# Version: 0.1 (2025-01-18)
# License: MIT, use at your own risk
#
# This script disables the Lenovo-installed "Tobii experience" software and "nahimic" software.
# Tested on a Lenovo Legion Pro 5 (82WM) with Windows 11 24H2.
# Run it with `powershell.exe -noprofile -executionPolicy Bypass -File badlenovo.ps1`
# Following this script, you should be able to uninstall the "Tobii experience" app from the control panel (appwiz.cpl)
#
# After major updates, you may need to re-run this script.

# Disable services (may be re-enabled on reboot)
Get-Service -Name "Tobii*" | Stop-Service -Force
Get-Service -Name "Tobii*" | Set-Service -StartupType Disabled
Get-Service -Name "Nahimic*" | Stop-Service -Force
Get-Service -Name "Nahimic*" | Set-Service -StartupType Disabled

# Get the service exe paths. Win32_Service.PathName is the (usually quoted) command line,
# possibly followed by arguments; Get-WmiObject is fine here because the script runs under
# Windows PowerShell 5.1 (powershell.exe).
$services = Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -like "Tobii*" -or $_.Name -like "Nahimic*"} | Select-Object PathName
# Drop quotes and blank entries (no match at all leaves an empty string behind)
$services = $services.PathName -split "`n" | ForEach-Object { $_.Replace('"', '').Trim() } | Where-Object { $_ }
# Keep only the executable, dropping anything after ".exe"
$services = $services -replace '\.exe.*', '.exe'

## Put Deny ACEs on the service exes (Set-Acl rather than icacls), so that they can't be started
## even if the service is re-enabled. "Everyone" already includes SYSTEM; the explicit SYSTEM
## rule is kept as a second line of defence. To undo, remove the two Deny rules from the file's ACL.
$services | ForEach-Object {
    $servicePath = $_
    # Skip paths that no longer exist (e.g. after an update moved the binary)
    if (-not (Test-Path -LiteralPath $servicePath)) { return }
    $acl = Get-Acl -LiteralPath $servicePath
    $denyEveryone = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "Deny")
    $denySystem = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "Deny")
    $acl.SetAccessRule($denyEveryone)
    $acl.SetAccessRule($denySystem)
    Set-Acl -LiteralPath $servicePath -AclObject $acl
}

# Find "devices" that are installed by the Tobii or nahimic software and disable them
$devices = Get-PnpDevice | Where-Object {$_.FriendlyName -like "Tobii*" -or $_.FriendlyName -like "Nahimic*"} | Select-Object FriendlyName,InstanceId
$devices | ForEach-Object {
    $device = $_
    $instanceId = $device.InstanceId
    $friendlyName = $device.FriendlyName
    Disable-PnpDevice -InstanceId $instanceId -Confirm:$false
    Write-Host "Disabled device: $friendlyName"
}
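The header warns that major updates may undo these changes. As an added example (not part of the gist), the following read-only PowerShell audit reports whether each control the script applies is still in place: service stopped and disabled, Deny ACE for Everyone on the binary, and device disabled. It assumes the gist's name patterns and an elevated Windows PowerShell 5.1 session; the function names are this example's own, and it changes nothing on the system.

```powershell
# Added audit example (not part of the gist). Reports whether the controls badlenovo.ps1
# applies are still in place; changes nothing. Assumes the gist's name patterns and an
# elevated Windows PowerShell 5.1 session. Function names are this example's own.
param(
    [string[]] $NamePatterns = @('Tobii*', 'Nahimic*')
)

function Test-NameMatch {
    param([string] $Name, [string[]] $Patterns)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

function Get-ServiceExePath {
    # Same normalisation the gist does: drop quotes, drop arguments after the .exe
    param([string] $PathName)
    $p = $PathName.Replace('"', '').Trim()
    return ($p -replace '\.exe.*', '.exe')
}

function Test-DenyEveryoneFullControl {
    # True only if the file exists and carries a Deny ACE for Everyone with FullControl
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hit = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool] $hit
}

$findings = @()

# Services: expected StartMode Disabled, State Stopped, Deny ACE on the binary
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-NameMatch $_.Name $NamePatterns })
foreach ($svc in $services) {
    $exe  = Get-ServiceExePath $svc.PathName
    $deny = Test-DenyEveryoneFullControl $exe
    $findings += [pscustomobject]@{
        Kind   = 'Service'
        Name   = $svc.Name
        Detail = "State=$($svc.State) StartMode=$($svc.StartMode) Exe=$exe DenyAce=$deny"
        Ok     = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped' -and $deny)
    }
}

# Devices: after Disable-PnpDevice, Get-PnpDevice reports Status 'Error' with the
# "disabled" problem code, so anything reporting 'OK' again has come back to life
$devices = @(Get-PnpDevice |
    Where-Object { Test-NameMatch ([string] $_.FriendlyName) $NamePatterns })
foreach ($dev in $devices) {
    $findings += [pscustomobject]@{
        Kind   = 'Device'
        Name   = $dev.FriendlyName
        Detail = "Status=$($dev.Status) Problem=$($dev.Problem) InstanceId=$($dev.InstanceId)"
        Ok     = ($dev.Status -ne 'OK')
    }
}

$findings | Format-Table Kind, Ok, Name, Detail -AutoSize -Wrap

$bad = @($findings | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) control(s) no longer in place; re-run badlenovo.ps1"
    exit 1
}
Write-Host "All $($findings.Count) controls still in place"
```

The non-zero exit code makes it usable from a scheduled task or a post-update checklist: a failing run means at least one service has been re-enabled, a binary has been replaced (the Deny ACE does not survive a new file), or a device has been re-enabled.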
I'd be very careful with actually removing a device. If you accidentally get it wrong...that's a PITA to fix.
You can always remove a driver with the /force switch, so read the help from pnputil.exe --help.
/delete-driver <oem#.inf> [/uninstall] [/force] [/reboot]
Delete driver package from the driver store.
/uninstall - uninstall driver package from any devices using it.
/force - delete driver package even when it is in use by devices.
/reboot - reboot system if needed to complete the operation.
Examples:
Delete driver package:
pnputil /delete-driver oem0.inf
Force delete driver package:
pnputil /delete-driver oem1.inf /force
Instead disable the device, in case something goes wrong.
/disable-device [<instance ID> | /deviceid <device ID>] [/class <name | GUID>]
[/bus <name | GUID>] [/reboot] [/force]
Disable devices on the system.
/deviceid <device ID> - disable all devices with matching device ID.
/class <name | GUID> - filter by device class name or GUID.
/bus <name | GUID> - filter by bus enumerator name or bus type GUID.
/reboot - reboot system if needed to complete the operation.
/force - disable even if device provides critical system functionality.
Examples:
Disable device:
pnputil /disable-device "USB\VID_045E&PID_00DB\6&870CE29&0&1"
Disable all devices with specific hardware/compatible ID:
pnputil /disable-device /deviceid "USB\Class_03"
Disable all devices of a specific class on a specific bus:
pnputil /disable-device /class "USB" /bus "PCI"
2-month update: The initial script to cripple Tobii and Nahimic in place appears to be working just fine and has survived several minor Windows updates.
It worked as well
@jcary741
@bryantc24
Thanks for reporting back.
I haven't looked at this lately, as I didn't have any further issues, and had more severe update issues with the bloated Intel Graphic driver.
I just noticed after another Windows update that the Tobii malware was updated and reinstalled! WTF MS!!?
I still need to investigate the new installer files, but it seems that for the moment our previous hosts file, driver and registry hacks prevented it from running properly! 🥇
Warning
In addition, another very nasty Intel malware was hogging up my CPU and uploading just about every possible network setting, including info on every single piece of software and app installed and a full record of what programs have been running on the CPU. The malware is called QUEENCREEK and is supposed to help you tune your processor... Instead it uploads just about everything else about your computer, your network, your connected devices, apart from your files themselves! There should be prison sentences for this kind of intrusion.
Upload folders can be found here:
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\
Program folder here:
C:\Program Files\Intel\SUR\QUEENCREEK\x64\
Registry Keys here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESRV_SVC_QUEENCREEK\
Service is called ESRV_SVC_QUEENCREEK.
# Stop Service
sc.exe stop ESRV_SVC_QUEENCREEK
# Delete Service
sc.exe delete ESRV_SVC_QUEENCREEK
# Disable scheduled task:
schtasks.exe /change /tn USER_ESRV_SVC_QUEENCREEK /disable
Use firewall to block port 49350.
Important
This one is very tricky, hiding in plain sight! 👺
However, if you leave your PC without using anything, you will suddenly find your CPU fans and CPU usage go up massively as all the collection scripts are being run and then uploaded to their spy DB servers. As soon as you touch anything, mouse or key button, it immediately drops back to normal. If you're lucky to find any associated process, you'll only see yet another svchost.exe and nothing else obvious.
Deleting these drivers seems to only be possible if the host device is removed or disabled. I have removed with
Time will tell if this needs to be repeated or not for me.
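As an added example (not the commenter's commands and not the gist's code), here is the same containment written reversibly in PowerShell: the service and the scheduled task are disabled rather than deleted, in line with the earlier advice in this thread to disable instead of remove, and state is recorded before and after so the change can be checked and undone. It uses the service name, task name and port number given in the comment; the firewall rule's direction (outbound) and protocol (TCP) are assumptions, because the comment only says to block the port. Run it elevated; -WhatIf gives a dry run.

```powershell
# Added example (not part of the gist or the comment above): reversible containment of the
# ESRV_SVC_QUEENCREEK service and its scheduled task. Disable, don't delete, so it can be undone.
# ASSUMPTIONS: outbound TCP for the firewall rule (the comment gives only the port number);
# elevated Windows PowerShell session. Function and rule names are this example's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $ServiceName = 'ESRV_SVC_QUEENCREEK',
    [string] $TaskName    = 'USER_ESRV_SVC_QUEENCREEK',
    [int]    $Port        = 49350
)

$ruleName = "Block TCP $Port outbound (telemetry)"

function Get-ContainmentState {
    # Snapshot of everything this script touches, for before/after comparison
    param([string] $ServiceName, [string] $TaskName, [string] $RuleName)
    $svc  = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $svcStatus = 'absent'; $svcStart = 'absent'; $taskState = 'absent'
    if ($svc)  { $svcStatus = $svc.Status.ToString(); $svcStart = $svc.StartType.ToString() }
    if ($task) { $taskState = $task.State.ToString() }
    return [pscustomobject]@{
        ServiceStatus    = $svcStatus
        ServiceStartType = $svcStart
        TaskState        = $taskState
        FirewallRule     = [bool] $rule
    }
}

Write-Host "Before:"
Get-ContainmentState $ServiceName $TaskName $ruleName | Format-List

# 1. Service: stop and disable (reversible), instead of sc.exe delete
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and disable service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $ServiceName -StartupType Disabled
    }
} else {
    Write-Host "Service $ServiceName not present"
}

# 2. Scheduled task: disable (the PowerShell equivalent of schtasks /change /disable)
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    if ($PSCmdlet.ShouldProcess($TaskName, 'Disable scheduled task')) {
        $task | Disable-ScheduledTask | Out-Null
    }
} else {
    Write-Host "Task $TaskName not present"
}

# 3. Firewall: block the port. ASSUMPTION: outbound TCP to that remote port; adjust the
#    direction/protocol if the traffic you actually observe differs.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($ruleName, 'Create firewall rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort $Port -Profile Any | Out-Null
    }
}

Write-Host "After:"
Get-ContainmentState $ServiceName $TaskName $ruleName | Format-List
```

To roll back, the three steps reverse cleanly: Set-Service -StartupType Automatic (or whatever the "Before" snapshot showed), Enable-ScheduledTask, and Remove-NetFirewallRule -DisplayName with the same rule name. Because nothing is deleted, a later update that re-installs the software will show up in the "Before" snapshot as the service or task being present and enabled again.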