[Guide] Way to Disable Keylogger/Telemetry v3.55

Discussion in 'Windows 10' started by LiteOS, Oct 9, 2014.

  1. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    #321 murphy78, Oct 19, 2014
    Last edited by a moderator: Apr 20, 2017
    Good point. I think it would be better to reverse the service a little and see if it's related to the event logs and/or reporting.
     
  2. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,769
    1,106
    60
  3. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    #323 Smorgan, Oct 19, 2014
    Last edited: Oct 19, 2014
    Bloody well works but as pointed out we need to find exactly what it does.

    So what say I pull out my reversing tools again?

    This will be a very long post as disassembling is complex.

    And there are no details on what the actual service does, so ya...
     
  4. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    Good point which will require a good amount of logging in general.

    OFF TOPIC: What OS should I pick out this time? I was thinking of Windows 7 (Server 2008 R2) or 8.1 (Server 2012 R2) because it would be on a brand new Samsung 850 pro SSD (512 GB).

    I'll keep the usual programs I load on it but was just curious on thoughts here.
     
  5. endbase

    endbase MDL Guru

    Aug 12, 2012
    4,694
    1,717
    150
    I've been using windows server 2012 r2 it works very nice ;)
     
  6. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    Ya I've been using a legit copy of Server 2012 R2 Datacenter :p
     
  7. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    Man I really wish MS would just have a way to turn off the telemetry, but our whole point was always about learning for RTM anyway.
    Nobody ever said it would be easy; learning never is.
     
  8. KnowledgeableNewbie

    KnowledgeableNewbie MDL Member

    Sep 30, 2014
    178
    28
    10
    My method doesn't delete the service, and I'm offended by the fact that you think that I'm that lazy and would take the easy way out. This stops the service (without restart) on a per-session basis, or, with one more edit, permanently.
     
  9. KnowledgeableNewbie

    KnowledgeableNewbie MDL Member

    Sep 30, 2014
    178
    28
    10
    Once disabled it stays disabled. The interesting part is, for fun I set it to manual and it stayed stopped. Ran the computer for a while and it still was stopped, meaning nothing calls this service or it would restart.
    As far as SetACL is concerned, yeah, you can use it to set the permissions, but as I stated earlier no super permissions (i.e. TrustedInstaller) are needed. I did it manually with regedit, taskkill, and Explorer. All I have to do is refine the list to see if every step I took is needed. I just figured I'd put it out there so others could help. Oh well.
     
  10. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    Simple misunderstanding, I'm sure.
    Jinje is like a pro scripter and has more expertise on the ACL and permissions stuff than me or smorg.
    smorg, from what I can tell, is like a newish-to-medium PowerShell scripter and good with reversing and troubleshooting this kind of stuff.
    I'm more of an integration expert, but I'm decent at cmd scripts. I've handled very little PowerShell scripting.

    Now that we have introductions out of the way, do you have an exact method you are using? ACL and then sc stop/config?

    Also, has anyone been testing the various connections with the certs installed?
    I'd imagine there'd be some attempted handshaking and then failure based on the disallow list for the cert, but I'm more curious as to what all it blocks.
    Because, honestly, if we can block the transfers with 2 simple certs, this whole effort is going to be fruitless.

    They have a saying in engineering that if you try to make something complicated, it's going to fail.
    The same is true for software. If you try to do too much, it will come out badly.
    The reason I changed my mind about the all-around approach and changed to the optional approach in my v2 script is so if certs are all that are required to block this stuff, then we just use that.
    If hosts editing are all that is necessary to block this stuff, but certs don't work, then we use that.

    It's good to know our options but we need to figure out what is required and focus a little less on every single possible aspect of modding.
     
  11. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    I didn't even think about that. What if it has a simple rule that you cannot stop it while it's running...
    It hadn't occurred to me because it says that it's stoppable, but I've seen malware that does the exact same thing so I know it's possible.
    That would be interesting to test. Perhaps just taskkill it and then try to sc stop/config start= disabled on the service.
    The less registry modding you need to do, the better.
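The sequence murphy78 sketches here (stop the running instance, then set the start type to disabled, then verify), as an added PowerShell example that is not a script from this thread or from any of its posters. It assumes an elevated prompt on a Windows 10 build that carries the two services; `DiagTrack` is matched by service name and `dmwappushsvc` by service name or display name, since the thread uses the latter spelling. It also dumps each service's security descriptor, which is the ACL the earlier posts are arguing about, so the reader can see whether any permission change is actually needed.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's script. Stops the two services discussed
# (DiagTrack and dmwappushsvc), sets them to Disabled, and verifies the result.
# Service names are assumptions taken from the thread.

$targets = @('DiagTrack', 'dmwappushsvc')

function Disable-TelemetryService {
    param([Parameter(Mandatory)][string]$Name)

    # Match by service name or display name so either spelling works
    $svc = Get-Service | Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } | Select-Object -First 1
    if (-not $svc) { Write-Warning "Service '$Name' not found on this build"; return }
    $svcName = $svc.Name

    # State before we touch anything (State, StartMode, hosting PID)
    $before = Get-CimInstance Win32_Service -Filter "Name='$svcName'"

    # Step 1: stop the running instance. Stop-Service -Force is the supported
    # equivalent of 'sc stop'. Fall back to taskkill only if the SCM refuses
    # and the svchost hosts nothing else: killing a shared svchost takes its
    # sibling services down too.
    if ($before.State -ne 'Stopped') {
        try {
            Stop-Service -Name $svcName -Force -ErrorAction Stop
        } catch {
            Write-Warning "Stop-Service failed for $svcName : $($_.Exception.Message)"
            $siblings = @(Get-CimInstance Win32_Service -Filter "ProcessId=$($before.ProcessId)")
            if ($before.ProcessId -ne 0 -and $siblings.Count -eq 1) {
                & taskkill.exe /PID $before.ProcessId /F | Out-Null
            } else {
                Write-Warning "PID $($before.ProcessId) hosts $($siblings.Count) services; not killing it"
            }
        }
    }

    # Step 2: set the start type. sc.exe requires the space after 'start='.
    & sc.exe config $svcName start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "sc config failed for $svcName with exit code $LASTEXITCODE" }

    # Step 3: verify state and start mode, and show the service's security
    # descriptor (SDDL) so you can see who is allowed to start or reconfigure it.
    # Nothing above needed SetACL or TrustedInstaller rights, only an admin token.
    $after = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    [pscustomobject]@{
        Service   = $svcName
        WasState  = $before.State
        State     = $after.State         # expect 'Stopped'
        StartMode = $after.StartMode     # expect 'Disabled'
        ProcessId = $after.ProcessId     # expect 0 once stopped
        SDDL      = (& sc.exe sdshow $svcName | Where-Object { $_ -match '^D:' })
    }
}

$targets | ForEach-Object { Disable-TelemetryService -Name $_ }
```

Run it once, reboot, and run `Get-Service DiagTrack, dmwappushservice` again to confirm the state survives a restart; if the SDDL line shows an ACE that grants `RP` (start) to Everyone or Interactive users, that is the entry a permissions tool would tighten, but a Disabled start type is refused by the SCM regardless of who asks.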
     
  12. KnowledgeableNewbie

    KnowledgeableNewbie MDL Member

    Sep 30, 2014
    178
    28
    10
    #334 KnowledgeableNewbie, Oct 19, 2014
    Last edited: Oct 19, 2014
    I'm just using regedit. Just got home and decided to try something. I believe it is even simpler than my first endeavor. I've done it once, and am just reinstalling a fresh copy to verify. Also I found that I believe MS allows you to remove DiagTrack. Got to verify that too. It should be able to be scripted in a couple of lines. Also, from what I've seen so far, dmwappushsvc is only a calling service. It doesn't do anything by itself, because it stays stopped when set to manual.
     
  13. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,093
    24,397
    340
    Afaik in manual mode it still can be started ... disabling is always better in such cases.
     
  14. KnowledgeableNewbie

    KnowledgeableNewbie MDL Member

    Sep 30, 2014
    178
    28
    10
    OK, got it down to about 4 clicks. One more check while I write everything down.
     
  15. l30

    l30 GFX Wizard

    Apr 14, 2014
    465
    572
    10
    In manual mode it cannot start itself automatically unless you start it manually, so it's also considered safe for restricting the service from running automatically.
     
  16. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,093
    24,397
    340
    Might be, i still prefer disabling in that case. The Powershell script does this nicely, only needs one reboot so far (huih another 30 secs on SSD).
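The Manual-versus-Disabled question in the last few posts can be settled on the box rather than argued. The following is an added PowerShell example, not code from this thread or its posters: it puts a service into Manual, confirms that an explicit start request still succeeds, puts it into Disabled, confirms that the same request is refused, and then queries the service's start triggers, which are the mechanism by which the SCM starts a Manual service without any user action. It defaults to `DiagTrack` as an assumed service name, briefly starts the service during the Manual test, and leaves it stopped and Disabled when it returns. Run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Checks what 'Manual' versus 'Disabled'
# actually permits for a service, and whether it has start triggers that let
# the SCM start it on its own. 'DiagTrack' is an assumed default name.

function Test-ServiceStartPolicy {
    param([string]$Name = 'DiagTrack')

    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction Stop }

    # Manual: the service does not start at boot, but any caller holding
    # SERVICE_START on it (here, an administrator) can start it on demand.
    Set-Service -Name $Name -StartupType Manual
    try {
        Start-Service -Name $Name -ErrorAction Stop
        $manualStarts = (Get-Service -Name $Name).Status -eq 'Running'
    } catch {
        $manualStarts = $false
    }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue

    # Disabled: the SCM rejects the start request outright
    # (ERROR_SERVICE_DISABLED, 1058), no matter who asks.
    Set-Service -Name $Name -StartupType Disabled
    try {
        Start-Service -Name $Name -ErrorAction Stop
        $disabledStarts = $true
    } catch {
        $disabledStarts = $false
    }

    # Start triggers (Windows 7 and later): if any are registered, the SCM
    # starts a Manual service when the trigger fires (network availability,
    # an ETW event, device arrival, ...) with no user involved. sc.exe either
    # lists the triggers under START SERVICE / STOP SERVICE headings or prints
    # a line saying the service has not registered any; the match below is a
    # heuristic on that text.
    $triggers = (& sc.exe qtriggerinfo $Name) -join "`n"

    [pscustomobject]@{
        Service          = $Name
        ManualCanStart   = $manualStarts
        DisabledCanStart = $disabledStarts
        HasStartTrigger  = ($triggers -match 'START SERVICE')
        TriggerInfo      = $triggers
    }
}

Test-ServiceStartPolicy -Name 'DiagTrack' | Format-List
```

Expect `ManualCanStart` to be true and `DisabledCanStart` to be false; whether `HasStartTrigger` is true is what decides if leaving the service on Manual is actually safe on a given build, since a triggered Manual service needs nobody to "start it manually".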
     
  17. KnowledgeableNewbie

    KnowledgeableNewbie MDL Member

    Sep 30, 2014
    178
    28
    10
    #339 KnowledgeableNewbie, Oct 19, 2014
    Last edited: Oct 19, 2014
    OK, I've got it done and wrote it down. Who shall I give it to, to test and disseminate if it's deemed worthy?
     
  18. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    #340 Smorgan, Oct 19, 2014
    Last edited: Oct 19, 2014
    This is true. I've done more scripting with cmd than I have with PowerShell. I wanted to start using PowerShell given that it can do more stuff than cmd. If you told me to write this thing up in bat I could do it pretty quickly lol. I wanted to move on from bat scripting to learning the other scripting languages. That being said, I've been doing reversing for quite some time so I'm good with that kind of stuff, but the problem here is that inside the software I'm using to take apart dmwappushsvc there is very little information given on what the DLL actually does apart from being part of the service host manager.

    At this point I've done more OEM packing than I have PowerShell scripting, along with basically anything else computer-wise lol. I agree that this is Jinje's area of expertise, but it doesn't mean I can't start learning :p. That being said, simple misunderstanding on the deletion of the service, but we really, really need to figure out what this thing does.

    At this point we have the complete break down of what it does with the import / export table. And we have full control over the dll so it's just a matter of time :D

    We have a way to disable it... Yes however its more important to figure out what it does!!!