[Guide]Way to Disable Keylogger/ Telemetry v3.55

Discussion in 'Windows 10' started by LiteOS, Oct 9, 2014.

Thread Status:
Not open for further replies.
  1. dslr

    dslr MDL Novice

    Jul 8, 2015
    37
    1
    0
    Stays on Basic even after disabling everything (Consolidator, KernelCeip and UsbCeip tasks, ProgramDataUpdater and Microsoft Compatibility Appraiser)... I give up, Windows became self-aware :help2:
     
  2. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
  3. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    Basically you guys are changing the settings manually in order to turn such tasks / services off.

    This means when the services check them they incorporate into them a wide range of checks to say OK, it's off. However, we are messing with individual pieces so it will continue to say on. I am personally not sure how they gauge if such a thing is off. Anyone wanna take out IDA Pro or OllyDbg and a few forensics tools?
     
  4. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    I noticed a lot of connection attempts from explorer.exe on ports 80 and 443 uploading to MS servers,
    but on SSL, who knows what's sent exactly.
     
  5. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    We could also use Wireshark again. Flip registry to 0, reboot, start Wireshark and wait?
     
  6. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    #527 nexus76, Jul 18, 2015
    Last edited: Jul 18, 2015
    This process looks promising:
    It uses IPsec, so we won't see a lot having Wireshark at work ;)
    It appears to be part of the cloud, but although I'm not logged in using the Live ID
    I wonder it connects to MSFT servers ...
     
  7. pianomanx

    pianomanx MDL Novice

    Aug 8, 2012
    4
    7
    0
    I'm working on IDA/Olly debugging...I'll let everyone know what I get.
     
  8. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,855
    1,051
    60
    That's like taking a magnifying glass to a rug and saying I found something. Please, dude, at least identify what you're looking for before you use those tools.

    @Murphy78: Wireshark for network analyzing. And Procmon for analyzing data flow on the OS. Lastly, Registrar Pro for handling the registry, 'cause let's face it, regedit is a bag of suck.
     
  9. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,769
    1,106
    60
    #530 Mr Jinje, Jul 18, 2015
    Last edited by a moderator: Apr 20, 2017
  10. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    Hmm... Well, I seem to remember quite a lot of IP addresses that they were going through.
    Do you guys think it would be easier to just use the old method of disabling a couple services with elevated permissions?

    I really hate that you can't completely disable this telemetry, easily, for the record. It's f**king annoying and MS should know better.
     
  11. elzna

    elzna MDL Senior Member

    Aug 28, 2013
    434
    56
    10
    #532 elzna, Jul 18, 2015
    Last edited: Jul 18, 2015
    So what did we conclude here? Can someone give me the new list of registry values to disable, that changes Basic into None?

    Is this all?
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\ /v "AllowTelemetry" /d "0" /t REG_DWORD

    It's set to 1 by default on my system and I have never changed this before.

    Btw, correct me if I'm wrong, but the older keylogger service mentioned in the OP, "sc delete dmwappushsvc", should be sc delete dmwappushservice because the service changed name a long time ago. dmwappsvc no longer exists since 10100 build something.
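
A read-only check of the items the posts above keep toggling (the AllowTelemetry value, the services, and the scheduled tasks named earlier in the thread), given here as an added example that is not part of any poster's message. The DiagTrack service name is an assumption taken from the package name on this page, and task names are matched by prefix because the thread gives them in shortened form.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$report = @()

# 1. Registry value from the REG ADD command quoted in the post above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$val = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
$report += [pscustomobject]@{
    Kind  = 'Registry'
    Name  = 'AllowTelemetry'
    State = if ($null -eq $val) { 'not set' } else { "$val" }
}

# 2. Services. dmwappushservice is the name given in the post;
#    DiagTrack is assumed from the package name shown in this thread.
foreach ($svc in 'DiagTrack', 'dmwappushservice') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    $report += [pscustomobject]@{
        Kind  = 'Service'
        Name  = $svc
        State = if ($s) { "$($s.State), start mode $($s.StartMode)" } else { 'not present' }
    }
}

# 3. Scheduled tasks named earlier in the thread, matched by prefix.
$allTasks = Get-ScheduledTask
$prefixes = 'Consolidator', 'KernelCeip', 'UsbCeip', 'ProgramDataUpdater',
            'Microsoft Compatibility Appraiser'
foreach ($p in $prefixes) {
    $hits = @($allTasks | Where-Object { $_.TaskName -like "$p*" })
    if ($hits.Count -eq 0) {
        $report += [pscustomobject]@{ Kind = 'Task'; Name = $p; State = 'not present' }
    }
    foreach ($t in $hits) {
        $report += [pscustomobject]@{
            Kind  = 'Task'
            Name  = "$($t.TaskPath)$($t.TaskName)"
            State = "$($t.State)"
        }
    }
}

$report | Format-Table -AutoSize
```

Running it before and after a Windows update shows whether any of these settings were restored.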
     
  12. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    #533 nexus76, Jul 18, 2015
    Last edited by a moderator: Apr 20, 2017
    Code:
    C:\WINDOWS\system32>dism /online /get-packages /format:table
    
    Tool zur Imageverwaltung für die Bereitstellung
    Version: 10.0.10240.16384
    
    Abbildversion: 10.0.10240.16384
    
    Paketauflistung:
    
    
    ---------------------------------------------------------------------------------------------------------- | ----------- | --------------- | -----------------
    Paketidentität                                                                                             | Status      | Versionstyp     | Installationszeit
    ---------------------------------------------------------------------------------------------------------- | ----------- | --------------- | -----------------
    Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~de-DE~10.0.10240.16384                | Installiert | Language Pack   | 10.07.2015 16:34
    Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384                      | Installiert | Feature Pack    | 10.07.2015 12:20
    Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.10240.16384                              | Installiert | Foundation      | 10.07.2015 12:20
    Microsoft-Windows-LanguageFeatures-Basic-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384            | Installiert | OnDemand Pack   | 10.07.2015 16:35
    Microsoft-Windows-LanguageFeatures-Handwriting-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384      | Installiert | OnDemand Pack   | 10.07.2015 16:35
    Microsoft-Windows-LanguageFeatures-OCR-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384              | Installiert | OnDemand Pack   | 10.07.2015 16:35
    Microsoft-Windows-LanguageFeatures-Speech-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384           | Installiert | OnDemand Pack   | 10.07.2015 16:35
    Microsoft-Windows-LanguageFeatures-TextToSpeech-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384     | Installiert | OnDemand Pack   | 10.07.2015 16:35
    Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~10.0.10115.0                             | Installiert | OnDemand Pack   | 17.07.2015 13:21
    Microsoft-Windows-Prerelease-Client-Package~31bf3856ad364e35~amd64~de-DE~10.0.10240.16384                  | Installiert | Language Pack   | 10.07.2015 16:34
    Microsoft-Windows-Prerelease-Client-Package~31bf3856ad364e35~amd64~~10.0.10240.16384                       | Installiert | Feature Pack    | 10.07.2015 12:20
    Microsoft-Windows-RetailDemo-OfflineContent-Content-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack   | 10.07.2015 16:46
    Microsoft-Windows-RetailDemo-OfflineContent-Content-Package~31bf3856ad364e35~amd64~~10.0.10240.16384       | Installiert | OnDemand Pack   | 10.07.2015 16:46
    Package_for_KB3064238~31bf3856ad364e35~amd64~~10.0.1.2                                                     | Installiert | Security Update | 17.07.2015 13:35
    Package_for_KB3074663~31bf3856ad364e35~amd64~~10.0.1.0                                                     | Installiert | Security Update | 17.07.2015 13:02
    
    Der Vorgang wurde erfolgreich beendet.
    
    C:\WINDOWS\system32>dism /online /remove-package /packagename:Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384
    
    Tool zur Imageverwaltung für die Bereitstellung
    Version: 10.0.10240.16384
    
    Abbildversion: 10.0.10240.16384
    
    1 von 1 werden verarbeitet - Paket "Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384" wird entfernt
    [==========================100.0%==========================]
    Der Vorgang wurde erfolgreich beendet.
    Zum Abschließen dieses Vorgangs muss Windows neu gestartet werden.
    Möchten Sie den Computer jetzt neu starten? (Y/N)
    Seems like diagtracking isn't a static package anymore, but still explorer.exe connects on port 443
     
  13. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    17,223
    90,879
    340
    #534 abbodi1406, Jul 18, 2015
    Last edited by a moderator: Apr 20, 2017
    Prerelease-Client-Package is actually just a parent for DiagTrack-Internal-Package, which merely represents this registry value
    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack
    "MSFTInternal"=0x00000001
    
    The telemetry client is still contained in OneCore-TroubleShooting-Package
     
  14. pirithous

    pirithous MDL Member

    Dec 17, 2014
    198
    78
    10
    #535 pirithous, Jul 18, 2015
    Last edited: Jul 18, 2015
    Let's put the brakes on for a second and think, in an abstract way: what if MS is testing everyone to see how people react to the telemetry stuff (NSA software practically installed on your personal computer) before the 29th? It seems to me that they are not saying build 10240 is RTM or not because they are testing the masses (sheeple) to see whether or not telemetry will be socially accepted. Yes, I'm aware that Windows 10 is now SaaS and RTM means something a lot different today than it did in the Windows 7 days, but please understand the context I'm using the aforementioned argument in.

    MS are playing their hand, holding their cards very close to the vest -- they can surreptitiously remove the telemetry malware after the 29th if there's a big outcry. When I say surreptitious, I don't mean for them to remove it and not have people notice. I mean they can follow one of two plans, and if it's plan B (to remove it), they don't tell the public anything. They will just stick to the script, which is that it was bound to be removed anyway, just like "everybody" speculated. Even though there were/are a handful in the public who bet on telemetry staying. They don't have to if there isn't. Microsoft has tried to condition their more tech-savvy market; the ones aware it's there, into believing that what they (MS) are doing should be accepted. Just like, "Hey, my Samsung T.V. spies on me and that should be accepted!" The non-tech savvy people don't even know it's there, so no conditioning needed.

    As for my opinion? Here it is: Microsoft is a private company and legally they should be able to do whatever they want with their operating system. This means that I disagree with the U.S. Justice Department suing MS for making Internet Explorer part of Windows. I disagree with that business practice and think it was wrong, but Microsoft owns the product and they should not have been sued. It's like free speech. Anyhow, it looks like I probably won't be using Windows 10 a whole lot -- I don't like being spied on or having that ability even there. Think about getting hacked, and a hacker turning telemetry on and having that data go to them! No thanks! I'm sticking with openSUSE Tumbleweed.

    Microsoft doesn't fool me.
     
  15. LiteOS

    LiteOS Windowizer

    Mar 7, 2014
    2,343
    1,048
    90
    Need to build a better script to disable the Updates from bringing it back,
    or an app with a service
     
  16. MSMG

    MSMG MDL Developer

    Jul 15, 2011
    6,414
    15,608
    210
    #538 MSMG, Jul 19, 2015
    Last edited by a moderator: Apr 20, 2017
    Will removing this package remove the Telemetry stuff completely?

    Code:
    Microsoft-OneCore-AllowTelemetry-Reduced-Default-Package~31bf3856ad364e35~x86~~10.0.10240.16384
    

     
  17. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    #539 nexus76, Jul 19, 2015
    Last edited by a moderator: Apr 20, 2017
  18. dslr

    dslr MDL Novice

    Jul 8, 2015
    37
    1
    0