT). You can disable that in the BIOS.

Run Wireshark on the network and see. That is really the only way to determine these things. You’ll need a root CA so you can decrypt any https data.

1 Like

Specifically, this means you need a separate machine that will run Wireshark on a managed switch that will duplicate the packets to your computer running Wireshark.

1 Like

Definitely out of my knowledge limit at the moment. However, I found this folder on my computer, which you said I could delete using BIOS:

The Windows Platform Binary Table (WPBT) is a feature that allows PC manufacturers to install software that runs automatically when Windows starts. To see if your PC uses this feature, search for wpbbin.exe in the C:\Windows\system32 folder. If this file is there, it means the software was included in the UEFI firmware (the system that starts your PC) and Windows is programmed to run it. If the file isn’t there, then your PC doesn’t have any WPBT-related software set to auto-run.

@dngray @fiwayan173 should this be incorporated into the Windows guide? Sorry, I have one more question, should I delete the Lenovo system folder (C:\Windows\Lenovo)?

Lastly, I will see if I can find this option in my BIOS to delete the WPBT-related software.

The issue I think will be that some BIOSes provide an option to disable it and some do not. An example being ASUS, which provides an option to disable ASUS Grid Install Service, and so does Gigabyte; he also mentions MSI has a similar feature on their boards.

Every motherboard is different, and we really don’t know what is out there. We should probably do some research on it and find some generic way to disable it.

Not sure that will do any good, because you’ll need to disable services that are set to start up, otherwise Windows will throw errors that the services can’t be found. Also WPBT runs on boot of Windows, so it may just re-install the missing software unless it is disabled. There is some general documentation.

None of my systems actually have the feature so I haven’t had to deal with it.

1 Like

Unfortunately, without open firmware (or open hardware), this is nigh on improbable. For example, an OEM may not even connect through the access point (wifi) you’ve set up and may embed a UICC card (or even eSIM) to connect to its servers. If that were the case, running sniffers or interceptors like Wireshark won’t reveal much, if anything.

In cases where OEMs are in your threat model, no amount of reinstalling software will help. For example, you could start using a Linux distro, and that won’t improve things one bit.

The OEM bits? Yes. They survive until you attain the ability to reflash their firmware and whatever it is they’re running in privilege modes (which can be removed by replacing the bootloader). See initiatives like CoreBoot and the kind of trust base they want OEMs to build, for example.

Yes, there are known instances of this, including Intel running an entire OS; Qualcomm, Samsung running a Hypervisor on Androids etc. Things like Verified Boot (on Androids) don’t tell you anything about what the OEM is doing, just that the OEM is doing what it is supposed to and nothing has yet tampered with that.

The keyword you’re looking for is Trusted computing base, achieving which is kind of the holy grail in computer security (not because it is technically impossible but because it isn’t economically feasible on top of being technically impracticable).

Daniel Micay, creator of GrapheneOS, has written about this extensively (from the perspective of Androids and Pixels in particular).

2 Likes

Interesting @ignoramous, my knowledge in computer science is very vague, but I have a decent idea of what you are trying to say.

Trusted computing base is indeed the relevant term.

I am especially concerned about third party OEMs that are running Windows (e.g., Lenovo, HP, Dell etc.) or any other OS. I would prefer that the OS and hardware are made by the same companies or at least, two or more respectable companies.

What can I do to eliminate the spying abilities of third party OEMs like Lenovo, as much as possible?

Coreboot looks awesome, will I be able to use them and wipe my entire computer either now or in the future? Or are they pushing for new standards, without the goal of developing a BIOS or UEFI (no idea what the diff is between these two)?

While this is possible, I would love to hear of concrete examples of this occurring in consumer technology[1]

Intel ME FUD? really? You have a legitimate point with trusted computing base but inject some ME FUD because reasons…


  1. if I recall correctly, car makers love to send telemetry back via cellular radios in their cars, but I don’t recall ever hearing about e.g., computer OEMs hiding cellular radios in their laptops to “spy” on users on any large scale ↩︎

2 Likes

That is pretty unlikely and would show up in physical inspection, servicing. Also any device sold in the US with cellular access needs an FCC authorization so there isn’t any way to legally hide this in a device.

I have done a bit of research into this, and yes, with cars it’s far less regulated as those onboard computers are generally coupled with navigation technology. The companies have dubious privacy policies and there doesn’t appear to be any regulation enforcing the requirement that users not have to opt into such programs. Mozilla wrote a bit about that:

and situations like this:

It uses the “Data Communication Module (DCM)” which is not as small as you might think. This is one for Toyota, but DCMs for other cars look quite similar.

[Image: Denso Data Communication Module (DCM)]

Except for the fact that WPBT isn’t supported in Linux :wink: So I wouldn’t say “one bit” is accurate at all.

No need for anything as complicated as that when Microsoft gives WPBT. Reflashing proprietary BIOS with a freer one like Coreboot requires very specific hardware, and will certainly violate vendor warranties, and it is unnecessary for a user with limited experience.

There is no accurate evidence that Intel ME or other SoCs running on the mainboard are actually spying on you or a privacy risk. It is not uncommon for SoCs to have an alternative processor for out of band management and other security operations. Seeing as you mentioned Intel, you can read about what AMT actually is. It’s not as scary as it sounds as it’s really meant for organizations which want to manage their devices. Most of the AMT features are also not included in most laptops, except for very high end business laptops and server boards.

Link please. I doubt he has written anything saying what you wrote above.

Simply refers to things like Secure Boot, etc. See Trusted Computing for actual information about it. It is used to increase security and reduce the likelihood of a rootkit tampering with the boot process, you know, an actual real one, not an imagined one.

Another part of it is the TPM which can be used to store encryption keys such as those for BitLocker or LUKS. Then you only have to remember a shorter password which has hardware rate limiting preventing brute force attacks.

It will however only work on some devices so no, you can’t just throw Coreboot at the problem.

Look in your BIOS and see if there is a feature that relates to WPBT. It may not be entirely obvious. Reinstall Windows with that feature disabled. The only other viable alternative is to build Windows media with the registry key that disables it.

3 Likes
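The checks from the edited first post (wpbbin.exe in System32) and from the advice above (BIOS feature, registry key) can be done from one script. This is an added example and not code from the thread; it assumes Windows 8 or later and an elevated PowerShell session, and it assumes the registry value meant above is the DisableWpbtExecution value Microsoft documents for WPBT.

```powershell
# Added example, not from the thread: check the three places WPBT shows up on a Windows machine.
# Assumes Windows 8 or later, run from an elevated PowerShell session.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Fw {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buf, uint size);
}
'@

$ACPI = 0x41435049   # 'ACPI' provider signature, as documented for GetSystemFirmwareTable
$WPBT = 0x54425057   # 'WPBT' table signature, byte-reversed so it matches in-memory order

# 1. Does the firmware expose a WPBT ACPI table at all? (size query with a null buffer)
$len = [Fw]::GetSystemFirmwareTable($ACPI, $WPBT, $null, 0)
if ($len -gt 0) {
    $tbl = New-Object byte[] $len
    [void][Fw]::GetSystemFirmwareTable($ACPI, $WPBT, $tbl, $len)
    # Standard 36-byte ACPI header: OEM ID at offset 10 (6 bytes), OEM Table ID at offset 16 (8 bytes)
    $oem   = [Text.Encoding]::ASCII.GetString($tbl, 10, 6).Trim()
    $oemId = [Text.Encoding]::ASCII.GetString($tbl, 16, 8).Trim()
    Write-Host "WPBT table present ($len bytes), OEM ID '$oem', OEM table ID '$oemId'"
} else {
    Write-Host "No WPBT table exposed by the firmware"
}

# 2. Has Windows already extracted the binary the table points at, and who signed it?
$bin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $bin) {
    $sig = Get-AuthenticodeSignature $bin
    Write-Host "wpbbin.exe present, signer: $($sig.SignerCertificate.Subject), status: $($sig.Status)"
} else {
    Write-Host "wpbbin.exe not present"
}

# 3. Is the opt-out set? (assumed: DisableWpbtExecution = 1 under Session Manager)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$val = (Get-ItemProperty -Path $key -Name DisableWpbtExecution -ErrorAction SilentlyContinue).DisableWpbtExecution
if ($val -eq 1) { Write-Host "DisableWpbtExecution is set: Windows will not run a WPBT binary" }
else            { Write-Host "DisableWpbtExecution not set: a WPBT binary, if present, runs at every boot" }
```

A BIOS toggle that removes the table makes check 1 report nothing; the registry value only stops Windows from running a table that is still there, which is why the two checks are reported separately.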
  1. Would it be accurate to say that an outbound firewall like OpenSnitch on Linux or Little Snitch or Lulu on macOS can detect OS and app/package connections but Wireshark would be needed for theoretical hardware-level connections?

  2. A few years back it was discovered on macOS that Apple had connections that were excluded from outbound firewalls like Little Snitch and Lulu. Does anyone know if this is occurring on any Linux distros? I’ve been pleased at how few outbound connections occur on my Fedora box in OpenSnitch (I need approx. 13 rules only) compared to my past Macs and Little Snitch (dozens and dozens of rules needed, Macs are very chatty). Can I feel good that OpenSnitch has captured all of the outbound traffic or could Fedora be bypassing the outbound firewall?

Thanks

OpenSnitch/Little Snitch, at the most, can only observe the domains/IPs that your device is connecting to. They cannot see the whole URL nor request payload of those connections (which is what https is built for). You need software like Wireshark (with a root CA) to do that. It’s not really about “hardware-level connections”.
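The endpoint-level view described above (which process talks to which IP and port, nothing about the URL or payload) can be reproduced on Windows with built-in cmdlets. This is an added example, not code from the thread; the vendor name pattern is an assumption to adjust for your own OEM.

```powershell
# Added example, not from the thread: attribute live outbound TCP connections to the owning
# process and to the CompanyName stamped on its binary, then group OEM-branded ones.
# Assumes Windows 8+ (Get-NetTCPConnection); the vendor pattern is an assumption.
$vendorPattern = 'Lenovo|Hewlett|HP Inc|Dell|ASUS|Acer|MSI'

$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|fe80:)' }   # drop loopback/link-local

$report = foreach ($c in $conns) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.Path) { continue }   # exited, or a kernel/protected process with no path
    $company = (Get-Item $p.Path -ErrorAction SilentlyContinue).VersionInfo.CompanyName
    [pscustomobject]@{
        Process = $p.ProcessName
        Company = $company
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        Path    = $p.Path
    }
}

# OEM-attributed connections first; everything else stays visible for context.
$oem   = $report | Where-Object { $_.Company -match $vendorPattern }
$other = $report | Where-Object { $_.Company -notmatch $vendorPattern }

"=== Connections owned by OEM-branded binaries ==="
$oem   | Sort-Object Process, Remote -Unique | Format-Table -AutoSize
"=== Everything else ==="
$other | Sort-Object Process, Remote -Unique | Format-Table -AutoSize

# What this shows: remote IP and port per process, the same layer a host firewall sees.
# What it cannot show: the URL or the TLS payload; that needs an intercepting proxy with its own root CA.
```

Run it while the OEM utility is open so its connections are established; a firmware or out-of-band component, as discussed earlier in the thread, does not appear here because it never owns a Windows process.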

Because it’s entirely off topic, read OP’s original question and think about how that does not have anything to do with their threat model.

The post was lazy at best, just listed a bunch of ancient programs from the Snowden leaks that have nothing to do with the topic.

1 Like

Probably, manufacturers don’t go to a lot of effort to do this. Creating a self-signed cert or root CA and then signing with it, so that you can perform MITM on yourself, would be required if they are sending data to https (TLS-encrypted) domains and you want to look inside. The one I use for this kind of research is mitmproxy.

Everything has to go through the kernel so it’s not really possible to “hide” much. This seems like something implemented on macOS and Little Snitch - specifically related to Apple domains.

The other option is of course to route traffic through a router and do the sniffing there.

:100:

I will try again. I will be disappointed if I can’t find it; I did a lot of research and still no luck. If anyone knows anything about Lenovo, let me know.

It won’t necessarily be called WPBT. It might have some sort of reference to some “Lenovo specific sounding” features though.

2 Likes

I am not speaking from a place of knowledge, but I think the subject the poster was talking about sounds relevant, or is at the very least interesting, in all honesty you might have been a bit too harsh. I may be wrong and the post could have been harmful, but I doubt it, especially if it was in good faith. Anyway, not trying to stir up drama.

3 Likes

I’ll try to look for it again, thanks so much! This has been an informative conversation to say the least.

1 Like

I mean… that is just a fact, security vulnerabilities caused by Intel ME are well documented. It’s not just the subject of security researcher theory either, cybercrime groups have exploited IME in the wild :flushed:

Probably a better discussion for Intel ME and more - #3 by jonah though, since this topic is more about OEM software.

There are bugs with any code, that’s just the way things are.

People like that will exploit anything that is viable.

This isn’t relevant to this specific topic.

2 Likes