[Guide] Disable Data Collection in Windows 10

[jaclaz]

It's not at all hard to imagine over 100 icons in an application.

 

Well, it's not Word or Excel (say) this application at its core should be a bunch of Registry Entries and a few commands (or little more).

 

jaclaz 

[NoelC]

Anybody reading this who is using the version of Windows 10 that was released to the general public starting July 29: please check to see if you can turn off the telemetry.

 

I'm off the insider track at this point.

 

While I don't claim to have run all the new "tools" out there, I have researched and disabled a LOT of privacy settings, and outfitted my system with a hosts file that contains a list of Microsoft addresses redirected to 0.0.0.0, and yet I still saw quite a few attempts to communicate online run up against the firewall.  I'm in the process of trying a new firewall management tool right now (Sphinx Firewall Control per xpclient's recommendation) and it has better reporting.  When I get that all configured I'll see what it shows is still trying to get through.

 

The real trick is to distill out the essential network communications - e.g., to support Windows Update - while blocking the telemetry and other data hemorrhaging.

 

-Noel

[Dogway]

Thanks for this thread, many Windows wide tips and tricks (like the hosts one).

 

I read somewhere about adding this at the start of the hosts file if you are going to use 0.0.0.0 as local host

# Special Entries0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly

Also I tried to download the Scheduled Tasks file, but it seems to be broken (the file itself), I downloaded several times with same effect.

In the same spoiler tab a trick is described to disable the keylogger:

sc delete DiagTracksc delete dmwappushservice

I read this disables Cortana completely (without recovery), why I would still want to use Cortana as an internal search engine. Is it possible?

Edited August 30, 2015 by Dogway

[ROTS]

Wouldn't it just be simpler just to downgrade and give all the previous versions of Windows the powers of W10? Or even make an computer appear to be W10.

I understand the needle in the haystack theory with current trends but it just looks like everybody is following the herd

and all Microsoft is doing is slicing off the bird of the herd just to make sure there is no beaks on board the ship.

Also somebody said something about re-installation without noticing. Yes this has occurred many times

Why play follow the leader when it just backfires. Microsoft has turned the OS into the same **** thing that we used in

our teller machines. AKA OS/2. On the outside it looks like your phone ( always monitoring you ). On the inside it is like your

phone ( Always monitoring you ). Always collecting information about who you talk to and how many people you talk to.

It seems the only winner in this are the dozens of wild untammed motor mouth others.

Edited September 1, 2015 by ROTS

[NoelC]

I've got news for you ROTS, Windows has been blabbering a long time online.  It's not just Windows 10, though the online communications have increased in the newest version.

 

-Noel

[Kelsenellenelvian]

Even xp had a arguably spy ware like service

[Artarga]

Folks, I have found something interesting in regards the hosts file. It looks like patching it will not always prevent the OS to resolve domain names.

 

Here is what I do:

• In a VM I have Win10. All network traffic of this VM is captured into a pcap file
• hosts file is patched per this topic headline
• in addition to that the following lines are added as I saw them in the pcap file
  
  0.0.0.0 win10.ipv6.microsoft.com
  0.0.0.0 dns.msftncsi.com
  0.0.0.0 fe2.update.microsoft.com
  0.0.0.0 fe2.update.microsoft.com.akadns.net
  0.0.0.0 v10.vortex-win.data.microsoft.com
  0.0.0.0 v4.download.windowsupdate.com
  0.0.0.0 geo-prod.do.dsp.mp.microsoft.com
• I do ipconfig /flushdns and go to check for updates manually
• What I see in pcap file is still a DNS request to resolve fe2.update.microsoft.com and a DNS response with CNAME: fe2.update.microsoft.com.akadns.net

Am I doing something wrong? Or it's the OS simply ignores hosts file.

[jaclaz]

 

Am I doing something wrong? Or it's the OS simply ignores hosts file.

The second you said.

A certain number of domains/web addresses are hardcoded in Windows binaries and by-pass the hosts file, this is a known fact since 2006 or so (embedded in DNSAPI.DLL):

http://reboot.pro/topic/20622-windows-10-enterprise-ltsb-mother-of-all-tweak-scripts/?p=194235

 

If and where there are other DLL's or other files including more "hardcoded" addresses specifically in Windows 10 is not (yet) clear AFAIK.

