Everything posted by NoelC

  1. We can only hope that SO much information will be collected from SO many people that our little personal smudge of data individually will be so insignificant that we'll be overlooked. That would work if a human were going through it all. Trouble is, the bad guys have computers. Seems to me that it's not a matter of IF such a large and valuable database will fall into the wrong hands. I can't see all this heading anywhere except back to a world where to be safe one needs to be disconnected. -Noel
  2. I'm sorry to hear that happened to you. Knock on wood I'm not seeing any problems with build 149. I suggest posting your debug.log entries for the range of times you tested the new build in Big Muscle's thread and reporting to him what happened so he can have the best chance of fixing it. -Noel
  3. Seems like most Windows 10 fans just say "use VLC" or some such. It is surprising how much reduction in functionality people are willing to put up with. I used Windows Media Center a while back, with a TV tuner card, but long since found that card unusable as our cable service in this area switched to fiber optic and IPTV, which is a closed system (except to their set-top boxes). -Noel
  4. Well, it wasn't disappointing for long. Big Muscle's latest beta release now allows caption button sizing. -Noel
  5. I've been working some today to refine this. I've been able to simplify it quite a bit today. So far I'm seeing a fair bit of traffic blocked with no apparent downside, save for maybe a little longer log-in time. I'm not ready to publish a full Windows Firewall Policy yet, but if you'd like to have a look at what I've got so far, perhaps to experiment for yourself, here's what it looks like: I've decided to try to manage Windows Updates as just a series of addresses that must be allowed to be contacted via TCP on ports 443 (https) and 80 (http). Mostly those in the 443 list are required to determine if updates are needed, and those in the 80 list are required to actually download them. It's a surprisingly complex process involving servers all over the place. Note that in other places in the world the addresses may well be different. These are the ones that are working for me. Notably when something's blocked by default, what's logged in the Security log are not just the single failures, but rather I see the system hunting around for a working address. It's clear that not all the possible addresses are listed in any one attempt, but it does make it easier to develop lists. You can get the actual address lists I've derived (IPv4 only) from this: I don't imply that any of these lists are complete, but at least the system hangs together okay. The blocking rules are there in case the overall policy gets changed, or that some other rule allows blanket access. At some point I think I'm going to adopt this strategy on my Win 8.1 host workstation as well. It's scary to see how much data is normally being sent out. -Noel
  6. It seems to work fine here on my test system, as did the last version. It turns out I've grown to like having my caption buttons fill the space between the top and the bottom, minus a border that I've defined in my theme atlas. So I'm not going to be using the CaptionHeight setting. But I do know of a lot of folks who will love you for that tweak. Way to go! With the last version I found that a single entry to define the border size gives me what I like. Assuming I'm already happy with the border width, is there a technical advantage to not using: 47;0;3602=4,0,0,0 ...and instead using... ForceSystemMetrics=2 ...then defining the border width elsewhere? -Noel
  7. Perhaps what's confusing people could be cleared up by answering this question: Why single out just one of the biased news-reporting shills? I just want to know one thing: How does one get paid handsomely to praise Windows 10? Does Microsoft just call journalists up out of the blue and say, "Hey ho, we'll send you a few grand and some neat toys if you'll write some really nice things about our turkey of a product"? If so, what would happen if they happened to run across one with integrity who'd report that Microsoft was trying to bribe journalists? Wait, nah, no problem - no such journalist exists. This isn't the 20th century. -Noel
  8. A firewall should do whatever it is you want it to do. If the defaults suit you, dhjohns, more power to you. They don't suit me, and now that I've been doing this experimentation I have come to realize how incredibly promiscuous Windows is about sending data out to sites all over the world. It's another case of "what you don't know could hurt you".

     The strategy I'd like to develop a configuration for is one that:

       • Denies access by default, unless there is a specific rule allowing a connection. This will ensure network accesses that have not yet been vetted are disallowed.
       • Allows only what's really needed by the various components of the system to do things one wants the system to do (such as Windows Update). This involves not only identifying the components (e.g., members of the netsvcs svchost), but also addresses and port numbers needed to succeed at the given tasks.
       • In my case, I trust all the systems inside my router, so I allow all local LAN segment access. This facilitates easy Windows Networking between my machines. I never expect to be able to do Windows Networking with machines outside the LAN. This may not be ideal for everyone.
       • I don't have a Domain so I'm ignoring Domain access and really concentrating on Public internet access. This may not be ideal for everyone.
       • As the system is used in an ongoing fashion, one can note failures and allow connections by applications that are installed by recognizing the application and allowing all access. Under some conditions - e.g., big, cloud-integrated applications, possibly restrict the access somewhat by using addresses and port numbers.

