

ptd163

[Guide] Disable Data Collection in Windows 10


It's not at all hard to imagine over 100 icons in an application.

 

Well, it's not Word or Excel (say) this application at its core should be a bunch of Registry Entries and a few commands (or little more).

 

jaclaz 


Anybody reading this who is using the version of Windows 10 that was released to the general public starting July 29: please check to see if you can turn off the telemetry.

 

I'm off the insider track at this point.

 

While I don't claim to have run all the new "tools" out there, I have researched and disabled a LOT of privacy settings, and outfitted my system with a hosts file that contains a list of Microsoft addresses redirected to 0.0.0.0, and yet I still saw quite a few attempts to communicate online run up against the firewall.  I'm in the process of trying a new firewall management tool right now (Sphinx Firewall Control per xpclient's recommendation) and it has better reporting.  When I get that all configured I'll see what it shows is still trying to get through.

 

The real trick is to distill out the essential network communications - e.g., to support Windows Update - while blocking the telemetry and other data hemorrhaging.

 

-Noel


Thanks for this thread, many Windows wide tips and tricks (like the hosts one).

 

I read somewhere about adding this at the start of the hosts file if you are going to use 0.0.0.0 as local host

    # Special Entries
    0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly

Also I tried to download the Scheduled Tasks file, but it seems to be broken (the file itself), I downloaded several times with same effect.

In the same spoiler tab a trick is described to disable the keylogger:

    sc delete DiagTrack
    sc delete dmwappushservice

I read this disables Cortana completely (without recovery), why I would still want to use Cortana as an internal search engine. Is it possible?

Edited by Dogway


Wouldn't it just be simpler just to downgrade and give all the previous versions of Windows the powers of W10? Or even make a computer appear to be W10.

I understand the needle in the haystack theory with current trends but it just looks like everybody is following the herd and all Microsoft is doing is slicing off the bird of the herd just to make sure there is no beaks on board the ship.

Also somebody said something about re-installation without noticing. Yes this has occurred many times.

Why play follow the leader when it just backfires. Microsoft has turned the OS into the same **** thing that we used in our teller machines. AKA OS/2. On the outside it looks like your phone ( always monitoring you ). On the inside it is like your phone ( Always monitoring you ). Always collecting information about who you talk to and how many people you talk to.

It seems the only winner in this are the dozens of wild untamed motor mouth others.

Edited by ROTS


I've got news for you ROTS, Windows has been blabbering a long time online.  It's not just Windows 10, though the online communications have increased in the newest version.

 

-Noel


Folks, I have found something interesting in regard to the hosts file. It looks like patching it will not always prevent the OS from resolving domain names.

 

Here is what I do:

  • In a VM I have Win10. All network traffic of this VM is captured into a pcap file
  • hosts file is patched per this topic headline
  • in addition to that the following lines are added as I saw them in the pcap file
    0.0.0.0 win10.ipv6.microsoft.com
    0.0.0.0 dns.msftncsi.com
    0.0.0.0 fe2.update.microsoft.com
    0.0.0.0 fe2.update.microsoft.com.akadns.net
    0.0.0.0 v10.vortex-win.data.microsoft.com
    0.0.0.0 v4.download.windowsupdate.com
    0.0.0.0 geo-prod.do.dsp.mp.microsoft.com
  • I do ipconfig /flushdns and go to check for updates manually
  • What I see in pcap file is still a DNS request to resolve fe2.update.microsoft.com and a DNS response with CNAME: fe2.update.microsoft.com.akadns.net

Am I doing something wrong? Or is it that the OS simply ignores the hosts file?

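The check described in the post above (hosts-file names compared against the DNS queries seen in the capture), as an added example that is not part of the original post. It assumes a classic little-endian pcap with Ethernet framing and IPv4; all function names are made up for this sketch, and `sample_pcap` builds a constructed capture rather than real traffic.

```python
import struct

SINKS = ("0.0.0.0", "127.0.0.1")

def parse_hosts(text):
    # Names the hosts file points at a sink address (comments stripped).
    rows = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    return {n.lower() for r in rows if r and r[0] in SINKS for n in r[1:]}

def dns_query_name(msg):
    # QNAME of a DNS query; None for responses or messages too short for one.
    if len(msg) < 13 or msg[2] & 0x80:
        return None
    labels, pos = [], 12
    while pos < len(msg) and 0 < msg[pos] < 64:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ".".join(labels).lower()

def udp53_payloads(pcap):
    # UDP payloads to port 53 from a classic pcap (Ethernet + IPv4 only).
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap file")
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) >= 8 and udp[2:4] == b"\x00\x35":
            yield udp[8:]

def queried_despite_hosts(pcap, hosts_text):
    # Hosts-file names that were still sent to a DNS server in the capture.
    seen = {dns_query_name(m) for m in udp53_payloads(pcap)}
    return sorted(parse_hosts(hosts_text) & seen)

def sample_pcap(names):
    # Constructed capture (not real traffic): one DNS query frame per name.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for name in names:
        q = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
        dns = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + q + b"\0\0\1\0\1"
        ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 28 + len(dns), 0, 0, 64, 17, 0)
        udp = struct.pack("!4H", 50000, 53, 8 + len(dns), 0)
        frame = b"\0" * 12 + b"\x08\x00" + ip + udp + dns
        out += struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return out
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes together with the hosts file text to `queried_despite_hosts`; any name it returns was looked up over the network even though the hosts file lists it.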

 

Am I doing something wrong? Or is it that the OS simply ignores the hosts file?

The second you said.

A certain number of domains/web addresses are hardcoded in Windows binaries and by-pass the hosts file, this is a known fact since 2006 or so (embedded in DNSAPI.DLL):

http://reboot.pro/topic/20622-windows-10-enterprise-ltsb-mother-of-all-tweak-scripts/?p=194235

 

If and where there are other DLL's or other files including more "hardcoded" addresses specifically in Windows 10 is not (yet) clear AFAIK.

 

jaclaz


Huh. Didn't know that, thanks. So does it mean that we actually can't rely on hosts when talking about disabling data collection?


Huh. Didn't know that, thanks. So does it mean that we actually can't rely on hosts when talking about disabling data collection?

Yes and no.

 

Meaning that in theory the mechanism that bypasses the hosts file is (seemingly) limited to a handful of MS addresses connected or related to Windows Update.

 

If you see it objectively, there are some grounds for thinking that the maker of the OS has made a provision that in case a malware compromising the hosts file would not affect the possibility to connect to a trusted source (that may actually contain a hotfix/update capable of recovering from the issue that malware caused).

 

Now the point might be that no one has any idea what exactly is transmitted to (and received from) any of these servers (both those that can be "stopped" through the hosts file and those that are hardcoded) and whether the *whatever* that "phones home" will not be changed in any moment, remotely and with or without user consent, there is a precedent also for this:

http://www.msfn.org/board/topic/174412-looks-to-me-like-win-10-will-top-out-at-about-10-adoption/#entry1107817

 

jaclaz


the maker of the OS has made a provision that in case a malware compromising the hosts file would not affect the possibility to connect to a trusted source (that may actually contain a hotfix/update capable of recovering from the issue that malware caused).

 

Yep that makes a lot of sense. And the way I think about this is that mechanism Redmond guys can make an update once that enables hosts bypass for telemetry services. If not already done so.


BTW. When I set up a local DNS service (Acrylic) I was able to block that domain name. So as I understand in this case the only solution to bypass this block would be to hard-code IPs


And one more "BTW". Does anyone know why there are efforts being put to hack into Win registry/services/tasks while in the end the idea is to break the connection b/w your PC and MS servers?

 

It was already mentioned (e.g. here in a separate thread) that you can't be sure all the tracking tools are disabled. So why not focus only on monitoring connections of Win10 with the outer network and block them via DNS and/or a firewall?

 

The 1st answer that came into my head was "one can't trust your SW firewall as Win10 can bypass it". Is that the case? Though I was searching through Internet about this but haven't found a clue. So what's the point in all those scripts and bat files being worked on? A local DNS and a set of firewall rules should be a way to go. Or no?


Surely an external firewall would do nicely, I don't think that a DNS service in it is actually *needed*.

 

From what NoelC reports:

http://www.msfn.org/board/topic/174264-experimenting-with-windows-firewall-to-block-by-default/

http://www.msfn.org/board/topic/174417-sphinx-windows-er-10-firewall-control/

the "internal" firewall seems to work fine (i.e. it is seemingly not bypassed), still an external one would be IMHO more reliable.

The real issue is that apart the (incomplete) data we have about the exact nature of all the "phoning home" whatever is or will be (finally) discovered is anyway subject to changes that the good MS guys can trigger remotely through an update or some other means, while the internal firewall (and each and every policy/registry setting/etc.) may be subject to changes the external firewall should be exempt from it (of course it anyway needs to be attentively monitored as the actual list of "contact IP" may change anytime) but in theory one would need to have some form of packet detection and filtering.

 

Now, one could imagine (fictional, hypothetic) that MS acquires 365 IP's in *random* countries and that each morning provides an "update" that changes the IP that the Windows 10 OS connects to, it would become a nightmare to keep the firewall rules "current". :ph34r:

 

jaclaz


jaclaz, this pretty aligns with my thinking. However here are a couple of things I'd like to expand on:

  • The reason I'm talking about an SW firewall (not an external one) is because more people have the possibility to install that. And it will also work for a mobile working station that is not always connected to a specific external firewall. I'm going to keep playing with my WM with Win10+Comodo and collect outgoing traffic to see if firewall does not get bypassed.
  • As of DNS service. Well I think of it like of saving time to put specific IPs into firewall rules. And as you correctly mentioned to keep them actual. E.g. with the example I described several comments above (fe2.update.microsoft.com) - it's easier to me to block the only domain name and not 4-5 IP addresses.
  • As for your comment about continuous updates then I think the opposite. Block all MS connection (including updates) and do manual updates once in a while. I mean explicitly allow certain connections. Press "check 4 updates". and close all connections back. does not seem to be the perfect scenario though :)
