I didn’t have the time to post this one before Christmas, but it’s so funny and sad at the same time I don’t want to keep this from you. It turns out that in the days leading up to Christmas this year, users of ASUS computers – or with ASUS motherboards, I guess – were greeted with a black bar covering about a third of their screen, decorated with a Christmas wreath.
> I am making this post for the sake of people like me who will have a black box show up at the bottom of their screen with a Christmas wreath labeled “christmas.exe” in task manager and think it’s Windows 10/11 malware. It is not. It is from the ASUS Armoury Crate program and can be safely closed and ignored. It looks super sketchy and will hopefully save you some time diagnosing the problem.
↫ Slow-Macaroon9630 on reddit
So yes, if you’re using an ASUS computer and have their shovelware installed, you may have been greeted by a giant black banner caused by an executable called “christmas.exe”, which sounds exactly like something shitty malware would do. The banner would disappear after a while, and the executable would vanish from the list of running processes as well. It turns out there’s a similar seasonal greeting called “HappyNewYear.exe”, so if you haven’t done anything to address the first black bar, you might be getting a second one soon.
The fact that shitty OEM shovelware does this kind of garbage on Windows is nothing new – class is not something you can accuse Windows of having – but I was surprised to find out just how deeply embedded this ASUS shovelware program called Armoury Crate really is. It doesn’t just come preinstalled on ASUS computers – no, this garbage program actually has roots in your motherboard’s firmware. If you merely uninstall Armoury Crate from Windows, it will automatically reinstall itself because your motherboard’s firmware tells it to.
I’m not joking. To prevent Armoury Crate from reinstalling itself, you have to reboot your PC into its UEFI, go to the Advanced Mode, go to Tool > ASUS Armoury Crate, and disable the option “Download & Install ARMOURY CRATE app”. I had no idea Windows hardware makers had sunk to this kind of low, but I’m also not surprised. If Microsoft shoves endless amounts of ads and shovelware on people’s computers, why can’t OEMs?
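The article does not name the firmware mechanism involved; a commenter below points at WPBT, the ACPI Windows Platform Binary Table, through which firmware can hand Windows a binary to run at boot. As an added example (not code from the article or from ASUS), this Python script parses a WPBT table so you can check whether your firmware publishes one and what command line it carries; the sample table and all of its values are constructed.

```python
import struct
from pathlib import Path

ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")         # handoff size, address, layout, type, args length
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # Linux exposes the table here (root only)

def parse_wpbt(blob: bytes) -> dict:
    """Parse a raw WPBT table; raise ValueError if it is malformed."""
    fixed = ACPI_HDR.size + WPBT_BODY.size
    if len(blob) < fixed:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HDR.unpack_from(blob)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not fixed <= length <= len(blob):
        raise ValueError("header length field is inconsistent with the data")
    table = blob[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[fixed:fixed + args_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "handoff_size": size,          # size of the binary the firmware hands to Windows
        "handoff_address": addr,       # physical address of that binary
        "content_layout": layout,      # 1 = single PE image
        "content_type": ctype,         # 1 = native user-mode application
        "arguments": args,             # command line passed to the binary
        "checksum_ok": sum(table) % 256 == 0,
    }

def build_sample(args: str = "constructed-arg") -> bytes:
    """Constructed WPBT table for offline testing; not captured from real firmware."""
    a = args.encode("utf-16-le") + b"\x00\x00"
    length = ACPI_HDR.size + WPBT_BODY.size + len(a)
    raw = bytearray(ACPI_HDR.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1))
    raw += WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(a)) + a
    raw[9] = -sum(raw) % 256  # checksum byte: all bytes must sum to 0 mod 256
    return bytes(raw)

if __name__ == "__main__":
    if SYSFS_WPBT.exists():
        print(parse_wpbt(SYSFS_WPBT.read_bytes()))
    else:
        print("No WPBT table exposed; parsing the constructed sample instead:")
        print(parse_wpbt(build_sample()))
```

On Windows, a WPBT payload is written to `%SystemRoot%\System32\wpbbin.exe` before it runs, so that file's presence is a second indicator worth checking.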
> I had no idea Windows hardware makers had sunk to this kind of low, but I’m also not surprised.
Lenovo was caught red-handed a few years ago. Lenovo didn’t even offer a BIOS option to disable forced install of their crap/spyware, but had to release a BIOS update to remove it after the outcry.
Well, that’s a new low. Good grief. Who comes up with this garbage? My list of blacklisted tech grows by leaps and bounds. What a time to be alive…
I’m guessing ASUS uses the same mechanism Lenovo did…
The question is whether they stopped there or went as far as Lenovo did:
It’s apparently a trick they copied off Computrace. (https://unix.stackexchange.com/questions/572427/does-computrace-work-on-nix-like-systems)
Sounds like more reason to run your WPBT-ignoring OS with boot drive encryption as a safety measure.
It reminds me of the “autoload.exe” from (Windows 95?) years ago that would automatically launch on removable media without asking the user. MS disabled it at some point because it was obviously bad for security, but I guess they created an autorun backdoor for the BIOS manufacturers. Sounds like it could be a useful place to hide Windows malware. In theory sophisticated BIOS malware could propagate itself into Windows anyways, but this mechanism makes that a whole lot easier and without requiring any kernel modifications.
You mean autorun.exe… and that’s just convention, given that the autorun.inf is the only fixed name.
Similar rationale though. Reduce support costs from the dumbest section of the user base by making the computer just automatically do “the right thing” on their behalf.
I’m not sure if you’re remembering MS’s decision to restrict AutoRun to only the read-only optical media it was originally intended for (to prevent it from being a vector for USB flash drive viruses) or when the CDAutoPlay PowerToy got polished up into a default component of the OS so that, instead of launching directly into the AutoRun handler, you’d get a menu that let you choose other installed applications like your audio track ripping software.
ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!),
You’re right.
https://www.thewindowsclub.com/changes-in-autorun-feature-in-windows-7
I had no idea Autorun would still run on CD media unprompted. I thought it was disabled altogether. I use a corporate laptop and now it seems probable that I’m mis-attributing a group policy change to Microsoft.
I’m assuming this can’t be “fixed” by running the sfc utility? I’d imagine Lenovo and Asus are leveraging their relationship with Microsoft to be able to cryptographically sign the modified .exe files to pass the system file check. One more reason to ditch anything Microsoft related; they will only make the OS as secure and safe as their hardware partners want them to.
Well, doesn’t matter in my case as I have Linux. I mean, shovelware is bad, but the situation could be worse than some seasonal greetings.
I remember one of my computers doing the same thing with Windows 98 many years ago. I never investigated it, but after every new Windows installation, it managed to push some odd software into the Windows installation.
These things are always a nice reminder of who is really in control 🙂
It’s a good thing there are now multiple Coreboot based options. The last laptops I bought ran Libreboot or Dasharo. I can recommend it, it makes things much smoother.
UEFI is a plague, back in the BIOS days, we didn’t have crap like this. I will also mention Intel Management Engine because that’s horrible too.
And despite all this OEM fiddling with the OS, we still have to manually download drivers from the manufacturer’s website. I set up a used Area-51m computer I bought from eBay some weeks ago, and even running Dell’s support utility didn’t install all the required drivers.
And Redmond wonders why anyone who needs a premium computer and doesn’t need a discrete GPU gets a Mac.
It’s ASUS. It probably had a 50-50 chance of making money from their target demographic.
A couple of years back, I had an employer who mandated use of Windows, and supplied me with a Surface laptop. I didn’t complain as at least WSL2 works well enough and if I worried about privacy, at least I had my personal kit running Linux for everything I care about.
I think the pinnacle of pain for me was a Dell keyboard/mouse combo which was supplied to comply with UK DSE requirements. Plugging the receiver into the USB port immediately installed some Dell shovelware, which immediately popped up an options window, the bottom option of which had a privacy section, with options to share system information with Dell pre-ticked by default.
I have no idea how or if the EU data privacy laws apply in this post-Brexit shit show but this was such a worrying occurrence for just a damned input device. What a mess.
So. Motherboards, any peripherals, it’s just waiting for exploitation. How long before it presents genuine security concerns?