Everything posted by NoelC

  1. I use a DNS proxy package and also the Sphinx software firewall. Start with reply 12 here: http://win10epicfail.proboards.com/post/2284/thread Also, I've described my overall security environment here: https://www.askwoody.com/forums/topic/a-description-of-my-quite-effective-security-environment-long/ The key of my post above was that with tweaking the system can be made not to even try to communicate online. -Noel
  2. You can, with a significant customization effort, make Windows 10 private and quiet online. Of course, it's a bit of a moving target... I booted my Win 10 v1703 VM up yesterday and just let it sit there all day without using it interactively. This was the summary of online contacts:

         [07-May-17 11:54:08] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:54:52] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:55:37] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:56:22] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:57:07] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:57:52] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:58:37] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 11:59:22] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 12:00:07] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 12:00:52] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
         [07-May-17 13:55:50] Client 192.168.2.26, time.nist.gov A resolved from Forwarding Server as 129.6.15.28
         [07-May-17 19:37:33] Client 192.168.2.26, ctldl.windowsupdate.com A resolved from Forwarding Server as 118.214.160.178

     Time.nist.gov is an internet time server, and ctldl.windowsupdate.com is actually a security certificate server (i.e., a legitimate online contact, assuming you feel code signing is legitimate). It tried - and as you can see failed - to contact www.msftconnecttest.com for about 7 minutes after bootup, then fell silent.

     As far as I know this just feeds the Network Connection Status Indication (NCSI), which can be redirected or disabled via the registry or Group Policy. It's on my list of things to tweak still...

     Edit: This stopped all further attempts to connect to www.msftconnecttest.com:

         ::
         :: Disable active NCSI probing
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" -actn setowner -ownr "n:Administrators"
         REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /f /v "EnableActiveProbing" /t REG_DWORD /d 0 >nul
         REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /f /v "NoActiveProbe" /t REG_DWORD /d 1 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" -actn setowner -ownr "n:Administrators"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /f /v "EnableActiveProbing" /t REG_DWORD /d 0 >nul

     -Noel
  3. It's name-based, meaning if you want to allow communications with definitionupdates.microsoft.com it will allow communications with that server, no matter what address DNS provides for it at any given time. That's huuuuge when it comes to maintenance, since a single server name is how the software is coded, even though it could be a monstrous network of servers.*

     It's a reasonable concern that Microsoft could have built in back doors (or could in the future), but there's no magic; the underlying Base Filtering Engine is a known quantity. In fact there ARE secret rules. To counter them, the Sphinx firewall package makes sure, by selection of priorities, not to allow the Microsoft secret rules to have precedence, and it lets you know with an alert if something tries to load new ones. See this for more info, and note specifically the response from the Site Admin:

     -Noel

     * I specifically mentioned definitionupdates.microsoft.com... I did so on purpose. This is the list of IP addresses, courtesy of my DNS logs, that my systems have resolved it into over the past couple of years:

         23.14.84.114    23.14.84.155    23.14.84.160    23.14.84.161    23.14.84.162    23.14.84.163    23.14.84.169    23.14.84.170
         23.14.84.176    23.14.84.179    23.14.84.184    23.14.84.186    23.14.84.187    23.14.84.192    23.14.84.193    23.14.84.194
         23.14.84.200    23.14.84.201    23.14.84.202    23.14.84.203    23.14.84.208    23.14.84.216    23.14.84.217    23.14.84.219
         23.14.84.225    23.14.84.227    23.14.84.233    23.14.84.234    23.14.84.241    23.14.84.242    23.14.84.243    23.14.84.43
         23.14.84.48     23.14.84.80     23.14.85.19     23.14.85.25     23.14.85.27     23.14.85.33     23.14.85.49     23.14.85.51
         23.15.5.105     23.15.5.115     23.15.5.121     23.15.5.197     23.15.5.200     23.15.5.213     23.74.2.112     23.74.2.120
         23.74.2.58      23.74.2.98      23.74.8.176     23.74.9.73      96.16.98.11     96.16.98.19     96.16.98.27     104.96.220.113
         104.96.220.137  104.96.220.145  104.96.220.98   104.96.221.115  118.214.160.16  118.214.160.185 118.214.160.224 118.214.160.248
         157.238.91.17   184.26.136.104  184.26.136.123  184.26.136.137  184.26.142.136  184.26.142.27   184.26.142.42   184.26.142.48
         184.26.142.57   184.26.142.58   184.26.142.66   184.26.142.75   184.26.142.80   184.26.142.88   184.26.142.89   184.26.142.90
         184.26.142.97   184.26.142.99   184.26.143.106  184.26.143.121  184.26.143.129  184.26.143.138  184.26.143.146  184.26.143.163
         184.26.143.98   184.51.126.123  184.51.126.194  204.2.132.50    204.2.178.160

     Imagine trying to manage an address-based firewall setup by tracking the above list of addresses, just to specifically allow Windows Defender updates. With the Sphinx firewall, it's just one entry that works now and into the future... Set it and forget it.
  4. It's funny, you call it "great" while at the same time craving the same things we all are... Those of us whom you've characterized as "not liking" Windows 10 want the same things you do, and maybe even a little improvement of Windows 10 where it counts. Computers keep advancing, but you'd be hard pressed to name anything that Microsoft has done to advance the state of the art of operating systems. Microsoft is making changes that benefit THEM mostly, and frankly they're just adding Apps and advancing the Microsoft Store integration of the product. Personally I've been trying with each release in a virtual machine to tweak it back into something I can use, so that I might be able to move my main work systems up to it. Trouble is, I find I keep having to fight Microsoft, because almost everything they're doing to Windows 10 I find I want to undo. I don't want Apps, cloud-integration, and I prefer to have my systems send in no telemetry and to be completely under MY control. Mostly I've been successful, but what's left seems no better than Windows 8.1 or 7 - which are the operating systems I'm still running on my work system hardware. Out of curiosity, what do you feel is "great" about it? Are there things you couldn't do with older versions that you find good or pleasant? -Noel
  5. So it's like most other tweaking, then... Try it and see what happens. I removed all the optional features listed except the IE one in my Creator's Update VM, and am testing. So far so good... -Noel
  6. Yes, he gets it. It's about Microsoft trying to change what's considered "Normal" to something that's both worse and benefits them. -Noel
  7. I like the concept of the feature removals with DISM. I hadn't thought of it. Do you have a reference link handy showing the list of features? For example, if I want to retain Internet Explorer capability, would I want to execute the following?

         DISM.exe /online /Disable-Feature /Featurename:Internet-Explorer-Optional-amd64 /remove

     -Noel
  8.     # XXXX needs to be replaced with actual device numbers--how to find not sure
         sc config MessagingService start=disabled
         sc config MessagingService_XXXXX start=disabled
         sc config PimIndexMaintenanceSvc start=disabled
         sc config PimIndexMaintenanceSvc_XXXXX start=disabled
         sc config UnistoreSvc start=disabled
         sc config UnistoreSvc_XXXXX start=disabled
         sc config UserDataSvc start=disabled
         sc config UserDataSvc_XXXXX start=disabled
         sc config OneSyncSvc start=disabled
         sc config OneSyncSvc_XXXXX start=disabled;Unistack;

     Excerpted from my Windows10ReTweaker script... I've found that if you set the Start type to Disabled of the basic services then reboot, the related ones with the hex codes don't start. Also, for the Creator's update there are several missing from the above list.

         ECHO.
         ECHO Disabling Unistack Service Group services.
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MessagingService" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MessagingService" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MessagingService" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc" /f /v "Start" /t REG_DWORD /d 4 >nul
         ::
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnUserService" -actn setowner -ownr "n:Administrators"
         SetACL -silent -ot "reg" -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnUserService" -actn ace -ace "n:Administrators;p:full"
         REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnUserService" /f /v "Start" /t REG_DWORD /d 4 >nul

     -Noel
  9. I'm happy to report that with my new nVidia P2000 workstation card installed, I have found that Aero Glass for Win 8+ works perfectly with the 10 bits per color mode selected. I thought through the upgrade and know that an ATI -> nVidia switch could be perilous, so I downloaded both ATI's "amdcleanuputility" and nVidia's display driver for the new card ahead of time. All in all the install went easily and everything's working. Photoshop shows no visible bands in a gray gradient. -Noel
  10. I was doing some of the things I normally do during software development yesterday on my Win 10 "Creator's" test system. I opened a File Explorer window to a network drive then clicked a column to re-sort the files by date. The drive was spun down in a power-saving mode on the server (and thus didn't respond right away)... File Explorer just went blank, and didn't ultimately display the files in re-sorted order. It just stayed blank! Only navigating to a different folder and back again caused it to display the files again. THAT is precisely the kind of crap I don't need from an OS that's expected to support my work! And it is a problem I have never seen in prior versions. But even worse, it's precisely the kind of problem that any number of home users won't see during the public "beta test", and thus businesses will struggle with it when it's rolled out to them, even if they're on the Current Branch for Business. Microsoft has failed to remember that making an OS that businesses use is why people chose to use it at home. They wanted the same thing they were used to using at work. It just isn't valid to try to turn it around and have Windows focus on being a "home system". -Noel
  11. A new nVidia Quadro P2000 did arrive yesterday (Saturday), but it turns out I need a couple of cables I don't have. My old card has a DVI and two mini-DisplayPort sockets and this new one has 4 full-sized DisplayPort sockets (I neglected to note the difference between mini- and full-sized-DisplayPort when ordering). The new card came with one DisplayPort to DVI converter cable, so I need one more of those and one full-sized DisplayPort to DisplayPort cable. A whole US $18 on Amazon.com, but it means another delay. I find modern times somewhat frustrating when such things as these cables just aren't available locally because everything's gotten so dumbed-down that brick and mortar "tech" stores only carry the most basic consumer goods. I hope my system is as stable with this new card as it has been with my current ATI 7850 card. I've had the ATI for 4 years now, and it runs for months and months between reboots without any glitches. Uptime right now since the last reboot due to a Windows Update is almost 11 days. Based on published benchmarks, the new nVidia card should give me double the GPU performance and draw less power to do it, but the most interesting thing to me is the ability to use true 30 bit color. I'll be experimenting with that in Adobe Photoshop, and I will of course report back here on whether Aero Glass works with the settings needed to support 30 bit color. -Noel
  12. Tweakage update: At this point I'm going to attribute the Windows Update issues to Microsoft until I can prove otherwise, and in any case, it updates just fine from the catalog manually and manually controlled updates are my goal, so it's all good. Idle desktop process count is now down to 74 after disabling the Windows Error Reporting Service and a few others. Here are all the services currently running:

          "dllhost.exe","3740","COMSysApp"
          "lsass.exe","812","SamSs"
          "msdtc.exe","3884","MSDTC"
          "spoolsv.exe","2228","Spooler"
          "svchost.exe","148","BrokerInfrastructure,DcomLaunch,Power,SystemEventsBroker"
          "svchost.exe","460","WinHttpAutoProxySvc"
          "svchost.exe","636","RpcEptMapper,RpcSs"
          "svchost.exe","932","LSM"
          "svchost.exe","980","PlugPlay"
          "svchost.exe","1124","TermService"
          "svchost.exe","1212","lmhosts"
          "svchost.exe","1264","EventLog"
          "svchost.exe","1320","Themes"
          "svchost.exe","1328","EventSystem"
          "svchost.exe","1336","ProfSvc"
          "svchost.exe","1464","SENS"
          "svchost.exe","1500","AudioEndpointBuilder"
          "svchost.exe","1540","Schedule"
          "svchost.exe","1604","AppXSvc"
          "svchost.exe","1648","BFE,CoreMessagingRegistrar"
          "svchost.exe","1656","UmRdpService"
          "svchost.exe","1664","Audiosrv"
          "svchost.exe","1736","LanmanWorkstation"
          "svchost.exe","1860","CertPropSvc"
          "svchost.exe","1868","nsi"
          "svchost.exe","1896","ShellHWDetection"
          "svchost.exe","1960","TimeBrokerSvc"
          "svchost.exe","1968","UserManager"
          "svchost.exe","1976","Dhcp"
          "svchost.exe","1984","Dnscache"
          "svchost.exe","2112","StateRepository"
          "svchost.exe","2220","SessionEnv"
          "svchost.exe","2400","IKEEXT"
          "svchost.exe","2408","PolicyAgent"
          "svchost.exe","2604","CryptSvc"
          "svchost.exe","2620","TrkWks"
          "svchost.exe","2628","DPS"
          "svchost.exe","2636","NlaSvc"
          "svchost.exe","2644","Winmgmt"
          "svchost.exe","2652","DeviceAssociationService"
          "svchost.exe","2660","tiledatamodelsvc"
          "svchost.exe","2928","WdiServiceHost"
          "svchost.exe","2960","LanmanServer"
          "svchost.exe","3036","iphlpsvc"
          "svchost.exe","3216","netprofm"
          "svchost.exe","4724","wscsvc"
          "vmtoolsd.exe","2692","VMTools"
          "Windows10FirewallService.exe","2424","Windows10FirewallService"

      I can't promise this is a good list for the long-term, but it seems to be hanging together for what I do. -Noel
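A list like the one above is only useful as a baseline if something checks the next snapshot against it. The following is an added example (not Noel's Windows10ReTweaker script or anything from the thread) that parses rows in the shape shown in the post, which I take to be `tasklist /svc /fo csv` output (an assumption; the post does not say what produced them), diffs the running services against a baseline set, and shows which services share a host process, since setting one service's Start type to Disabled does not end the svchost that also hosts others. The sample rows are a subset of the post's list plus one constructed `WerSvc` row; the baseline set is constructed.

```python
"""Baseline check for a running-services listing (image, PID, service names per row).

Added example; it is not tooling from the forum thread. Rows are assumed to be
`tasklist /svc /fo csv` output, whose header is "Image Name","PID","Services" and
which prints N/A in the Services column for processes hosting no service.
"""
import csv
import io


def parse_service_rows(text):
    """Return {service_name: (image, pid)} from CSV rows such as
    "svchost.exe","148","BrokerInfrastructure,DcomLaunch" (one row per process;
    several services may share one host process)."""
    services = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[1].isdigit():
            continue  # header row, blank line, or a row without a numeric PID
        image, pid, names = row[0], int(row[1]), row[2]
        if names in ("", "N/A"):
            continue  # process that hosts no service
        for name in names.split(","):
            services[name.strip()] = (image, pid)
    return services


def compare_to_baseline(current, baseline):
    """Diff the set of running service names against an expected baseline set.

    Returns the services running that the baseline does not list ("unexpected",
    with their host image/PID so they can be looked at) and baseline services that
    are no longer running ("missing")."""
    running = set(current)
    unexpected = sorted(running - baseline)
    missing = sorted(baseline - running)
    return {
        "unexpected": unexpected,
        "missing": missing,
        "hosts": {name: current[name] for name in unexpected},
    }


def shared_host_services(current):
    """Group services by host process; only processes hosting more than one
    service are returned. Stopping one of them leaves the process (and the
    other services) running."""
    by_process = {}
    for name, (image, pid) in current.items():
        by_process.setdefault((image, pid), []).append(name)
    return {key: sorted(names) for key, names in by_process.items() if len(names) > 1}


# Constructed sample: a subset of the rows from the post above, plus one made-up
# row for WerSvc (the Windows Error Reporting service the post says was disabled)
# so that the baseline diff has something to report.
SAMPLE_LISTING = '''"Image Name","PID","Services"
"dllhost.exe","3740","COMSysApp"
"lsass.exe","812","SamSs"
"svchost.exe","148","BrokerInfrastructure,DcomLaunch,Power,SystemEventsBroker"
"svchost.exe","636","RpcEptMapper,RpcSs"
"svchost.exe","1264","EventLog"
"svchost.exe","1984","Dnscache"
"svchost.exe","5120","WerSvc"
"explorer.exe","4000","N/A"
"Windows10FirewallService.exe","2424","Windows10FirewallService"
'''

# Constructed baseline: what the operator decided should be running. It deliberately
# omits WerSvc and lists WdiServiceHost, which the sample listing lacks.
BASELINE = {
    "COMSysApp", "SamSs", "BrokerInfrastructure", "DcomLaunch", "Power",
    "SystemEventsBroker", "RpcEptMapper", "RpcSs", "EventLog", "Dnscache",
    "Windows10FirewallService", "WdiServiceHost",
}


if __name__ == "__main__":
    current = parse_service_rows(SAMPLE_LISTING)
    report = compare_to_baseline(current, BASELINE)
    print("unexpected:", report["unexpected"], report["hosts"])
    print("missing:   ", report["missing"])
    for (image, pid), names in shared_host_services(current).items():
        print(f"{image} pid {pid} hosts: {', '.join(names)}")
```

On a live system the listing would come from running `tasklist /svc /fo csv` and passing its output to `parse_service_rows`; the baseline is whatever list was captured once the system was trimmed to the operator's satisfaction.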
  13. Hey, my hat is custom machined titanium with gold leaf! Hey, if they don't have any of my data, they can't abuse it. I logged what sites the v1703 Creator's Update system tried to contact just after updating my fully private v1607 Anniversary setup and choosing the most private settings in the "privacy configuration" provided by Microsoft... Some of these are legitimate security certificate servers, but the rest... You decide whether all these comms are necessary or wanted.

          crl.thawte.com A resolved from Forwarding Server as 23.4.181.163
          crl.usertrust.com A resolved from Cache to 178.255.83.2
          crl.usertrust.com A resolved from Forwarding Server as 178.255.83.2
          ctldl.windowsupdate.com A resolved from Cache to 118.214.160.178
          ctldl.windowsupdate.com A resolved from Forwarding Server as 118.214.160.178
          dev.virtualearth.net A resolved from Forwarding Server as 65.52.108.59
          dns.msftncsi.com A resolved Locally to 131.107.255.255
          download.windowsupdate.com A resolved from Forwarding Server as 118.214.160.200
          download.windowsupdate.com A resolved from Forwarding Server as 8.253.165.248
          ecn.dev.virtualearth.net A resolved from Forwarding Server as 23.50.229.80
          fe2.update.microsoft.com A resolved from Cache to 134.170.53.29
          fe2.update.microsoft.com A resolved from Forwarding Server as 134.170.53.29
          fe2.update.microsoft.com A resolved from Forwarding Server as 134.170.58.118
          fe2.update.microsoft.com A resolved from Forwarding Server as 191.232.80.62
          fe2.update.microsoft.com A resolved from Forwarding Server as 23.103.189.158
          fs.microsoft.com A resolved from Forwarding Server as 23.50.230.187
          g.live.com A resolved from Forwarding Server as 65.52.108.27
          g2.symcb.com A resolved from Forwarding Server as 23.4.187.27
          gn.symcd.com A resolved from Forwarding Server as 23.4.187.27
          insiderppe.cloudapp.net A resolved from Forwarding Server as 52.168.24.174
          login.live.com A resolved from Cache to 131.253.61.84
          login.live.com A resolved from Forwarding Server as 131.253.61.84
          ocsp.comodoca.com A resolved from Forwarding Server as 178.255.83.1
          ocsp.digicert.com A resolved from Forwarding Server as 72.21.91.29
          ocsp.msocsp.com A resolved from Forwarding Server as 198.41.214.185
          ocsp.thawte.com A resolved from Forwarding Server as 23.4.187.27
          ocsp.usertrust.com A resolved from Forwarding Server as 178.255.83.1
          ocsp.verisign.com A resolved from Forwarding Server as 23.4.187.27
          oneclient.sfx.ms A resolved from Forwarding Server as 23.50.230.130
          settings-win.data.microsoft.com A --- blacklisted by DNS server ---
          sls.update.microsoft.com A resolved from Forwarding Server as 157.55.240.220
          sls.update.microsoft.com A resolved from Forwarding Server as 157.56.77.140
          sls.update.microsoft.com A resolved from Forwarding Server as 157.56.77.141
          t0.ssl.ak.dynamic.tiles.virtualearth.net A resolved from Forwarding Server as 23.50.228.135
          t0.ssl.ak.tiles.virtualearth.net A resolved from Forwarding Server as 23.50.229.84
          th.symcb.com A resolved from Forwarding Server as 23.4.181.163
          th.symcd.com A resolved from Forwarding Server as 23.4.187.27
          time.nist.gov A resolved from Forwarding Server as 128.138.141.172
          time.nist.gov A resolved from Forwarding Server as 216.229.0.179
          v10.vortex-win.data.microsoft.com A --- blacklisted by DNS server ---
          www.microsoft.com A resolved from Forwarding Server as 23.0.87.187
          www.msftconnecttest.com A resolved from Forwarding Server as 13.107.4.52

      Since booting up my re-tweaked system and letting it run this morning, it contacted these sites:

          dns.msftncsi.com A resolved Locally to 131.107.255.255

      Thanks dhjohns. We butt heads from time to time, but I think the same of you. -Noel
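Reading DNS-proxy logs like the ones in posts 2 and 13 by eye works for a quiet VM, but the questions behind them are mechanical: which names were blocked, which resolved, from where, and how many distinct addresses a single name came back as (the point of post 3's definitionupdates.microsoft.com list). The following is an added example, not part of the thread and not tooling from the DNS proxy Noel uses; it only understands the two line shapes quoted above (with and without the `[timestamp] Client ip,` prefix). The sample lines are copied from the posts; the allowlist is constructed.

```python
"""Summarise DNS-proxy log lines of the kind quoted in this thread.

Added example, not part of the posts or of the DNS proxy software. The parser
knows only the two line shapes that appear above:
  [07-May-17 11:54:08] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---
  fe2.update.microsoft.com A resolved from Cache to 134.170.53.29
"""
import re

LINE_RE = re.compile(
    r"^\s*"
    r"(?:\[(?P<ts>[^\]]+)\]\s+Client\s+(?P<client>[\d.]+),\s+)?"   # optional timestamp/client prefix
    r"(?P<name>[\w.-]+)\s+(?P<rtype>[A-Z]+)\s+"                     # queried name and record type
    r"(?:"
    r"resolved\s+(?:from\s+(?P<src>Forwarding Server|Cache)|(?P<local>Locally))"
    r"\s+(?:as|to)\s+(?P<ip>[\d.]+)"                                # ... an answer, with its source
    r"|(?:not found \(\d+\)\s+)?---\s+blacklisted by (?P<blocker>.+?)\s+---"  # ... or a block
    r")\s*$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if the line is not understood."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["ip"]:
        outcome, source = "resolved", ("Local" if d["local"] else d["src"])
    else:
        outcome, source = "blocked", d["blocker"]
    return {"ts": d["ts"], "client": d["client"], "name": d["name"].lower(),
            "rtype": d["rtype"], "outcome": outcome, "source": source, "ip": d["ip"]}


def summarize(lines):
    """Per queried name: query count, blocked count, distinct answer addresses, and
    first/last timestamp (lines are assumed to be in log order)."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary.setdefault(rec["name"], {"queries": 0, "blocked": 0, "ips": set(),
                                             "first": None, "last": None})
        s["queries"] += 1
        if rec["outcome"] == "blocked":
            s["blocked"] += 1
        else:
            s["ips"].add(rec["ip"])
        if rec["ts"]:
            s["first"] = s["first"] or rec["ts"]
            s["last"] = rec["ts"]
    return summary


def address_churn(summary, minimum=2):
    """Names that resolved to at least `minimum` distinct addresses: the names an
    address-based rule set would have to chase."""
    return {n: sorted(s["ips"]) for n, s in summary.items() if len(s["ips"]) >= minimum}


def unexpected_contacts(summary, allowlist):
    """Names that actually resolved (were not blocked) and are not on the allowlist."""
    allow = {a.lower() for a in allowlist}
    return sorted(n for n, s in summary.items() if s["ips"] and n not in allow)


# Sample input: lines copied from the posts above (both line shapes).
SAMPLE_LINES = [
    "[07-May-17 11:54:08] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---",
    "[07-May-17 11:54:52] Client 192.168.2.26, www.msftconnecttest.com A not found (1) --- blacklisted by DNS proxy ---",
    "[07-May-17 13:55:50] Client 192.168.2.26, time.nist.gov A resolved from Forwarding Server as 129.6.15.28",
    "[07-May-17 19:37:33] Client 192.168.2.26, ctldl.windowsupdate.com A resolved from Forwarding Server as 118.214.160.178",
    "fe2.update.microsoft.com A resolved from Cache to 134.170.53.29",
    "fe2.update.microsoft.com A resolved from Forwarding Server as 191.232.80.62",
    "dns.msftncsi.com A resolved Locally to 131.107.255.255",
    "settings-win.data.microsoft.com A --- blacklisted by DNS server ---",
]

# Constructed allowlist: the contacts the operator has decided are wanted.
ALLOWLIST = ["time.nist.gov", "ctldl.windowsupdate.com"]


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for name, s in sorted(report.items()):
        print(f"{name}: {s['queries']} queries, {s['blocked']} blocked, ips={sorted(s['ips'])}")
    print("address churn:", address_churn(report))
    print("resolved but not allowlisted:", unexpected_contacts(report, ALLOWLIST))
```

Run against a whole day's log, `address_churn` gives the per-name version of post 3's address list, and `unexpected_contacts` is the "you decide whether these comms are wanted" list reduced to the names that were actually answered rather than blocked.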
  14. Cael, what you saw is normal, and disabling Aero Glass for Win 8+ until a compatible version is available is the right approach. Disable the AeroHost entry in the Task Scheduler and run this command in the AeroGlass folder.

          regsvr32 /u DWMGlass.dll

      That'll get you back to a functional desktop - if a bit ugly - until Big Muscle has a Creator's Update version available. -Noel
  15. I didn't have instability but I dropped back to 1.4.5.520 because of some on-screen glitches I noticed when I tried 1.4.6.610. And the last error logged in Aero Glass' debug.log for me was back in September 2016, which was right around when I was testing 1.4.6.610. I just searched my event logs and see no problems from DWM (I'm on Win 8.1). I have a new nVidia card on order to swap out my ATI; shipping tracking says it'll be here today. I'll let you know how it goes with the nVidia drivers. -Noel
  16. Thanks. I've fooled with it some and it doesn't appear to be a simple "restart service" type of fix, at least not with what I've tried so far. I even went so far as to restore a VM snapshot of 15063.0, which updated successfully before. Now it doesn't. I'm still working on it when I get time. -Noel
  17. Yep, that's how I start Defender's UI too. Sorry about not describing how. I find it takes a little while for the Windows Defender panel to open, though. I suspect it may feel it's missing something from the UWP side of things. I have also been having some new update problems with 1703 today (as in, it won't update, spewing an 0x80070426 error). Since I installed it directly from the ISO before 1703 was actually released, it's possible I confused the Windows Update process - though I was able to get it all the way up to 15063.138 without any problems. I'm going to try going through the upgrade again since it's supposed to be as easy as restoring a VM snapshot and running Windows Update now... Otherwise, I'm not sure what's gone wrong with the Windows Update process yet. If you figure out what's wrong, please let me know. I hope it's not expecting something to run that's been disabled. -Noel
  18. All O&O does is reduce the attempts to communicate online. DNS blacklisting and a deny-by-default firewall configuration are the real enforcers for me, along with tweaking a number of other settings to discourage the system from trying to be chatty. Don't kid yourself: Win 8.1 and 7 are not mum without similar tweaking. -Noel
  19. Generally speaking: By removing AppX packages, removing other features (e.g., OneDrive), disabling many services, disabling many scheduled tasks - all on the online system that's running. I wrote a re-tweaker script that does a lot of it. One thing I'm NOT concerned with is making the system footprint on disk smaller; even SSD space is far too cheap to try to delete things that the OS wants to see remain there. Notably I'm very careful to ensure the system thinks it's still serviceable (e.g., SFC and DISM /Online report no problems). I have been doing it this way for many years. So far I've never had any failure to update. -Noel
  20. We may have a difference in what you mean by "chopping". I have a trimmed and functional Win 10 v1703 build setup now and I can apply cumulative updates no problem. It leaves me to wonder, what parts do I still have that are not in your ideally "chopped" system? I've removed all Apps, and have reduced the services and scheduled tasks considerably. To support an idle desktop it's running 75 processes and using about 1 GB of RAM. Is this substantially different than the goals in this thread? Have I chopped less deeply? Note that I started by removing things from a full ISO installation done as an in-place upgrade from the prior v1607 system I have been maintaining in a VM since before Win 10 was initially released. Since I was successful at this I'm actually starting to consider whether the ongoing advantages of "keeping current" are starting to outweigh the advantages of sticking with the older system (Win 8.1) I'm still using on my hardware. -Noel
  21. Thanks, I will consider doing so. I'll just have to disable it on my own systems for testing, since I have all the tools in my path. -Noel
  22. Sorry, I don't use UAC, and it works as it always did for me. I suggest that if you were to open a CMD prompt As Administrator, CD to the folder containing the batch file, then run it, it would access the tools from within that same folder. -Noel
  23. As far as I can tell, you can do most anything with it. The configuration capabilities are VERY powerful. But yes, I do understand that it is dauntingly complex at first. It took me months to finally become comfortable with all it does. The author maintains a good forum site if you want to ask questions: http://vistafirewallcontrol.freeforums.org/vistafirewallcontrol-f6.html

      When I first got the package I deleted all zones and application entries, then started over from scratch. Keep in mind I have an entire career of data communications behind me to rely upon, so a "start over" approach might not be your best path.

      The philosophy of this firewall is overall "deny by default", meaning if you haven't pre-approved a particular kind of communication it isn't allowed. I have populated the Domains list to allow, for all applications system-wide, communications with security/certificate servers. There are quite a few different certification authorities out there, and installers, services, and applications need to be able to communicate with them as needed in order to verify certificates.

      Then there's the Programs list, which allows you to set up specific communications capabilities for individual applications. I created a zone called "SysOps" that allows all LAN communications (by address range). I consider systems inside my LAN all trusted, and I want to freely allow communications between my systems. The entries in the Programs list I assign the SysOps zone include System, svchost, and various other system functions. Another zone I created is "Web Browsing", which allows http and https comms (by port number), and I assign that to whatever browser needs to reach the web. That zone is actually very permissive by doing that, so it also contains several sites/domains that I never want contacted.

      I actually settled on fairly few zones - 16 in all - that cover pretty much all the kinds of communications I want any part of the system doing, from full denial (e.g., "Block All") to fully permissive ("Allow All"). The whole list is:

          Adobe - for allowing communications to the Adobe Creative Cloud
          All Applications Default Zone - just a placekeeper that allows nothing.
          Allow All
          Application Self Update - just allows http and https communications applications use to download their own updates.
          Block All
          BowPad - A special zone for the BowPad editor that I use to verify the firewall is working and logging correctly.
          Classic Shell Update - allows only updates from the sites Classic Shell needs to contact to get its own updates.
          Defender - Allows Windows Defender / MSE to get definitions updates.
          DWM Symbol Download - allows access to Microsoft's debug symbol servers.
          eMail and Web Browsing - basically what's needed by Outlook to send/receive eMail.
          MalwareBytes - What's needed for MalwareBytes to get its updates.
          Safari Browsing - Pretty much the same as Web Browsing below, but with a few telemetry sites blocked.
          SysOps - Allows LAN comms, ICMP (ping) with the world, and other basic system operations such as time sync.
          SysOps *WU* - Same as SysOps but also allows comms with Windows Update servers.
          Visual Studio - Allows comms with the servers Visual Studio needs to work. Similar in kind to Adobe.
          Web Browsing - Allows http and https comms, as well as specific ports I've found are needed for e.g., a speed test.

      I haven't come across an application I have needed to create another zone for in a long time (probably most of a year).

      If you'd like to try out a configuration I've developed, I've published one online here: http://Noel.ProDigitalSoftware.com/files/Sphinx8Win10Config.zip

      I don't expect these profiles to work for anyone but me out of the box, but they could be imported and you could poke around to see how I've set things up. Conceivably with some adjustments they could be made to work for another person's system. -Noel
  24. Thank you for that. I have the WinAero Tweaker, but I didn't know Sergey had built that separate panel. I do like his way of thinking. -Noel
  25. It's a pre-release test version Big Muscle was kind enough to provide to me so I could help test it. It's got a few problems with Modern Apps that I'm sure he feels need to be worked out before sending it out to the world. Thankfully it can facilitate theme replacement, though part 2 is that it's impossible to change the theme from the Settings App on the Modern side. The old control panel applet is still available, but I imagine it'll be out by the next release. And Windows 10 v1703 isn't too perfect yet either... I've seen a number of small problems with it. -Noel