Lenovo PCs found to have a dangerous BIOS-level function that overwrites Windows system files



Lenovo PCs carry a function, the "Lenovo Service Engine (LSE)", that overwrites a Windows system file when the BIOS boots and sends user information to a server. It has been pointed out that this mechanism could be misused to execute code from outside.

Lenovo used Windows anti-theft feature to install persistent crapware | Ars Technica
http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/

◆ What is the Lenovo Service Engine?
On Windows 8 and Windows 10, PC manufacturers (OEMs) can embed executable files in the system firmware and have them run at OS startup, so that the manufacturer's own software is installed. This function is called the "Windows Platform Binary Table".

The Windows Platform Binary Table was originally intended for anti-theft programs, but Lenovo used the feature to install its own software, the "Lenovo Service Engine (LSE)", on Lenovo desktop and laptop PCs.


According to Lenovo's announcement, the desktop PC version of LSE sends the PC's system model, regional information, date and time, and a unique system ID to a server only once, at first launch. The laptop PC version of LSE, on the other hand, installs Lenovo's own preinstalled software called "OneKey Optimizer (OKO)", which performs system maintenance and similar tasks.

The problem is that OKO has security weaknesses. In April 2015, security researcher Roel Schouwenberg reported security issues including a buffer overflow and an insecure network connection to Microsoft and Lenovo. Lenovo temporarily stopped installing LSE, and in June 2015 it announced a list of affected laptops and a way to stop LSE.

How LSE and OKO actually behave was reported by ge814 in the Ars Technica OpenForum. According to ge814, on Windows 7 and Windows 8 the BIOS checks at OS boot whether the system file "C:\Windows\system32\autochk.exe" is the genuine Microsoft version or Lenovo's. If it is not Lenovo's, the BIOS moves it to "C:\Windows\system32\0409\zz_sec\autobin.exe" and overwrites "autochk.exe" with Lenovo's version.


Lenovo's "autochk.exe" then writes two mysterious files, "LenovoUpdate.exe" and "LenovoCheck.exe", into the system32 directory and runs one of them as a service once an Internet connection is established. ge814 said it is not clear what these two services do, but confirmed that they load code from "http://download.lenovo.com/ideapad/wind ... 2_oko.json" without using SSL.

◆ How to remove LSE and OKO
Because they load code without SSL, LSE and OKO can become a vulnerability that leads to a cyber attack, so they need to be stopped to eliminate that risk. As described above, LSE and OKO cannot be removed even by a clean installation of the OS, so the only option appears to be disabling the LSE and OKO function as Lenovo announced below.

Lenovo Service Engine (LSE) BIOS for Notebook - Lenovo Support (US)
https://support.lenovo.com/us/en/product_security/lse_bios_notebook

· When using UEFI mode on Windows 8 / 8.1 / 10
Download the "Lenovo LSE disabler tool" from this landing page and run it. The tool stops the LSE service, automatically deletes "C:\windows\system32\wpbbin.exe", "C:\windows\system32\LenovoUpdate.exe" and "C:\windows\system32\LenovoCheck.exe", and restores "autochk.exe" to the genuine Microsoft version.

· When not using UEFI mode on Windows 7 / 8 / 8.1 / 10
First, click the download link for your notebook PC on the site, download the latest BIOS firmware and apply it. Once the BIOS has been updated to the latest version, download the "Lenovo LSE disabler tool" from this landing page and run it.
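As an added example (not Lenovo's or Microsoft's tooling), the following PowerShell script checks a Windows PC for the indicators described above and for the files the disabler tool is supposed to remove: whether the firmware exposes a WPBT ACPI table, whether "autochk.exe" is Microsoft's, and whether any of the dropped files remain. The WPBT signature lookup uses the documented Win32 API EnumSystemFirmwareTables; the file names come from the article.

```powershell
# Added example: report the LSE/OKO indicators the article names.
# Run in an elevated PowerShell on the PC you want to check.
Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(
    uint FirmwareTableProviderSignature, byte[] pFirmwareTableBuffer, uint BufferSize);
'@

function Get-AcpiTableSignatures {
    # 'ACPI' provider signature as documented for EnumSystemFirmwareTables.
    $acpi = 0x41435049
    $size = [Fw.Native]::EnumSystemFirmwareTables($acpi, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][Fw.Native]::EnumSystemFirmwareTables($acpi, $buf, $size)
    # The buffer is a packed list of 4-byte table signatures (e.g. FACP, WPBT).
    for ($i = 0; $i + 4 -le $size; $i += 4) {
        [Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Test-LseIndicators {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # Files the article says LSE/OKO drop, plus the moved-aside original autochk.
    $dropped = 'wpbbin.exe', 'LenovoUpdate.exe', 'LenovoCheck.exe',
               '0409\zz_sec\autobin.exe' |
        ForEach-Object { Join-Path $sys32 $_ } | Where-Object { Test-Path $_ }

    # autochk.exe must be Microsoft's; LSE replaces it with Lenovo's build.
    $autochk = Join-Path $sys32 'autochk.exe'
    $sig     = Get-AuthenticodeSignature -FilePath $autochk
    $company = (Get-Item $autochk).VersionInfo.CompanyName
    # System binaries are catalog-signed; on Windows 7 the cmdlet may report
    # NotSigned for them, so the CompanyName check is kept as a fallback.
    $autochkGenuine = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*Microsoft*') -or
                      ($sig.Status -eq 'NotSigned' -and $company -like 'Microsoft*')

    [pscustomobject]@{
        WpbtTablePresent = (Get-AcpiTableSignatures) -contains 'WPBT'
        AutochkGenuine   = $autochkGenuine
        AutochkCompany   = $company
        LeftoverFiles    = @($dropped)
    }
}

Test-LseIndicators | Format-List
```

A present WPBT table on its own only shows that the firmware ships some boot-time binary (anti-theft agents use the same mechanism); a non-Microsoft autochk.exe or leftover files are what point at LSE specifically, and after running the disabler tool the leftover list should be empty.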

in Software, Hardware, Posted by darkhorse_log