I've learned quite a lot from this community so I thought I would give back by sharing an experience I had recently with Windows 10. I'm on a private network and this still managed to defeat me for months, so I'm guessing there was some nearby activity involved as well.

The biggest signs that confirmed it was an attack were:

- LOUD fan / high fan RPM when idle on the machine.
- Warning from Windows DEP that svchost.exe was trying to be maliciously modified
- Mouse lagging / video+audio lag when streaming
- Services with suspicious permissions when investigated in regedit
- Services that just wouldn't die that are needed for the RAT to work (RemoteAccess / VirtualWifi / Distributed Link Coordinator, Bluetooth networking, OneSync/Setting Sync, ConnectedDevicesPlatform...)
- Devices installing on their own even with Windows Update, Update Orchestrator Service, Windows Update Medic service disabled
- Websites redirecting to phishing versions of the site - Gmail was the most obvious

There's a longer list I can go through but that was the gist of it.

Luckily, a month or so in I found this site confirming my suspicions (I can't post link due to post limit - google "Harden Windows 10 - A Security Guide"). Lo and behold, after following his very detailed instructions, it slowed down the attack to the point where I could actually make some progress. Best $10 I ever spent (not affiliated with that site's author - just super happy with results after wanting to bash my head with frustration. He also posts all the instructions WITHOUT having to pay, the donation just provides you with GPO Baselines and Batch Scripts to take care of the work quickly if needed)

After documenting the services that would turn themselves on automatically, I was able to determine the madness behind the attack.
- Bluetooth confirming it was a local attack in addition to internet based
- VirtualWifi being killed in Wlansvc regedit increased internet responsiveness in addition to using SimpleDNSCrypt to obfuscate traffic entries.
- Blocking Internet Explorer/Edge/Microsoft.Photos/MobSync with secpol.msc using control+f10 on language selection after install completes on first setup screen increased responsiveness
- Blocking DHCP service/Workstation/Server/Distributed Transaction/TabletTouch using services.msc during installation in the "Installing Services" screen helped responsiveness

Again, this was such an insane attack... I have no idea how Windows is so vulnerable out-of-box. I'm still working on fixes because the occasional service still auto-spawns. Digging into service permissions in HKLM\SYSTEM\CurrentControlSet\Services\ and disabling inheritance, setting myself as the Owner / removing all other users and adding the group "Everyone" set to Deny All is the only way I've found to kill them. I used to use ESET HIPS to monitor when registry values would change, but ESET ended up causing more problems since it relies on dcom, which I've learned to disable after reading the instructions I linked above.

I'm not going to try and re-explain how the instructions helped, please check out the site if curious. Lots of best practice advice for Windows 10 I was NOT familiar with. Lesson learned.

TL;DR: Windows Security GPO baselines + Software Policy Active ftw.

Bad Services list that would constantly respawn:

- AssignedAccessManager
- Bcast
- BITS
- CDPUserSvc
- CBDHsvc
- DevicesFlow
- DevicePicker
- DeviceAssociation
- DiagTrack
- UnistoreSvc_XXXX
- UsrDataSvc_XXXX
- Microsoft_Bluetooth_AVC
- NetBios
- SecLogon
- SharedRealitySvc
- SharedAccess
- Ras_ALL
- RDP_all
- RemoteAccess
- OneSyncSvc
- PlugNPlay
- PushToInstall
- PIMIndexMaintenence
- PhoneSvc
- PeerDistSvc
- TabletInputService
- SSH
- SSDP
- Ike and AuthIP IPsec Keying
- wuausvc

I can finally move on with my life... for now. Cheers and hopefully this never happens to you.
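
One way to do the kind of documenting the post describes, added here as an example that is not the poster's or the linked guide's script: a PowerShell snapshot of each entry's Start value and ImagePath under HKLM\SYSTEM\CurrentControlSet\Services, compared against a saved baseline to show which disabled services have come back. The baseline path, the parameter names and the function name Get-ServiceSnapshot are assumptions.

```powershell
# Added example: record and compare service start types (run from an elevated prompt).
param(
    [string]$BaselinePath = "$env:ProgramData\svc-baseline.json",  # assumed location
    [switch]$Update                                                 # overwrite the baseline
)
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceSnapshot {
    # Name -> Start value and ImagePath for every key that has a Start value.
    $snap = @{}
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Start) { continue }
        $snap[$key.PSChildName] = [pscustomobject]@{
            Start = [int]$p.Start; ImagePath = [string]$p.ImagePath
        }
    }
    $snap
}

$current = Get-ServiceSnapshot
if ($Update -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written ($($current.Count) entries): $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$changes = foreach ($name in ($current.Keys | Sort-Object)) {
    $new  = $current[$name]
    $prop = $baseline.PSObject.Properties[$name]
    if ($null -eq $prop) {
        [pscustomobject]@{ Service = $name; Change = 'New entry'; Was = ''; Now = $startNames[$new.Start] }
        continue
    }
    $old = $prop.Value
    if ([int]$old.Start -ne $new.Start) {
        # A Disabled entry that has come back is the case the post describes.
        $kind = if ([int]$old.Start -eq 4) { 'Re-enabled' } else { 'Start changed' }
        [pscustomobject]@{ Service = $name; Change = $kind
                           Was = $startNames[[int]$old.Start]; Now = $startNames[$new.Start] }
    }
    if ([string]$old.ImagePath -ne $new.ImagePath) {
        [pscustomobject]@{ Service = $name; Change = 'ImagePath changed'
                           Was = [string]$old.ImagePath; Now = $new.ImagePath }
    }
}
if ($changes) { $changes | Format-Table -AutoSize -Wrap } else { Write-Host 'No changes since baseline.' }
```

Run it once to write the baseline, then again after a reboot or a Windows update. Per-user services such as the `_XXXX` entries in the list above are created with a new suffix at each sign-in, so they appear as new entries rather than as re-enabled ones.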