[Guide] Way to Disable Keylogger / Telemetry v3.55

Discussion in 'Windows 10' started by LiteOS, Oct 9, 2014.

Thread Status:
Not open for further replies.
  1. cuteee

    cuteee MDL Guru

    Oct 13, 2012
    5,760
    997
    180
    #741 cuteee, Aug 8, 2015
    Last edited: Aug 8, 2015
    1. Which program do you use that shows this screenshot?
    2. Where did you find this registry tweak to disable explorer.exe connecting to the internet? Interesting to know.
    3. After enabling this tweak, will access to This PC (File Explorer) be faster?
     
  2. Garbellano

    Garbellano MDL Addicted

    Aug 13, 2012
    947
    248
    30
    That's for checking certificates.

    @cuteee, lol?
     
  3. LiteOS

    LiteOS Windowizer

    Mar 7, 2014
    2,343
    1,048
    90
    Almost every part of the OS is sending data.

    Need to make rules to block it without interfering with the browser.
     
  4. karateca

    karateca MDL Junior Member

    Aug 5, 2009
    62
    2
    0
    For that it is free; if you don't like it, just use another system.
     
  5. chris34

    chris34 MDL Member

    Oct 28, 2009
    188
    49
    10
    Checking certificates needs a permanent connection to search.msn.com now?
     
  6. neville2

    neville2 MDL Novice

    Oct 13, 2009
    7
    0
    0
    But Tinywall is a "friendly" front end for the Windows built-in firewall.
     
  7. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10

    Too "friendly"; if I remember correctly: no associated services, no apppkgid, rudimentary rules.
     
  8. cuteee

    cuteee MDL Guru

    Oct 13, 2012
    5,760
    997
    180
    #748 cuteee, Aug 9, 2015
    Last edited by a moderator: Apr 20, 2017
    Is it necessary to run this tweak?
     
  9. slayer9450

    slayer9450 MDL Member

    Aug 3, 2015
    211
    87
    10
    Explorer.exe has no business connecting to the public internet. I would consider it necessary.
     
  10. cuteee

    cuteee MDL Guru

    Oct 13, 2012
    5,760
    997
    180
    Maybe it's not public internet ?
     
  11. Laszlo

    Laszlo MDL Novice

    Aug 22, 2009
    11
    4
    0
    I don't seem to have the msnbot connections; then again, I have disabled quite a lot of the features and services found in Windows 10.

    With regard to certificate checking, this is pretty much spot on. Basically, whenever you launch a signed executable, for example when installing a new application, explorer will check the validity of the certificate used to sign the file. You can check this using something like tcpdump or Wireshark.

    If you use a firewall, you could choose to allow explorer.exe access to a limited range of IP addresses, simply for the certificate validation process, and otherwise just block it.

    On the subject of firewalls, if you want a front end for Windows Firewall, I'd suggest Windows Firewall Control, which can be found at binisoft.org (support thread at Wilders). In my opinion it's better than Tinyfirewall, which uses some 'funky' naming when creating rules.
     
  12. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
    Everything you need to get to know the behavior of your OS, Windows has by itself; you will not find better third-party software for this work.
    For example, the discussion on this thread: to better protect your privacy you have to know what compromises your privacy. You have to analyze the behavior of each
    application and, according to the results, apply certain rules. One of the best ways is to enable the Detailed Tracking security policy settings and audit events from within Windows. hxxps://technet.microsoft.com/en-us/library/dd772743(v=ws.10).aspx, hxxps://technet.microsoft.com/en-us/library/cc755264.aspx

    Since it is quite complicated for the average user, it would satisfy you to follow established and blocked connections by enabling auditpol set subcategory:"Filtering Platform Connection" (hxxps://msdn.microsoft.com/en-us/library/windows/desktop/bb309058(v=vs.85).aspx) and tracking it all the way with an Event Viewer custom view.
    According to the results and, of course, your wishes, make perfect outgoing-connection block rules with the Windows built-in firewall.
     
  13. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    That's kind of a roundabout way of doing it. We just use network monitoring stuff like Wireshark.
    What you're suggesting is more of a way of evaluating what you're already blocking via firewall disallow.
     
  14. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
    #754 shewolf, Aug 9, 2015
    Last edited by a moderator: Apr 20, 2017
    To discuss, you need to know:
    - to generate a firewall packet log, enter these two commands in an admin cmd


    auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable


    - now create these two Event Viewer custom views (faster way)


    Allowed Connection custom event


    Code:
    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Security</Channel><EventId>5156</EventId><Level>4,0</Level><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams>
    <QueryNode><Name>Allowed Connection</Name><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(Level=4 or Level=0) and (EventID=5156)]]</Select></Query></QueryList></QueryNode></QueryConfig>
    <ResultsConfig><Columns>
    <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">280</Column>
    <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
    <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">330</Column>
    <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">240</Column>
    <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">240</Column>
    <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">241</Column>
    <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
    <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
    <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
    <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
    <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
    <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
    <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
    <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
    <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
    <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
    <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
    <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
    <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
    <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns></ResultsConfig></ViewerConfig>

    - save as Allowed Connection.xml


    Blocked Connection custom event


    Code:
    <ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Security</Channel><EventId>5157</EventId><Level>4,0</Level><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams>
    <QueryNode><Name>Blocked Connection</Name><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(Level=4 or Level=0) and (EventID=5157)]]</Select></Query></QueryList></QueryNode></QueryConfig>
    <ResultsConfig><Columns>
    <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
    <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
    <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
    <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
    <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
    <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">252</Column>
    <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
    <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
    <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
    <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
    <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
    <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
    <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
    <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
    <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
    <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
    <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
    <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
    <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
    <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns></ResultsConfig></ViewerConfig>

    - save as Blocked Connection.xml


    - go Start -> Search, type Event Viewer, open Event Viewer, click on Custom Views; on the right side you have Import Custom View...
    - import Allowed Connection.xml and Blocked Connection.xml




    I wish you a nice day.. :rolleyes:


    to disable auditpol run

    auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
     
  15. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    I guess maybe I just don't understand it?
    It's a lot of information and I don't understand the use.
    Does it give us a list of connections the system is making?
    Because that would be helpful.
     
  16. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
    #756 shewolf, Aug 9, 2015
    Last edited: Aug 9, 2015
    Yes, all allowed and blocked connections.
     
  17. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    Could you give me a small example of what to run, where to find the files, and how to read the various IP addresses the system connects to?
     
  18. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
    --doubting ...:D
     
  19. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,093
    24,397
    340
    Would be nice to have a way to pipe that info to a log :g:.
     
  20. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,419
    11,688
    240
    Hmm, it's an XML file. We could probably parse it for the lines that show IPs and then pipe them to a new txt file.
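One way to do what murphy78 suggests, and to get shewolf's 5156/5157 audit data into a file as s1ave77 asked for: an added PowerShell example (not code from the thread) that reads the Security events Windows writes once the two auditpol commands above are enabled, resolves the direction and protocol codes, and exports the remote endpoints per application to CSV. The output path, the one-hour window and the loopback/link-local filter are assumptions; the shell must run elevated to read the Security log.

```powershell
# Added example: export WFP allow/block events (5156 = permitted, 5157 = blocked) to CSV.
# Assumes "Filtering Platform Connection" / "Packet Drop" auditing is enabled (see auditpol above)
# and that this runs from an elevated PowerShell (reading the Security log needs admin).
param(
    [int]$Hours = 1,                                                    # assumed lookback window
    [string]$OutFile = "$env:USERPROFILE\Desktop\wfp-connections.csv"  # assumed output path
)

# Direction and protocol come through the raw event XML as codes, not as the text Event Viewer shows.
$direction = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocol  = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

$filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = (Get-Date).AddHours(-$Hours) }

# Get-WinEvent throws "No events were found" if auditing is off or nothing matched; let that surface.
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }   # Name -> value map
    $proto = [int]$d['Protocol']
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Verdict     = if ($_.Id -eq 5156) { 'Allowed' } else { 'Blocked' }
        Direction   = $direction[$d['Direction']]
        Application = $d['Application']   # device path, e.g. \device\harddiskvolume2\windows\explorer.exe
        ProcessId   = $d['ProcessID']
        Protocol    = if ($protocol.ContainsKey($proto)) { $protocol[$proto] } else { $proto }
        Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
        Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
    }
}

# Drop loopback and link-local traffic so the real remote endpoints stand out.
$remote = $rows | Where-Object { $_.Destination -notmatch '^(127\.|::1|fe80:)' }

$remote | Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary: which application talked to which destination, how often, and whether it got through.
$remote | Group-Object Application, Destination, Verdict |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The CSV is the same data shewolf's two custom views display, just flattened so it can be sorted or diffed against an allow list of expected destinations.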