Stays on Basic even after disabling everything (Consolidator, KernelCeip and UsbCeip tasks, ProgramDataUpdater and Microsoft Compatibility Appraiser)... I give up, Windows became self-aware.
Basically you guys are changing the settings manually in order to turn such tasks / services off. This means when the services check them they incorporate into them a wide range of checks to say OK, it's off. However, we are messing with individual pieces, so it will continue to say on. I am personally not sure how they gauge if such a thing is off. Anyone wanna take out IDA Pro or OllyDbg and a few forensics tools?
I noticed a lot of connection attempts from explorer.exe on ports 80 and 443 uploading to MS servers, but on SSL, who knows what's sent exactly.
This process looks promising: it uses IPsec, so we won't see a lot having Wireshark at work. It appears to be part of the cloud, but although I'm not logged in using the Live ID, I wonder that it connects to MSFT servers ...
That's like taking a magnifying glass to a rug and saying I found something. Please, dude, at least identify what you're looking for before you use those tools. @Murphy78: Wireshark for network analysis, and Procmon for analyzing data flow on the OS. Lastly, Registrar Pro for handling the registry, 'cause let's face it, regedit is a bag of suck.
Hmm... Well, I seem to remember quite a lot of IP addresses that they were going through. Do you guys think it would be easier to just use the old method of disabling a couple of services with elevated permissions? I really hate that you can't completely disable this telemetry, easily, for the record. It's f**king annoying and MS should know better.
So what did we conclude here? Can someone give me the new list of registry values to disable that changes Basic into None? Is this all?
Code:
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\ /v "AllowTelemetry" /d "0" /t REG_DWORD
It's set to 1 by default on my system and I have never changed this before. BTW, correct me if I'm wrong, but the older keylogger services mentioned in the OP, "sc delete dmwappushsvc", should be sc delete dmwappushservice because the service changed its name a long time ago. dmwappsvc no longer exists since build 10100-something.
Code:
C:\WINDOWS\system32>dism /online /get-packages /format:table

Tool zur Imageverwaltung für die Bereitstellung
Version: 10.0.10240.16384

Abbildversion: 10.0.10240.16384

Paketauflistung:

---------------------------------------------------------------------------------------------------------- | ----------- | --------------- | -----------------
Paketidentität | Status | Versionstyp | Installationszeit
---------------------------------------------------------------------------------------------------------- | ----------- | --------------- | -----------------
Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~de-DE~10.0.10240.16384 | Installiert | Language Pack | 10.07.2015 16:34
Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | Feature Pack | 10.07.2015 12:20
Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | Foundation | 10.07.2015 12:20
Microsoft-Windows-LanguageFeatures-Basic-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:35
Microsoft-Windows-LanguageFeatures-Handwriting-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:35
Microsoft-Windows-LanguageFeatures-OCR-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:35
Microsoft-Windows-LanguageFeatures-Speech-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:35
Microsoft-Windows-LanguageFeatures-TextToSpeech-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:35
Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~10.0.10115.0 | Installiert | OnDemand Pack | 17.07.2015 13:21
Microsoft-Windows-Prerelease-Client-Package~31bf3856ad364e35~amd64~de-DE~10.0.10240.16384 | Installiert | Language Pack | 10.07.2015 16:34
Microsoft-Windows-Prerelease-Client-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | Feature Pack | 10.07.2015 12:20
Microsoft-Windows-RetailDemo-OfflineContent-Content-de-de-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:46
Microsoft-Windows-RetailDemo-OfflineContent-Content-Package~31bf3856ad364e35~amd64~~10.0.10240.16384 | Installiert | OnDemand Pack | 10.07.2015 16:46
Package_for_KB3064238~31bf3856ad364e35~amd64~~10.0.1.2 | Installiert | Security Update | 17.07.2015 13:35
Package_for_KB3074663~31bf3856ad364e35~amd64~~10.0.1.0 | Installiert | Security Update | 17.07.2015 13:02

Der Vorgang wurde erfolgreich beendet.

C:\WINDOWS\system32>dism /online /remove-package /packagename:Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384

Tool zur Imageverwaltung für die Bereitstellung
Version: 10.0.10240.16384

Abbildversion: 10.0.10240.16384

1 von 1 werden verarbeitet - Paket "Microsoft-Windows-DiagTrack-Internal-Package~31bf3856ad364e35~amd64~~10.0.10240.16384" wird entfernt
[==========================100.0%==========================]
Der Vorgang wurde erfolgreich beendet.
Zum Abschließen dieses Vorgangs muss Windows neu gestartet werden.
Möchten Sie den Computer jetzt neu starten? (Y/N)

Seems like diagtracking isn't a static package anymore, but still explorer.exe connects on port 443.
Prerelease-Client-Package is actually just a parent for DiagTrack-Internal-Package, which merely represents this registry value:
Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack "MSFTInternal"=0x00000001
The telemetry client is still contained in OneCore-TroubleShooting-Package.
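A read-only way to see in one table which of the pieces named in this thread are still active, added here as an example and not posted by any participant. The registry paths, task names and `dmwappushservice` are taken from the posts above; the `DiagTrack` service name, the wildcard matching of the task names and the package-name filter are assumptions of this example.

```powershell
# Added example: read-only audit of the telemetry-related items named in this thread.
# Run from an elevated PowerShell prompt. Nothing is changed on the system.
$report = @()

# Registry values quoted in the posts above.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'; Name = 'AllowTelemetry' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack';   Name = 'MSFTInternal' }
)
foreach ($c in $regChecks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
    $report += [pscustomobject]@{ Kind = 'Registry'; Item = "$($c.Path)\$($c.Name)"; State = $value }
}

# Services: dmwappushservice is from the thread, DiagTrack is assumed by this example.
foreach ($name in 'DiagTrack', 'dmwappushservice') {
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.State), start mode $($svc.StartMode)" } else { '<not installed>' }
    $report += [pscustomobject]@{ Kind = 'Service'; Item = $name; State = $state }
}

# Scheduled tasks from the first post; wildcards because the post may abbreviate names.
$patterns = 'Consolidator*', 'KernelCeip*', 'UsbCeip*', 'ProgramDataUpdater*',
            'Microsoft Compatibility Appraiser*'
$allTasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue)
foreach ($p in $patterns) {
    $hits = @($allTasks | Where-Object { $_.TaskName -like $p })
    if ($hits.Count -eq 0) {
        $report += [pscustomobject]@{ Kind = 'Task'; Item = $p; State = '<not found>' }
    }
    foreach ($t in $hits) {
        $report += [pscustomobject]@{ Kind = 'Task'; Item = "$($t.TaskPath)$($t.TaskName)"; State = $t.State }
    }
}

# Packages DISM still lists whose names mention DiagTrack or Telemetry.
$packages = @(Get-WindowsPackage -Online -ErrorAction SilentlyContinue |
    Where-Object { $_.PackageName -match 'DiagTrack|Telemetry' })
foreach ($pkg in $packages) {
    $report += [pscustomobject]@{ Kind = 'Package'; Item = $pkg.PackageName; State = $pkg.PackageState }
}

$report | Format-Table -AutoSize -Wrap
```

Running it before and after each change shows which individual pieces actually changed state, which is the question the earlier posts could not answer by toggling settings one at a time.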
Let's put the brakes on for a second and think, in an abstract way: what if MS is testing everyone to see how people react to the telemetry stuff (NSA software practically installed on your personal computer) before the 29th? It seems to me that they are not saying build 10240 is RTM or not because they are testing the masses (sheeple) to see whether or not telemetry will be socially accepted. Yes, I'm aware that Windows 10 is now SaaS and RTM means something a lot different today than it did in the Windows 7 days, but please understand the context I'm using the aforementioned argument in. MS are playing their hand, holding their cards very close to the vest -- they can surreptitiously remove the telemetry malware after the 29th if there's a big outcry. When I say surreptitious, I don't mean for them to remove it and not have people notice. I mean they can follow one of two plans, and if it's plan B (to remove it), they don't tell the public anything. They will just stick to the script, which is that it was bound to be removed anyway, just like "everybody" speculated. Even though there were/are a handful in the public who bet on telemetry staying. They don't have to if there isn't. Microsoft has tried to condition their more tech-savvy market, the ones aware it's there, into believing that what they (MS) are doing should be accepted. Just like, "Hey, my Samsung T.V. spies on me and that should be accepted!" The non-tech-savvy people don't even know it's there, so no conditioning needed. As for my opinion? Here it is: Microsoft is a private company and legally they should be able to do whatever they want with their operating system. This means that I disagree with the U.S. Justice Department suing MS for making Internet Explorer part of Windows. I disagree with that business practice and think it was wrong, but Microsoft owns the product and they should not have been sued. It's like free speech.
Anyhow, it looks like I probably won't be using Windows 10 a whole lot -- I don't like being spied on or having that ability even there. Think about getting hacked, and a hacker turning telemetry on and having that data go to them! No thanks! I'm sticking with openSUSE Tumbleweed. Microsoft doesn't fool me.
Will removing this package remove the telemetry stuff completely?
Code:
Microsoft-OneCore-AllowTelemetry-Reduced-Default-Package~31bf3856ad364e35~x86~~10.0.10240.16384