NoelC
Posted August 5, 2015 (edited)

I've done my own fairly extensive testing.

IF you eliminate the "Hybrid/Fast Bootup" abomination, Win 10 does not boot any quicker (comparing a properly functioning modern system running a fresh install of Windows 7 to a fresh install of Windows 10). I see numbers like 12 seconds for both. Microsoft seems to want to take credit for computers (and especially SSD-based storage) getting phenomenally faster in recent years.

The file system appears to be a touch faster than 8.1, but a good bit slower than 8.0 and 7.

Something you can try for yourself on each system. I've found this to be a fairly good indication how responsive a system will be / feel:

1. Open File Explorer and navigate to the root of C:
2. Select all files/folders in the Files Pane.
3. Right click, choose Properties, and time how long it takes to count up all the files.
4. Once it's done, divide the number of files by the number of seconds.
5. Do it again to see how long it takes using cached data.

I've seen numbers on Win 7 systems as high as 40,000 to 50,000 files per second enumerated.
I'll bet you can't find someone with a Win 10 system that goes beyond 20,000.
On a Win 8.1 system you're lucky to see 10,000.

Next time you try to search for a file, or maybe have to read a highly fragmented file, this will matter. Note especially the time to do the job using data already cached in RAM. THIS is one of the best indications of how efficiently programmed the system really is under the covers.

-Noel

Edited August 5, 2015 by NoelC

maxXPsoft
Posted August 9, 2015

Added useful software/scripts section.

Notice after disabling all the above, have you looked at this registry key? Some were disabled but there is a lot there that isn't.
I'm gonna start looking through reg and try to figure out what those others are, but in the meantime I just set ALL to Deny.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global

NoelC
Posted August 9, 2015 (edited)

What does that set of keys have to do with telemetry / privacy? Just curious.

I searched my registry and found other references to {21157C1F-2651-4CC1-90CA-1F28B02263F6}, listed below, but with virtually no info describing what they're for.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\AccessChangeProviders\{21157C1F-2651-4cc1-90CA-1F28B02263F6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\CapabilityMappings\Sms\{21157C1F-2651-4CC1-90CA-1F28B02263F6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Classes\{21157C1F-2651-4CC1-90CA-1F28B02263F6}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{21157c1f-2651-4cc1-90ca-1f28b02263f6}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{21157c1f-2651-4cc1-90ca-1f28b02263f6}
HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}

-Noel

Edited August 9, 2015 by NoelC

maxXPsoft
Posted August 9, 2015

> What does that set of keys have to do with telemetry / privacy? Just curious.

When I disable some Settings Privacy I see it changing some of those keys to Deny;

Account Info OFF
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}]
"Value"="Deny"

With everything off there are still about 7 keys that are "Value"="Allow".
I don't know what they are yet, I'm still looking. Some keys when searched don't allow you access so will have to change permissions first.

tomasz86
Posted August 10, 2015

Windows Search connects to the Internet as soon as you start typing, even if Cortana is disabled. It can be blocked using the built-in firewall.

[Images: Before / After]

Aloha
Posted August 11, 2015

Tomasz86,
Seems not to work for me! Still seeing SearchUI.exe running. Do we need a reboot?
Can you tell what steps you have made with the firewall so that I can check if I did it the right way? Thank you.

NoelC
Posted August 11, 2015

A firewall entry would only make it impossible for Search to reach the Internet; it would not stop it running.

I'm also still looking for a way to prevent SearchUI.exe from running entirely, but so far no luck. There are a number of ways Microsoft could have started SearchUI, for example as a service or even the Task Scheduler, but noooo, they chose to code it into Windows in some hidden fashion, as they don't want us disabling it. As far as they're concerned, our computer resources are strictly here to run their OS, not to do anything else.

-Noel

maxXPsoft
Posted August 12, 2015

The other 7 keys in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global that are still "Value"="Allow".
This is only 1 place I find them. Most are referenced in other dll also.

c_net.inf {21157C1F-2651-4CC1-90CA-1F28B02263F6} = SMS_InterfaceInstall
c_media.inf {2EEF81BE-33FA-4800-9670-1CD474972c3f} = Audiocapture_InterfaceInstall
Cortana.Core.dll {7D7E8402-7C54-4821-A34E-AEEFD62DED93}
c_sensor.inf {9D9E0118-1807-4F2E-96E4-2CE57142E196} = ActivitySensor_InterfaceInstall
SettingsHandlers_Privacy.dll {B19F89AF-E3EB-444B-8DEA-202575A71599}
LocationPermissions.dll {E6AD100E-5F4E-44CD-BE0F-2265D88D14F5}
c_sensor.inf {E83AF229-8640-4D18-A213-E22675EBB2C3} = CustomSensor_InterfaceInstall

NoelC
Posted August 12, 2015 (edited)

On my system, with every setting I can see in the PRIVACY settings panel set to "Off", the following keys under [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global] still have "Value" entries that remain set to "Allow":

{21157C1F-2651-4CC1-90CA-1F28B02263F6}
{7D7E8402-7C54-4821-A34E-AEEFD62DED93}
{9D9E0118-1807-4F2E-96E4-2CE57142E196}
{B1920448-233F-46CA-98E3-0839305F2141}
{B19F89AF-E3EB-444B-8DEA-202575A71599}
{BFA794E4-F964-4FDB-90F6-51056BFE4B44}
{E6AD100E-5F4E-44CD-BE0F-2265D88D14F5}
{E83AF229-8640-4D18-A213-E22675EBB2C3}

Notably it's a little different than your list. Different devices detected and available for configuration, maybe?

Beyond that, and possibly even more interesting... Who do all the security IDs under the DeviceAccess key belong to?

Edit: I guess those are the Apps specifically allowed to access certain devices and resources.

Edit 2: I've set everything to "Deny" on my test system, just to see what will happen. So far I haven't noticed any problems.

-Noel

Edited August 12, 2015 by NoelC

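Added example, not part of any post in this thread: a read-only PowerShell sketch of the comparison the posters are doing by hand, snapshotting the "Value" entries under DeviceAccess\Global before and after one Privacy switch is toggled and listing what is still "Allow". The helper name Get-DeviceAccessSnapshot is hypothetical, and the labels are only the ones reported in the posts above.

```powershell
# Added example (not from the thread). Read-only: nothing is written to the registry.
$root = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global'

# Labels as reported in the posts above; any other GUID prints as 'unknown'.
$labels = @{
    '{21157C1F-2651-4CC1-90CA-1F28B02263F6}' = 'c_net.inf SMS_InterfaceInstall'
    '{2EEF81BE-33FA-4800-9670-1CD474972c3f}' = 'c_media.inf Audiocapture_InterfaceInstall'
    '{7D7E8402-7C54-4821-A34E-AEEFD62DED93}' = 'Cortana.Core.dll'
    '{9D9E0118-1807-4F2E-96E4-2CE57142E196}' = 'c_sensor.inf ActivitySensor_InterfaceInstall'
    '{B19F89AF-E3EB-444B-8DEA-202575A71599}' = 'SettingsHandlers_Privacy.dll'
    '{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}' = 'Account Info (Settings > Privacy)'
    '{E6AD100E-5F4E-44CD-BE0F-2265D88D14F5}' = 'LocationPermissions.dll'
    '{E83AF229-8640-4D18-A213-E22675EBB2C3}' = 'c_sensor.inf CustomSensor_InterfaceInstall'
}

# Hypothetical helper: one object per GUID subkey with its current "Value" data.
function Get-DeviceAccessSnapshot {
    param([string]$Path = $root)
    $keys = Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue -ErrorVariable denied
    foreach ($k in $keys) {
        $guid = $k.PSChildName.ToUpper()
        [pscustomobject]@{
            Guid   = $guid
            Value  = [string]$k.GetValue('Value', '(not set)')
            # Hashtable literals are case-insensitive, so GUID casing does not matter.
            Source = if ($labels.ContainsKey($guid)) { $labels[$guid] } else { 'unknown' }
        }
    }
    # Some subkeys need a permission change before they can be read; report them.
    foreach ($e in $denied) { Write-Warning "Could not read: $($e.TargetObject)" }
}

$before = @(Get-DeviceAccessSnapshot)
Read-Host 'Toggle ONE switch in Settings > Privacy, then press Enter' | Out-Null
$after = @(Get-DeviceAccessSnapshot)

if ($before.Count -and $after.Count) {
    'Entries changed by that switch:'
    Compare-Object $before $after -Property Guid, Value |
        Sort-Object Guid, SideIndicator | Format-Table -AutoSize
}
'Entries still set to Allow:'
$after | Where-Object Value -eq 'Allow' | Format-Table -AutoSize
```

Repeating the run once per switch maps each GUID to the setting that controls it; whatever is left as 'unknown' and "Allow" is the set the thread is still trying to identify.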
NoelC
Posted August 12, 2015

FYI, I just noticed one of the svchost.exe processes communicating regularly with 157.56.106.184, which traces to a Redmond, Washington physical address. Reverse DNS does not provide a name. A few hundred bytes every 15 to 25 seconds.

This particular svchost process hosts these specific services:

BITS, Background Intelligent Transfer Service
Browser, Computer Browser
CertPropSvc, Certificate Propagation
DoSvc, Delivery Optimization
gpsvc, Group Policy Client
iphlpsvc, IP Helper
LanmanServer, Server
ProfSvc, User Profile Service
Schedule, Task Scheduler
SENS, System Event Notification Service
SessionEnv, Remote Desktop Configuration
ShellHWDetection, Shell Hardware Detection
Themes, Themes
UserManager, User Manager
Winmgmt, Windows Management Instrumentation
wuauserv, Windows Update

-Noel

Techie007
Posted August 12, 2015 (edited)

You might want to download and install Process Hacker. It is a more powerful version of Process Explorer, and it has a Network tab that should show you exactly which service owns each open connection.

Edited August 12, 2015 by Techie007

NoelC
Posted August 12, 2015

Thanks - I've already got it (assuming you mean Process Hacker 2). Great tool.

I was using Resource Monitor to look at who's talking to what, but hadn't thought to look at Process Hacker's Network tab to identify the specific service. Great tip, thanks.

There's no persistent connection in this case, though... It shows that iphlpsvc is occasionally popping out tiny UDP datagrams, and Process Hacker 2 doesn't give you a whole lot of info regarding the other end in that case.

I'm not sure whether I have already effectively blocked this particular activity with a hosts entry to remap 157.56.106.184 to 0.0.0.0. I haven't had much experience with that form of entry before using the entries described at the top of this thread. It hasn't stopped the system seeing Windows Updates available.

I also see that explorer.exe maintains an ongoing TCP connection with bn1wns2011403.wns.windows.com over which it sends a few bytes now and then. I wonder what that's about.

-Noel

tomasz86
Posted August 12, 2015

> Tomasz86,
> Seems not to work for me! Still seeing SearchUI.exe running. Do we need a reboot?
> Can you tell what steps you have made with the firewall so that I can check if I did it the right way? Thank you.

I'll try to explain in detail.
I was originally inspired by this Polish blog:
http://www.dobreprogramy.pl/wielkipiec/Analiza-telemetrii-w-Windows-10-czy-ktos-wysilil-sie-sprawdzic,65392.html

The author basically advises against using the HOSTS file to block specific addresses. The problem is that they come from various different sources and no one is really sure what each of them means. There is also no guarantee that they are the same for all users and will not change in the future.

He used the openly available Windows 10 settings to block telemetry and then analyzed remaining network traffic with Microsoft Network Monitor. The tool creates a log so you can just leave it open and then check what has been going on. There is some interesting information about hidden services and other suspicious things, but I'm not really knowledgeable about that and have no time to translate the whole post.

At the end, he recommends using Windows Firewall to block all of the unnecessary connections. He proves his point by presenting a screenshot with much reduced network traffic after applying his firewall rules. Unfortunately, he doesn't provide a ready-to-apply list of specific rules to block as, in his words, they will be different in each system (I don't really agree with him here as there are at least a few that are always present).

Anyway, as far as I can tell, it should be safe to block all outbound connections for:

Search (twice)
Windows Feedback (twice)

These two are the most suspicious, and from my own observation using the MS Network Monitor most of the traffic goes away after blocking them.

You may also want to have a look at and block outbound connections for:

Microsoft Photos
MSN Money
MSN News
Windows Default Lock Screen
Windows Spotlight
Work or school account
Your account (twice; if not using MS account)

I haven't tested blocking all of these so please be careful, but I'm really not sure why things such as lock screen would need outbound access. However, just a quick look reveals that such rules did not exist in Windows 8. They are new to Windows 10.

As far as SearchUI.exe goes, you can either remove or rename the file itself to get rid of the process. However, doing so will cause a lot of errors in the Event Viewer. The built-in search will also stop working so you will have to rely on 3rd party alternatives (Classic Shell, Agent Ransack, etc.).

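Added example, not part of the post above: one way to review and then block the outbound rules tomasz86 names, using the built-in NetSecurity cmdlets from an elevated PowerShell prompt. The display names are copied from the post and are an assumption about what a given build or language edition calls these rules.

```powershell
# Added example (not from the thread). Run elevated.
# Display names as given in the post above; they may differ per build or language (assumption).
$names = 'Search', 'Windows Feedback'

# Collect every outbound rule carrying one of those names (the post notes each appears twice).
$rules = Get-NetFirewallRule -Direction Outbound -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.DisplayName }

# Show what each rule actually applies to before changing anything.
$rules | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Name        = $_.Name
        Enabled     = $_.Enabled
        Action      = $_.Action
        Package     = $app.Package   # app-package SID for Store/system apps
        Program     = $app.Program
    }
} | Format-Table -AutoSize

# The default outbound policy is Allow, so merely disabling an allow rule changes
# nothing; the rule's action has to become Block. -WhatIf previews the change.
$rules | Where-Object Action -eq 'Allow' |
    Set-NetFirewallRule -Action Block -WhatIf
```

Remove -WhatIf to apply the change, then re-run the listing after Windows updates to confirm the rules have not been recreated with Action set back to Allow.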
NoelC
Posted August 12, 2015

Trying to rid the system of SearchUI will also break system protection (i.e., it will stop passing an SFC check). If you would like to continue to be a part of the Windows Update process that will matter.

-Noel