Everything posted by NoelC
-
Experimenting with Windows Firewall to block by default
NoelC replied to NoelC's topic in Windows 10
Thanks. I've done some more work on this today...

The Windows Firewall Notifier malfunctions in Win 10 in both its latest release version and its alpha version, failing to put up notifications for every blocked connection (which would be necessary to make this a viable long-term solution). I'll look into that other one on the binisoft.org site; maybe it's more mature, though I think the real problem is in the way Win 10 has changed the notification interface.

Even with the program not giving a notification for every blocked connection, I WAS able to discern the necessary services and addresses to make Windows Update work. At this point I have a configuration that completes a Windows Update, allows a base set of my applications to access the net as needed, and has a set of addresses that are explicitly denied.

Windows tries to connect to sites all over the world! I've seen it try to reach Redmond, Kansas City, St. Louis, Boston, and even London.

Once you sort out the initial jumble of what services and addresses to allow, the required firewall maintenance activity settles right down and you can just use the system. I'm starting to think that, with the ongoing maintenance activity needed to support this approach handled by a firewall augmentation tool that really pops up notifications when it should, it's really possible to keep a system on "deny all outbound networking with exceptions".

Of course, there's no guarantee Microsoft doesn't circumvent their own firewall under some conditions. If they were actually caught at doing that, though... Bad juju.

-Noel
-
Experimenting with Windows Firewall to block by default
NoelC replied to NoelC's topic in Windows 10
That's awesome, thanks! I had been considering writing a handler that would watch for such events, since the firewall itself neglects to pop up such messages, and lo and behold someone's already written one.

I'm just imagining now, though, that trying to run Windows Update will yield something like the need to enable svchost.exe, which would just be silly. Let's see if it turns out to be...

-Noel
-
I for one fully understand how one can get that frustrated. I'm not yet ready to give up on Windows 10, though. I have stepped off the bandwagon before, for several years at a time (Vista before service packs, and Windows 8.0), and I may well do it again. But it's worth noting those times were for technical reasons - i.e. the OS just didn't do what I needed, and there was no tweak or 3rd party software at the time that would make it do it. This time it's different. Win 10 actually DOES do all I need at this point, and the tweaks and 3rd party software are already substantially there. So the question becomes this: Can additional tweaks be done to mitigate the policy issues? Can we effectively block virtually all of Microsoft's gathering of our private information, as well as blocking the adware, and still get value out of a Windows 10 setup plugged-in to the Internet? I'm betting, because Microsoft DARE NOT alienate business (from which much of their money comes) that it will be technically possible. Barely. -Noel
-
Experimenting with Windows Firewall to block by default
NoelC replied to NoelC's topic in Windows 10
I'm not quite ready to give up on the Windows firewall just yet. I hear you regarding the system itself bypassing the firewall. However, if they were caught doing that, it could be very bad press for them.

And regarding using an "allow by default, with exceptions" strategy, how can we know all the addresses one would want to block? We simply can't. Who knows what's built into the binaries. So for now a "deny by default" strategy seems a reasonable answer. It's just a matter of discovering the various exceptions.

Right now I'm having trouble getting Windows Update to work. I've added exceptions for the wuauserv service and several other programs (e.g., msdt) and it seems to try just slightly harder, but in fairly short order it just fails with error code 0x80072EFD. I'm guessing that Microsoft did not update the firewall software to understand the modern Windows Update changes yet.

Anyone have any idea what additional services or executables need to be allowed to facilitate Windows Updates?

-Noel
-
It occurred to me in all these discussions about data collection, etc., as an experiment, to try to set the Windows firewall to block outbound connections by default. This is experimentation I've been meaning to do for a very long time, and I'm finally getting around to it.

The trick, of course, will be to define enough rules so that the basic things one DOES want to communicate on the net will still work, while (hopefully) disallowing as much snooping as possible. Yes, it implies an ongoing responsibility to manage the firewall whenever new things are added or needed of the system.

I started by disabling all the rules except those labeled as "Core Networking" for All profiles, and Network Discovery and File and Printer Sharing for the Private profile. Then I added a couple of obvious Allow entries for All profiles, for example to allow iexplore.exe to reach the network.

So far it seems effective. I can reach my other computers on my LAN via Windows Networking. I can browse the web with Internet Explorer.

Off the top of my head, the following things still need to be addressed to provide essential network communications, and I'm not yet sure how to accomplish them:

In order to continue to be able to get Windows Updates, the Windows Update services/processes, including the wushowhide tool, will need to be able to reach the net to check for updates.

Various other applications and tools that need to be able to reach the network to do things like check for new versions of themselves or activate online.

Other things as needed.

Once the basics are set up, I believe this could potentially be a reasonably manageable approach, and should increase system security overall.

-Noel
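The following is an added example, not code from the thread or from any tool mentioned in it. It scripts the "deny outbound by default" baseline described in these posts with the NetSecurity cmdlets, adds the kinds of exceptions discussed (iexplore.exe, the wuauserv service inside svchost.exe), turns the three iphlpsvc addresses listed further down this page into an explicit Block rule, and, in place of the notifier tool that failed to pop up for every blocked connection, enables Windows Filtering Platform failure auditing so that every denied connection lands in the Security log as event 5157 with the process path and destination. Assumptions: Windows 8.1 or 10 with the NetSecurity module, an elevated PowerShell, an English audit subcategory name, default install paths for iexplore.exe and svchost.exe, and the 5157 EventData field names (Application, Direction, DestAddress, DestPort, Protocol) as they appear in the event XML on my systems. The BITS rule is my addition (Windows Update downloads through it); the thread only names wuauserv.

```powershell
#Requires -RunAsAdministrator
# Added example: deny-by-default outbound firewall baseline plus a native replacement
# for "notify me of every blocked connection". Not from the original thread.

function Set-DefaultDenyOutbound {
    # Drop everything outbound that no enabled Allow rule matches; inbound keeps its default (Block).
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # Start strict, as the thread did: disable every pre-existing outbound rule except the
    # built-in groups that keep LAN basics working. Rules with no group are disabled too.
    $keep = @('Core Networking', 'Network Discovery', 'File and Printer Sharing')
    Get-NetFirewallRule -Direction Outbound -Enabled True |
        Where-Object { $keep -notcontains $_.DisplayGroup } |
        Disable-NetFirewallRule

    # The text log records drops without a process name; still useful when auditing is off.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
        -LogFileName '%windir%\system32\logfiles\firewall\pfirewall.log'
}

function Add-OutboundAllow {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [string]   $Program,                    # full path; %SystemRoot% style variables are accepted
        [string]   $Service,                    # short service name, e.g. wuauserv
        [string[]] $RemoteAddress = 'Any'       # narrow this once the 5157 events show where it goes
    )
    $rule = @{ DisplayName = $Name; Direction = 'Outbound'; Action = 'Allow'
               Profile = 'Any'; RemoteAddress = $RemoteAddress }
    if ($Program) { $rule.Program = $Program }
    if ($Service) { $rule.Service = $Service }
    New-NetFirewallRule @rule | Out-Null
}

function Add-OutboundBlock {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string[]] $RemoteAddress)
    # A Block rule beats any Allow rule, so this holds even for programs/services allowed above.
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block -Profile Any `
        -RemoteAddress $RemoteAddress | Out-Null
}

function Enable-BlockedConnectionAudit {
    # Event 5157 "The Windows Filtering Platform has blocked a connection" carries the
    # process path and destination; that is what the notifier tool was supposed to show.
    # Subcategory name is the English one; on a busy machine this log can grow quickly.
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Get-BlockedOutbound {
    # Summarise outbound denials from the last N minutes as "application, destination, protocol".
    # Application paths come back in NT device form, e.g. \device\harddiskvolume2\windows\system32\svchost.exe.
    param([int] $Minutes = 10)
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # field names are an assumption; dump ToXml() if one is empty
            if ($d['Direction'] -eq '%%14593') {                                    # %%14593 = Outbound, %%14592 = Inbound
                $proto = switch ([int] $d['Protocol']) { 6 { 'TCP' } 17 { 'UDP' } default { "proto$($d['Protocol'])" } }
                [pscustomobject] @{ Application = $d['Application']; Destination = "$($d['DestAddress']):$($d['DestPort'])"; Protocol = $proto }
            }
        } |
        Group-Object Application, Destination, Protocol |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# Bootstrap roughly as in the thread: deny by default, then the minimum exceptions.
Set-DefaultDenyOutbound
Add-OutboundAllow -Name 'Allow Internet Explorer' -Program '%ProgramFiles%\Internet Explorer\iexplore.exe'
Add-OutboundAllow -Name 'Allow Windows Update (wuauserv)' -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv
Add-OutboundAllow -Name 'Allow BITS transfers' -Program '%SystemRoot%\System32\svchost.exe' -Service BITS   # my addition
# The three iphlpsvc endpoints observed later in this thread, as an explicit deny:
Add-OutboundBlock -Name 'Block observed iphlpsvc endpoints' -RemoteAddress 157.56.106.184,94.245.121.253,94.245.121.251
Enable-BlockedConnectionAudit

# After using the machine for a while, see what was denied and decide what deserves an Allow:
Get-BlockedOutbound -Minutes 30 | Format-Table -AutoSize
```

The point of the 5157 summary is that the decision of what to allow is made from evidence rather than guesswork: run Windows Update once, call Get-BlockedOutbound, and the svchost.exe entries with their destinations tell you which service and which addresses still need a rule. Expect to add more than the two service rules above before Windows Update completes on Windows 10; the summary will show what. Because Program and Service rules are scoped to svchost.exe, an Allow for wuauserv does not open the network for every other svchost-hosted service.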
-
I continued to see a VERY low-rate, small-packet UDP traffic flow to / from 157.56.106.184 by iphlpsvc, as I mentioned up above. The I/O rate is literally about 1 or 2 bytes per second overall, according to Resource Monitor. Almost off the radar.

When I blocked it with the Windows firewall, it began communicating instead with 94.245.121.253. Once I blocked that I didn't see it go further, but it did continue to try multiple times to re-establish communications with 94.245.121.253.

Interestingly, 157.56.106.184 is Microsoft Corp. in Redmond while 94.245.121.253 is Microsoft Limited in London.

Edit: After a long while it switched to using 94.245.121.251. I'll keep blocking and listing addresses here to see how far this goes.

The iphlpsvc list so far:
157.56.106.184
94.245.121.253
94.245.121.251

-Noel
-
Something dawned on me... Maybe Microsoft realizes that no matter what they do, 3rd party developers will come along and save their bacon. Think of the freedom of just doing whatever the hell you want then having someone, somewhere in the world who has the time and skills to just fix it, without your having to bear any of the responsibility. One could build pyramids with that kind of loyal following. -Noel
-
By the way, is this build also inclusive of Windows 8.1? I haven't tried it on my Win 8.1 VM but I could if that would be helpful to you. -Noel
-
Just for reference, Aero Glass doesn't use measurably more battery power than if it's not running. -Noel
-
Yes, I need to do the testing and investigation. I wondered whether anyone else had been down the road. And yes, I understand the . Touché. I don't actually want Media Center. What I'd like to do is to run Media Player with whatever codecs get added by the MCE upgrade. I've always liked Media Player. Simple, to the point. Another item on my big list of things to do... -Noel
-
Started right up smoothly by running aerohost in Task Scheduler. Comes up fine on reboot. No longer seeing any glitches on a monitor left of the primary monitor. Functions smoothly with Classic Shell and my theme atlas. Mysterious pixel at the upper-left corner of the active ModernFrame-replaced window is still there (problem in ModernFrame.dll?) debug.log, if it's interesting: -Noel
-
Heh, maybe someone needs to make a small, low-impact program just sit around and watch for the appearance of C:\$WINDOWS.~BT. It would run in the background and pop up a warning if the folder appears. It could be started at logon and just sit out there, tirelessly watching your 6... Over time it might grow into a watchdog of epic proportions as more and more things had to be watched / protected. Could be a whole new market of products on the horizon. -Noel
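As an added example (my code, not anything from the post or from any product), here is the small, low-impact watcher described above: it sits in the background, raises a popup the moment C:\$WINDOWS.~BT appears on the system drive, and re-checks with Test-Path every few minutes in case the watcher misses an event. Assumptions: it runs in the logged-on user's session (so the popup is visible), the folder name is exactly $WINDOWS.~BT at the root of %SystemDrive%, and WScript.Shell is used for the popup so no extra assemblies are needed.

```powershell
# Added example: watchdog for the Windows 10 staging folder. Not code from the original post.
$root   = "$env:SystemDrive\"                      # e.g. C:\
$target = Join-Path $root '$WINDOWS.~BT'           # single quotes keep the $ literal

function Show-Warning([string] $Message) {
    # Popup(text, secondsToWait, title, type); 0 = wait for OK, 48 = exclamation icon
    (New-Object -ComObject WScript.Shell).Popup($Message, 0, 'Windows 10 staging folder detected', 48) | Out-Null
}

# Catch the case where the folder was created before the watchdog started.
if (Test-Path -LiteralPath $target) { Show-Warning "$target already exists." }

# Watch only the root directory for a directory with this exact name being created.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $root
$watcher.Filter                = '$WINDOWS.~BT'
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::DirectoryName
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'GwxStaging' | Out-Null

try {
    while ($true) {
        # Block until the folder is created or 5 minutes pass; the timeout drives the fallback check,
        # which matters because a FileSystemWatcher silently drops events if its buffer overflows.
        $ev = Wait-Event -SourceIdentifier 'GwxStaging' -Timeout 300
        if ($ev) {
            Show-Warning "$($ev.SourceEventArgs.FullPath) was just created."
            Remove-Event -EventIdentifier $ev.EventIdentifier
        }
        elseif (Test-Path -LiteralPath $target) {
            Show-Warning "$target exists (found by the periodic check)."   # repeats every 5 min until it is gone
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier 'GwxStaging'
    $watcher.Dispose()
}
```

To have it start at logon, register the script as a scheduled task triggered "At log on" that runs powershell.exe with -WindowStyle Hidden -File pointing at the script; it needs no elevation because it only reads the root directory listing. Detecting the folder is the easy half; the harder half is that by the time it exists the download has already started, which is why the update-hiding discussed later on this page is the real control and this is only the tripwire.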
-
I've monitored Win 10 build 10240 for a while now, and with nothing done beyond deconfiguration of the overt options, deinstall of unneeded Metro Apps, and additions to my hosts file, I find it DOES send periodic very small (on the order of a few tens of bytes) UDP packets every minute or so. I don't know if that's some kind of heartbeat or what. I didn't see any big block transfers. Assuming it isn't uploading my keystroke buffer 30 bytes at a time (which it may well be), I didn't find any evidence that it was uploading mass quantities of my data autonomously to Microsoft.

On the other hand, given the TREMENDOUS number of programs that now do things like check for updates to themselves online, it's getting to be near impossible to do anything on a system and not have it do a fair bit of network communication. Just starting certain apps muddied the water when I was testing.

What does this prove? Nothing. Just remember that Sinofsky was already collecting mass quantities of data even back with Windows 7. The illusion of safety and privacy has been just that for a while.

-Noel
-
Yes, some of the updates have been known to show up again as many as two additional times. I think Microsoft promoted them through all the levels ("optional, recommended, important" or whatever categories they use). Microsoft, with their aggressive business practices, has ensured that these are definitely not "set it and forget it" times! For reference, my short lists are a little shorter than the ones proposed at the top of this thread, and don't include hiding the "improvements" to Windows Update itself - just the ones that overtly seem to benefit no one but Microsoft, revolving around the installation of Win 10. Honestly, probably only hiding (and watching out for the recurrence of) updates like KB3035583 that explicitly are known to push Windows 10 would be enough. The trouble with hiding too many updates is that you could end up with a Frankenstein's monster of a system, where some parts may not work with other parts. Nothing says Microsoft has made each and every update a package that can be left out from a system and have it work properly in the future. -Noel
-
The answer is right in your picture. See that 12 about 2/3 of the way down? Set the Glass geometry radius, which guides the rendering in the corners to Win 8 Style (i.e., no rounding, square corners). -Noel
-
Ralcool, had you hidden the GWX update beforehand? If so, what other updates did you hide? I'm just trying to be rigorous about what stops the updates.

So far I haven't seen any C:\$WINDOWS.~BT folders showing up on my several systems, on which I've hidden just the following:

Win 7:
KB2952664
KB3021917
KB3035583
KB3068708

Win 8.1:
KB2976978
KB3035583
KB3046480
KB3068708

-Noel
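The post above lists the updates hidden on each system, and an earlier post on this page notes that some of them have been seen to come back as many as two more times. As an added example (not from either post, and not the wushowhide tool), this script hides that exact list through the Windows Update Agent COM API and reports any of them that are visible again, so it can be run on a schedule instead of watching Windows Update by hand. Assumptions: an elevated PowerShell on Windows 7 or 8.1 with the Microsoft.Update.Session COM object available, and that the agent reports KB numbers without the "KB" prefix (which is how KBArticleIDs is populated on my systems). The KB lists are the ones in the post; the search only returns updates applicable to the machine, so one combined list serves both versions.

```powershell
#Requires -RunAsAdministrator
# Added example: hide the Windows 10 push updates listed in the post and watch for their return.

$win7  = 'KB2952664','KB3021917','KB3035583','KB3068708'     # from the post
$win81 = 'KB2976978','KB3035583','KB3046480','KB3068708'     # from the post (KB3035583 is in both)
# Combine, de-duplicate and strip the prefix; IUpdate.KBArticleIDs holds bare numbers ("3035583").
$targets = (($win7 + $win81) | Sort-Object -Unique) -replace '^KB', ''

function Get-ApplicableUpdates([string] $Criteria) {
    # Asks the Windows Update Agent for not-yet-installed updates; this goes online and can take minutes.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Search($Criteria).Updates
}

function Test-PushUpdate($Update) {
    # True if any KB number on the update is in our target list.
    foreach ($kb in $Update.KBArticleIDs) { if ($targets -contains $kb) { return $true } }
    return $false
}

function Hide-PushUpdates {
    # Hides every visible, uninstalled target update; returns the titles it hid.
    $hidden = @()
    foreach ($u in Get-ApplicableUpdates 'IsInstalled=0 and IsHidden=0') {
        if (Test-PushUpdate $u) {
            $u.IsHidden = $true          # same effect as "Hide update" in the Windows Update UI
            $hidden += $u.Title
        }
    }
    $hidden
}

function Get-PushUpdateStatus {
    # One row per target update the agent still offers, with whether it is currently hidden.
    # A re-released update shows up here as Hidden = False even if it was hidden before.
    foreach ($state in 0, 1) {
        foreach ($u in Get-ApplicableUpdates "IsInstalled=0 and IsHidden=$state") {
            if (Test-PushUpdate $u) {
                [pscustomobject] @{ KB = ($u.KBArticleIDs -join ','); Hidden = [bool] $state; Title = $u.Title }
            }
        }
    }
}

# Typical run: hide whatever is visible now, then print the full picture.
$justHidden = Hide-PushUpdates
if ($justHidden) { "Hid:`n  " + ($justHidden -join "`n  ") } else { 'Nothing new to hide.' }
Get-PushUpdateStatus | Format-Table -AutoSize
```

Scheduling this weekly, after the monthly update release, is what turns hiding from a one-time action into an ongoing control: the status table shows at a glance when Microsoft has re-released one of the listed updates, and the hide step deals with it before the next automatic install window. Hiding is done by KB number rather than title, since titles differ between Windows 7 and 8.1 and between revisions of the same update.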
-
Well, to be fair I've not thrown the switch and upgraded any important systems; it's still only on a test VM here for now. This kind of thing could keep me from throwing that switch, though I'm not convinced it's as bad as being described, nor that it's not feasible to block the spying activity. There's no way in hell enterprise would agree to that kind of data upload, and Microsoft can't afford to alienate business - so Windows has to have a way to turn it off. I'm presently running monitoring activity to see if it's anything like what's described in the linked article on localghost.org. -Noel
-
I guess the only way to totally disable Cortana and telemetry is to find those IPs and implement a router-based firewall blocking those IPs. Unless MS is truly evil and hosts Windows Update and Microsoft.com on the same IP range, but that can be seen as both a curse and a blessing. That's disturbing. Off to learn more about what my router can do, and how to do it... -Noel
-
Is there any chance hopeful users are triggering the download process somehow manually? -Noel
-
Exactly on point. Then later, "Hardly anyone went to the effort (and we didn't go out of business), so clearly no one needed it that badly." -Noel
-
That speaks nicely to my point. Either you are fully on the bandwagon and just select everything (or allow Microsoft to select it for you), or you are in the limo alongside and making your own choices about what to do. Of course you have to plan ahead and pay more to be in the latter situation. In this case, paying more attention, taking more time to vet every update...

Breaking a habit of handing over control is what's really under discussion. Just because the ability to avoid handing over control may be more hidden or subtle doesn't mean it's not still there.

But make no mistake, there are things we don't have control over - have NEVER had control over - and for that we need to place a certain amount of trust in the OS maker. We haven't ever, for example, had any control over the source code that goes into the gigabytes of binaries we get from Microsoft. We've had to trust them to do that properly in the past, and now we have to trust them to not completely take away control over application of individual updates. They HAD done so, but then had to relent because there really ARE legitimate reasons for needing that control.

I personally don't think they're going to be able to take it away entirely, long-term, as the users for Windows 10 (beyond the initial rush to upgrade by frivolous users) are now becoming all the more serious. Microsoft doesn't dare alienate the entire business community. I DO find it disturbing that they're taking a different tack for the Enterprise variant than the Pro variant, as a small business doesn't really have the opportunity to license Enterprise for a reasonable rate.

-Noel
-
What ads? You haven't followed my advice and adopted the MVPS hosts file? As far as I understand it, if you don't "hack" it and/or seize stronger control by running your own enterprise WSUS server, all the updates will come on an Enterprise system, just later, after Microsoft has had the public test them and has corrected their bugs. Caveat: I'm not running Enterprise and only tested it briefly myself during the technical preview period. -Noel
-
No, I was meaning that the power of a business agreement is stronger than even the constitution of the United States, and that organizations such as condo associations or homeowners associations actually CAN dictate what you can and can't do and can even foreclose and take your home if you don't comply. -Noel
-
So? Why is there always a tacit assumption that taking "Security Updates" is some kind of absolute requirement to continuing to be able to run Windows effectively? Your system isn't going to just fall over and die if you freeze the OS software at a given state.

Right now, today, there are any number of undiscovered "security vulnerabilities" in Windows. Many of them have been there all along, and there will always be some that are occasionally being discovered. And there is no guarantee that software updates are not introducing new ones! Dilbert's boss would demand that the undiscovered vulnerabilities all be listed, but anyone with their head screwed on straight needs to just accept that they're there - a fact of life. If you wanted to run only perfectly secure software you would wait forever. There is always some risk. After the next set of "Security Updates" there will still be more undiscovered vulnerabilities.

You need to take appropriate measures to balance your value / risk equation - well above and beyond just running the OS out of the box - and that MAY include keeping up with Windows Updates, or it may not. Keeping up with security updates is a good idea, but most certainly not the most important thing you need to do. If you're doing the right things you're simply not exposing yourself to the vast majority of possible exploits, and other than on the "zero day" that the exploit becomes known, they become less prevalent over time as the sites are discovered and shut down. With the lion's share of Windows 10 users getting all the updates all the time that'll be all the more true (Microsoft's plan is revealed!). Since exploits won't be viable for very long, the threat lifetime will shrink.

Very few people understand practical security. That's the real rub, isn't it?

With Microsoft working from an entirely different business model ("Windows as a service" vs. "It does what it says on the box") and promising constant updates, they could do ANYTHING and we would have either to follow them down the path, or divorce ourselves and stop taking updates. In other words, with the past model we could count on running Windows in its released form, with minor improvements and bugfixes only, for a few years. Now how long is it going to be? A few months? The world - especially the BUSINESS WORLD - cannot run on such a short cycle. Much of business is currently still running Windows XP for precisely this reason. I was at a LabCorp facility yesterday and their office is happily running on XP.

I think the idea is that Windows Phone and desktop fun-and-games users shouldn't have any problem keeping up with this week's whims of Microsoft, and so Microsoft has been tight-lipped about how stable Windows will remain, but that's where they're dead wrong. They have such serious market dominance precisely because the richness of the application environment ALSO requires multi-year stability in the OS.

-Noel

P.S., if you make a practice of waiting a few months after Windows Updates bring most people OS updates, then absorb other folks' anecdotes about what the updates have done to them - one of which could be "the Windows Update hiding tool has stopped working!" - then you can either A. try hiding the particular update that breaks it or B. just stop taking updates. Voila, your system continues working just as it is - as you need it to. You have control NOW. That's what matters.

If you're serious about wanting to be sure Windows 10 updates don't bring changes you can't stand, you should be running a test environment on which you vet new updates yourself before accepting them on your production system. Either you're on the bandwagon with Microsoft, adult beverage in hand and enjoying the ride, or you're riding alongside in your limo, partying with the best of them yet with a safe way to pull over if the bandwagon catches fire. When you think about it this isn't really all that different than it has been in the past.
-
Using Big Muscle's Aero Glass Configuration GUI tool, Theme & appearance section, what do you have the Caption glow effect mode set to? Try setting it to either Use atlas image or Use atlas image and theme opacity. Basically, Big Muscle is at the prototype stage with all this new stuff. What that means to you and me is that we need to fool with the settings until we find a combo that's pleasing. -Noel Edit: grammar