Some Lenovo PCs reload software even with a clean Windows install, but there is a fix

Lenovo has been found to be installing software on their Windows PCs that cannot be removed by their users unless they download a special patch and tool. The software is automatically downloaded on those systems even if their owners perform a clean install of Windows.

Here's the summary of what those affected Lenovo PCs have been downloading and why, as reported by The Next Web:

"The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for 'enhancing PC performance by updating firmware, drivers and pre-installed apps' as well as 'scanning junk files and find factors that influence system performance.'"

Lenovo used the "Windows Platform Binary Table", developed by Microsoft, to deliver its software on its PCs. It's designed to send and install software from the BIOS to the system and will stick around even with a clean install of Windows.

As it turns out, Lenovo was apparently aware of a "security vulnerability" earlier in 2015 in its Lenovo Service Engine after it was alerted by a researcher. It has since released a BIOS update to disable the service engine, along with a software tool designed to remove any services and files sent via that engine. The files are available for Lenovo notebooks as well as the company's desktops. A list of affected Lenovo PCs is available at both download sites. Lenovo added that the service engine is no longer being installed on the company's new PCs.
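An added example (not from the article, Lenovo or Microsoft): a parser for the Windows Platform Binary Table named above, which lets a defender see whether a machine's firmware publishes such a table and what it hands to Windows. The field layout follows Microsoft's published WPBT format; the sample table and its values are constructed, and the Linux sysfs path is an assumption about where the dump is read from.

```python
import os
import struct

HDR = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT = struct.Struct("<IQBBH")         # handoff size, address, layout, type, args length
LINUX_PATH = "/sys/firmware/acpi/tables/WPBT"  # where Linux exposes the table (root only)


def parse_wpbt(raw: bytes) -> dict:
    """Validate a raw WPBT ACPI table and return its fields."""
    if len(raw) < HDR.size + WPBT.size:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = HDR.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not HDR.size + WPBT.size <= length <= len(raw):
        raise ValueError("declared table length is inconsistent")
    size, addr, layout, ctype, args_len = WPBT.unpack_from(raw, HDR.size)
    args_off = HDR.size + WPBT.size
    if args_off + args_len > length:
        raise ValueError("argument string overruns the table")
    args = raw[args_off:args_off + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # ACPI: bytes sum to 0 mod 256
        "handoff_size": size,        # size of the binary the firmware hands to Windows
        "handoff_address": addr,     # physical address of that binary
        "content_layout": layout,    # 1 = single PE image
        "content_type": ctype,       # 1 = native user-mode application
        "arguments": args.rstrip("\x00"),
    }


def build_sample() -> bytes:
    """Constructed table with made-up values, so the parser can be exercised offline."""
    args = "/demo".encode("utf-16-le")
    body = WPBT.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    table = bytearray(HDR.pack(b"WPBT", HDR.size + len(body), 1, 0,
                               b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1) + body)
    table[9] = -sum(table) % 256  # checksum byte lives at offset 9
    return bytes(table)


if __name__ == "__main__":
    if os.path.exists(LINUX_PATH):
        with open(LINUX_PATH, "rb") as fh:
            print(parse_wpbt(fh.read()))
    else:
        print("no WPBT table found; parsing constructed sample instead")
        print(parse_wpbt(build_sample()))
```

A missing table file on a Linux live boot means the firmware publishes no WPBT, so there is nothing for Windows to pick up through this mechanism.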

From the Lenovo Press Release on the issue:

"The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected. Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server."

"As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo's use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and or removes this feature."

Lenovo specifically mentions that the "software does not come loaded on any Think-branded PCs."

This is the second time this year Lenovo has been found to have installed software on their PCs without previously informing their customers. In the fall of 2014, the company pre-installed the Superfish software on some of its notebooks. Users later discovered the application placed third-party ads on Google search results and other websites, and also used a root certificate that was quickly cracked by security researchers. After this was revealed to the public in 2015, Lenovo apologized and offered PC owners with the Superfish program a way to delete both the software and the certificate.

Source: The Next Web

John Callaham
  • Lenovo is just getting shadier from what I see
  • Since Mr. Rubino did not include it in the article, here's the list of affected laptops: Flex 3 1120 G70-80 Y40-80 Flex2 pro 15(BDW) Flex2 pro 15(HSW) S41-70, Flex3 1470/1570 Yoga 3 14 G40-80, G50-80 G40-80m, G50-80m Z70-80  
  • Thanks so much for this! I was gonna get a Lenovo flex earlier this year, but got something else instead
  • I agree, Lenovo has done several things I dislike, stick with Dell. From a Tech perspective I hate automating Windows installations for Lenovo computers. Dell is better to work with.
  • TBH I like their system optimizers. The One-touch and System Updater apps are necessary to get the latest BIOS and firmware drivers for things like the touchpad. It's actually a pita the other way like on my HP Spectre. I did a clean install, but it was only after I downloaded/installed the HP system tool did I see there were like 5 drivers updates including a BIOS all for Windows 10. If you do a 100% clean install and don't install that HP app, you simply do not get those drivers. This is, in many ways, a general PC issue: How do you get BIOS and firmware updates to users if they have a pure installation? How do they know they are getting the optimized hardware instead of returning the machine because "it doesn't work right"? I guess my bigger issue is this: how is this any different than smartphones that come with pre-installed software? Sure, you can delete it but upon a hard-reset they magically come back.
  • As nice as it is, what happens if they start charging for that service and since it's been embedded in the bios it will be pretty much persistent; until it's disabled manually. You can't rule anything out these days.
  • I agree 100% with you, Lenovo 'bloatware' is actually really useful. Still, forcing it into users' PCs is just not right, it isn't worth the bad press.
    I love Lenovo products and the whole support you get from them, but these kinds of moves, I just can't understand.
  • Yup, agree it wasn't the right way to do it, but once again, this is something that has already ended and is after the fact. I guess just after using many PCs lately, I get how if a consumer does a clean install, their hardware is not going to be fully optimized.
  • Well, some of it is useful, some of it not (depends on the user). I only installed the ThinkPad software update utility, power manager and fingerprint software on my ThinkPad W510. I hate all the messages that come with stuff like complete software solution etc. :) Anyway, that model is now not officially supported for Windows 10, so I installed none of their bloatware :) And it works fine :)
  • I feel like someone reinstalling Windows is more tech savvy and so they'd know to download the latest drivers and such from the manufacturer's website. That's what I do anyway.
  • Everything should be distributed via windows update, no exceptions.
  • That I agree with too. However, like Xbox support, I am not sure what the hurdles are there for making that happen. Surely it's not easier for the OEMs? This is a big grey area that we know little about, but certainly MS should work with vendors on that.
  • I have three words to say "I love ThinkPad"
  • I do understand that but there are people out there who would rather choose to install the HP support assistant.  I do on my company laptop and I don't mind it at all.  But I wouldn't want to have the BIOS force the install without my consent.  Especially if I'm doing a clean install of Windows.  And you can always get the drivers and firmware yourself. Still, it seems the issue was they found vulnerabilities in LSE.  It's not so much that Lenovo was doing it that was the issue, it was the fact that it presented security issues that impact the BIOS and software that forces itself into Windows with system level rights.  That could present a very serious threat.  If something infected the LSE installer in the BIOS then you could do a fresh install of Windows and already be infected.
  • You seem to have missed something Dan...
    Lenovo's convenient solution is also a security risk. In the grand scheme of things, it's better to have a secure computer with some glitches than a trouble free one that is at risk of attack.
  • You go to the manufacturer's web site, look up your model machine and download all the drivers and install manually. Same with the firmware... Takes a little time but, in the end, to get rid of all the crap in OEM laptops and desktops it's worth it...
  • In Windows Phone there is a bug (to be fixed by windows10) which doesn't reinstall "extra" apps after a hard reset. The only way to reinstall them is flashing the stock rom again since they get installed by a file downloaded along with the rom but it's not permanently transferred to the phone. I thought it was intended, a good behaviour in my opinion
  • Lenovo did not install this and the adware on its Think-branded hardware. The reason being, the corporate world is better equipped to detect their shenanigans and their repercussion would be much more serious. While consumers are far less likely to detect and combat their intrusion. The adware took months to come to light. Even as they faced security experts - Lenovo first denied adware installation! I do not trust these OEMs - from Lenovo installing adware; to Samsung disabling Windows Updates; to Dell updating Backup/Recovery to extort money from its users; and years of horrible ware installations which crippled the very machines they were selling. So, yes BIOS and firmware updates are in my best interest. However, I do NOT want these OEMs to be the gatekeepers - as they have treaded on the customers' trust to make a quick penny for way too long. All updates should go thru Windows.
  • Hey Daniel, which software (I found no HP System tool, but HP Support Assistant does that for drivers in W8.1) would do this for HP, as I want to clean install Windows 10 on HP?
  • I am liking Lenovo less and less...
  • They have second thoughts
  • Superfish 2: The Sequel!!!
  • Glad they're getting this removed.  I'd like to buy a Lenovo laptop in the near future without any crap pre-loaded or snuck onto it. 
  • I think it's already gone. My X1 Carbon had a clean install and I had to manually install the Lenovo apps like their System Updater. Nothing happened without my intention.
  • Hopefully it's been removed on the low end devices as well.
  • This is very worrying, bye bye Lenovo.
  • It's one screw up after another. This must warrant Lenovo some kind of award or something. Jesus!
  • Hehehe ahhh good ole Lenovo.   People still buy their stuff? No lessons learned?
  • Well, I bought a ThinkPad and, once again, those were unaffected with this issue. It seems to be their consumer devices.
  • You would think these people would learn.
  • People if you buy a Lenovo laptop, buy Thinkpad! :)
  • The Chinese People's Liberation Army has to be sure it's monitoring software loads on every system. Don't worry, your information is backed up and very secure!
  • You do realize that many smartphones come with such software on it too, right? Samsung is a big fan of it on their Galaxy phones.
  • You do realise this is Windows Central...
    Frankly, who cares what additional security issues Samsung are adding to the Android mix. It's already a security nightmare...and it really is of little relevance to us Windows device owners.
    Also, just because other companies do something in a particular way doesn't mean it is right. You should be more vocal in your criticism of companies that persist in compromising our devices with their shoddy software.
  • "Other people do it" is not a very valid argument. If it's not system-essential, it should simply be available on Lenovo's website and you should be able to uninstall it whenever you want. If it's supposed to optimize your PC, you should get it through Windows Update -- there's definitely something fishy if Microsoft won't let them distribute it through the proper channels.
  • I was referring to government spyware. I just assume that most devices, PCs, phones, come with backdoors for the NSA and the PLA, and possibly many others.
  • Hm, is this how the AT&T app knows to install on my Surface 3 LTE?  All it does is show data usage and reminds me to pay my bill. What is odd is the Surface app does not install on a clean setup.
  • I'm not sure if I'm to do anything here... I do use my Lenovo G505 optimizers from time to time
  • I did an upgrade on a Lenovo G470 just fine, haven't had issues
  • At this point, why even risk buying a Lenovo? It's one questionable practice after another.
  • I wonder if this is the issue giving me failures to install Windows 10... I have tried everything, including a system restore and a system refresh, and win 10 upgrade still fails (Yoga 2, 11" i3)... Troubleshooter, dism /restore, sfc /scannow, deleting download data in windows system update file... NOTHING works. The best it does is install windows, then upon the reboot, goes into windows 8.1 as if I was never installing any updates or anything! Crap Lenovo!!!!
  • Have you tried just downloading the iso onto a USB-disk, then installing the upgrade from there?
  • But why are ThinkPads not affected? Don't they have these tools? Or does their BIOS work differently?
  • ThinkPads are usually for businesses... They probably don't want to play games with enterprise customers
  • Has Lenovo ever made a Windows phone? If not, did they say they were? The reason I asked is because should we care about this event.
  • Sorry, I thought I was reading a different article
  • wrong article
  • With all these shady OEM practices being brought to light lately, I'm starting to wonder if MS is going to take a serious look at redoing their OEM license agreement.
  • I'm really tired of this. They didn't learn anything from Superfish?