Lenovo Breaches User Trust Again with ‘Service Engine’ Rootkit

It seems Lenovo is one company that doesn’t learn its lesson. Following on from the “Superfish” adware and problematic root certificate issues earlier this year, Lenovo is in hot water again over a component which some pundits say closely resembles a rootkit.

The mechanism under fire is called the ‘Lenovo Service Engine’, which downloads a program called ‘OneKey Optimizer’. According to Lenovo, this program “can enhance your PC’s performance by updating firmware, drivers, and preinstalled apps. It also provides power management schemes that can extend the life of your battery.”

That all sounds harmless enough; however, it also transmits data to Lenovo’s servers. According to Lenovo, this data is “non-personally identifiable system data”, including machine type and model, system UUID, region and date. Regardless of Lenovo’s assurances, what makes this particularly worrying is that Windows files are overwritten on boot, that files are added to the Windows system32 directory, and that a service is set up on the system to transfer data to Lenovo. Once that system is in place, who knows what data is really being transmitted?

Even more worrying is the fact that the Lenovo Service Engine is triggered via the BIOS, meaning it will persist between installations of Windows, even following a format and clean installation:

Lenovo is now using rootkit-like techniques to install their software on CLEAN Windows installs, by having the BIOS overwrite windows system files on bootup. <source>

Scarier and Scarier

Here’s the rub: the mechanism Lenovo has been using is actually a Microsoft-sanctioned technique, first introduced in November 2011 and updated in July of this year. The feature allows computer manufacturers to push software for installation from the BIOS to the system, meaning it will persist between installations of Windows regardless of whether it’s a clean installation or not. So, other manufacturers could also have been utilizing this technique without user knowledge – however, that remains unconfirmed at this time.
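The Microsoft feature described above is the Windows Platform Binary Table (WPBT), an ACPI table through which firmware hands Windows a binary to run at boot. As an added example (not from the original article or from Lenovo), this Python script decodes such a table so you can check what a machine's firmware publishes; the sample table is constructed, and the sysfs path mentioned in the comment assumes a Linux live environment.

```python
import struct
import sys

# 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT fields after the header: handoff size, handoff physical address,
# content layout, content type, length of the argument string in bytes.
WPBT_BODY = struct.Struct("<IQBBH")

def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT ACPI table and report what the firmware hands to Windows."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, *_rest = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT" or length > len(table):
        raise ValueError("not a complete WPBT table")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_at = ACPI_HEADER.size + WPBT_BODY.size
    if args_at + arg_len > length:
        raise ValueError("argument length runs past the table")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "checksum_ok": sum(table[:length]) % 256 == 0,  # all bytes sum to 0 mod 256
        "handoff_size": size,
        "handoff_address": addr,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": table[args_at:args_at + arg_len].decode("utf-16-le", "replace").rstrip("\0"),
    }

def build_sample_wpbt(args: str = "") -> bytes:
    """Constructed table for demonstration; no value comes from real firmware."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x2000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = -sum(raw) % 256  # checksum byte sits at offset 9
    return bytes(raw)

if __name__ == "__main__":
    # With a path argument, parse a dumped table (on Linux, typically
    # /sys/firmware/acpi/tables/WPBT, readable as root); otherwise the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wpbt("-demo")
    for key, value in parse_wpbt(raw).items():
        print(f"{key}: {value}")
```

If the firmware publishes no WPBT, the table file simply does not exist, which is the result you want on a machine that should boot an untouched Windows install.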

This revelation is very concerning: persistently pushing a manufacturer’s bloatware via the BIOS and tampering with system files is a clear abuse of user trust. It appears a truly clean, untouched, manufacturer install of Windows is fast becoming an endangered species.

The Fix

At least there is some good news: if you own one of the affected Lenovo laptops you can disable the feature right now by downloading a utility from Lenovo here: https://support.lenovo.com/us/en/product_security/lse_bios_notebook


  • LSE was shipped on certain notebook systems running Windows 7, 8 and 8.1 – the LSE functionality has been removed from newly manufactured systems.
  • Affected Lenovo models are listed on the page linked to above.


About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years’ experience, he first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.