 

jaclaz

[Artarga]

Huh. Didn't know that, thanks. So does it mean that we actually can't rely on hosts when talking about disabling data collection?

[jaclaz]

Huh. Didn't know that, thanks. So does it mean that we actually can't rely on hosts when talking about disabling data collection?

Yes and no.

 

Meaning that in theory the mechanism that bypasses the hosts file is (seemingly) limited to a handful of MS addresses connected or related to Windows Update.

 

If you see it objectively, there are some grounds for thinking that the maker of the OS has made a provision that in case a malware compromising the hosts file would not affect the possibility to connect to a trusted source (that may actually contain a hotfix/update capable of recovering from the issue that malware caused).

 

Now the point might be that noone has any idea what exactly is transmitted to (and received from) any of these servers (both those that can be "stopped" through the hosts file and those that are hardcoded) and whether the  *whatever* that "phones home" will not be changed in any moment, remotely and with or without user consent, there is a precedent also for this:

http://www.msfn.org/board/topic/174412-looks-to-me-like-win-10-will-top-out-at-about-10-adoption/#entry1107817

 

jaclaz

[Artarga]

the maker of the OS has made a provision that in case a malware compromising the hosts file would not affect the possibility to connect to a trusted source (that may actually contain a hotfix/update capable of recovering from the issue that malware caused).

 

Yep that makes a lot of scene. And the way I think about this is that mechanism Redmond guys can make an update once that enables hosts bypass for telemetry services. If not already done so.

[Artarga]

BTW. When I set up a local DNS service (Acrylic) I was able to block that domain name. So as I understand in this case the only solution to bypass this block would be to hard-code IPs

[Artarga]

And one more "BTW". Does anyone know why there are efforts being put to hack into Win registry/services/tasks while in the end the idea is to break the connection b/w your PC and MS servers?

 

I was already mentioned (e.g. here in a separate thread) that you can't be sure all the tracking tools are disabled. So why not to focus only on monitoring connections of Win10 with the outer network and block them via DNS and/or a firewall?

 

The 1st answer that came into my head was "one can't trust your SW firewall as Win10 can bypass it". It that the case? Though I was searching through Internet about this but haven't found a clue. So what's the point in all that scripts and bat files being worked on? A local DNS and a set of firewall rules should be a way to go. Or no?

[jaclaz]

Surely an external firewall would do nicely, I don't think that a DNS service in it is actually *needed*.

 

From what NoelC reports:

http://www.msfn.org/board/topic/174264-experimenting-with-windows-firewall-to-block-by-default/

http://www.msfn.org/board/topic/174417-sphinx-windows-er-10-firewall-control/

the "internal" firewall seems to work fine (i.e. it is seemingly not bypassed), still an external one would be IMHO more reliable.

The real issue is that apart the (incomplete) data we have about the exact nature of all the "phoning home" whatever is or will be (finally) discovered is anyway subject to changes that the good MS guys can trigger remotely through an update or some other means, while the internal firewall (and each and every policy/registry setting/etc.) may be subject to changes the external firewall should be exempt from it (of course it needs anyway need to be attentively monitored as the actual list of "contact IP" may change anytime) but in theory one would need to have some form of packet detection and filtering.

 

Now, one could imagine (fictional, hypothetic) that MS acquires 365 IP's in *random* countries and that each morning provides an "update" that changes the IP that the Windows 10 OS connects to, it would become a nightmare to keep the firewall rules "current".

 

jaclaz

[Artarga]

jaclaz, this pretty aligns with my thinking. However here are a couple of thing I'd like to expand in:

• The reason I'm talking about an SW firewall (not an external one) is because more people have possibility to install that. And it will also work for a mobile woking station that is not always connected to a specific external firewall. I'm going to keep playing with my WM with Win10+Comodo and collect outgoing traffic to see if firewall does not get bypassed.
• As of DNS service. Well I think of it like of saving time to put specific IPs into firewall rules. And as you correctly mentioned to keep them actual. E.g. with the example I described several comment above (fe2.update.microsoft.com) - it's easier to me to block the only domain name and not 4-5 IP addresses.
• As for your comment about continuos updates then I think the opposite. Block all MS connection (including updates) and do maual updates once in a while. I mean explicitly allow certain conections. Press "check 4 updates". and close all connections back. does not seem to be the perfect scenario though