Asus Recovery DVD scandal: How it happened

For those who haven’t already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus powerpoint describing “known compatibility issues”, Asus source code, and even an OEM issued Microsoft document, which mainly says “do not distribute DR-DOS with any computers”.

We now know from an OEM source how exactly the files got where they did in the first place, and it isn’t very surprising.

An Asus representative said they would be investigating the matter, and while someone is still going to lose their job over this just so Asus can say so, the way the files made it to thousands of PCs is pretty common.

An OEM employee (name not mentioned here) discussing the matter said that during the vista installs, the generic vista disc installing the OS looks for an XML file (unattend.xml) on a flash drive, and upon finding it the installation parses it and runs the XML code as installation instructions so nobody has to go through the installation menu for the hundreds of synchronous installations (hence the unattend).

BUT… there is another twist: If a certain tag or attribute is present, all files other than unattend.xml itself on the flash drive will be copied to c:\windows\configsetroot – see the connection?

So apparently an Asus employee happened to have a personal flash drive, and stored his resume (presumeably, conspiracy theorists may disagree) as well as a few ‘harmless’ keygens and serials on it as well, in his defence in case maybe he lost the serial to winrar or other programs. Apparently the same employee used the flash drive to store or back up confidential Asus documents and source code, as well.

So if the Asus internally distributed unattend.xml file was copied to this unnamed (and jobless) employee’s personal flash drive, and included the xml tag/attribute to copy over everything to the system root and, therefore, recovery DVD as well, then voila! Then the only way somebody could come under fire because of this is because of oh, I don’t know, not checking the installation root once everything was installed!

So now we know HOW exactly this whole ordeal was started, and there is a lesson to be learned here…. somewhere.


Anthony Cargile is the founder and former editor-in-chief of The Coffee Desk. He is currently employed by a private company as an e-commerce web designer, and has extensive experience in many programming languages, networking technologies and operating system theory and design. He currently develops for several open source projects in his free time from school and work.

More Posts - Website


  1. Override100 May 9, 2010

    I presume not good testing procedures in Asus if no one checks the content in the master disk.
    100 porcent agree.
    sorry for the late response

  2. It’s no surprise that nobody checks the final build, the tech world is getting shonkier by the day. Three nights this week I’ve been unable to use my ’3′ wireless broadband (getting less than 20kbps) – which means that my Internet experience now is considerably worse than it was in 1995. Not enough staff, no time to check or test, fragile, brittle solutions everywhere.

  3. I presume not good testing procedures in Asus if no one checks the content in the master disk.

Leave a Comment

Your email address will not be published. Required fields are marked *