Everything posted by NoelC
-
Several things:
1. I'd already opted out of all "send data to Microsoft for further analysis or to improve their malware database" settings. ALL of them. NO Smartscreen, NO MAPS, NO telemetry, NO Windows Update except when I initiate it. Yet the communications attempts continue. Poorly coded software that makes connections regardless of settings but doesn't send anything, or something else?
2. Past descriptions of the Malicious Software Removal Tool (mrt.exe) have said that "it will run one time to ensure you're malware-free". So why is it running in the middle of the night trying to contact Microsoft servers in such places as Sao Paulo, Brazil? I'm not running it; apparently it's being triggered as part of normal Windows Defender activity. Anti-spyware software not advertised to be run that way making encrypted connections to servers named spynet? Hiding things in plain sight, anyone?
3. NOTHING malicious is being detected on my system, yet these ENCRYPTED connections are still being attempted every few hours. What is it trying to send or retrieve that they need to be encrypted?
4. Microsoft has clearly changed its stance in the past few years, and more so lately. There's no denying they're now predatory and actively seeking to take over and gather information from our computers. Many people have stopped taking some or all Windows Updates. It's time to suspect everything they do.
5. Even ignoring the data content of the messages, just by the act of contacting a Microsoft server somewhere, Microsoft knows your computer is online and running at a given time. That alone is a certain loss of privacy. How does it benefit YOU? Would you choose to get up at 2am and send Microsoft a note saying, "I'm here"?
Of course, use your judgment and make your own decisions. -Noel
-
I am running a fully legitimate, licensed, activated copy of Windows 8.1 x64 Pro MCE. I've been refining a "no Windows Updates, no system networking allowed by firewall" configuration, as I'd like to keep my current perfectly working, privacy-enhanced setup running indefinitely (not moving to Win 10 yet, if ever). By blocking Windows 8.1's attempts to communicate regularly with Microsoft's servers, am I setting myself up for it to deactivate itself in the future? I'm concerned that Microsoft may have built in a time bomb. If the answer is yes, I can consider occasionally opening the firewall (ideally as little as possible) and allow it to do occasional license or Windows Update checks - though the chances I'll be actually installing any more of Microsoft's actual updates are slim. As you can imagine, the information online on or around this subject is more oriented to making an unlicensed installation activated. Let's avoid discussing that if at all possible, that's not my intent. Thanks for any knowledge on keeping Windows 8.1 running "off the grid" that you're willing to share. -Noel
-
In monitoring network traffic, I've discovered the need for yet another reconfiguration to improve privacy. This one does not appear to be configured by, e.g., O&O ShutUp10. It's possible it's covered by another setting as well, but I had the Microsoft Windows Malicious Software Removal Tool regularly trying to contact Microsoft spynet servers with encrypted connections all over the world before setting it:
From this page: support.microsoft.com/en-us/kb/891716
Confirmed to be pertinent to Win 10 here: technet.microsoft.com/en-us/library/mt577208(v=vs.85).aspx
Also listed here, by none other than A. User (no, not me) who was subsequently banned by Microsoft: answers.microsoft.com/en-us/windows/forum/windows_vista-security/ms-malicious-software-removal-tool/723cdcec-35de-4e7f-84e6-29d63103809f
And one other source: www.ghacks.net/2007/12/16/prevent-malicious-software-removal-tool-from-phoning-home/
-Noel
-
How to find the unique ID that Microsoft has assigned to you
NoelC replied to LetsWindows10's topic in Windows 10
What's that old line in Jurassic Park, uttered by John Hammond to Dennis Nedry? Seems appropriate... ...our lives are in your hands and you have butterfingers? -Noel
- 17 replies
-
1
-
- Windows 10
- Cloud
-
(and 2 more)
Tagged with:
-
Microsoft killing classic control panel in Win 10?
NoelC replied to DaveImagery's topic in Windows 10
There are always differing viewpoints. Smart people tend to fight the fanboys for a while, then get tired and move to forums like this one where reality tends to override fashion. I wouldn't mind a control panel replacement that's actually COMPLETE and BETTER. As it is, unfortunately Microsoft seems bent on replacing things before the new things are COMPLETE or BETTER than what they're replacing. Just try to request a sync to an internet time server, for example. There are half a dozen more steps than there used to be... -Noel
-
I'm impressed that people no longer appear to be abandoning Windows 7 or 8.1 at all. I'm always impressed at the weekend bumps... Can one judge the goodness of an OS by the direction and size of the weekend bumps? Assuming so, what does it say about a society that they generally prefer to run crappier/more frivolous operating systems on the weekends than what they use for their jobs? I think the bumps/dips alone would make a fascinating subject for discussion. -Noel
-
And don't forget, once we've cut off the patches ultimately they'll say "your system is a threat to all the others, since it's unpatched - therefore we must deactivate your license". Microsoft: Managing Mediocrity to Their Advantage for a Third of a Century -Noel
-
You're not supposed to notice stuff like that. -Noel
-
Right. They're definitely pushing the envelope to define the new normal. Got to get all those sheep used to being fleeced in order to get them ready for the slaughter. Where is the Justice Department in all this? I guess the law is all about precedent and "the new normal" too. -Noel
-
With Windows 10 getting all the hot "Privacy Invasion!" press lately, I thought it's worth mentioning that an updated Windows 8.1 system is as likely to send your data abroad as Windows 10. Perhaps even MORE likely, since there aren't as many tools of the genre "ShutUp8.1"! The subject is finally getting good attention. I've long since thrown all the switches on my Win 8.1 x64 Pro MCE system to the most-private settings, I use a local account, and I have no Metro/Modern/Universal Apps. OneDrive is completely off as well. I've developed a "deny-by-default" firewall configuration based on Sphinx Windows Firewall Control that blocks things I haven't specifically given permission to communicate. You'd be surprised at how many communications are STILL attempted by the operating system itself. As an experiment, with the firewall and full monitoring in place, I left the Windows Update service not running for the past several days. The following is a summary of what I saw: The encrypted communications, marked in red, may represent clandestine attempts to send telemetry or personal data to Microsoft. I attribute the several connections marked in blue at the end to a possible "secret" Windows Update attempt.
Unwanted Win 8.1 communications my firewall has blocked in the last few days:
TCP 23.1.117.231:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using my login ID
TCP 23.13.70.176:80 - Akamai Technologies (CDN), Cambridge MA - by dllhost.exe using SYSTEM login ID
TCP 23.14.181.100:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using SYSTEM login ID
TCP 23.39.131.234:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using my login ID
TCP 23.62.165.99:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using SYSTEM login ID
TCP 23.96.212.225:443 - Microsoft Azure, Redmond WA - by Microsoft Windows Malicious Software Removal Tool
TCP 23.218.211.122:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using my login ID
TCP 104.41.32.78:443 - Microsoft Azure, Sao Paulo, Brazil - by Microsoft Windows Malicious Software Removal Tool
TCP 108.162.232.196:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.197:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.198:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.199:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.200:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.201:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.202:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 108.162.232.205:80 - CloudFlare, San Francisco, CA - by svchost.exe using my login ID
TCP 172.224.184.228:80 - Akamai Technologies (CDN), Cambridge MA - by dllhost.exe using SYSTEM login ID
TCP 191.237.208.126:443 - Microsoft Azure, Wichita, KA - by Microsoft Windows Malicious Software Removal Tool
TCP 191.238.241.80:443 - Microsoft Azure, Wichita, KA - by Microsoft Windows Malicious Software Removal Tool
TCP 192.204.82.178:80 - NTT, Orlando, FL - by Windows Media Player
TCP 192.204.82.210:80 - NTT, Orlando, FL - by Windows Media Player
Specifically blocked on Win 8.1 late last night while the system was idle:
TCP 104.73.11.204:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using my login ID
TCP 23.62.165.99:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe using SYSTEM login ID
TCP 23.218.211.122:80 - Akamai Technologies (CDN), Cambridge MA
Win 8.1 communications that have succeeded, since I've specifically whitelisted the address or protocol:
ICMP - 23.99.222.162 - Microsoft, Redmond WA
TCP 178.255.83.2:80 - Comodo (Certificate Revocation List server), London, England - by svchost.exe
TCP 93.184.215.200:80 - Edgecast Networks (Certificate Revocation List server), Wichita KA - by svchost.exe
In the past I have whitelisted the following addresses to allow a successful Windows Update, but communications with these happened autonomously without my having requested a Windows Update. These concern me, as they may represent an attempt by the system to do a "secret" Windows Update. It is apparently not fully possible to lock a system down with just a firewall alone and still allow Windows Updates. This is why in general I advocate disabling the Windows Update service when I'm not looking to actually do a Windows Update.
TCP 23.14.84.57:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe
TCP 23.14.84.113:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe
TCP 96.16.98.112:80 - Akamai Technologies (CDN), Cambridge MA - by svchost.exe
I'll be continuing my test a bit longer to see what the system will try to do on its own if Windows Update is left disabled. -Noel
- 1 reply
-
1
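The post above lists blocked connections per process and login account as reported by a third-party firewall. The following is an added example (not NoelC's code and not part of Sphinx Windows Firewall Control) that builds the same kind of per-process snapshot of Internet-bound TCP connections with built-in cmdlets only. It assumes Windows 8.1 or later (for the NetTCPIP module and `Get-Process -IncludeUserName`, which needs an elevated prompt); the function names and the "port 443 means encrypted" heuristic are my own.

```powershell
# Added example: snapshot outbound TCP connections with owning process and
# account. Not code from the original post. Assumes Windows 8.1+ and an
# elevated PowerShell session (Get-Process -IncludeUserName requires it).

function Test-PrivateAddress {
    param([string]$Address)
    # Loopback, link-local and RFC 1918 peers are not Internet-bound; skip them.
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)')
}

function Get-OutboundConnectionReport {
    # Established and half-open (SYN sent) connections both count: a blocked
    # attempt often shows up only as SynSent.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -IncludeUserName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                Encrypted = ($_.RemotePort -eq 443)   # heuristic, like the post's red entries
                Process   = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                Account   = if ($proc) { $proc.UserName } else { '?' }
                State     = $_.State
            }
        }
}

Get-OutboundConnectionReport | Sort-Object Process, Remote | Format-Table -AutoSize
```

Because svchost.exe hosts many services in one process, the `Process` column alone does not say which service opened the socket; `tasklist /svc /fi "pid eq <pid>"` maps a given svchost PID to the services it hosts. Run the snapshot a few times while the system is idle to catch the periodic attempts the post describes.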
-
Notwithstanding GWX, there have been folks who have reported online that the Win 10 "up"grade proceeded without their permission. Did they or some other user of their computer accidentally click through and take the wrong decision when prompted by GWX? It's possible. -Noel
-
How is that new news? It's already been doing exactly that. Are they planting such press info so that moving forward, people bit by the GWX malware can be told, "you were warned"? -Noel
-
Heh, I appreciate the thoughts and regards, bphlpt, though I've not made a particularly fundamental shift. Don't forget who recommended suspicion of the New Microsoft back in February 2014 here. :-) Thing is, all us folks with some actual knowledge of the tech and the industry could see this coming. And to be brutally honest I really don't like where I see it going! Microsoft can no longer return to the straight and narrow, and so the future of computing is going to shift in ways that are hard to see. Much as I have never loved Unix, it (and its derivatives) may ultimately win out and define the future. Who knows, maybe Apple will rule the high tech world one day... At least they've never left behind the "it needs to actually work" concept. -Noel
-
Actually, the time I mentioned above has passed. NOW may be the time to disable Windows Updates entirely. I haven't done so yet, but my Win 8.1 system is perfectly stable, and having to go through and try to read between the lines in the mostly undocumented update descriptions is just ridiculous. I've come to realize that the more Microsoft wants it, the less I want it. -Noel
-
It's when those sheep start calling the folks who DO care and speak out "haters" and "wearers of tin foil hats" that things get irritating. -Noel
-
"...our system..." Oops, someone's forgotten who owns the computer again. Regarding the second quote... Those bozos have once again failed to consider small business (using Windows Pro) in with Enterprise, as though small business doesn't matter, or even exist... -Noel
-
What you don't know can't hurt me. -Noel
-
Want a Halloween scare? The future of the computing world is in these hands. -Noel
-
I'm convinced they're marching to some higher level multi-year plan to eliminate computing as we know it and bridge to something where every little bit of data manipulation will cost you. -Noel
-
No, it's an attempt to update Microsoft's database. Participation in that is all turned off here. I suppose the software could be attempting the connection anyway. Nothing seems to break when the firewall blocks these connections to spynet2.microsoft.com and spynetalt.microsoft.com, though I always prefer to set things up so the system doesn't even try unwanted communications. Could just be sloppy programming on Microsoft's part (OMG, is that even possible?)... FYI, this seems to apply equally to Win 7, 8.1, and 10. -Noel
-
Thanks for the explanation. I suspect you're right on in identifying the reason. That you delete it upon logout is most likely why I don't get a corruption message during logon, but only when MalwareBytes AntiMalware runs while I'm logged in. Would you consider implementing a workaround to create a situation where the HKCU handle is not requested and held by your DWM software? Say, for example, if a flag were found set in the HKLM section that instructs Aero Glass to "use system-wide settings on this system ONLY". I would prefer that, as I don't have multiple user accounts that need different Aero Glass setups. -Noel
-
Thanks for confirming you see it too. It's entirely possible this is normal to see (noting that it's an Informational). I see the above message logged (without listing aerohost.exe of course) even if I don't have Aero Glass for Win 8+ running at all, so if it's a bug the Aero Glass product isn't the only one that does it. The actual registry corruption message I'm investigating was logged during a MalwareBytes Antimalware scan and may have nothing to do with this. In fact, there's online evidence others are seeing it with MBAM and that it might have something to do with Visual Studio 2015 Community Edition. I'm still gathering information on that. -Noel
-
Hi Big Muscle, I've detected what looks like a possible design problem... Whenever I log off I see logged in the Windows Application log a message implying that aerohost.exe is holding onto a user registry key... The reason I'm investigating this is that when I run a MalwareBytes Antimalware scan, I'm getting messages logged claiming the user registry is corrupted. Is there a workaround to the above? Would using the system portion of the registry to configure Aero Glass instead of the user portion help? Others using Aero Glass on Win 8.1... Do you see a message like this when you log off? -Noel
-
Looking through the registry, it appears mrt.exe can be run as a fallback if Windows Defender fails in some way. For example, mrt.exe is listed in the "FailureCommand" value in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]. For me MsMpEng.exe may be considering itself to fail (and thus causing mrt.exe to run) because it is unable to use (the disabled) Windows Update to load the latest virus definitions - even though it falls back to direct access and succeeds. One possible answer may be to just disable Windows Defender. It's not like it has EVER blocked anything for me. -Noel
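To check the two registry locations discussed in this thread on your own machine, here is an added read-only audit script (not NoelC's code). It reads the `FailureCommand` recovery value under the WinDefend service key mentioned in the post above, and the MRT policy key from KB891716 (linked in the earlier post), whose `DontReportInfectionInformation` value is documented there; the function names are my own, and the script changes nothing.

```powershell
# Added example: read-only audit of the WinDefend recovery command and the
# MRT reporting policy. Not code from the original posts. Reading HKLM does
# not need elevation; sc.exe qfailure does not either.

function Get-WinDefendFailureCommand {
    # Service recovery "run a program" actions are stored as the FailureCommand
    # value in the service's own key (the post found mrt.exe listed here).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).FailureCommand
}

function Get-MrtReportingState {
    # Policy key from KB891716: DontReportInfectionInformation = 1 (DWORD)
    # stops MRT from reporting infection data; a missing key means reporting is on.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
    if (-not (Test-Path $key)) { return 'enabled (policy key absent)' }
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DontReportInfectionInformation
    if ($v -eq 1) { return 'disabled by policy' } else { return 'enabled' }
}

$cmd = Get-WinDefendFailureCommand
if ($cmd) { "WinDefend FailureCommand: $cmd" } else { 'WinDefend has no FailureCommand value' }
"MRT infection reporting: $(Get-MrtReportingState)"

# Cross-check against the Service Control Manager's view of the recovery actions,
# which is what actually runs the command after a service failure.
sc.exe qfailure WinDefend
```

`sc.exe qfailure` prints the reset period, the command line and the failure actions (restart, run command, reboot) in order, so you can see not only whether mrt.exe is configured but on which failure count it would be launched.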
-
Yes, that's sensible, though one thing still bothers me... This "Malicious Software Removal Tool" is clearly running on a schedule attempting these connections, yet note this wording: -Noel