     Remaining challenges I have been thinking of:

       • Managing such a system long-term will of course take more effort than a permissive one. One will have to constantly be aware that network accesses will fail by default, and occasionally manage the exceptions list as needed. It's still unknown how difficult this will be, though so far it's been pretty trivial to get my stable of applications to work. Funny how the tables have turned, where we can trust applications more than the system itself.
       • Procure or create tools to specifically help manage such a system. Ideally you'd receive a pop-up message for each new network access failure and be presented with a pertinent list of things to do about it (e.g., some combination of deny/allow the application/service, deny/allow the address, ignore default failures for now/forever, etc.).
       • So far I only have IPv4 access to the internet to test with. IPv6 will have to be taken into account as well.
       • Once a working and workable Outbound rule set is developed, reconsider what's going on in the Inbound rule set. For now most application installers don't set up Outbound rules, but many DO set up Inbound rules. It may be that tighter management of Inbound rules is needed too.

     At this point, armed with an understanding of how the firewall works, I am just in a process of refinement. I've had to enable all network access for certain services, for example, to get Windows Update to work - and that's just too permissive. So now it's a matter of disabling them individually, seeing what addresses/ports are required, and enabling just those. Still, already a huge number of network accesses are being blocked, with no apparent downside, other than it maybe taking a few extra seconds to log in. I'll publish the specific information here once I've got things more nailed down. -Noel
  9. I think both will be needed, based on my experience (allowing exceptions and blocking rules). There are some components - like System and a number of svchost-based services - that need general access to the network for the system to function properly. It's necessary to block individual addresses so that those components can still generally function while keeping the system as private as possible. Finding just the right balance / combo is the key. I'm not there yet. -Noel
  10. Yes, making the caption buttons fit the full height of the title bar is something Microsoft pulled out of its... hat right at the end. You can make caption buttons a few pixels shorter in the theme atlas, but I'm not sure there's any way to make them anything like the way they looked in Win 7 through just atlas graphics changes. It's possible Big Muscle's companion .layout file could be used to help with the task, but it's not documented yet as he hasn't released his Windows 10-compatible Aero Glass tool. This is the best I've been able to get them to look with what we know today (noting that the title bar is shorter owing to changes in the [HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics] key). -Noel
  11. It's pretty clear he has been ironic / sarcastic. As have certain others of us. -Noel
  12. Wait, what, you mean you don't implicitly trust all those journalists who say it's something you really should install, honest? I have to say, though, a lot of the new things I'm learning lately are not pleasant things. Can't say I've ever fooled with firewall software quite so much before, though... That's (a little bit) fun at least. Don't you just crave learning about all the IP address ranges to avoid? -Noel
  13. Restoring plain, flat color seems frankly kind of unrewarding compared to the ability to restore Aero Glass and a nice, usable look with borders and good drop shadows using Big Muscle's Aero Glass for Win 8.1+ tool, especially with the ModernFrame.dll add-on that nicely integrates whatever windowed Modern Apps you choose to use with the rest of the desktop. Big Muscle has said he's close to being done with it. -Noel
  14. Go for it! I'm doing my part. -Noel
  15. Wow, how could I have been so blind as to even begin to doubt the trustworthiness of what is said and written by and about the Great and Generous Provider up on Mount Redmond? I stand humiliated and humbled. I am reborn. Can the high tech world ever begin to accept the apologies of a sinner? Wow, paddling downstream promises to be SOOO nice. The breeze, the cool water... Now, where can I get that oh so liberating and refreshing GWX update... -Noel
  16. By the way, I don't know if many have paid that much attention, but has anyone noticed that the updates coming out for Windows 10 since release have been CUMULATIVE? There's no granularity. Just one big update. Let that sink in. Now imagine how that fits into a strategy of managing / hiding offending updates (hint: it doesn't). -Noel
