Provide feature for disabling auto updates and blocking webview2 installation as malware behavior

[ghost]

Is your feature request related to a problem? Please describe.

Suddenly, edge webview2 runtime appeared on my machine. I did not consent, nor did give any permission for it to be installed. Not only that, but a few days after uninstalling it, it reinstalled itself. That's malware behavior. Users that don't want webview2 installed have no way to blocking it, and also users have no way to disable the update service "edgeupdate", which runs all the time, consuming resources.

Describe the solution you'd like and alternatives you've considered

Edge webview2 runtime should be treated as a malware, because it has malware behavior:

• It gets installed without user consent or permission
• It does not allow users to uninstall it
• When users uninstall it, it reinstalls itself
• It is constantly running the edgeupdate service, consuming resources.

AB#33533778

[champnic]

I appreciate your concern here and the jarring nature of WebView2 Runtime showing up on your machine. WebView2 Runtime is used and installed by lots of apps that build on top of its functionality and need it. It is a platform component that apps can use to power their application (think .NET framework) and enable web-based experiences, and can be deployed to devices by apps. For example, Office is using WebView2 and installs the runtime if it's not there (see Microsoft Edge WebView2 and Microsoft 365 Apps - Deploy Office | Microsoft Docs), and other apps will likely have similar behavior. You might have an app on the device that requires it and keep re-installing when it's missing. If you need to, you can block the install via group policy Microsoft Edge Update Policy Documentation | Microsoft Docs. Thanks!

[ghost]

It is a platform component that apps can use to power their application (think .NET framework)

1. I can uninstall .net framework
2. I can disable it easily (see screenshot)
3. Net framework does not update itself
4. Disabled net framework does not come back on it's own

@champnic The issue was closed, but for reasons above, my issue was not addressed.

[ghost]

Also, group policy is not officially supported in "Windows Home" versions. If I have windows at home, does it mean I'm forced to have webview2 installed on my machine whether I want it or not?

[champnic]

We're looking more into if there are controls that are available on Windows Home. For 4) the runtime shouldn't be coming back on it's own - an app is likely trying to install it when it detects that it's missing. If it is coming back on it's own that would be a bug - I'll see if I can reproduce that behavior.

[ghost]

an app is likely trying to install it when it detects that it's missing

Office.

[ghost]

Even after setting up the group policies, and then uninstalling the webview2 malware, it sneakily gets back on my machine.

[ghost]

Hey @phgmacedo - I appreciate your concern here and the jarring nature of WebView2 Runtime showing up on your machine. WebView2 Runtime is used and installed by lots of apps that build on top of its functionality and need it. It is a platform component that apps can use to power their application (think .NET framework) and enable web-based experiences, and can be deployed to devices by apps. For example, Office is using WebView2 and installs the runtime if it's not there (see Microsoft Edge WebView2 and Microsoft 365 Apps - Deploy Office | Microsoft Docs), and other apps will likely have similar behavior. You might have an app on the device that requires it and keep re-installing when it's missing. If you need to, you can block the install via group policy Microsoft Edge Update Policy Documentation | Microsoft Docs. Thanks!

I have just tested this, and it doesn't work.

1. Configure registry and group policy to block edge webview 2 runtime install.
2. Download edge webview 2 installer from website
3. The installer runs, and installs edge webview 2 runtime, ignoring group policy, and ignoring registry settings. This is literally malware behavior.

[ghost]

It seems that a lot of people (top upvoted issue) might want to use webview2, but don't want the installer. Not being able to block the installer makes webview2 runtime spyware.

[ghost]

It's now getting installed by "gaming services" from the windows store, even after I explicitly set the group policy to disable and disallow install. Edge Webview2 is malware.

[ghost]

Of course it's logged in event viewer:

Over time, I hope people will start to become as frustrated and as startled as I am, with this unwanted spyware service, and will attempt more extreme measures to block this.

It reminds of the old time software installers that installed viruses - the term is "potentially unwanted applications" - in your computer, even when you "ticked off" the box asking if you wanted the stuff installed.

Nowadays, you won't even be asked - everything will be done sneakily and silently.

Edit: The cherry on top of the cake is the service running automatically, on startup.

[champnic]

We've been looking into the behavior of the group policy. When you notice that "Gaming Services" is installing the updater, can you confirm that the updater is actually installing the WebView2 Runtime after you've explicitly uninstalled it already, and you have the group policy set? My understanding is that the GP doesn't completely block the updater from being downloaded, but that it will block the installation of the WebView2 Runtime, and then will also uninstall itself after noticing the GP is set. It's possible for this uninstallation of the updater to take a while.

[ghost]

I can confirm que the malware edge runtime was installed, even after I had it uninstalled once, even after applying registry tweaks and group policies.

