A lot of those addresses I remember from our initial scanning. He likely is copying info that we initially collected here on MDL. IIRC it was abbodi who compiled that list earlier in this thread or in the Smorgan thread.
Thank you guys! Here there is always some small network traffic, but after also disabling the "DNS Client" after a minute all goes quiet.
I made my own observation: as soon as I did a clean install I installed X-netstat and noticed 2 instances of explorer.exe connected on port 443, so I copied both IP's and I blocked them with the windows command line, for example route ADD insertmicrosoftiphere MASK 255.255.255.255 192.168.1.208. As soon as you block both IP's, when you open up your browser you get "Cannot Find Server"; your internet only starts working when explorer.exe finds 2 new IP's that are not blocked! So it looks like Microsoft has coded explorer.exe to stop your internet working when you block both IP's explorer.exe is connected to. Maybe someone can edit explorer.exe and make a clean version of it, at least so we can block it from connecting to Microsoft without it breaking your Internet. Lots of IP's between the range 157.55 and 157.56, may as well block 157.55.0.0 - 157.56.255.255.
Why are you interested about explorer.exe? It's unlikely that the data upload to MS works through that.
In my Pro I set HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener\Start to 0, then reboot, then delete C:\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl (not busy now) and it never appears again. Deleting 2 services is another story; I focused on eliminating the unneeded, frequent disk writes into the AutoLogger-Diagtrack-Listener.etl log. M$ can add GUIDs (i.e. hooks) in this key every time, so I don't see benefits of setting Enable for each one of them to 0.
Weird, in my case (both in Pro and Enterprise), that Start value gets reset to 1 and the file is recreated on boot.
I have a similar situation with Enterprise installed to a VM. I've never seen the actual file in the VM, but I can confirm that not just the Start value, but the entire key, all its values, all subkeys, and subsequent values of said subkeys change back. Their ownership also gets reverted upon reboot if one tries to take ownership of any amount of those keys. How did you set Start to 0 and make it stay 0 Ache?

Downloaded and ran it in my Enterprise VM. This was the log it saved to the desktop.
Code:
Starting: 8/4/2015 3:07:19 PM.
-------------------------------
Product Name: Windows 10 Enterprise
Build: 10240.16384.amd64fre.th1.150709-1700
-------------------------------
=====================================
-------------------------------
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
-------------------------------
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
-------------------------------
[SC] DeleteService SUCCESS
-------------------------------
Disable feedback
-------------------------------
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
-------------------------------
Add hosts MS
-------------------------------
Start powershell | args: -command "Get-AppxPackage *solit* | Remove-AppxPackage"
-------------------------------
Remove-AppxPackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor. (Exception from HRESULT: 0x80073CFA)
error 0x80070032: AppX Deployment Remove operation on package Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy from: C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy failed. This app is part of Windows and cannot be uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows Features on or off. However, it may not be possible to uninstall the app.
NOTE: For additional information, look for [ActivityId] cad5c44b-cbd2-0000-c4d1-d5cad2cbd001 in the Event Log or use the command line Get-AppxLog -ActivityID cad5c44b-cbd2-0000-c4d1-d5cad2cbd001
At line:1 char:26
+ Get-AppxPackage *xbox* | Remove-AppxPackage
+                          ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Microsoft.XboxG...l_cw5n1h2txyewy:String) [Remove-AppxPackage], IOException
    + FullyQualifiedErrorId : DeploymentError,Microsoft.Windows.Appx.PackageManager.Commands.RemoveAppxPackageCommand

Remove-AppxPackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor. (Exception from HRESULT: 0x80073CFA)
error 0x80070032: AppX Deployment Remove operation on package Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy from: C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy failed. This app is part of Windows and cannot be uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows Features on or off. However, it may not be possible to uninstall the app.
NOTE: For additional information, look for [ActivityId] cad5c44b-cbd2-0001-10cf-d5cad2cbd001 in the Event Log or use the command line Get-AppxLog -ActivityID cad5c44b-cbd2-0001-10cf-d5cad2cbd001
At line:1 char:26
+ Get-AppxPackage *xbox* | Remove-AppxPackage
+                          ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Microsoft.XboxI...l_cw5n1h2txyewy:String) [Remove-AppxPackage], IOException
    + FullyQualifiedErrorId : DeploymentError,Microsoft.Windows.Appx.PackageManager.Commands.RemoveAppxPackageCommand
-------------------------------
Start powershell | args: -command "Get-AppxPackage *communi* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *alarms* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *people* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *phone* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *3d* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *camera* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *bing* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *zune* | Remove-AppxPackage"
-------------------------------
Start powershell | args: -command "Get-AppxPackage *soundrec* | Remove-AppxPackage"
-------------------------------
Start cmd | args: /c taskkill /f /im OneDrive.exe > NUL 2>&1
-------------------------------
Start cmd | args: /c ping 127.0.0.1 -n 5 > NUL 2>&1
-------------------------------
Start C:\Windows\SysWOW64\OneDriveSetup.exe | args: /uninstall
-------------------------------
Start cmd | args: /c ping 127.0.0.1 -n 5 > NUL 2>&1
-------------------------------
Start cmd | args: /c rd "%USERPROFILE%\OneDrive" /Q /S > NUL 2>&1
-------------------------------
Start cmd | args: /c rd "C:\OneDriveTemp" /Q /S > NUL 2>&1
-------------------------------
Start cmd | args: /c rd "%LOCALAPPDATA%\Microsoft\OneDrive" /Q /S > NUL 2>&1
-------------------------------
Start cmd | args: /c rd "%PROGRAMDATA%\Microsoft OneDrive" /Q /S > NUL 2>&1
-------------------------------
Start cmd | args: /c REG DELETE "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f > NUL 2>&1
-------------------------------
Start cmd | args: /c REG DELETE "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f > NUL 2>&1
-------------------------------
Disable-ScheduledTask : A positional parameter cannot be found that accepts argument 'Improvement'.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Customer Experienc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ) [Disable-ScheduledTask], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-ScheduledTask
-------------------------------
Disable-ScheduledTask : A positional parameter cannot be found that accepts argument 'Improvement'.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Customer Experienc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ) [Disable-ScheduledTask], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-ScheduledTask
-------------------------------
Disable-ScheduledTask : A positional parameter cannot be found that accepts argument 'Diagnostics\AnalyzeSystem'.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Power Efficiency D ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ) [Disable-ScheduledTask], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-ScheduledTask
-------------------------------
TaskPath                          TaskName                  State
--------                          --------                  -----
\Microsoft\Windows\Shell\         FamilySafetyMonitor       Disabled
-------------------------------
TaskPath                          TaskName                  State
--------                          --------                  -----
\Microsoft\Windows\Shell\         FamilySafetyRefresh       Disabled
-------------------------------
Disable-ScheduledTask : The filename, directory name, or volume label syntax is incorrect.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Application Experi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Disable-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x8007007b,Disable-ScheduledTask
-------------------------------
Disable-ScheduledTask : The filename, directory name, or volume label syntax is incorrect.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Application Experi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Disable-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x8007007b,Disable-ScheduledTask
-------------------------------
Disable-ScheduledTask : The filename, directory name, or volume label syntax is incorrect.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Application Experi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Disable-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x8007007b,Disable-ScheduledTask
-------------------------------
TaskPath                          TaskName                  State
--------                          --------                  -----
\Microsoft\Windows\Autochk\       Proxy                     Disabled
-------------------------------
Disable-ScheduledTask : A positional parameter cannot be found that accepts argument 'Improvement'.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Customer Experienc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ) [Disable-ScheduledTask], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-ScheduledTask
-------------------------------
Disable-ScheduledTask : A positional parameter cannot be found that accepts argument 'Improvement'.
At line:1 char:1
+ Disable-ScheduledTask -TaskName \Microsoft\Windows\Customer Experienc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ) [Disable-ScheduledTask], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Disable-ScheduledTask
-------------------------------
I disable the 2 services mentioned in the topic start first, perhaps it plays a role. "Start" is editable with Administrator elevated permissions.
I just find it suspicious that they choose a file that is absolutely system critical and it aggressively shuts your Internet off if you dare to block the IP's and your Internet only works again when it connects to unblocked IP's.
I deleted the two services (dmwappushsvc and diagtrack) mentioned in the OP, but the registry keys still revert themselves.
Do you use "Run as administrator" for regedit (or cmd reg)? I have no other ideas why it stays as 0 for me after the change. You can try to temporarily disable write permissions for this key for SYSTEM or EventLog and see if it changes anything.
I took the code from the OP:
Code:
sc delete dmwappushsvc
sc delete diagtrack
put that in a .cmd file and ran it as administrator.
Yep, correct. Seems indeed to work and even survived a reboot. Any other services to mention? Vanilla Win 10 Pro:
Code:
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>sc query dmwappushservice

SERVICE_NAME: dmwappushservice
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\system32>sc query diagtrack

SERVICE_NAME: diagtrack
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\system32>
After running:
Code:
sc delete dmwappushservice
sc delete diagtrack
Followed by a reboot:
Code:
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>sc query dmwappushservice
[SC] EnumQueryServicesStatus:OpenService FEHLER 1060:
Der angegebene Dienst ist kein installierter Dienst.

C:\Windows\system32>sc query diagtrack
[SC] EnumQueryServicesStatus:OpenService FEHLER 1060:
Der angegebene Dienst ist kein installierter Dienst.

C:\Windows\system32>
I deleted the two services in my Enterprise VM and the Start value and all the subkeys I had deleted still came back on restart. So as a last resort I deleted the entire AutoLogger-Diagtrack-Listener key and nothing comes back anymore.
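Since several posts above report the Start value, the key's ownership, the services and the .etl file coming back after a reboot, the following script checks all of them in one pass so a revert is visible at once. It is an added example, not a script from the thread; it assumes an elevated PowerShell prompt and uses the key and file paths quoted earlier in the thread.

```powershell
# Added example, not code from the thread: audit whether the AutoLogger key,
# the two services and the .etl file are still in the intended state, so a
# revert on reboot (as reported in the thread) shows up immediately.
# Assumes an elevated PowerShell prompt; paths are the ones quoted in the thread.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener'
$EtlPath  = 'C:\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'
$Services = @('diagtrack', 'dmwappushservice')

function New-Finding([string]$Check, [string]$State, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; State = $State; Ok = $Ok }
}

$findings = @()

# 1. The AutoLogger key: deleted entirely, or present with Start=0?
#    The owner is recorded too, since ownership was reported to revert as well.
if (Test-Path -Path $KeyPath) {
    $start = (Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction SilentlyContinue).Start
    $owner = (Get-Acl -Path $KeyPath).Owner
    $findings += New-Finding 'AutoLogger key' "present, Start=$start, owner=$owner" ($start -eq 0)
} else {
    $findings += New-Finding 'AutoLogger key' 'deleted' $true
}

# 2. The services removed with "sc delete": are they still registered?
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += New-Finding "service $name" "$($svc.Status), StartType=$($svc.StartType)" $false
    } else {
        $findings += New-Finding "service $name" 'not installed' $true
    }
}

# 3. The trace file the AutoLogger recreates on boot.
$etlPresent = Test-Path -Path $EtlPath
$findings += New-Finding 'ETL log file' $(if ($etlPresent) { 'present' } else { 'absent' }) (-not $etlPresent)

$findings | Format-Table -AutoSize
if ($findings.Ok -contains $false) {
    Write-Warning 'At least one change reverted; re-check after the next reboot.'
}
```

Run it once after making the changes and again after each reboot; a row with Ok=False identifies exactly which item came back.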