• Care to join a Win7 snooping test?


    • #21368

    [Edit by MrBrian on May 21, 2017: The subject of this topic is telemetry that Microsoft added after Windows 7 was released. Additional research can be found in the comments. Also see AskWoody Knowledge Base article 2952664: Telemetry in Win7/8.1 – KB2952664, KB2977759, KB2976978, & KB3150513.]

    This from MrBrian: I am conducting Windows telemetry technical tests similar to Ed Bott’s tests [See the full post at: Care to join a Win7 snooping test?]

    • #21369

      I don’t seem to have a svchost(utcsvc) process. There are lots of svchost processes but not utcsvc. Any ideas?

    • #21370

      Interested in doing this, but I don’t have “svchost.exe (utcsvc)” – in resource monitor.

    • #21371

      For those of you interested in whether the Diagnostics Tracking Service is sending data to Microsoft, you can use Process Monitor’s menu item Tools->Network Summary to summarize network activities. Don’t press the Filter button in that window though unless you want to add another “Include” filter to the output.

    • #21372

      For those of you who are not finding “svchost.exe (utcsvc)” in Resource Monitor, you either might not have the Diagnostics Tracking Service on your system, or it might be disabled. Check which services are on your system by following steps 1 to 3 of “Option One” at either http://www.sevenforums.com/tutorials/2495-services-start-disable.html (for Windows 7) or http://www.eightforums.com/tutorials/12411-services-start-stop-disable-windows-8-a.html (for Windows 8.1).

      Note: in Windows 10 the Diagnostics Tracking Service was renamed to Connected User Experiences and Telemetry in version 1511.

      Some alternatives to using Resource Monitor for doing this: “What Is svchost.exe and Why Is It Running?” (http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/).

    • #21375

      Here are my results from my first batch of tests. I used two computers.

      Computer 1 is a real computer running Windows 7 x64. Computer 1’s missing Windows updates by category are:
      a) Important: 0
      b) Recommended: the 5 missing are .NET Framework 4.6.1, KB2952664, KB3021917, KB3068708, KB3080149
      c) Optional: 9 missing (not including Language Packs)

      Computer 2 is a VirtualBox virtual machine running Windows 7 x64. Computer 2’s missing Windows updates by category are:
      a) Important: Many security updates, October 2016 .NET Framework 3.5.1 Monthly Rollup, KB971033
      b) Recommended: 14 missing
      c) Optional: 7 missing (not including Language Packs)

      Computer 2 does have these Windows updates of interest installed: KB2952664, KB3021917, KB3068708, KB3080149, November monthly rollup.

      Test 1
      ——
      Used Computer 2 with operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 25 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. There was one period of time in which various data was read from the system, read or saved to 4 files in C:\ProgramData\Microsoft\Diagnosis (read 163,840 bytes, wrote 53,248 bytes), and data exchanged with Microsoft IP address 64.4.54.254 (sent 4,039 bytes, received 4,154 bytes).

      Test 2
      ——
      Used Computer 2 with operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 20 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. There were 2 periods of time in which various data was read from the system, read or saved to 4 files in C:\ProgramData\Microsoft\Diagnosis (read 196,608 bytes, wrote 77,824 bytes), and data exchanged with Microsoft IP address 64.4.54.254 (sent 4,638 bytes, received 8,308 bytes).

      Test 3
      ——
      Used Computer 1 with operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 25 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. No networking activity. No other interesting activities.

      Test 4
      ——
      Used Computer 1 with operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 24 hours.
      Results: same as in Test 3.

      Test 5
      ——
      Used Computer 2 with operating system’s Customer Experience Improvement Program setting = Yes.
      Ran Process Monitor for 3.5 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. Approximately every 15 minutes there may or may not be a period of time in which various data was read from the system, read or saved to 6 files in C:\ProgramData\Microsoft\Diagnosis (read 196,608 bytes, wrote 425,984 bytes), and data exchanged with Microsoft IP addresses 64.4.54.254 (sent 91,972 bytes, received 35,872 bytes) and 64.4.54.253 (sent 5,405 bytes, received 20,670 bytes).

      Info about IP address 64.4.54.253: http://64.4.54.253.ipaddress.com/.
      Info about IP address 64.4.54.254: http://64.4.54.254.ipaddress.com/.

      Conclusion: The operating system’s Customer Experience Improvement Program setting had a noticeable effect regarding the behavior of Diagnostics Tracking Service in my tests. However, even with Customer Experience Improvement Program setting = No, there are some conditions in which data is sent to Microsoft by Diagnostics Tracking Service; one of my computers sent data to Microsoft in both of two tests, while the other computer did not send data to Microsoft in either of two tests. What these conditions are should be further explored.

    • #21378

      Here are links with more info about telemetry. Most of these links have been posted at askwoody.com in the past, but some might not have been.

      “Is Windows 10 telemetry a threat to your personal privacy?” – http://www.zdnet.com/article/is-windows-10-telemetry-a-threat-to-your-personal-privacy/

      “Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data” – http://www.zdnet.com/article/windows-10-telemetry-secrets/

      “Windows 10 and telemetry: Time for a simple network analysis” – http://www.zdnet.com/article/windows-10-and-telemetry-time-for-a-simple-network-analysis/ (Woody’s blog post on this – https://www.askwoody.com/2016/windows-10-telemetry/)

      “The geek distrust of telemetry risks making software dumber” – http://www.zdnet.com/article/the-geek-distrust-of-telemetry-risks-making-software-dumber/

      “Telemetry insights for Windows Server 2016 and System Center 2016” – https://blogs.technet.microsoft.com/windowsserver/2016/05/06/telemetry-insights-for-windows-server-2016-and-system-center-2016/ (Woody’s blog post on this – https://www.askwoody.com/2016/windows-server-and-system-center-2016-telemetry-whitepaper/)

      “Configure Windows telemetry in your organization” – https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

      “Manage connections from Windows operating system components to Microsoft services” – https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services

      “Windows 7, Windows 8 and Windows 10 Telemetry Updates (Diagnostic Tracking)” – https://blogs.technet.microsoft.com/netro/2015/09/09/windows-7-windows-8-and-windows-10-telemetry-updates-diagnostic-tracking/

      “Windows 10 Telemetry: What we do and don’t know” – http://reviewsofblah.blogspot.com/2016/05/windows-10-telemetry-what-we-do-and.html

      “Windows telemetry privacy and trust” – https://www.microsoft.com/en-us/trustcenter/Privacy/windows-telemetry-privacy-and-trust.aspx

    • #21380

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21371.]

      You might want to give a go to Wireshark, which is the most suitable tool for monitoring network activity. Unlikely to find out what is transmitted though, as it is all encrypted as far as I know.

    • #21381

      There is also a logging feature in Process Monitor.

      Turn it on by clicking on File > Backing Files…. There will be two options: Use virtual memory (which is the default), and Use file named:.

      Click on the Browse button (the one with 3 dots) and it will take you to the folder where Process Monitor is installed. Enter a file name. It will automatically be given an extension of .PML. Click Save.

      When Process Monitor is restarted, check that File > Capture Events is checked. It will log everything within the filter criteria that has been set up (default filters are fine for now).

      Anyone with Process Monitor will be able to use it to open the .PML file and view it as if it were on their system.

    • #21382

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21369.]

      If you look in Control Panel > Administrative Tools > Services, you’ll see it listed as “Diagnostics Tracking Service”…

    • #21384

      @Woody,

      Up to now, I have not paid much attention to the nitty-gritty advice given to people in the Group A camp (since my Lenovo computer can’t be in Group A).

      Have you done any articles focusing on the steps that the Windows 7/8 “Group A” people can follow to reduce the accompanying telemetry (both old and new types) as much as possible?

      If not, I’d like to suggest this as a future topic which would be of interest to many of us.

      Of course, MrBrian’s heroic research and testing, as described in this thread, are being conducted in support of that kind of information-gathering and sharing!

      I just wondered if Woody had already published any summary guidance for *non-techies* like me on the practical measures that Group A people can take.

    • #21386

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21384.]

      I haven’t. I’ve been keeping in the back of my mind that I should take a look at Spybot Anti-Beacon, but haven’t yet taken the plunge.

    • #21388

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21384.]

      I know that there has already been some discussion around this topic in other threads, and I just ran across a section of posts here that is directly relevant:

      https://www.askwoody.com/forums/topic/the-case-for-not-updating-windows-7-ever/

      It’s just that the info is pretty scattered around, and understanding the gist of some of the comments requires knowledge that only techies would know.

      =====
      If you were to do a post about this, I would also ask for the following question to be considered:
      “Does Microsoft somehow “punish” people who don’t allow telemetry data to be sent back?”


      I remember that I looked into SpyBot Anti-Beacon a year or two ago and there was some kind of issue with it and I didn’t install it, but I don’t remember what.

    • #21389

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21380.]

      Thanks for the recommendation :).

      Somebody used Fiddler to investigate Windows 10 at https://www.reddit.com/r/Windows10/comments/3gm1e3/what_windows_10_is_actually_monitoring_regardless/.

    • #21391

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21388.]

      I haven’t seen any evidence of Microsoft punishing folks who block the snooping.

    • #21392

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21388.]

      A related article I have run across; no idea how correct it might be. Folks are probably already aware of it, but I thought I’d post it.

      “Why You Shouldn’t Use “Anti-Spying” Tools for Windows 10”
      http://www.howtogeek.com/273513/why-you-shouldnt-use-anti-spying-tools-for-windows-10/

    • #21395

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21382.]

      Well, I’m not sure I have that. I found out that it is supposed to be called “Diagnosenachverfolgungsdienst” in German, but I don’t have that either.

    • #21399

      I found a 37 page document from Microsoft titled “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields” that lists in great detail what is collected via telemetry for Microsoft’s Upgrade Analytics product. I believe this document may be of great value to us even if we don’t use Microsoft’s Upgrade Analytics product. Download the document from “Manage Windows upgrades with Upgrade Analytics” (https://technet.microsoft.com/en-us/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics). This document also contains a Microsoft email address for asking telemetry-related questions.

      “Get started with Upgrade Analytics” (https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started) lists which Windows updates are needed for this product to collect telemetry data. They will look familiar to some of you ;).

      A video that introduces Upgrade Analytics: https://www.youtube.com/watch?v=h7mCoTQK1aw.

      • #106661

        A newer version of document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields” was released in March 2017.

        [It’s available here. – WL]

    • #21402

      This batch of tests looks into conditions under which data is sent by Diagnostics Tracking Service to Microsoft when operating system’s Customer Experience Improvement Program setting = No.

      Test 6
      ——
      Used Computer 2 but without “bad” updates KB2952664, KB3021917, KB3068708, or KB3080149 installed. Operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 19 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. No networking activity. No other interesting activities.

      Test 7
      ——
      Used Computer 2 with “bad” updates KB2952664, KB3021917, KB3068708, and KB3080149 again installed. Operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 6 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. There was one period of time (around 5 hours after the test began) in which various data was read from the system, read or saved to 4 files in C:\ProgramData\Microsoft\Diagnosis (read 0 bytes, wrote 20,480 bytes), and data exchanged with Microsoft IP address 64.4.54.254 (sent 1,923 bytes, received 4,154 bytes) and Akamai Technologies IP address 23.10.240.168 (sent 165 bytes, received 1,595 bytes).

      Test 8
      ——
      Used Computer 1. Operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 35 hours.
      Results: Approximately every 30 minutes there is a setting of various registry values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack. No networking activity. No other interesting activities.

      Conclusion: In every one of my tests thus far, computers with “bad” updates KB2952664, KB3021917, KB3068708, and KB3080149 installed have experienced at least one episode of data being sent by Diagnostics Tracking Service to Microsoft when operating system’s Customer Experience Improvement Program setting = No. In every one of my tests thus far, computers without “bad” updates KB2952664, KB3021917, KB3068708, or KB3080149 installed have experienced no episodes of data being sent by Diagnostics Tracking Service to Microsoft when operating system’s Customer Experience Improvement Program setting = No. You can decide how far these results generalize.

    • #21403

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21402.]

      Interesting. I wonder what in the Sam Hill is getting transmitted….

    • #21404

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21402.]

      In a later post I might try to summarize what’s being read from the system by Diagnostics Tracking Service just before data is sent to Microsoft. A potentially innocent explanation is that this could be a “Connectivity Heartbeat” transmission mentioned in Microsoft document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields”:
      “TelClientSynthetic.ConnectivityHeartBeat_0 This event is used to determine the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (for example Wi-Fi) is available, this event updates the last successful upload time. Else, it checks if a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fired when a device recovers from costed network to free network.”

    • #21405

      @MrBrian

      Maybe you should continue testing with the relevant Scheduled Tasks disabled.
      This seems to be important for those who care, as I think the functionality introduced by KB3080149 and its predecessors appears to be implemented in the monthly rollups now.
      There was a registry key mentioned too, related to WMI and autologger.
      Those extra settings seem to quiet the telemetry activity completely, regardless of the patches installed.

    • #21406

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21405.]

      Thank you for your suggestion :).

      All of the tests thus far have had November monthly rollup KB3197868 installed.

    • #21407

      This batch of tests examines the effects of the Microsoft Compatibility Appraiser task that installation of KB2952664 adds to Windows 7 x64.

      Background info: Installation of KB2952664 (the version that was current as of November 25, 2016) adds a task in Task Scheduler named Microsoft Compatibility Appraiser, located in Microsoft\Windows\Application Experience. Its actions (Actions tab) lists the following two actions:
      %windir%\system32\compattel\DiagTrackRunner.exe /UploadEtlFilesOnly
      %windir%\system32\CompatTelRunner.exe

      Note: the “EtlFiles” in “UploadEtlFilesOnly” above likely refers to ETL (Event Trace Log) files.

      Interesting info: Installation of KB2952664 (the version that was current as of November 25, 2016) also changes the action for task ProgramDataUpdater (located in Microsoft\Windows\Application Experience) from
      %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate
      to
      %windir%\system32\compattelrunner.exe -maintenance

      Task Microsoft Compatibility Appraiser is triggered to run at 3:00 AM every day. Because it’s inconvenient to wait until 3:00 AM, I manually ran Microsoft Compatibility Appraiser to test its effects.

      These tests were done using Computer 2 with these updates of interest installed: KB2952664, KB3021917, KB3068708, KB3080149, November monthly rollup (versions that were current as of November 25, 2016). Process Monitor was configured to use one “Include” filter to capture only network activity: “Event Class is network then Include”.

      Test 9
      ——
      Reverted to virtual machine snapshot.
      Operating system’s Customer Experience Improvement Program setting = No.
      Ran Process Monitor for 2 hours.
      At 45 and 100 minutes into the test, task Microsoft Compatibility Appraiser was manually run.
      Results:
      After each manual run of Microsoft Compatibility Appraiser, process compattelrunner.exe runs. The 1st run of compattelrunner.exe took about 10 minutes, while the 2nd run took a few minutes.

      Network activity for compattelrunner.exe:
      23.10.240.146 (Akamai Technologies) – sent 419 bytes, received 55,723 bytes
      23.10.240.168 (Akamai Technologies) – sent 144 bytes, received 982 bytes
      23.60.139.27 (Akamai Technologies) – sent 936 bytes, received 8,278 bytes
      23.222.196.57 (Akamai Technologies) – sent 175 bytes, received 1,083 bytes
      72.21.91.8 (Verizon Business) – sent 141 bytes, received 3,192 bytes
      104.43.139.21 (Microsoft Azure) – sent 13,172 bytes, received 41,106 bytes
      104.100.107.230 (Akamai Technologies) – sent 169 bytes, received 371 bytes
      184.29.170.99 (Akamai Technologies) – sent 169 bytes, received 371 bytes
      198.41.215.185 (CloudFlare) – sent 233 bytes, received 2,398 bytes

      Network activity for Diagnostics Tracking Service:
      23.10.240.155 (Akamai Technologies) – sent 165 bytes, received 1,595 bytes
      64.4.54.254 (Microsoft telemetry) – sent 3,750 bytes, received 8,308 bytes

      Network activity to Microsoft telemetry for Diagnostics Tracking Service by periods of activity:
      2:32 – test starts
      3:30 (13 minutes after 1st manual run of Microsoft Compatibility Appraiser was completed) – sent 2,088 bytes to Microsoft telemetry
      4:32 (23 minutes after 2nd manual run of Microsoft Compatibility Appraiser was completed) – sent 1,827 bytes to Microsoft telemetry
      4:38 – test ends

      Test 10
      ——-
      Reverted to virtual machine snapshot.
      Operating system’s Customer Experience Improvement Program setting = Yes. Rebooted.
      Ran Process Monitor for 2 hours.
      At 30 and 100 minutes into the test, task Microsoft Compatibility Appraiser was manually run.
      Results:
      After each manual run of Microsoft Compatibility Appraiser, process compattelrunner.exe runs. The 1st run of compattelrunner.exe took about 10 minutes, while the 2nd run took a few minutes.

      Network activity for compattelrunner.exe:
      23.7.233.120 (Akamai Technologies) – sent 169 bytes, received 371 bytes
      23.10.240.139 (Akamai Technologies) – sent 224 bytes, received 1,547 bytes
      23.10.240.168 (Akamai Technologies) – sent 144 bytes, received 982 bytes
      23.10.240.249 (Akamai Technologies) – sent 241 bytes, received 2,109,791 bytes
      23.60.139.27 (Akamai Technologies) – sent 936 bytes, received 8,278 bytes
      23.222.196.57 (Akamai Technologies) – sent 175 bytes, received 1,082 bytes
      64.4.54.253 (Microsoft telemetry) – sent 2,668 bytes, received 16,304 bytes
      72.21.91.8 (Verizon Business) – sent 141 bytes, received 3,192 bytes
      104.43.228.202 (Microsoft Azure) – sent 12,864 bytes, received 35,437 bytes
      104.100.107.230 (Akamai Technologies) – sent 169 bytes, received 371 bytes
      198.41.215.186 (CloudFlare) – sent 233 bytes, received 2,398 bytes

      Network activity for Diagnostics Tracking Service:
      64.4.54.253 (Microsoft telemetry) – sent 3,231 bytes, received 12,402 bytes
      64.4.54.254 (Microsoft telemetry) – sent 116,159 bytes, received 24,070 bytes

      Network activity to Microsoft telemetry for Diagnostics Tracking Service by periods of activity:
      4:45 – test begins
      4:47 – sent 1,251 bytes to Microsoft telemetry
      5:12 to 5:16 (within a few minutes after 1st manual run of Microsoft Compatibility Appraiser was started, and before it completed) – sent 6,416 bytes to Microsoft telemetry
      5:42 (24 minutes after 1st manual run of Microsoft Compatibility Appraiser was completed) – sent 104,567 bytes to Microsoft telemetry
      6:12 – sent 2,328 bytes to Microsoft telemetry
      6:47 (19 minutes after 2nd manual run of Microsoft Compatibility Appraiser was completed) – sent 4,828 bytes to Microsoft telemetry
      6:49 – test ends

      Conclusion: Data is sent to Microsoft telemetry after the task Microsoft Compatibility Appraiser is run when operating system’s Customer Experience Improvement Program setting = No. However, much more data is sent to Microsoft telemetry after the task Microsoft Compatibility Appraiser runs when operating system’s Customer Experience Improvement Program setting = Yes. Regardless of operating system’s Customer Experience Improvement Program setting, nontrivial CPU and disk resources may be used by task Microsoft Compatibility Appraiser.

      P.S. During both tests I also manually ran all of the tasks listed at https://pubs.vmware.com/horizon-61-view/topic/com.vmware.horizon-view.desktops.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html except Autochk; I didn’t know about Autochk at the time of the tests. All 5 of these tasks completed within a few seconds each.
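      Reproducing the per-address totals above from a saved capture, as an added example that is not code from the thread or from Sysinternals: it reads a Process Monitor CSV export (File > Save…, CSV) and sums the Length of each network event per process and remote host, which is what the poster compiled by hand from Tools > Network Summary. It assumes the default export columns, unresolved addresses in Path written as “local -> remote”, and a Detail field that starts with “Length: N”; the sample rows are constructed.

```python
"""Per-process, per-remote-host byte totals from a Process Monitor CSV export.

Added example, not code from the thread or from Sysinternals. Assumptions
(labelled): default export columns (Time of Day, Process Name, PID,
Operation, Path, Result, Detail); "Show Resolved Network Addresses" off so
Path holds raw addresses as "local:port -> remote:port"; Detail starts
with "Length: N". Sample rows below are constructed, with invented byte
counts; the remote addresses are ones the thread reports.
"""
import csv
import io
import re
from collections import defaultdict

SEND_OPS = {"TCP Send", "UDP Send"}
RECV_OPS = {"TCP Receive", "UDP Receive"}
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")

# Constructed sample export (not a real capture).
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:30:01.1234567 AM","svchost.exe","1316","TCP Connect","10.0.0.5:49152 -> 64.4.54.254:443","SUCCESS","Length: 0, mss: 1460, seqnum: 0, connid: 0"
"3:30:01.2234567 AM","svchost.exe","1316","TCP Send","10.0.0.5:49152 -> 64.4.54.254:443","SUCCESS","Length: 1200, startime: 1, endtime: 1, seqnum: 0, connid: 0"
"3:30:01.3234567 AM","svchost.exe","1316","TCP Receive","10.0.0.5:49152 -> 64.4.54.254:443","SUCCESS","Length: 4154, seqnum: 0, connid: 0"
"3:30:01.4234567 AM","svchost.exe","1316","TCP Send","10.0.0.5:49152 -> 64.4.54.254:443","SUCCESS","Length: 888, startime: 1, endtime: 1, seqnum: 0, connid: 0"
"3:30:02.0000000 AM","svchost.exe","1316","TCP Disconnect","10.0.0.5:49152 -> 64.4.54.254:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"3:31:00.0000000 AM","compattelrunner.exe","2044","TCP Send","10.0.0.5:49153 -> 104.43.139.21:443","SUCCESS","Length: 13,172, startime: 1, endtime: 1, seqnum: 0, connid: 0"
"3:31:00.5000000 AM","compattelrunner.exe","2044","TCP Receive","10.0.0.5:49153 -> 104.43.139.21:443","SUCCESS","Length: 41106, seqnum: 0, connid: 0"
"3:31:01.0000000 AM","compattelrunner.exe","2044","UDP Send","10.0.0.5:53001 -> 10.0.0.1:53","SUCCESS","Length: 60, seqnum: 0, connid: 0"
"3:31:01.0100000 AM","compattelrunner.exe","2044","UDP Receive","10.0.0.5:53001 -> 10.0.0.1:53","SUCCESS","Length: 120, seqnum: 0, connid: 0"
"3:31:02.0000000 AM","chrome.exe","3000","RegQueryValue","HKLM\\SOFTWARE\\Example","SUCCESS","Type: REG_SZ"
'''


def endpoint_host(endpoint):
    """Strip the port from 'host:port' or '[v6addr]:port' and return the host."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def remote_host(path, local_hosts):
    """Pick the remote side of 'a:port -> b:port'.

    Procmon writes the local endpoint first. If the caller names its own
    local addresses, whichever side is not local wins, so a row whose
    direction is written the other way round is still attributed correctly.
    """
    sides = [s.strip() for s in path.split("->")]
    if len(sides) != 2:
        return None
    hosts = [endpoint_host(s) for s in sides]
    if local_hosts:
        for h in hosts:
            if h not in local_hosts:
                return h
    return hosts[1]


def summarize(csv_text, local_hosts=frozenset()):
    """Return {(process, pid, remote_host): {'sent': n, 'received': n}}."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op not in SEND_OPS and op not in RECV_OPS:
            continue  # connect/disconnect, registry and file rows carry no payload
        m = LENGTH_RE.search(row["Detail"])
        if not m:
            continue
        n = int(m.group(1).replace(",", ""))  # Procmon may show "13,172"
        remote = remote_host(row["Path"], local_hosts)
        if remote is None:
            continue
        key = (row["Process Name"], int(row["PID"]), remote)
        totals[key]["sent" if op in SEND_OPS else "received"] += n
    return dict(totals)


def report(totals):
    """Format totals the way the thread lists them, one line per remote host."""
    lines = []
    for (proc, pid, remote), t in sorted(totals.items()):
        lines.append("%s (%d): %s - sent %s bytes, received %s bytes" % (
            proc, pid, remote, format(t["sent"], ","), format(t["received"], ",")))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_CSV, {"10.0.0.5"})):
        print(line)
```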

    • #21408

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21402.]

      Based on the timing, and also the results of Test 9, I now believe it’s likely that the data transmissions to Microsoft telemetry when operating system’s Customer Experience Improvement Program setting = No happened as a result of the running of scheduled task Microsoft Compatibility Appraiser. This task is added by KB2952664.

    • #21409

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21408.]

      Good to know. A long-suspected snooping patch nailed.

    • #21410

      Here are some important folders and files involved:

      %Windir%\System32\appraiser – contains the 3 “compatibility definition update” files mentioned at https://support.microsoft.com/en-us/kb/3150513, as well as some other files

      %Windir%\AppCompat\Appraiser – folder in which compattelrunner.exe does a lot of writing while it runs

      C:\ProgramData\Microsoft\Diagnosis – contains a number of subfolders and files

      C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings – contains the two files telemetry.ASM-WindowsDefault.json and utc.app.json mentioned at https://support.microsoft.com/en-us/kb/3080149. To give you an idea of what can be in these two files, see http://pastebin.com/C3dHDYYR. The contents of my two files differ from that.

      By default, you don’t have permissions to view some of the above files or folders.

      The file telemetry.ASM-WindowsDefault.json seems to specify at a high level what type of information will be uploaded to Microsoft, and what the user sampling rate for each type of information is.

    • #21411

      I have seen several references in comments for other posts at askwoody.com about file C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl. Some people at other internet sites claim that this is a keylogger file, but my investigation reveals (on Windows 7 x64 at least) this to be a false claim. The registry key HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener led me to look up “wmi” “autologger”. That led to “Configuring and Starting an AutoLogger Session” (https://msdn.microsoft.com/en-us/library/windows/desktop/aa363687(v=vs.85).aspx), which shows that this is an “event tracing session [that] records events that occur early in the operating system boot process.”

      I examined the file C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl from my test computer. Size: 65,536 bytes. Last modified timestamp is from when the computer was last booted. Viewing the file contents with a hex editor shows the file consists largely of binary 1’s. Inspecting the file with PerfView (https://www.microsoft.com/en-us/download/details.aspx?id=28567) shows some boot-related events, and that the event trace was active for 77 seconds. Performance Monitor (https://technet.microsoft.com/en-us/library/cc749115(v=ws.11).aspx) Performance->Data Collector Sets->Startup Event Trace Sessions lists AutoLogger-Diagtrack-Listener.

      Conclusion: this is not a keylogging file on Windows 7 x64. Instead, it’s a file that contains events from a boot-time event trace.

    • #21412

      From my testing on Windows 7 x64, Windows Error Reporting (http://www.howtogeek.com/howto/7863/disable-error-reporting-in-xp-vista-and-windows-7/) is independent of Windows Customer Experience Improvement Program, and independent of the Diagnostics Tracking Service. Windows Error Reporting can send data to Microsoft via process werfault.exe.

    • #21413

      I tested if, when operating system’s Customer Experience Improvement Program setting = No, disabling task Microsoft Compatibility Appraiser (which is added by KB2952664) stops Diagnostics Tracking Service from communicating with Microsoft.

      Test 11
      ——-
      Used Computer 2 with operating system’s Customer Experience Improvement Program setting = No.
      These Windows updates of interest were already installed: KB2952664, KB3021917, KB3068708, KB3080149, November monthly rollup.
      Windows Update was set to never automatically check for updates.
      Disabled task Microsoft Compatibility Appraiser.
      Ran Process Monitor for 24 hours using one Include filter: “Event Class is network then Include”.
      Results: Diagnostics Tracking Service did not communicate with any IP addresses. There was traffic from other svchost.exe processes to Akamai Technologies IP addresses, and to Microsoft Azure IP address 191.232.80.62.

      Conclusion: Setting operating system’s Customer Experience Improvement Program setting = No, and disabling task Microsoft Compatibility Appraiser might be sufficient to stop Diagnostics Tracking Service from communicating with Microsoft.

    • #21414

      I believe that I have discovered a method of listing the telemetry data that Diagnostics Tracking Service sends to Microsoft! This method was inspired by the sentence “Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data” (from https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization). I tested this method on Windows 7; it probably also works on Windows 8.1 and Windows 10.

      Steps:
      1. Download PerfView from https://www.microsoft.com/en-us/download/details.aspx?id=28567.
      2. Run PerfView. No installation is required.
      3. Click menu item Collect->Collect.
      4. Set Data File and Current Dir to file name and folder that will store the program’s output.
      5. Set Circular MB to at least 900.
      6. Click Advanced Options.
      7. For Additional Providers, type “Microsoft-Windows-Diagtrack::Verbose” (without quotes).
      8. Click Start Collection button.
      9. Wait at least 35 minutes (for Diagnostics Tracking Service to have its next activity cycle).
      10. Click Stop Collection button.
      11. Wait until PerfView is finished processing.
      12. In the program’s left pane, double-click Events.
      13. In Filter, type “diagtrack” (without quotes).
      14. In the left pane, double-click event type Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent.

      The data that appears in the right pane is the data that I believe is sent (encrypted) by Diagnostics Tracking Service to Microsoft telemetry. I can’t prove that, but in my tests so far, the number of Diagtrack-related event bytes from PerfView when saved to file and compressed is pretty close to the number of bytes sent to Microsoft telemetry. As an example, screenshot https://i.imgsafe.org/42b131eb08.png shows 6 events, each of which has more data (and much more interesting data) than visible in the screenshot when the right pane is scrolled to the right.

      Notes:
      1. You might find more information about the events listed in your trace in Microsoft document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields” (download from https://technet.microsoft.com/en-us/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).
      2. There seems to be an issue when Process Monitor and a PerfView collection are running at the same time that results in Process Monitor not showing some network activity.
      3. I don’t know if this method “sees” the uploading of ETL (Event Tracing for Windows) files that seems implied by the task Microsoft Compatibility Appraiser action “%windir%\system32\compattel\DiagTrackRunner.exe /UploadEtlFilesOnly” that I mentioned in a previous comment.

      3 users thanked author for this post.
      • #107386

        PerfView has a command-line switch /OnlyProviders that traces only the specified providers. This is handy if you want to reduce the trace file size, which is especially important if you want to run PerfView for longer periods of time.

        These are the steps that need to be modified:

        2. Run PerfView from a command prompt as follows:

        perfview.exe /onlyproviders:Microsoft-Windows-Diagtrack

        5. Isn’t necessary unless you want to run PerfView for a very long amount of time.

        6. Not needed.

        7. Not needed. Use default value for Additional Providers.

        9. PerfView can be run for days.

    • #21415

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21414.]

      To give an idea of what the rest of one of the events might contain, here is the entire first event from the screenshot, with some data altered in case there is a privacy issue:

      Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436233.731 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync","time":"2016-12-04T12:53:52.8440425Y","cV":"e69XH+9z6yhTrbZc.1.4.2.0","epoch":"165674","seqNum":1,"flags":207,"os":"Windows","osVer":"6.1.7601.23569.amd64fre.win7sp1_ldr.161007-0600","ext":{"utc":{"cat":147753888355358,"flags":1},"device":{"localId":"s:36YA6871-B9F8-4A9C-A2D1-B9EBC2A22623","deviceClass":"Windows"},"user":{"localId":"w:5623ECDF-B2D4-0AAD-A4B3-856FB02021BB"}},"data":{"baseType":"Ms.Device.DeviceInventoryChange","baseData":{"action":3,"objectType":"InventoryMiscellaneousOfficeAddIn","objectInstanceId":"","syncId":"{34B5C2E6-047E-5C72-E165-CB2F8B0D7383}","inventoryId":"{B25C75C0-5F4F-28C5-AAF3-3744097751D7}"}}}" EventLatency="0" EventPersistence="0"

    • #21416

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21414.]

      Some notes:

      1. In that screenshot, you see process name svchost with process ID of 1316. 1316 was the process ID of Diagnostics Tracking Service at that time.

      2. In general, these events appear to be events that Microsoft programmed Diagnostics Tracking Service to produce in case they wanted to later troubleshoot Diagnostics Tracking Service issues on a user’s machine.

    • #21417

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21409.]

      It is further confirmation of what we have already known from abbodi86.
      There is utility in allowing this task to run, as it is supposed to assess new applications and inform the user (and Microsoft) about the compatibility of that application with the existing system and its current state of updating, drivers etc.

    • #21418

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21411.]

      Thank you MrBrian. This is misinformation (“FUD”) spread among others by software like O&O ShutUp 10 which a lot of people tend to consider authoritative.

    • #21421

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21417.]

      Thank you for that information :).

      I haven’t mentioned this before, but some tests I did with Windows Customer Experience Improvement Program setting = No revealed that although running task Microsoft Compatibility Appraiser triggers data to be sent to Microsoft telemetry during the next activity cycle (or two cycles) of Diagnostics Tracking Service, the data that is sent isn’t actually data collected by Microsoft Compatibility Appraiser (at least no data that was written to a file). I thought this result was so odd that I retested it again a few times; I got the same results on all of the retests.

    • #21422

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21418.]

      You’re welcome :).

      Due to permissions issues, it might be difficult to check the file size and last modified timestamp of this file using tools built into Windows. If this is the case, I recommend searching for the file name using UltraSearch (https://www.jam-software.com/ultrasearch/).

    • #21423

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21407.]

      The screenshot https://i.imgsafe.org/42b131eb08.png mentioned in my comment https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21435 lists the 6 events that happened on Computer 2 within approximately 45 minutes of manually running task Microsoft Compatibility Appraiser using a similar configuration as Test 9.

      Here is some event information that is only partially visible in the screenshot:
      1. “Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync”
      2. “Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd”
      3. “Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInEndSync”
      4. “Microsoft.Windows.Appraiser.Critical.GapData”
      5. “Microsoft.Windows.Inventory.General.InventoryMiscellaneousCITStartSync”
      6. “Microsoft.Windows.Inventory.General.InventoryMiscellaneousCITEndSync”

      The first 3 events appear to contain data about Microsoft Office add-ins. The 4th event appears to contain data about Microsoft Compatibility Appraiser. I don’t know what the 5th and 6th events are for.

      1 user thanked author for this post.
    • #21424

      I captured the activity for a setup similar to Test 10, except with just one manual run of task Microsoft Compatibility Appraiser. Windows Customer Experience Improvement Program setting = Yes. The screenshot http://i.imgsafe.org/6bbb67b52d.png shows 1,446 events of event type Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent occurred. All 1,446 of these events were for process svchost.exe with process ID=1328, which was the process ID of Diagnostics Tracking Service. The saved .CSV file for these 1,446 events is size 108,316 bytes when compressed by 7-Zip, which is close to the 116,159 bytes that were transmitted to Microsoft telemetry IP address 64.4.54.254 in Test 10.

    • #21428

      I tested if, when operating system’s Customer Experience Improvement Program setting = No, and task Microsoft Compatibility Appraiser (which is added by KB2952664) is disabled, manual running of 6 other tasks related to Customer Experience Improvement Program causes Diagnostics Tracking Service to communicate with Microsoft telemetry.

      Test 12
      ——-
      Used Computer 2 with operating system’s Customer Experience Improvement Program setting = No.
      These Windows updates of interest were already installed: KB2952664, KB3021917, KB3068708, KB3080149, November monthly rollup.
      Disabled task Microsoft Compatibility Appraiser.
      Started Process Monitor using one Include filter: “Event Class is network then Include”.
      Manually ran each of the 6 tasks (not including Microsoft Compatibility Appraiser) listed at https://pubs.vmware.com/horizon-61-view/topic/com.vmware.horizon-view.desktops.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html twice.
      Let Process Monitor run for another 45 minutes.
      Results: Diagnostics Tracking Service did not communicate with any IP addresses.

      Conclusion: Setting operating system’s Customer Experience Improvement Program setting = No, and disabling task Microsoft Compatibility Appraiser might be sufficient to stop Diagnostics Tracking Service from communicating with Microsoft telemetry.

      P.S. All 6 of these tasks check the status of Windows Customer Experience Improvement Program setting, which means that each of these 6 tasks might change their behavior depending on the Windows Customer Experience Improvement Program setting. I did this check using a Process Monitor “Include” filter for Path containing “CEIPEnable” (without quotes). See https://msdn.microsoft.com/en-us/library/dd405474(v=vs.85).aspx for Microsoft’s documentation of this registry value.

    • #21429

      In this post I’ll investigate whether registry value AllowTelemetry (documented at http://gpsearch.azurewebsites.net/default.aspx?ref=1#10937) has any effect in Windows 7 x64. All tests in this post were done using Computer 2 with these Windows updates of interest already installed: KB2952664, KB3021917, KB3068708, KB3080149, November monthly rollup.

      Some sources state that the location of registry value AllowTelemetry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection, while other sources state that it’s HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection. In my judgment, the bulk of evidence indicates that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection is the right location, and that’s the location I used in most tests in this batch of tests.

      The first batch of tests used Process Monitor filter “Path contains AllowTelemetry then Include” to test whether registry value AllowTelemetry is being used by any processes. I manually ran all of the tasks listed at https://pubs.vmware.com/horizon-61-view/topic/com.vmware.horizon-view.desktops.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html, and then waited about 35 minutes for the next Diagnostics Tracking Service activity cycle to occur. In all tests there were 0 matches in Process Monitor.

      The second batch of tests used Process Monitor filter “Event class is network then Include” to compare network activity of Diagnostics Tracking Service using most combinations of Customer Experience Improvement Program setting and registry value AllowTelemetry when manually running task Microsoft Compatibility Appraiser (which is added by KB2952664) and then waiting about 35 minutes for the next Diagnostics Tracking Service activity cycle to occur. In a few tests I rebooted immediately after setting registry value AllowTelemetry. A few tests also tried location HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection. In all tests, there were no noticeable differences in networking activity of Diagnostics Tracking Service compared to similar tests in previous batches of tests.

      Conclusion: In Windows 7 x64 registry value AllowTelemetry likely has no effect.

    • #21430

      Potentially of interest from “Policy CSP” (https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry):
      “System/AllowTelemetry

      Allow the device to send diagnostic and usage telemetry data, such as Watson.

      The following tables describe the supported values:

      Windows 8.1 Values

      0 – Not allowed.

      1 – Allowed, except for Secondary Data Requests.

      2 (default) – Allowed.”

      I’m not sure if this applies to PC versions of Windows 8.1.

    • #21431

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21424.]

      Removing duplicate event types in these 1,446 events, there are 236 types of events in this event trace. You can find a reference to most of these event types in the document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields” that I mentioned previously; don’t include “Add”, “StartSync”, or “EndSync” from the end of the event type when searching that document. Here are the 236 types of events in this event trace:

      Census.App
      Census.Battery
      Census.Camera
      Census.Enterprise
      Census.Firmware
      Census.Flighting
      Census.Hardware
      Census.Location
      Census.Memory
      Census.Network
      Census.OS
      Census.Processor
      Census.Storage
      Census.Userdefault
      Census.UserDisplay
      Census.UserNLS
      Census.VM
      Census.WU
      Census.Xbox
      Microsoft.Windows.Appraiser.Critical.Alive
      Microsoft.Windows.Appraiser.Critical.GapData
      Microsoft.Windows.Appraiser.General.Checksum
      Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
      Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256
      Microsoft.Windows.Appraiser.General.DatasourceApplicationFileEndSync
      Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
      Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
      Microsoft.Windows.Appraiser.General.DatasourceDevicePnpEndSync
      Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
      Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
      Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync
      Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockEndSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeEndSync
      Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
      Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
      Microsoft.Windows.Appraiser.General.DatasourceSystemBiosEndSync
      Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
      Microsoft.Windows.Appraiser.General.DecisionApplicationFileEndSync
      Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
      Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
      Microsoft.Windows.Appraiser.General.DecisionDevicePnpEndSync
      Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
      Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
      Microsoft.Windows.Appraiser.General.DecisionDriverPackageEndSync
      Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockEndSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveEndSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeEndSync
      Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
      Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
      Microsoft.Windows.Appraiser.General.DecisionMediaCenterEndSync
      Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
      Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
      Microsoft.Windows.Appraiser.General.DecisionSystemBiosEndSync
      Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
      Microsoft.Windows.Appraiser.General.DecisionSystemProcessorEndSync
      Microsoft.Windows.Appraiser.General.DecisionSystemProcessorStartSync
      Microsoft.Windows.Appraiser.General.GatedRegChange
      Microsoft.Windows.Appraiser.General.InventoryApplicationAdd
      Microsoft.Windows.Appraiser.General.InventoryApplicationEndSync
      Microsoft.Windows.Appraiser.General.InventoryApplicationFileEndSync
      Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
      Microsoft.Windows.Appraiser.General.InventoryApplicationIeAddonEndSync
      Microsoft.Windows.Appraiser.General.InventoryApplicationIeAddonStartSync
      Microsoft.Windows.Appraiser.General.InventoryApplicationStartSync
      Microsoft.Windows.Appraiser.General.InventoryDeviceContainerEndSync
      Microsoft.Windows.Appraiser.General.InventoryDeviceContainerStartSync
      Microsoft.Windows.Appraiser.General.InventoryDevicePnpAdd
      Microsoft.Windows.Appraiser.General.InventoryDevicePnpEndSync
      Microsoft.Windows.Appraiser.General.InventoryDevicePnpStartSync
      Microsoft.Windows.Appraiser.General.InventoryDriverBinaryAdd
      Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync
      Microsoft.Windows.Appraiser.General.InventoryDriverBinaryStartSync
      Microsoft.Windows.Appraiser.General.InventoryDriverPackageAdd
      Microsoft.Windows.Appraiser.General.InventoryDriverPackageEndSync
      Microsoft.Windows.Appraiser.General.InventoryDriverPackageStartSync
      Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
      Microsoft.Windows.Appraiser.General.InventoryLanguagePackEndSync
      Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
      Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
      Microsoft.Windows.Appraiser.General.InventoryMediaCenterEndSync
      Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
      Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
      Microsoft.Windows.Appraiser.General.InventorySystemBiosEndSync
      Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
      Microsoft.Windows.Appraiser.General.InventorySystemMachineEndSync
      Microsoft.Windows.Appraiser.General.InventorySystemMachineStartSync
      Microsoft.Windows.Appraiser.General.InventorySystemProcessorEndSync
      Microsoft.Windows.Appraiser.General.InventorySystemProcessorStartSync
      Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageEndSync
      Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
      Microsoft.Windows.Appraiser.General.IsOnlineCosDeviceDataSource
      Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter
      Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource
      Microsoft.Windows.Appraiser.General.RunContext
      Microsoft.Windows.Appraiser.General.StartUtcJsonTrace
      Microsoft.Windows.Appraiser.General.StopUtcJsonTrace
      Microsoft.Windows.Appraiser.General.SystemMemoryAdd
      Microsoft.Windows.Appraiser.General.SystemMemoryEndSync
      Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
      Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
      Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeEndSync
      Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
      Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
      Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfEndSync
      Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
      Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
      Microsoft.Windows.Appraiser.General.SystemProcessorNxEndSync
      Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
      Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
      Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWEndSync
      Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
      Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
      Microsoft.Windows.Appraiser.General.SystemProcessorSse2EndSync
      Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
      Microsoft.Windows.Appraiser.General.SystemTouchAdd
      Microsoft.Windows.Appraiser.General.SystemTouchEndSync
      Microsoft.Windows.Appraiser.General.SystemTouchStartSync
      Microsoft.Windows.Appraiser.General.SystemWimAdd
      Microsoft.Windows.Appraiser.General.SystemWimEndSync
      Microsoft.Windows.Appraiser.General.SystemWimStartSync
      Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
      Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusEndSync
      Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
      Microsoft.Windows.Appraiser.General.SystemWlanAdd
      Microsoft.Windows.Appraiser.General.SystemWlanEndSync
      Microsoft.Windows.Appraiser.General.SystemWlanStartSync
      Microsoft.Windows.Appraiser.General.TelemetryRunHealth
      Microsoft.Windows.Appraiser.General.WmdrmAdd
      Microsoft.Windows.Appraiser.General.WmdrmEndSync
      Microsoft.Windows.Appraiser.General.WmdrmStartSync
      Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
      Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
      Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
      Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
      Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
      Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
      Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
      Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
      Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
      Microsoft.Windows.Inventory.General.Checksum
      Microsoft.Windows.Inventory.General.GeneralTelemetryElapsedTime
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntispywareInformationAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntispywareInformationEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntispywareInformationStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousBrowserStartupSettingsAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousBrowserStartupSettingsEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousBrowserStartupSettingsStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeAppEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeAppStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeRlzAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeRlzAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeRlzEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeRlzStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCITModuleLoadedEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCITModuleLoadedStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCpuidAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCpuidEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCpuidStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCrashDumpAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCrashDumpEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousCrashDumpStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiscCorruptionAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiscCorruptionEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiscCorruptionStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskInfoAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskInfoEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskInfoStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskPartitionInfoAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskPartitionInfoEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskPartitionInfoStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousGWXTaskInfoEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousGWXTaskInfoStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousInstalledDotNetFrameworkAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousInstalledDotNetFrameworkEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousInstalledDotNetFrameworkStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousMicrophoneDataAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousMicrophoneDataEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousMicrophoneDataStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousMonitorDataEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousMonitorDataStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousPhysicalDiskInfoEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousPhysicalDiskInfoStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousPreviousUpgradesEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousPreviousUpgradesStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousServicesAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousServicesEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousServicesStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromAuditModeAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromAuditModeEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromAuditModeStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromVHDAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromVHDEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromVHDStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupPendingFirmwareUpdateWithPowerAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupPendingFirmwareUpdateWithPowerEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupPendingFirmwareUpdateWithPowerStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSupportedSleepStatesAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSupportedSleepStatesEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousSupportedSleepStatesStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAccountTypeEnumerationAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAccountTypeEnumerationEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAccountTypeEnumerationStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousVolumeInfoAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousVolumeInfoEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousVolumeInfoStartSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousWifiAdd
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousWifiEndSync
      Microsoft.Windows.Inventory.General.InventoryMiscellaneousWifiStartSync
      Microsoft.Windows.Inventory.General.PerfConfidenceOsArchitectureCheck
      Microsoft.Windows.Inventory.Indicators.Checksum
      Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
      Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
      Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
      TelClientSynthetic.HeartBeat_5
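      To make a PerfView trace captured with the method in post #21414 easier to review, here is an added Python example (not code from this thread or from PerfView) that parses event lines laid out like the one quoted in post #21415, decodes the EventPayload JSON, counts events per process ID, strips the Add/StartSync/EndSync suffixes for lookup in the Appraiser document as described in this post, lists the device and user identifiers the events carry, and compresses the payloads to approximate the byte comparison made earlier in the thread. The sample lines are constructed, and every identifier in them is a placeholder.

```python
"""Summarize Diagtrack AsimovUploader_PersistEvent lines from a PerfView trace.
Added example, not code from the thread or from PerfView. The sample lines
are constructed to match the quoted event layout; identifiers are placeholders."""
import json
import re
import zlib
from collections import Counter

DIAGTRACK_EVENT = "Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent"

# Event type, timestamp, process (PID), then key="value" attributes. The
# EventPayload value is raw JSON whose inner quotes are not escaped, so it is
# matched greedily up to the EventLatency attribute that always follows it.
LINE_RE = re.compile(
    r'^(?P<event>\S+)\s+(?P<ts>[\d.]+)\s+(?P<proc>\S+)\s+\((?P<pid>\d+)\)'
    r'\s+ThreadID="(?P<tid>[^"]*)"\s+EventPayload="(?P<raw_payload>.*)"'
    r'\s+EventLatency="(?P<latency>\d+)"\s+EventPersistence="(?P<persist>\d+)"\s*$'
)
# Suffixes to drop before looking a name up in the Appraiser telemetry document.
SUFFIXES = ("StartSync", "EndSync", "Add")


def parse_line(line):
    """Return a dict for one trace line, or None if it is not an event line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    try:
        rec["payload"] = json.loads(rec["raw_payload"])
    except json.JSONDecodeError:
        rec["payload"] = None  # truncated or non-JSON payload: keep it, flag it
    return rec


def parse_trace(text, event_type=DIAGTRACK_EVENT):
    """Parse all lines, keeping only the given event type (None keeps all)."""
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs if r and (event_type is None or r["event"] == event_type)]


def base_event_name(name):
    """Strip Add/StartSync/EndSync so the name matches the Appraiser document."""
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def summarize(records):
    """Per-PID counts, event names, identifiers in ext.device/ext.user, and
    raw versus compressed payload size (zlib stands in for the thread's 7-Zip)."""
    names, by_pid, identifiers, unparsed, raw = Counter(), Counter(), set(), 0, []
    for rec in records:
        by_pid[rec["pid"]] += 1
        raw.append(rec["raw_payload"])
        payload = rec["payload"]
        if payload is None:
            unparsed += 1
            continue
        names[payload.get("name", "<no name>")] += 1
        ext = payload.get("ext", {})
        for kind in ("device", "user"):
            local_id = ext.get(kind, {}).get("localId")
            if local_id:
                identifiers.add((kind, local_id))
    blob = "\n".join(raw).encode("utf-8")
    return {
        "total": len(records),
        "unparsed": unparsed,
        "by_pid": by_pid,
        "names": names,
        "base_names": sorted({base_event_name(n) for n in names}),
        "identifiers": sorted(identifiers),
        "raw_bytes": len(blob),
        "compressed_bytes": len(zlib.compress(blob, 9)),
    }


# Constructed sample: three OfficeAddIn events and one GapData event from the
# Diagtrack PID, one Census event from another svchost PID, one truncated
# payload, and one unrelated line that is skipped.
SAMPLE_TRACE = '''
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436233.731 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync","time":"2016-12-04T12:53:52.8440425Z","seqNum":1,"os":"Windows","ext":{"device":{"localId":"s:00000000-0000-0000-0000-000000000001","deviceClass":"Windows"},"user":{"localId":"w:00000000-0000-0000-0000-000000000002"}},"data":{"baseType":"Ms.Device.DeviceInventoryChange","baseData":{"action":3,"objectType":"InventoryMiscellaneousOfficeAddIn"}}}" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436233.740 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd","seqNum":2,"ext":{"device":{"localId":"s:00000000-0000-0000-0000-000000000001"}},"data":{"baseType":"Ms.Device.DeviceInventoryChange","baseData":{"action":1,"objectType":"InventoryMiscellaneousOfficeAddIn","objectInstanceId":"PLACEHOLDER-ADDIN"}}}" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436233.752 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInEndSync","seqNum":3,"ext":{},"data":{}}" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436240.118 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Microsoft.Windows.Appraiser.Critical.GapData","seqNum":4,"data":{"Gaps":[]}}" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436241.003 svchost (5000) ThreadID="2,004" EventPayload="{"ver":"2.1","name":"Census.OS","seqNum":1,"data":{"OSArchitecture":"amd64"}}" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/AsimovUploader_PersistEvent 436241.500 svchost (1316) ThreadID="1,460" EventPayload="{"ver":"2.1","name":"Truncated" EventLatency="0" EventPersistence="0"
Microsoft-Windows-Diagtrack/Heartbeat 436242.000 svchost (1316) ThreadID="1,460"
'''

if __name__ == "__main__":
    s = summarize(parse_trace(SAMPLE_TRACE))
    print(f"{s['total']} events, {s['unparsed']} unparseable, per PID: {dict(s['by_pid'])}")
    print("document lookup names:", ", ".join(s["base_names"]))
    print("identifiers carried:", s["identifiers"])
    print(f"payload bytes raw={s['raw_bytes']} compressed={s['compressed_bytes']}")
```

Replace SAMPLE_TRACE with the lines copied from PerfView's Events view after step 14 to run it on a real capture.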

    • #21433

      I have investigated the files in “bad” update KB3021917.

      This update contains 4 filenames:
      1. Core-fundamentals-clientperformance-perftrack.ptxml – file of same size and date exists on a computer without KB3021917 installed.
      2. Perftrack.dll – older file with this name exists on a computer without KB3021917 installed.
      3. Powertracker.dll – file doesn’t exist on a computer without KB3021917 installed.
      4. Wdi.dll – older file with this name exists on a computer without KB3021917 installed.

      About Perftrack.dll: From https://chentiangemalc.wordpress.com/2011/05/08/windows-7-default-scheduled-taskscomplete-overview/: File is associated with task Microsoft->Windows->PerfTrack->BackgroundConfigSurveyor. Disabled by default. Perhaps is enabled by group policy http://gpsearch.azurewebsites.net/default.aspx?ref=1#7895. Still disabled on a computer with KB3021917 installed.

      About Wdi.dll: From https://chentiangemalc.wordpress.com/2011/05/08/windows-7-default-scheduled-taskscomplete-overview/: File is associated with task Microsoft->Windows->WDI->ResolutionHost. “The Windows Diagnostic Infrastructure Resolution host enables interactive resolutions for system problems detected by the Diagnostic Policy Service. It is triggered when necessary by the Diagnostic Policy Service in the appropriate user session.” Enabled by default. More info: see http://itsvista.com/2007/04/diagnostic-policy-service/.

      About Powertracker.dll: From a registry search, this file appears to be a new diagnostics module for Windows Diagnostic Infrastructure.

      An educated guess is that this update is not associated with Diagnostics Tracking Service, unlike the other 3 “bad” updates that I have investigated.

    • #21434

      There is one “bad” update that I had neglected to test thus far: KB3075249. This update is superseded by KB3172605 and a few other updates. I have now tested this update extensively on Computer 2 with baseline updates of interest KB2952664, KB3021917, KB3068708, KB3080149, and November monthly rollup already installed.

      In the tests, I manually elevated an executable file to administrator privileges using context menu item “Run as administrator”. In most tests I made this executable file low integrity (https://msdn.microsoft.com/en-us/library/bb625960.aspx) because KB3075249 states “This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.” In most tests I used operating system’s Customer Experience Improvement Program setting = Yes. During some tests I used Process Monitor to look at system-wide network activity during the manual elevation. In other tests I used Process Monitor to look at system-wide file writing activity during the manual elevation. In other tests I used the PerfView method I mentioned in a previous comment to inspect what Diagnostics Tracking Service was sending to Microsoft telemetry within 35 minutes of the manual elevation. I also ran these tests without KB3075249 installed. In most tests I modified the executable to crash right after starting, to also test for behavior in Windows Error Reporting.

      Results: In all cases, I was unable to detect any behavioral difference between KB3075249 installed and KB3075249 not installed.

      Conclusion: I’m not sure if KB3075249 actually does any telemetry. Any ideas?

    • #21435

      Here are my recommendations based on my test results so far (for Windows 7 x64 computers):

      If you set operating system’s Customer Experience Improvement Program setting = No, some data is still sent to Microsoft telemetry within 35 minutes after task Microsoft Compatibility Appraiser (added by KB2952664) finishes running, as shown in screenshot https://i.imgsafe.org/42b131eb08.png.

      If this is unacceptable, then do at least one of the three following actions (in addition to setting operating system’s Customer Experience Improvement Program setting = No):

      Action 1) In Task Scheduler, disable task Microsoft Compatibility Appraiser (located in Microsoft\Windows\Application Experience). This also stops Microsoft Compatibility Appraiser from sometimes consuming a lot of CPU and disk resources.

      And/or Action 2) In firewall or router, block traffic to DNS endpoints settings-win.data.microsoft.com and vortex-win.data.microsoft.com, or equivalent (for now anyway) IP addresses 64.4.54.253 and 64.4.54.254. To do this in Windows Firewall, see http://www.easysecurityonline.com/how-to-protect-windows-7-and-8-from-getting-windows-10-privacy-intrusions-too/. I verified that this blocks Diagnostics Tracking Service telemetry using Process Monitor.

      And/or Action 3) Disable service Diagnostics Tracking Service. I verified that this stops Diagnostics Tracking Service telemetry using Process Monitor. Microsoft recommends to not disable this service at https://blogs.technet.microsoft.com/netro/2015/09/09/windows-7-windows-8-and-windows-10-telemetry-updates-diagnostic-tracking/. Third-party programs can also use this service to send telemetry.

      There are advantages and disadvantages of each of the above 3 actions. I will probably do Action 2 very soon in Windows Firewall, and also Action 1 if task Microsoft Compatibility Appraiser exists on my computer in the future.

      Notes:
      1. It’s possible that existing or future Windows updates, or perhaps even other situations, could re-enable Microsoft Compatibility Appraiser or Diagnostics Tracking Service if they are disabled. This makes Action 2 attractive.
      2. I don’t know if any of the above actions causes problems. I didn’t notice any problems during my tests though.
      3. There is no guarantee that following this advice will be effective on your computer. It was effective in my tests though.
      4. I don’t know if following this advice is effective on Windows 8.1. I might test Windows 8.1 if there is enough demand, or if Woody asks me to do it.
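An added example (not code from the AskWoody thread or from Microsoft) that applies the three actions above on Windows 7 x64 and then reads the resulting state back, so you can confirm each change took effect. It uses schtasks.exe and netsh.exe because the ScheduledTasks and NetSecurity PowerShell modules do not exist on Windows 7. Assumptions: it runs from an elevated 64-bit PowerShell prompt, schtasks output is in English (the "Scheduled Task State" column name), the firewall rule name is chosen here, and the two IP addresses are the ones observed in the post and may change.

```powershell
<#
  Added example for the three actions in the post above; not code from the
  AskWoody thread or from Microsoft. Applies each action on Windows 7 x64 and
  reads the resulting state back. Run from an elevated 64-bit PowerShell prompt.
  Assumptions: English-locale schtasks output; rule name chosen here; the IP
  addresses are those observed in the thread ("for now anyway").
#>

$AppraiserTask      = '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'
$ServiceDisplayName = 'Diagnostics Tracking Service'
$TelemetryIPs       = '64.4.54.253,64.4.54.254'
$RuleName           = 'BlockWin7TelemetryEndpoints'   # arbitrary; no spaces so netsh receives it unquoted

function Get-TaskState([string]$TaskName) {
    # 'Enabled' / 'Disabled', or $null when the task is not present
    # (task Microsoft Compatibility Appraiser only exists once KB2952664 is installed)
    $csv = & schtasks.exe /Query /TN $TaskName /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    @($csv | ConvertFrom-Csv)[0].'Scheduled Task State'
}

function Invoke-Action1 {
    # Disable the gatherer task; this also removes its periodic CPU/disk load
    if ((Get-TaskState $AppraiserTask) -eq $null) { return 'task not present (KB2952664 not installed?)' }
    & schtasks.exe /Change /TN $AppraiserTask /Disable | Out-Null
    Get-TaskState $AppraiserTask
}

function Invoke-Action2 {
    # Block outbound traffic to the observed telemetry addresses in Windows Firewall.
    # $TelemetryIPs is passed as a variable so PowerShell does not split the
    # comma-separated list into two arguments.
    $shown = & netsh.exe advfirewall firewall show rule name=$RuleName 2>$null
    if (-not ($shown | Select-String -SimpleMatch $RuleName)) {
        & netsh.exe advfirewall firewall add rule name=$RuleName dir=out action=block remoteip=$TelemetryIPs enable=yes | Out-Null
    }
    $shown = & netsh.exe advfirewall firewall show rule name=$RuleName 2>$null
    if ($shown | Select-String -SimpleMatch $RuleName) { "rule '$RuleName' present" } else { 'rule missing' }
}

function Invoke-Action3 {
    # Stop the sender service and keep it from starting again
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'service not present (KB3068708/KB3080149 not installed?)' }
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    'start mode {0}, state {1}' -f $wmi.StartMode, $wmi.State
}

'Action 1 (task):     ' + (Invoke-Action1)
'Action 2 (firewall): ' + (Invoke-Action2)
'Action 3 (service):  ' + (Invoke-Action3)
```

Each function returns the state it read back rather than trusting the command's exit code, which matters for Action 1 and Action 3 given note 1 above: re-running the script after a Windows update is a quick way to see whether the task or service was re-enabled.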

    • #21438

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21435.]

      Note: Any of these three actions (in conjunction with operating system’s Customer Experience Improvement Program setting = No) stops transmission of KB2952664-gathered telemetry to Microsoft through Diagnostics Tracking Service. Action 1 is the only of these three actions that stops KB2952664 from gathering telemetry.

    • #21441

      A high-level summary of the functionality of Diagnostics Tracking Service is that it appears to send information gathered by gatherers, but it doesn’t gather information.

      The only gatherer (for sending by Diagnostics Tracking Service) that I’ve seen firsthand evidence of so far is task Microsoft Compatibility Appraiser, which is installed by KB2952664. Third-party programs can also use Application Insights (http://www.computerworld.com/article/2917448/app-development/microsoft-jumps-into-app-monitoring-with-application-insights.html) to gather information for sending by Diagnostics Tracking Service.

    • #21442

      I hadn’t previously tested the Customer Experience Improvement Program-related tasks listed at https://pubs.vmware.com/horizon-61-view/topic/com.vmware.horizon-view.desktops.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html with “bad” updates KB2952664, KB3021917, KB3068708, and KB3080149 not installed. I have now tested this on Computer 2. I looked at the behavior of each of those tasks with Process Monitor, except task Microsoft Compatibility Appraiser, which is added by KB2952664. I tested each of these tasks with both settings of operating system’s Customer Experience Improvement Program.

      Results: These five tasks seem to do nothing important regarding network and file writing activity with either setting of operating system’s Customer Experience Improvement Program: AITAgent, UsbCEIP, KernelCEIPTask, Consolidator, and Proxy. Task ProgramDataUpdater (without KB2952664 installed) can use significant CPU and disk resources with either setting of operating system’s Customer Experience Improvement Program. Task ProgramDataUpdater (without KB2952664 installed) sends data to Microsoft only when operating system’s Customer Experience Improvement Program setting = Yes.

      Conclusion: With “bad” updates KB2952664, KB3021917, KB3068708, and KB3080149 not installed, tasks AITAgent, UsbCEIP, KernelCEIPTask, Consolidator, Proxy, and ProgramDataUpdater obey the operating system’s Customer Experience Improvement Program setting with regard to networking activity. However, task ProgramDataUpdater (without KB2952664 installed) can use significant CPU and disk resources regardless of the operating system’s Customer Experience Improvement Program setting.

      Note: Installation of KB2952664 (the version that was current as of November 25, 2016) changes the action for task ProgramDataUpdater from
      %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate
      to
      %windir%\system32\compattelrunner.exe -maintenance

    • #21443

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21435.]

      Further testing has revealed that task ProgramDataUpdater can use significant CPU and disk resources in some situations. Thus, you may wish to disable task ProgramDataUpdater. See my other comment from December 14, 2016 for more details.

    • #21449

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21435.]


      @MrBrian,

      Is my understanding of your guidance for people who want to avoid Windows 7 telemetry correct?

      In order to better get a handle on it for myself, I have attempted to summarize it:

      =====
      Step I. For everyone who wants to stop telemetry on Windows 7 machines:

      Set the operating system’s Customer Experience Improvement Program setting to No.

      (If you have KB2952664 installed, go to step II next.
      If you do not have KB2952664 installed, go to step III next.)

      =====
      Step II. Only for those who have already installed update KB2952664 on their Windows 7 machines:

      After Step I, take one or more of the following 3 actions:


      Action 1:

      Disable the task for Microsoft Compatibility Appraiser (located in Microsoft\Windows\Application Experience) in the Task Scheduler.

      How does it work?
      Stops KB2952664 from gathering telemetry, so there isn’t any to be sent through the Diagnostics Tracking Service

      and/or


      Action 2:

      In firewall or router, block traffic to DNS endpoints settings-win.data.microsoft.com and vortex-win.data.microsoft.com, or equivalent (for now anyway) IP addresses 64.4.54.253 and 64.4.54.254. (stops transmission of KB2952664-gathered telemetry)

      How does it work?
      Stops the transmission of any KB2952664-gathered telemetry through the Diagnostics Tracking Service

      and/or


      Action 3:

      Disable the Diagnostics Tracking Service in Services

      How does it work?
      Stops the transmission of any KB2952664-gathered telemetry through the Diagnostics Tracking Service

      =====
      Step III. For those who do not have KB2952664 installed on their machines:

      After Step I,
      consider disabling the Task ProgramDataUpdater.

      Although ProgramDataUpdater (without KB2952664 installed) only sends telemetry data to Microsoft when the CEIP setting is set to Yes, when KB2952664 is not installed that task can use significant CPU and disk resources regardless of whether the CEIP setting is Yes or No.
      =====

      Beware:

      a. There is no guarantee that following this advice would be effective in limiting the telemetry Microsoft receives from your computer.

      b. There is no guarantee that following this advice would not cause some sort of problem for your computer.

      c. Even if these steps work for your computer, it’s possible that existing or future Windows updates, or perhaps even other situations, could re-enable the disabled Microsoft Compatibility Appraiser and/or the disabled Diagnostics Tracking Service

      ==========
      ==========
      Some other information:

      With the following 4 “bad” updates not installed:
      KB2952664, KB3021917, KB3068708, and KB3080149,

      the tasks
      AITAgent, UsbCEIP, KernelCEIPTask, Consolidator, Proxy, and ProgramDataUpdater

      DO obey the operating system’s Customer Experience Improvement Program setting.

      —-
      My questions on the above:

      1. Should all four of these “bad” patches be avoided?
      Should one or more of Step II’s three actions be done if _any_ of those four patches is/are installed?
      Or was it later concluded that KB2952664 is actually the only one to worry about?

      2. Is there any reason to voluntarily install KB2952664 – does it do any good stuff?
      Or even if you have chosen to be in Group A in terms of the new updating system, is it best to avoid having KB2952664 as long as you can?

      3. Out of an abundance of caution, should the Step II action(s) be taken now anyway, whether or not KB2952664 is currently installed, because when the Group A Monthly comprehensive Rollup starts to become historically cumulative in a few months (according to Microsoft’s earlier statement about their plans for the Rollup), it will include KB2952664.

    • #21451

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21435.]

      I should have indicated that my advice was intended to apply to those who either have the “bad” updates installed, or are in Group A and thus will probably be getting the “bad” updates in early 2017.

      For those in Group B, you could instead:
      1. Don’t install the “bad” updates (KB2952664, KB3021917, KB3068708, KB3080149, and KB3075249), or uninstall them if you already have them.
      2. For those without KB2952664 installed, consider disabling task ProgramDataUpdater because it can use significant CPU and disk resources.

    • #21452

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21449.]

      On my real computer, I have avoided installing the “bad” updates, although I am in Group A. I don’t know of any problems that happen to those who avoid installing the “bad” updates. I don’t know of any benefit of having the “bad” updates installed, other than letting Microsoft have data which could help them improve their products, and businesses that use Windows Upgrade Analytics.

      Question #1: You said: “(If you have KB2952664 installed, go to step II next. If you do not have KB2952664 installed, go to step III next.)”

      Answer: Action 1 shouldn’t be applicable for those in Group B who haven’t installed KB2952664. Action 2 you may still wish to do if you are in Group B as an extra defense. Action 3 shouldn’t be applicable for those in Group B who avoided the “bad” updates.

      Question #2: You said about Action 1: “How does it work? Stops KB2952664 from gathering telemetry, so there isn’t any to be sent through the Diagnostics Tracking Service.”

      Answer: Correct in regards to Windows 7 itself, as far as I know. However, third-party applications can also use Diagnostics Tracking Service to send gathered data.

      Question #3: You said about Action 2: “How does it work? Stops the transmission of any KB2952664-gathered telemetry through the Diagnostics Tracking Service.”

      Answer: Correct, as far as the IP addresses that I have seen being used by Diagnostics Tracking Service. However, I don’t know if other IP addresses can be used when third-party programs use Diagnostics Tracking Service to send data.

      Question #4: You said about Action 3: “How does it work? Stops the transmission of any KB2952664-gathered telemetry through the Diagnostics Tracking Service.”

      Answer: Correct. It should also stop transmission of third-party program-gathered data being sent through Diagnostics Tracking Service.

      Question #5: You asked: “Should all four of these “bad” patches be avoided?”

      Answer: I personally have avoided installing these “bad” updates on my real computer, without any known problems. However, I assume I will probably be getting the functionality of these “bad” updates in early 2017 since I am in Group A.

      Question #6: You asked “Should one or more of Step II’s three actions be done if _any_ of those four patches is/are installed? Or was it later concluded that KB2952664 is actually the only one to worry about?”

      Answer: If you have just some of the “bad” updates installed, you should consider doing those of the three actions of Step II that are applicable. KB2952664 is the only gatherer that I have seen firsthand, but Microsoft has documented that third-party programs can also use Diagnostics Tracking Service to send data.

      Question #7: You asked: “Is there any reason to voluntarily install KB2952664 – does it do any good stuff?”

      Answer: I don’t know of any benefit of having KB2952664 installed, other than letting Microsoft have data which could help them improve their products, and businesses that use Windows Upgrade Analytics.

      Question #8: You asked: “Or even if you have chosen to be in Group A in terms of the new updating system, is it best to avoid having KB2952664 as long as you can?”

      Answer: We don’t know for sure yet that Group A will be getting the functionality of KB2952664, so I’ve avoided installing it even though I am in Group A.

      Question #9: You asked: “Out of an abundance of caution, should the Step II action(s) be taken now anyway, whether or not KB2952664 is currently installed, because when the Group A Monthly comprehensive Rollup starts to become historically cumulative in a few months (according to Microsoft’s earlier statement about their plans for the Rollup), it will include KB2952664.”

      Answer: I think Action 2 is a good step to take now, and I plan to do so myself. Also, set operating system’s Customer Experience Improvement Program setting = No.

      Question #10: You said: “With the following 4 “bad” updates not installed: KB2952664, KB3021917, KB3068708, and KB3080149, the tasks AITAgent, UsbCEIP, KernelCEIPTask, Consolidator, Proxy, and ProgramDataUpdater DO obey the operating system’s Customer Experience Improvement Program setting.”

      Answer: In my tests, the answer is yes regardless of the setting of the operating system’s Customer Experience Improvement Program, with one exception: when KB2952664 isn’t installed, ProgramDataUpdater can sometimes use significant CPU and disk resources regardless of the setting of the operating system’s Customer Experience Improvement Program.

    • #21454

      I’ve neglected to mention thus far that when the operating system’s Customer Experience Improvement Program setting = Yes, and there are no gatherers gathering telemetry data for Diagnostics Tracking Service to send, Diagnostics Tracking Service periodically sends the TelClientSynthetic.HeartBeat_5 event that is described by Microsoft (in document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields”) as:
      ‘This event contains statistics about the health and quality of the telemetry data from the given device. Also enables data analysts to determine how “trusted” the data is from a given device. Fires every 30 minutes and linked to the previous heartbeat event using the PreviousHeartBeatTime parameter.’

    • #21455

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21454.]

      How are the tasks under Application Experience configured in this latest finding? I am enquiring specifically about ProgramDataUpdater and Microsoft Compatibility Appraiser. They both run the compattelrunner.exe process, at least this is how it is named under Windows 10.

    • #21456

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21455.]

      For Windows 7 x64, without installation of KB2952664, the action for task ProgramDataUpdater (located in Microsoft\Windows\Application Experience) is
      %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate

      This configuration of ProgramDataUpdater can sometimes use significant CPU and disk resources.

      For Windows 7 x64, with installation of KB2952664, the action for task ProgramDataUpdater is
      %windir%\system32\compattelrunner.exe -maintenance

      This configuration of ProgramDataUpdater has always run very quickly in my tests.

    • #21457

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21456.]

      Interesting finding. I was convinced that without KB2952664 the ProgramDataUpdater task does not exist, but it appears that it is in fact modified by KB2952664.
      It is true though that compattelrunner.exe is installed by KB2952664 and used by at least 2 Scheduled Tasks.
      This is the process that keeps everyone from sleeping at night and is not subject to CEIP control, which is in fact documented, but not in plain English for everyone to understand.
      A lot of the big software companies make their money from Enterprise Support Contracts and not from software. 1 hour of support costs about 3 times or more compared to a retail license and most enterprises pay less than retail price for software due to volume savings.

    • #21458

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21435.]

      I’ve done two tests of whether a disabled Diagnostics Tracking Service is re-enabled when an update with Diagnostics Tracking Service is installed. In one of the cases, the update contained a newer version of Diagnostics Tracking Service. In both cases, the Diagnostics Tracking Service remained disabled after the update installed.

    • #21460

      There is another update which goes under the radar because it is superseded and, I think, was expired by Microsoft as being a “bad” update, but some people may still have it.
      A while ago I brought it to abbodi’s attention and he confirmed to me that my finding is correct.
      It is KB3022345.
      http://www.infoworld.com/article/2926179/microsoft-windows/microsoft-confirms-patch-kb-3022345-breaks-sfc-scannow.html

      Also see this article
      Update for customer experience and diagnostic telemetry
      https://support.microsoft.com/en-us/kb/3022345

      This update has been replaced by the latest update for customer experience and diagnostic telemetry that was first released on June 2, 2015. To get the update, see 3080149 Update for customer experience and diagnostic telemetry.

    • #21462

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21456.]

      So a good reason to install KB2952664 🙂

    • #21463

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21449.]

      @poohsticks

      In summary, I think MrBrian’s testing found that everything that Microsoft says in the description of all Scheduled Tasks is accurate.

      At minimum, to avoid telemetry, it is enough to do the following (assuming that all updates are installed, including KB2952664 and its update):

      Disable 2 scheduled tasks under Application Experience:

      – Microsoft Compatibility Appraiser
      – ProgramDataUpdater

      Only those 2 tasks do not claim to comply with CEIP and they do not.

    • #21464

      This is the full list of “dubious” updates:

      Only desktop OS
      KB2952664 Compatibility update for upgrading Windows 7
      KB3150513 Latest compatibility definition update for Windows, follow up to KB2952664 which is pre-requisite
      KB3021917 Update to Windows 7 SP1 for performance improvements

      Common to Windows 7 and Server 2008 R2
      KB3022345 Update for customer experience and diagnostic telemetry
      KB3068708 Update for customer experience and diagnostic telemetry
      KB3080149 Update for customer experience and diagnostic telemetry

      The next one is here only because it comes up elsewhere, but it is not harmful by itself and there is no good reason to avoid it.
      KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7

    • #21465

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21464.]

      Thank you for the list :).

      Of the updates that you listed, these two I did not mention before in this blog post or its comments:

      1. KB3150513 – this can be considered definitions updates for KB2952664. The latest version of KB2952664 appears to contain newer versions of all of the files in KB3150513.
      2. KB3022345 – this isn’t available in the catalog anymore, although as you said some may still have this update installed.
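An added example (not code from the thread) that turns the list of “dubious” updates above into a read-only audit: it reports which of those updates are installed, how the two Application Experience tasks are configured, and the state of Diagnostics Tracking Service. The task action distinguishes a pre-KB2952664 ProgramDataUpdater (rundll32.exe aepdu.dll) from a post-KB2952664 one (compattelrunner.exe -maintenance) as described in post #21456. Assumptions: Windows 7 x64 with the built-in PowerShell 2.0, English-locale schtasks output; nothing is modified.

```powershell
<#
  Added example, not code from the AskWoody thread. Read-only audit of the
  "dubious" updates and of the telemetry gatherer tasks and sender service.
  Assumptions: English-locale schtasks output ("Scheduled Task State" and
  "Task To Run" columns); runs on Windows 7 x64 with PowerShell 2.0.
#>

$DubiousUpdates = 'KB2952664','KB3150513','KB3021917','KB3022345','KB3068708','KB3080149','KB3075249'
$TaskFolder     = '\Microsoft\Windows\Application Experience\'
$TelemetryTasks = 'Microsoft Compatibility Appraiser','ProgramDataUpdater'

function Get-DubiousUpdateStatus {
    # Get-HotFix reads Win32_QuickFixEngineering, the same data "Installed Updates" shows
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $DubiousUpdates) {
        New-Object PSObject -Property @{ Update = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-TaskInfo([string]$TaskName) {
    # One verbose schtasks row for the task, or $null if it does not exist
    $csv = & schtasks.exe /Query /TN $TaskName /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    @($csv | ConvertFrom-Csv)[0]
}

function Get-TelemetryTaskStatus {
    foreach ($name in $TelemetryTasks) {
        $info = Get-TaskInfo ($TaskFolder + $name)
        if ($info -eq $null) {
            New-Object PSObject -Property @{ Task = $name; State = 'not present'; Action = ''; Note = '' }
            continue
        }
        $action = $info.'Task To Run'
        $note = if ($action -match 'compattelrunner') { 'post-KB2952664 action' } elseif ($action -match 'aepdu\.dll') { 'pre-KB2952664 action' } else { '' }
        New-Object PSObject -Property @{
            Task = $name; State = $info.'Scheduled Task State'; Action = $action; Note = $note
        }
    }
}

function Get-DiagTrackStatus {
    $svc = Get-Service -DisplayName 'Diagnostics Tracking Service' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Diagnostics Tracking Service: not present' }
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    'Diagnostics Tracking Service: state {0}, start mode {1}' -f $wmi.State, $wmi.StartMode
}

Get-DubiousUpdateStatus | Format-Table Update, Installed -AutoSize
Get-TelemetryTaskStatus | Format-Table Task, State, Note, Action -AutoSize -Wrap
Get-DiagTrackStatus
```

The Note column is what decides which of the earlier advice applies: a machine showing the pre-KB2952664 action for ProgramDataUpdater is in the Step III situation (consider disabling that task for resource reasons), while one showing the compattelrunner.exe action has KB2952664 and should look at Actions 1 to 3.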

    • #21466

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21462.]

      In my tests, in regards to CPU and disk resources, task Microsoft Compatibility Appraiser (from KB2952664) is worse than pre-KB2952664 task ProgramDataUpdater.

    • #21467

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21463.]

      Here is the full list of what I found for Windows 7 x64 that violates the operating system’s Customer Experience Improvement Program setting:
      1. Pre-KB2952664 task ProgramDataUpdater (but not post-KB2952664 task ProgramDataUpdater) can use significant CPU and disk resources.
      2. Task Microsoft Compatibility Appraiser (from KB2952664) can use significant CPU and disk resources.
      3. Diagnostics Tracking Service sends some data to Microsoft after task Microsoft Compatibility Appraiser runs, although a lot less than compared to when the operating system’s Customer Experience Improvement Program setting = Yes.

    • #21468

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21441.]

      Documentation from Microsoft supports this. From “Configure telemetry in your organization” (https://technet.microsoft.com/en-us/library/mt668436(v=vs.85).aspx):
      “How is the data gathered?

      Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.

      1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.

      2. Events are gathered using public operating system event logging and tracing APIs.

      3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.

      4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.”

      Note: Diagnostics Tracking Service was renamed to Connected User Experience and Telemetry in newer operating systems.

    • #21469

      @MrBrian

      I don’t see any mention of KB3150513 in your tests. This is an update to KB2952664 definitions for Application Compatibility and should be installed to make the testing fully relevant.
      However, I am not expecting different conclusions at all, as this update appears to only provide definitions and no change of functionality.
      KB3150513 is an update for Windows 10 as well and I assume that the KB2952664 functionality is already built in Windows 10.

    • #21470

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21467.]

      Excellent findings and definitive conclusions I would say!
      This post should be made a sticky under the new lounge if Woody agrees.

      1 user thanked author for this post.
    • #21471

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21470.]

      Absolutely. Great Knowledge Base material.

      1 user thanked author for this post.
    • #21472

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21469.]

      The latest version of KB2952664 appears to contain newer versions of all of the files in KB3150513 (by file date and file sizes, since there are no version numbers in these files).

    • #21473

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21472.]

      As far as I know, KB3150513 is getting installed on top of the latest version of KB2952664. I don’t know if the supersedence metadata is incorrect or not in that case.

    • #21474

      [Edit by MrBrian on May 21, 2017: This post is in response to post #21473.]

      I installed KB3150513 from the catalog after KB2952664 (latest version as of a few weeks ago) was installed. KB3150513 installs an older version of component Microsoft-Windows-Application-Experience-Inventory.Data that KB2952664 also installs. The files in the newer version of the component from KB2952664 continued to be the active files.

    • #95865

      Microsoft’s Windows Analytics blog (https://blogs.technet.microsoft.com/upgradeanalytics/) may have information of interest about some of the “bad” Windows updates covered in this thread.

      More information from Microsoft about Upgrade Analytics is at “Manage Windows upgrades with Upgrade Analytics” (https://technet.microsoft.com/en-us/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics). “Get started with Upgrade Analytics” (https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started) contains this interesting information:
      “If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.

      KB3080149

      […]

      Install the latest Windows Monthly Rollup. This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.”

    • #101469

      OK, did some test today (around 40 minutes on each step):

      1. fully updated 8.1 (important + recommended) – CEIP off

      2. fully updated 8.1 (important + recommended) – CEIP on

      3. KB3080149, KB2976978 & KB3044374 uninstalled, CEIP off

      Results are in the table below – seems like uninstalling telemetry updates does not have any effect on data gathered:

      ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
      1 user thanked author for this post.
      • #106618

        Task Microsoft Compatibility Appraiser by default runs once a day.

        • #106624

          Task Microsoft Compatibility Appraiser by default runs once a day.

          The above results were from 40 minutes – was I “lucky” enough to trigger the process within this window?

          ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
          • #106626

            Probably not. You can check in Task Scheduler: Task Scheduler (Local) -> Task Scheduler Library -> Microsoft -> Windows -> Application Experience. What I did during testing was manually run task Microsoft Compatibility Appraiser.

    • #106617

      Version 22 of KB2952664 was made available as an update of Optional status on March 7, 2017, and as an update of Recommended status on March 14, 2017.

      1 user thanked author for this post.
    • #106679

      Just wanted to say excellent work to Brian and anyone else who contributed to these tests. I love learning new stuff about Windows and used these test results to uninstall several updates among other things. Great work.

      1 user thanked author for this post.
    • #106808

      From Get started with Upgrade Readiness:

      “When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the Windows Compat Appraiser task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.”

      When task Microsoft Compatibility Appraiser runs for the first time, it does a full scan.

    • #107381

      More test results will be posted soon, including one that surprised me!

      For the record, before today (April 9, 2017) these versions of these standalone Windows updates were used:

      KB2952664 version 20 – digitally signed Sept. 12, 2016.

      KB3021917 – digitally signed Jan. 9, 2015.

      KB3068708 – digitally signed May 27, 2015.

      KB3080149 – digitally signed July 23, 2015.

      Starting today (April 9, 2017), I will be using KB2952664 version 22, digitally signed Feb. 23, 2017, unless otherwise noted.

      2 users thanked author for this post.
      • #167756

        I see that I never posted the test results. If I recall correctly, the big reveal was that if Windows Customer Experience Improvement Program is turned on, and KB2952664 is installed, then KB2952664 telemetry will be sent to Microsoft even if Diagnostics Tracking Service is not installed.

        3 users thanked author for this post.
    • #108230

      Packet Captures Filtered by Process
      Published: 2017-04-13
      Last Updated: 2017-04-13 02:55:10 UTC
      by Rob VandenBrink (Version: 1)

      Already you’re thinking, did I read that right? The answer is nope, you absolutely can capture by Windows Process, just not with Windump or Wireshark. A while back I wrote a short diary about using NETSH to capture packets ( https://isc.sans.edu/diary/19409 ), and this story builds on that one.

      A quick recap – to capture packets using NETSH, for a basic capture you’d do something like:

      netsh trace start capture=yes tracefile=c:\temp\trace.etl

      Then to stop the capture, execute:

      netsh trace stop

      Read More:
      https://isc.sans.edu/forums/diary/Packet+Captures+Filtered+by+Process/22296/

      1 user thanked author for this post.
    • #111315

      “here are IP addresses or DNS endpoints that seem to be associated with telemetry for new Windows updates from the past few years” – see https://www.askwoody.com/forums/topic/is-the-group-b-approach-of-installing-security-only-updates-still-viable/#post-111012.

    • #117855

      I researched whether KB3068708 and KB3080149 should be avoided for those in Group A. I installed KB3068708 and KB3080149 on a Windows 7 x64 virtual machine that was Group A updated on May 12, 2017 except for KB2952664, KB3021917, KB3068708, and KB3080149.

       

      I used program SysTracer to list file system changes from before KB3068708 and KB3080149 were installed to after KB3068708 and KB3080149 were installed.

      Results (only file system changes that I found interesting are listed):

      In c:\Windows\System32\

      diskperf.exe
      old: v6.1.7600.16385 19,456 bytes
      new: v6.1.7601.18869 19,456 bytes

      logman.exe
      old: v6.1.7601.17514 104,448 bytes
      new: v6.1.7601.18869 104,448 bytes

      relog.exe
      old: v6.1.7601.17514 43,008 bytes
      new: v6.1.7601.18869 43,008 bytes

      sechost.dll
      old: v6.1.7600.16385 113,664 bytes
      new: v6.1.7601.18869 113,664 bytes

      tdh.dll
      old: v6.1.7601.18247 859,648 bytes
      new: v6.1.7601.18939 879,104 bytes

      tracerpt.exe
      old: v6.1.7600.16385 404,992 bytes
      new: v6.1.7601.18869 404,992 bytes

      typeperf.exe
      old: v6.1.7600.16385 47,104 bytes
      new: v6.1.7601.18869 47,104 bytes

      In c:\Windows\SysWOW64\

      (same 7 files changed as in c:\Windows\System32\)


      I used program Autoruns to list autorun changes from before KB3068708 and KB3080149 were installed to after KB3068708 and KB3080149 were installed.

      Results:

      sechost.dll changed in c:\Windows\System32\ and c:\Windows\SysWOW64.


      Conclusion:

      In my opinion, those in Group A should install KB3068708 and KB3080149.


      P.S. The file description for tdh.dll is “Event Trace Helper Library.”

      • #118281

        Of the 7 “interesting” changed files (from a baseline of almost fully patched in May 2017), 6 files had the same size after as before. Perhaps nothing important changed in those 6 files.

        The one “interesting” changed file that did have a change in file size was tdh.dll, which has a file description of “Event Trace Helper Library.” One of the fixes listed for KB3080149 is: “Fixes an occasional event decoding issue in the Trace Data Helper (TDH) TdhGetEventInformation function that caused Event Tracing for Windows (ETW) events created by using the .NET Framework 4.6 or ILoggingChannel Interface to decode incorrectly.” Another of the fixes listed for KB3080149 is: “Reduces the network connections on a Windows system that doesn’t participate in the Windows Customer Experience Improvement Program (CEIP).” I don’t know which older version(s) of tdh.dll have these issues. On my test system, KB3068708 also installed a version of tdh.dll (v6.1.7601.18869) that was newer than the May 2017 baseline’s tdh.dll (v6.1.7601.18247). I don’t know why Microsoft didn’t include either of these newer versions of tdh.dll in a Windows monthly rollup.

      • #118312
        1 user thanked author for this post.
    • #129956

      There may be evidence that newer versions of the Windows Update client for Windows 7 have switched to using Diagnostics Tracking Service to transmit Windows Update telemetry. Evidence: the names of many of the newer functions in Windows Update client for Windows 7 are associated with Diagnostics Tracking Service.

      Also see Update Services Privacy Statement.

    • #117244

      I just searched for the meaning of CIT and that can mean Customer Interaction Tracker, so likely miscellaneous telemetry/data about your usage was captured and updated by Windows.

      1 user thanked author for this post.