permanent way to disable explorer.exe from creating watermarks?

Discussion in 'Windows 10' started by grim3271, Aug 5, 2017.

  1. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    Basically I've used Windows Toolkit to activate Windows, but then while removing its botnet I eventually entirely disabled the Windows Activation service and blocked all Windows update domains in my hosts file after editing dnsapi.dll to remove the domain whitelist.

    Doing this causes the "Activate Windows" watermark to appear, even though I'm "activated" and I've found some registry edits on the internet that cause it to disappear on every relog and reappear like every couple hours I leave the OS running. Restarting removes it.

    It's drawn by explorer.exe, killing explorer.exe removes it, but once it starts back there is no delay before it draws it again. I don't know the difference between restarting and killing the process from the prespective of explorer.exe but there is a difference.

    Can anyone tell me how I can force explorer.exe to NOT draw it, and possibly, tell me how I can stop the process that makes explorer.exe draw it in the first place?

    The service I disabled that caused this issue to transpire is sppsvc, and I'd rather never start it again on my computer.

    Thanks for the help in advance.
     
  2. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    So far, using Process Hacker I've discovered that explorer.exe loads both slc.dll and sppc.dll the latter which always has a running thread in explorer.exe. Every time I tried to remove either Windows started up with a black screen. So far I've not figured out how to make explorer.exe start without them or if they even cause the watermark to appear, all I know is that they're dlls related to activation.

    Does anyone know how to remove them or make them unused?
     
  3. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,354
    2,026
    210
    You are totally hacking the activation. Definitely not recommended!
     
  4. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    why are you so sarcastic lmao, googling didn't help and I'm fairly ignorant about how Windows works so I'm just trying whatever I can
     
  5. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,354
    2,026
    210
    Sarcastic? Not in that case (believe me), just gave you my advice (which you can of course ignore!)
     
  6. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    The reason I'm doing this is because I want a computer that is completely silent on the network until I initiate programs myself. Windows 10 is built to do the direct opposite of that, and even though I'm using Windows Firewall set to the strictest settings I still don't trust it to really block all the requests Microsoft uses to spy on you. I consider the "sppsvc" service to violate my privacy since it always tries to contact Microsoft and uses my processor cycles in a way I don't want them to be used in. Having activation components active in my Windows is useless anyways since it's stolen, I can't even buy it legitimately because it's the Enterprise LTSB edition (AFAIK, the Windows edition with the least spying) not that I would since Microsoft is a company that doesn't respect the user anyways.

    I would consider removing the activation components "recommended" since it gives the user more control over his computer. AFAIK RemoveWAT did this, but it's not made for Windows 10 and since I don't have a list of what it does if it breaks Windows then I can't revert it.

    Thanks for your opinion though.
     
  7. dhjohns

    dhjohns MDL Guru

    Sep 5, 2013
    3,262
    1,731
    120
    Spying implies malicious intent without knowledge of the party involved. Since there is no malicious intent from Microsoft, and all communication is done with the consent of the person installing the software it is not spying.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    Yes, apparently you consent to all the network connections that are made even after you explicity tell it in the settings not to make when you install Windows in the first place, but I still consider any and all collection of information anonymized or not as "Spying"

    By that logic, telemetry, updates, activation, diagnostics and a lot of other Windows services are all spying on you, and that's why I choose not only to turn them off, but to delete them and pull them out by the roots so they can't re-enable themselves again as they're known to do.

    But again, this thread is not dedicated to the philosophy behind what you should consider spying or not, rather just the removal of a function in explorer.exe
     
  9. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    After many observations, I have strong reason to believe that the watermark is drawn after exactly 3 hours and 5 minutes of run-time, I have set up a task to forcefully kill explorer.exe and restart it, but that did literally nothing, as 5 minutes after the freshly-restarted process had started it came up again.

    Killing explorer.exe dwm, and literally every other process I can terminate without killing my display did not remove it. It appeared instantly as soon as explorer.exe started.

    Since a restart removes it this leads me to believe it's in one of the sensitive processes (with low PIDs) or that a file change is made and is reset when Windows shuts down?

    At this point I'm just wondering if the exact string "Activate Windows" is stored in unicode somewhere where I can HEX edit it into spaces or invisible characters?

    One thing to note is that explorer.exe's memory usage increased by approximately 11mb when the watermark appeared.

    Anyone know where Windows could store such strings?
     
  10. endbase

    endbase MDL Guru

    Aug 12, 2012
    4,667
    1,708
    150
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
  12. tracit99

    tracit99 MDL Senior Member

    Oct 17, 2014
    278
    105
    10
    Have you considered Universal Watermark Remover utility? I used to use it quite often, but I have not used it in a long time. I am not sure if it still works, but if all you want to do is to remove the watermark from Windows 10 Desktop it might be worth try.
     
  13. tfwmdl

    tfwmdl MDL Novice

    Feb 18, 2010
    14
    2
    0
    Don't see the point in hacking the executables, since they are digitally signed and modifying 1 byte will essentially stop it from running. Using host files won't stop Windows sending telemetry data to MS since the IPs are hardcoded in one of the DLLs.
     
  14. grim3271

    grim3271 MDL Novice

    Aug 13, 2015
    12
    1
    0
    I've used a resource extractor to see what sort of images are inside explorer.exe, the activation .dlls and a bunch of other s**t, so far no dice, only found random icons.
    However, I found a "Watermark" entry in the registry that had "Timestamp" in it with some value. I wrote FF's over the current value and saved. I've yet to see if this might change anything, but this entry was specified in explorer.exe.
     
  15. Hadron-Curious

    Hadron-Curious MDL Guru

    Jul 4, 2014
    3,730
    603
    120
    Why don't you use 'KMSAuto Net 2015 v1.3.6WIN10' to do the activation so that the watermark will go away?
     
  16. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    4,071
    4,651
    150
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...