  17. FYI, Microsoft has released, for the savvy, an update hiding tool - which can actually be used to discover pending updates before they're installed. https://support.microsoft.com/en-us/kb/3073930 But they absolutely don't want people "managing" their updates. It leads to mix and match systems that may not be as "secure" as they'd like. Realizes? They're doing this on purpose. Microsoft really doesn't care whether your computing life is (temporarily?) destroyed by one of their updates (which, by the way, also come from 3rd parties, such as display card and other hardware manufacturers). As far as Microsoft is concerned you're just an alpha tester, whose tasks in life are: A. Play games and send them money through the App Store B. Test out new Windows Updates for the business community. Enterprise/Pro business users, who send Microsoft a LOT of money directly for the privilege of running Windows As a Service can of course drop back off the alpha path and be beta testers by delaying their updates until the negative feedback from all the alpha testers in the public drops below a high roar and Microsoft has had time to correct the most faulty of their patches. I'm aware this viewpoint will be considered "negative". Those who think so, get over it. It's reality. -Noel
  18. That's an absolutely great request. Maybe BigMuscle can figure out a way to do it. FYI, I've asked it a number of times of another developer - Ivo Beltchev, who develops Classic Shell and who augments Explorer's operation in a number of ways. His response, unfortunately, was that it's not really feasible / possible. Microsoft themselves can't even accomplish it. That's just sad. -Noel
  19. I think the confusion here about how best to install and manage this software probably implies the need for Big Muscle to provide an updated supervising GUI control panel that manages not only all the specific color, transparency, file choice, etc. settings, but offers the ability to use / not use ModernFrame.dll and properly sets up the AppInit_DLLs setting for that, as well as use / not use Aero Glass and properly sets up the Task Scheduler entries for that. It IS confusing for the uninitiated simply because of the complexity. But Big Muscle doesn't have those things yet. Basically he has a following of users who already know intimately how all this stuff ties together, based on past experience, and is asking us to test the prototype versions he's building to ensure we don't run across things that break on systems different from his own. If anyone's interested in my advice: I would create the GUI control panel first and keep it up to date so that people aren't required to do backflips to test the software. It would provide stern disclaimers about what the risks are with making the various choices. I would not choose to run a beta test on an open forum like this. In fact I run all beta tests of my own software via mailing lists. I might announce on a forum that I'm looking for testers, but all communications thereafter are handled by eMail. It's really a better way to go. -Noel
  20. I cannot recall the specifics, but yes, during the Tech Preview period I have seen it reset permissions during a Windows Update where I have specifically disabled access. The more I think on it, I believe it was an attempt on my part to keep Windows Update from returning the Desktop root namespace under This PC (which I notice is now back yet again on my test system). Thing is, a privileged program can always Take Ownership then do whatever it wants, just as you can as a privileged user. We have entered an era of "what Microsoft wants, Microsoft gets". -Noel
  21. So we can trust the Good Microsoft Guys implicitly with our lives? That's good to know. Thanks. -Noel
  22. It's really about uncertainty I think. A. We've been asked to agree to more unpleasant stuff than ever before. Smart people wonder, why? B. There's now no promise that the OS functionality won't be changed for the worse. This is significant in that Microsoft has promised to change the functionality continuously. It's an actual business/tax model change. C. The system quite clearly is doing more of the stuff people would not like than ever. This has become all too clear to me while I have been experimenting with the firewall. D. Do YOU trust Microsoft to keep all the personal data they gather from you and your use of "Microsoft Services" safe? Forever? Microsoft's recent moves have caused it to actually BE worse in some obvious ways - so people are simply expecting a continuation. Does anyone - do YOU - really believe a policy of continuous updates is going to deliver a better and better experience? Or do you see it as a continuous set of thorns in your side? I believe we're going to see a rise in "re-tweaker" applications, which of course bring their own problems (e.g., when a tweak no longer works properly, as it once did). Things like Classic Shell already detect that the OS has taken their settings out from under them and have to go out of their way to put them back. It's harder than ever to see Win 10 in the same light of our past OSs, which we tweaked and augmented then were able to use effectively for years without significant problems. -Noel
  23. In other words, if the above is all too subtle: Don't install Aero Glass for Win 8.1+ using the AppInit_DLLs entry in the registry. It's the wrong way to do it. -Noel
  24. Windows Update can and has been seen to override anything it wants. Permissions do not daunt it. I'm surprised there's not more being said about this. -Noel
  25. I've been doing some experimenting in this area. See also: http://www.msfn.org/board/topic/174264-experimenting-with-windows-firewall-to-block-by-default -Noel