[ghost]

it will block the installation of the WebView2 Runtime, and then will also uninstall itself after noticing the GP is set.

No. The installation is not blocked, and it also most certainly did not uninstall itself.

Like adwares and malwares, the edge runtine is a "PUA".

[champnic]

Thanks for confirming. Would you be able to provide some info on what you did to configure the group policy? If possible, if you could share the following installer logs from your machine as well that would be helpful:

%ALLUSERSPROFILE%\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
%LOCALAPPDATA%\Temp\msedge_installer.log

Thanks!

[ghost]

The group policy I have configured are the ones listed in the docs.

Here's a screenshot: I disabled the ones for Microsoft Edge as well, in case webview2 would not respect the ones for webview.

The only solution I could find that (for now) prevents the webview2 runtime PUA from getting installed was to take ownership of the regkey Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate and deny everyone permission for reading, updating, and changing permissions.

@champnic Is there an email to where I can send the logs so that I won't have to post potentially sensitive information here?

[champnic]

Thanks for the info! You can email me directly at champnic@microsoft.com.

[ghost]

Thanks for the info! You can email me directly at champnic@microsoft.com.

I've emailed you the logs.

[PPgkYG]

I have same problem(Window7).I find AVIRA done this.

[champnic]

Hey @PPgkYG - Can you add some more details on what is happening and what you'd like to see changed?

We don't ship an exe called webview2.exe - that seems to be what Avira has chosen to call one of their executables.

[PPgkYG]

For me Avira download webview2.exe(edgeupdate.exe) and silent install since Oct 19 or 20 。And why a “runtime” need install individually update server in system？Today Mirosoft just make user mad。

[champnic]

Hey @PPgkYG - I'm not sure I understand your question. Avira relies on the functionality in the WebView2 runtime and so installs the WebView2 runtime.

[PPgkYG]

I think my case may some help for @ghost.

[johanpellkvist]

I agree with ghost this behaves like a malware. At least we should have a simple registry key to be able to avoid updates. We have a whitelisting tool which only will allow controlled binaries to run on the clients, in this case, it works until first update of webview2 and then everything is blocked. Normally the standalone client machines are on a network without internet connection, but sometimes they get contact and get updates and will then stop working.

[paulfwhite]

Yes please. I would like to see a switch to prevent auto updates and be notified of intended changes.

I noticed 6 edgewebview binaries running on my system today. There was an update this morning with new binaries downloaded to: C:\Program Files (x86)\Microsoft\EdgeWebView. The timing coincides with auto updates from Acrobat Reader DC and Google Update Service. Eventlog shows this message (and a couple of times daily) :

The description for Event ID 0 from source edgeupdate cannot be found.

The software was installed over 6 months ago, I recall having MSEdge installed for a brief period.

I have uninstalled using "Add Remove Programs" and to prevent it coming back I have locked down the permissions on the folder. The updater service was automatically removed. I hope to see an error if/when another package tries to re-install or use it.

Win 8.1, Chrome 99.0.44xx Not MSEdge, Not MSOffice. Not Visual Studio

[KirkH420]

I sorta doubt you're gonna see them make any changes to this behavior. What you're seeing is the difference between WebView2 Evergreen (which comes as a bootstrap installer that can be built into source code or a standalone installer) and WebView2 Fixed Version. Microsoft's term "Evergreen" basically means software that keeps it's self updated. It also has the benefit of interoperability with other software that makes use of WebView2.

Developers have the option of packing a Fixed Version of Webview2 into their source, but it will bloat their product with an extra 250MB of data, so not many devs are choosing this option from what I've seen. It also means that the devs will have one more thing to keep up with. They'll be responsible for releasing an update to their software that includes an updated WebView2 when MS releases security related fixes. A Fixed Version will also cause the end-user (you) to have more than one copy of WebView2 installed because, when a program is compiled with a Fixed Version, only that program can use that instance of WebView2. Any other programs (like Xbox Gaming) will continue to use a different instance which, more often than not, will be an Evergreen version. So it really doesn't make much sense to use a Fixed Version.

Unfortunately, if you don't want to use WebView2 Evergreen, you're gonna probably have to uninstall any software that is built to use it. I suppose you if you are really determined and the software you're wanting to use is open source, you could compile your own copy with a Fixed Version WebView.

[modz2014]

hey @ghost are still trying to block webviewer i was wondering where did you find that policy

[champnic]

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#microsoft-edge-webview-policies

[modz2014]

doesn't fix the problem still gets installed without any notice or anything this is becoming malware

[Anthiam]

I would like to add my immense frustration with WebView2. For whatever reason, WebView2 has interfered with our web based POS software. Uninstalling it resolves our issue. We uninstalled on all machines and were immensely frustrated to see it come right back within a few days. We blocked the software with our endpoint management software, but our software blocks by version and WebView2 apparently updates multiple times per week.

