1 jun 2021

WLMS.exe: the Reboots Lover

Hello everyone!

Today we want to talk about WLMS, better known as Windows License Monitoring Service, the Windows service that allows to manage the evaluation licenses of the ISOs provided by Microsoft in its official repository.

Fig 1: If you have this registry... you have been swindled with your Windows.

How does WLMS work?

WLMS is a service present in Windows evaluation systems responsible for managing the validity of test licenses. This service controls that said license expires within the established deadlines and, in case of doing so, performs certain actions, such as adding a sign indicating that the license has expired or scheduling an automatic system reboot every hour.

Fig 2: If only this was reported, it would be even funny.

However, the limitation of functionalities or the appearance of informative banners are usually not problems for this type of virtual machines, since, normally, the main use of these environments is usually the realization of tests and test deployments. However, the forced reboot every hour... is it really necessary?

Fig 3: Inactive license? Well, I'll reboot you.

How do we avoid reboots?

Although the Microsoft WLMS documentation does not exist (or, at least, we have not been able to find it), there are several articles discussing how it works and possible ways to stop its operation. Obviously, the simplest way is the most optimal: disable the service.

To do this, we have to take into account the following points:

  • The WLMS service runs with SYSTEM integrity, so we will need that integrity to modify permissions and features.
  • The service is defined in such a way that, when there is a failure in its execution, the computer will automatically restart. 
  • Even if the service is disabled, the computer will likely restart itself one last time. From then, it should not restart itself again.
Fig 4: The "untouchable" service.

How do we change the features of this service?

As we have mentioned, we need SYSTEM integrity in order to modify the properties of the service. To achieve such integrity, we have several mechanisms (as detailed in this post). We will choose the comfortable version: Process Hacker. 

Fig 5: Process Hacker + Run as: Cmd as System.

Through Process Hacker, we can obtain a panel with SYSTEM integrity and from where we can open the services.msc process to modify WLMS permissions.

Fig 6: We open services.msc as System.

Once we have the WLMS service open, we can modify its properties: disable the service and, just in case, disable actions in case of service failure.

Fig 7: Final configuration of the service after its modification.

If all went well, after rebooting our machine (or waiting for it to reboot itself), our test device will never reboot itself again, even if the license has expired.

Fig 8: More than 1 hour on without a license...

Finally, if by chance you have a test laboratory with an Active Directory deployed and all your machines are evaluated, you can deploy a GPO that disables this service throughout the infrastructure, facilitating the process and avoiding the use of external programs such as Process Hacker or PsExec.

Fig 9: GPO to disable the service.

Note: with GPO only the service is disabled, its properties remain unchanged in case of failure... although if the service does not run, there should be no execution failures, right?

Fig 10: Although I would change it anyway...

Happy Juanking!

No hay comentarios:

Publicar un comentario