dropWPBT

Disables the Windows Platform Binary Table (WPBT) in your firmware. This program use a non-permenant, non-destructive method to remove the table from system memory, so it should be executed every time the computer is rebooted before Windows bootloader starts.

Usage

Requirements

• amd64 architecture
• UEFI firmware
• disabled Secure Boot

Installation

With a 3rd-party bootloader

Put dropWPBT.efi to a location where it will be executed every time before Windows starts.

• rEFInd: ESP:\EFI\refind\drivers_x64
• OpenCore: ESP:\EFI\OC\Drivers
• Clover: ESP:\EFI\CLOVER\drivers\UEFI

You can also load it using UEFI shell's startup.nsh, or even manually.

Without an external bootloader

This method is for advanced users. You need to be familiar with how UEFI works. The commands below is just for reference, do not blindly copy and paste!

dropWPBT-loader.efi can act as a bootloader itself. To install, launch a cmd.exe with Administrator privilege and type something like this:

mountvol T: /S
mkdir T:\EFI\boot
cp dropWPBT-loader.efi T:\EFI\boot\bootx64.efi
bcdedit /set {bootmgr} path \EFI\boot\bootx64.efi
mountvol T: /D

FAQ

What is WPBT?

Windows Platform Binary Table (WPBT) is an ACPI table in your firmware allowing your computer vendor to run a program every time Windows (8 or later) boots. This is a convenient method for computer vendors to force the installation of a service program or an anti-theft software, but this also means your fresh installed Windows will have potentially unwanted 3rd party programs running straight on the first boot, and you, the end user, would have no control over it. Also, firmware is not updated as frequently as your OS or software, which means if there is a security vulnerability in the WPBT-loaded program, a fair number of users might never get the update.

A lot PC vendors (Lenovo, ASUS, Huawei, etc.) are known to utilize WPBT table to run their own programs on the consumer's computer.

How to verify if my computer have a WPBT?

You can use one of the following software:

• NirSoft's FirmwareTablesView
• RWEverything

Note that they might not work if you enabled HVCI.

Alternatively you can search for C:\Windows\system32\wpbbin.exe. This program might delete itself after running so this is not a reliable evidence.

Is there any alternative methods to disable the WPBT?

From Windows

This is an undocumented feature, use it at your own risk. To disable WPBT execution from a running Windows, set the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"DisableWpbtExecution"=dword:00000001

How to set a registry key on the first boot before session manager starts is left as an exercise to the reader. (Hint: One possible method is to set this registry key in a WIM file using BiscuitTin/Disable-WpbtExecution.)

For more information, see sminit.c.

From a 3rd-party Bootloader

Hackintosh-oriented bootloaders such as OpenCore have their own config for deleting ACPI tables which does exactly the same thing as this program. Please see their documentation.

From the Firmware

Some vendors provide an option to disable WPBT in the firmware settings on some models.

• Lenovo: Lenovo LSE Windows Disabler Tool
• ASUS: Disable "ASUS Grid Install Service"