Thanks to this poor implementation, to which I agree with the user above calling it malware, I have to check EVERY DAY to see if I need to ban a new version. It appears O365 may have a way to turn this off, but we are not using O365. It appears we can disable Edge updates, but that interferes with another one of our platforms. Once again Microsoft has put users between a rock and a hard place with anti-consumer practices. Disabling it may interfere with Microsoft apps... oh no, we don't use any in our environment. Thanks for protecting us from an acceptable use case...

This worthless software has cost me tens of hours of time. Microsoft does not think we should have the ability to choose for ourselves. If uninstalling it causes other issues, we will figure it out then. Stop deciding these things for us.

[Shituation]

webview2 is just another way of getting user's private data and serve ads.

[thanhle7]

On my windows, I am not using neither Edge nor any outlook-like software but WebView2 keeps getting installed back automatically :)=

[thanhle7]

@champnic Can you please let me know how to get rid of MS Edge and WebView2. I am not using Edge, MS Office, neither VStudio with Xam for mobile app dev. My windows laptop is just for web browsing using Firefox. By the time I got my windows 10 license bask in 2016, I didn't have Edge or any thing like WebView2 on the system software list.

[IBM50Z]

OP's comments .. "I did not consent, nor did give any permission for it [WebView2] to be installed. Not only that, but a few days after uninstalling it, it reinstalled itself. That's malware behavior." .. still applies! It would be MUCH appreciated if the Powers That Be provide a WebView2 stop-install-stop-update setting in GP and/or the Registry. At the very least! TIA.

As of late I have tried to uninstall WebView2 by using Geek Uninstaller "Force Removal" (including numerous registry settings). I am not sure this is a good idea and/or if it holds in the longer term .. but I neither need nor want this software on my computer!

[Shituation]

They are not going to let us uninstall edge because thats big part of how MS gets our private data. They are pushing the use of edge, they insist so much on using it. Why MS? why do you try so hard? why do you FORCE the users to use or at least have executing a browser ON THE BACKGROUND that they DON'T WANT TO USE ?

Whats happening now?

"well if people doesn't like it by good means, lets make EDGE a core part of the software we distribute so they MUST have this DEPENDENCY on their systems. We will start requesting developers to use edge code in their UWP apps and we will """"update"""" the OS so we can make Edge a system dependency."

[IBM50Z]

I noticed that the OP's user account has been deleted. (Hi, I'm @ghost! I take the place of user accounts that have been deleted. 👻 Nothing to see here, move along.) So, I gather this thread is pretty dead!

Maybe @champnic can give an update and/or referral on the subject matter?! TIA.

[KirkH420]

One thing that people can try, as a method of preventing the automatic re-installation of a particular software, is to use Windows' built-in User Account Control permissions to revoke the system's ability to Write to the directory where the program gets installed. You'd do it by visiting the folder's properties panel and navigating to the Advanced Security panel. Take ownership of the folder. Then you would press the "ADD" button, then press "Select a principal", which opens another small window. In the box, type the word "Everyone" (no quotes) and click OK. Next, change the Type so the dropdown box says "Deny" and then enable the checkbox named "FULL CONTROL". Click OK/Apply/OK and that's it, you're done. With these settings, the computer shouldn't be able to create files/folders in that directory any more. It will also allow you to easily undo this configuration by simply removing that new "Everyone" entry that you just created.

I've used this method for a number of situations, just not this particular situation with WebView2. Ideally you wouldn't want to need something like this, but there are times when you may.

[thanhle7]

My solution is to remove Edge and disable its update using regedit.

[Shituation]

Absolutely not forcing us to keep edge open. No sir.

Nice backdoor.

[champnic]

Hey all - Our team isn't planning to do specific work to block the WebView2 from updating besides the policy controls we provide for managed machines. As noted in this thread, there are some workarounds if you are really trying to disable or remove the WebView2 runtime, though note that apps which use and rely on WebView2 may not work as intended, and by disabling updates the version of the runtime on your machine may become out-of-date and be missing security updates and other bug fixes. I'm going to Close this thread, but feel free to keep using this thread to discuss further. Thanks

[KirkH420]

Absolutely not forcing us to keep edge open. No sir.

Nice backdoor.

If you're interested, Microsoft provides some additional Group Policies that you can add to your computer. They're for Edge Business edition, but many of them will work for all editions of Edge. Many people, such as myself, use tools to completely remove Edge from their machine (after every major Windows Update), but I added this collection of Group Policies to my machine anyway, just so I could get an idea of what they can do.

Find out more and download them from this Microsoft link: https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ *Click the link that says "Download Windows 64-bit Policy"

And here is a guide to help you get the policies installed: https://technoresult.com/how-to-install-group-policy-templates-for-microsoft-edge/