Skip to content

Instantly share code, notes, and snippets.

@jcary741

jcary741/badlenovo.ps1

Last active November 2, 2025 17:20
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jcary741/19cc74c93a499f8c23ad7dd5a04faf86 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jcary741/19cc74c93a499f8c23ad7dd5a04faf86 to your computer and use it in GitHub Desktop.
Download ZIP
Removal script for Tobii and Nahimic software on Lenovo Legion 5 devices
Raw
badlenovo.ps1
# Version: 0.1 (2025-01-18)
# License: MIT, use at your own risk
#
# This script disables the Lenovo-installed "Tobii experience" software and "nahimic" software.
# Tested on a Lenovo Legion Pro 5 (82WM) with Windows 11 24H2.
# Run it with `powershell.exe -noprofile -executionPolicy Bypass -File badlenovo.ps1`
# Following this script, you should be able to uninstall the "Tobii experience" app from the control panel (appwiz.cpl)
#
# After major updates, you may need to re-run this script.
# Disable services (may be re-enabled on reboot)
Get-Service -Name "Tobii*" | Stop-Service -Force
Get-Service -Name "Tobii*" | Set-Service -StartupType Disabled
Get-Service -Name "Nahimic*" | Stop-Service -Force
Get-Service -Name "Nahimic*" | Set-Service -StartupType Disabled
# Get the service exe paths
$services = Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -like "Tobii*" -or $_.Name -like "Nahimic*"} | Select-Object PathName
$services = $services.PathName -split "`n" | ForEach-Object { $_.Replace('"', '').Trim() }
$services = $services -replace '\.exe.*', '.exe'
## use icacls to deny access to the service exes, so that they can't be started
$services | ForEach-Object {
$servicePath = $_
$acl = Get-Acl $servicePath
$denyEveryone = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "Deny")
$denySystem = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "Deny")
$acl.SetAccessRule($denyEveryone)
$acl.SetAccessRule($denySystem)
Set-Acl $servicePath $acl
}
# Find "devices" that are installed by the Tobii or nahimic software and disable them
$devices = Get-PnpDevice | Where-Object {$_.FriendlyName -like "Tobii*" -or $_.FriendlyName -like "Nahimic*"} | Select-Object FriendlyName,InstanceId
$devices | ForEach-Object {
$device = $_
$instanceId = $device.InstanceId
$friendlyName = $device.FriendlyName
Disable-PnpDevice -InstanceId $instanceId -Confirm:$false
Write-Host "Disabled device: $friendlyName"
}
@eabase
Copy link

eabase commented Sep 5, 2025
edited
Loading

@jcary741
@bryantc24

I just noticed after another windows update, that the Tobii malware was updated and reinstalled! WTF MS!!?

I still need to investigate the new installer files, but it seem that for the moment, our previous host file, driver and registry hacks prevented it from running properly! 🥇

Warning

In addition, another very nasty Intel malware was hogging up my CPU and uploading just about every possible Network setting, including info on every single SW and app installed and a full record of what programs have been running on the CPU. The malware is called QUEENCREEK and is supposed to help you tune your processor... Instead uploading just about everything else about your computer, your network, your connected devices, apart your files themselves! There should be prison sentences for this kind of intrusion.

Upload folders can be found here:

  • C:\WINDOWS\system32\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\

Program folder here:

  • C:\Program Files\Intel\SUR\QUEENCREEK\x64\

Registry Keys here:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESRV_SVC_QUEENCREEK\

Service is called ESRV_SVC_QUEENCREEK.

# Stop Service
sc.exe stop ESRV_SVC_QUEENCREEK

# Delete Service
sc.exe delete ESRV_SVC_QUEENCREEK

# Disable scheduled task:
schtasks.exe /change /tn USER_ESRV_SVC_QUEENCREEK /disable

Use firewall to block port 49350.

Important

This one is very tricky, hiding in plain sight! 👺
However, if you leave your PC without using anything, you will suddenly find your CPU fans and CPU usage go up massively as all the collection scripts are being run and then uploaded to their spy DB servers. As soon as you touch anything, mouse or key button, it immediately drops back to normal. If you're lucky to find any associated process, you'll only see yet another svchost.exe and nothing else obvious.

@bryantc24
Copy link

bryantc24 commented Sep 25, 2025

@eabase I actually don't have Queencreek intel on my machine, which Lenovo PC are you running?

@jcary741
Copy link
Author

jcary741 commented Oct 27, 2025

@bryantc24 I also do not seem to have that one.

I also have once again confirmed that my initial script continues to be effective for Tobii and Nahimic. 9 months of the icacls solution working, nice!

@CristiSalva999
Copy link

CristiSalva999 commented Oct 28, 2025
edited
Loading

Hi @jcary741 @eabase @ComicallyNormal @bryantc24
I've run in the same issue and I made myself some more tests. After restarting the system I was still experiencing the same issue having Tobii/SPIT services and processes running.

I pushed a version of the same file that is working for me. I'm on Lenovo Legion Pro 7 16ARX8H.

On this model I can't find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESRV_SVC_QUEENCREEK\ or ESRV_SVC_QUEENCREEK service.

Thanks again for your research and contribution.

@bryantc24
Copy link

bryantc24 commented Nov 2, 2025

@jcary741 Your script is also working on my machine, thank you for writing it :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment