How much telemetry is going out with this month’s “Security-only” Win7 patch?

Topic

New Reply

Interesting question from Susan Bradley: https://twitter.com/SBSDiva/status/1156433770750205952 Faucet drip level – or firehose? Anybody want to take
[See the full post at: How much telemetry is going out with this month’s “Security-only” Win7 patch?]

2 users thanked author for this post.

Elly, FakeNinja

Reply | Quote

Replies

Is the telemetry going to be in the group A monthly roll up or group B, or both ?

Reply | Quote

The telemetry (KB2952664 functionality = Compatibility Appraiser) was rolled into the Rollup Preview in Sept. 2018 and into the Monthly Rollup in Oct 2018 – has been there for a while.

The July 2019 Security-only Update (Group B) is the first time (that we know of) that the Compatibility Appraiser has been included int the (no longer) Security-only patch.

6 users thanked author for this post.

Elly, bifido, ebrke, FakeNinja, bobcat5536, woody

Reply | Quote

[BobT]

Thanks for the investigation, but any amount is “too much” in a SECURITY ONLY patch.

Stopped installing patches from June, and no this kinda stuff actually puts me off moving to Windows 10 even more..

Don’t care what they think and what their EULA says, my PC is my PERSONAL COMPUTER, I say what goes on it, and dodgy tricks make me even less likely to give enough trust to installing anything else.

FOr many of us, support has ended 6 months early.

• This reply was modified 3 years, 7 months ago by BobT.

11 users thanked author for this post.

wrangler, Elly, Kranium, ebrke, FakeNinja, des911, ek, lanceboil, HiFlyer, GreatAndPowerfulTech, bobcat5536

Reply | Quote

I agree with your sentiment, but want to establish that we’re seeing more than just the ability to send telemetry and the scheduled tasks to make it happen (both of which are known to be included in the July “Security-only” patch).

How big a beast are we talking about?

5 users thanked author for this post.

Elly, Chessie, ebrke, HiFlyer, bobcat5536

Reply | Quote

If telemetry is there to tell Microsoft that your machine didn’t blue screen Is that too much?  Seriously if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience why is that a bad thing?

As an aside I thought this wasn’t the first time telemetry updates were included in security updates but I’m trying to find that post.

You leak data on the web now.  Chrome leaks it.  Firefox leaks it.  It helps developers know when crashes are occurring and to fix their software.  Why is this evil?

 

Susan Bradley Patch Lady

4 users thanked author for this post.

rc primak, woody, des911, jabeattyauditor

Reply | Quote

See #1898757. Monthly Rollups are Security updates, but not Security-only updates.

1 user thanked author for this post.

walker

Reply | Quote

Susan Bradley wrote:

Seriously if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience why is that a bad thing?

@Susan, you are dreaming when you think that 1. Microsoft cares about its users. 2. That these are Microsoft’s real intentions for Telemetry. For example : why Microsoft does scan every media file on Windows OS and sends the list vis Telemetry? what does this has to do with “better” support ?
Microsoft knows exactly how many users use Office vs LibreOffice vs Google Docs vs… How many users use none. How many users use VLC vs MPC-HC vs… How many use OneDrive vs Google Drive vs iCloud…In short, Microsoft has each user’s list of software and this is worth $Billions to Microsoft and 3rd party software vendors with whom Microsoft shares its data.

7 users thanked author for this post.

rc primak, Elly, Kranium, ebrke, FakeNinja, des911, HiFlyer

Reply | Quote

I guess if they were little more transparent and announced that, it would be understandable somehow

btw, most added appraiser files are from Windows 10 build 18362 (1903)
why would Windows 7 need those to check current status?

you probably mean KB3121461, which was a security update for the Compatibility Appraiser (aka KB2952664, KB2976978)

3 users thanked author for this post.

woody, des911, HiFlyer

Reply | Quote

It would be nice if we had official reasons rather than guessing.  My guess – some enterprise who uses security only patches needs the data in their rollout/rollup to Windows 10 for analyzing if something is compatible.

Yes I do think that Microsoft cares about “users”.  Granted these days those “users” may be Enterprise users, but I know enough good people at Microsoft to understand and know that they aren’t inherently evil.  They have good intentions and good reasons.  Generally speaking and especially in the Security department they want to keep Microsoft customers safe.  They may (are) be heavy handed about it.

Susan Bradley Patch Lady

4 users thanked author for this post.

rc primak, Chessie, abbodi86, des911

Reply | Quote

I think an official announcement along the lines of “We’re starting to collect telemetry with Security-only patches because blah blah blah” would be a foregone conclusion.

Part of the problem with the debate over whether MS is benevolent or malicious is that MS isn’t a monolith. There are many, many, many good people at MS. Always have been. But some of the people who make the decisions don’t make the right decisions, some of the time.

It’s up to us cackling geese to raise the alarm.

7 users thanked author for this post.

rc primak, walker, Elly, rowrbazzle, Chessie, abbodi86, ebrke

Reply | Quote

As far as I know, Microsoft has never stated that they only collect telemetry on crashes and their causes. They’re too cagey to trust. As Reagan said, trust but verify. How do we do either with todays Windows?

GreatAndPowerfulTech

3 users thanked author for this post.

rc primak, ebrke, wdburt1

Reply | Quote

Big tech companies have a recurring habit of collecting more data than they need for their advertised reasons, and often more data than anyone would comfortably let them have (see recent topic on Apple and Siri). When caught out, they reply with an unconvincing “oops”.

4 users thanked author for this post.

rc primak, Chessie, ebrke, wdburt1

Reply | Quote

Susan Bradley wrote:

If telemetry is there to tell Microsoft that your machine didn’t blue screen Is that too much?  Seriously if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience why is that a bad thing?

As an aside I thought this wasn’t the first time telemetry updates were included in security updates but I’m trying to find that post.

You leak data on the web now.  Chrome leaks it.  Firefox leaks it.  It helps developers know when crashes are occurring and to fix their software.  Why is this evil?

 

You are completely missing the point.  If you are naive enough to trust a soulless giant corporation with your private data (and lets be clear, you have no idea what all they’re collecting on you, only vague descriptions of some of what it may be), fine.  Just give ME an option to turn it off.  Why is that so difficult?

10 users thanked author for this post.

rc primak, Elly, Kranium, lanceboil, ebrke, Sessh, FakeNinja, BobT, AlexEiffel, Bluetrix

Reply | Quote

The question is, can you tell us for certain that only “the machine did not blue screen” data was sent or an update install is completed successfully data was sent?

Why must Microsoft add telemetry to our “personal computers” when that telemetry can be added to the installation program itself to report if the install was performed successfully or not? Why isn’t there an opt-out to this computer related telemetry? Why is Microsoft so tight lipped about what is being sent and not more transparent?

These are questions we at Woody’s have. This is *why* we are at Woodys instead of some other forum that caters to these issues, finding justification with an “it’s only smoke, there isn’t any fire, keep working” response. Even Woody said “How big a beast are we talking about?” Thank you Woody, for thinking about that and wanting to know.

The whole concept of AskWoody is the attitude of, “I am not sure about that, let’s investigate”. When it is hard to get an answer or that answer is not clear, we start to wonder what is happening here. Reagan said, “trust but verify”. Our attitude is more like, “uuuhh I don’t know about that. Let me look into this.”

It is thanks to many AskWoody MVPs (PKC, Abbodi86, Microfix, Kirsty, etc.) and people like Günter Born, Martin Brinkman and others, that look deeper into what is taking place. This is why I wait for woody to give his advice and not anyone else.

I would prefer Microsoft act like Mozilla in that if there is a crash, it asks you if you want to send a crash report. That too can be turned off in a checkbox or a config file.

And yes Google Chrome does have a lot of telemetry and makes it harder to delete browsing history, so that is why I don’t use it.

5 users thanked author for this post.

rc primak, Elly, Kranium, Chessie, ebrke

Reply | Quote

Susan: It’s a bad thing if don’t choose to send it. It’s also a bad thing if any system resources are used to collect it if I don’t want to allow it. And it’s definitely a very bad thing if it happens for any other purpose than a crash and includes anything other than data strictly relevant to the crash. And the compatibility appraiser seems to have nothing whatsoever to do with collecting crash data.

— Cavalary

5 users thanked author for this post.

rc primak, Elly, Kranium, ebrke, FakeNinja

Reply | Quote

I really don’t buy this argument. Microsoft doesn’t just collect information about whether or not you get a blue screen or not, they collect information about what processes that caused it, meaning they will know what programs I have open, do you want them to have this information? Because I don’t. They also collect memory dumps meaning they can even see at least fractions of what we are doing on our computers. Are you okay with this? Is it okay because “oh everyone else does it as well”? You are aware that Microsoft has shipped operating systems before Windows 10 without using telemetry that turned out very stable, right? The difference now is that they earn money from their users data, back in the XP/7 days, Microsoft relied on people buying their products, now they are literally giving it away for free, and if you use a pirated copy, nothing even happens, because they earn money from you anyway.

2 users thanked author for this post.

rc primak, ebrke

Reply | Quote

And it hasn’t been investigated.  I don’t have a security only Windows 7 to test this on ergo my question.  Everyone is up in arms that there’s telemetry patching in the July updates…but are they really sending data back?

In this era of fake news, let’s get facts.

Susan Bradley Patch Lady

5 users thanked author for this post.

rc primak, woody, Pepsiboy, des911, jabeattyauditor

Reply | Quote

I’m in the same boat – I don’t have a machine (or even a VM) set up with Security-only patches…

Reply | Quote

Doesn’t matter. If those files and tasks appear after the update and they weren’t there before, it’s not a security-only update, because their presence is not required to plug a known security vulnerability, it’s data collection tools sneakily shoved down the throats of those specifically wanting to avoid them.

3 users thanked author for this post.

rc primak, Elly, ebrke

Reply | Quote

We don’t know. But, since we don’t know, it only makes sense from a security perspective to assume the worst. And thus those who are security minded are going to go out of their way to block the telemetry.

If Microsoft would be transparent, providing both a statement on what they are collecting and why, and a way to verify at least the first part, it would work out a lot better.

There’s also the fundamental issue of not providing what was promised. These were supposed to be security-only updates. as such, no telemetry should be included in that. Security-only means nothing but security.

If they felt they needed telemetry for some sort of security purpose, it still would be proper for it to be a separate update, since what was promised in the security-only updates was the ability to maintain the previous “install what you need” paradigm.

When you’re breaking promises and bundling unwanted “features,” that goes a long way towards eroding trust.

And if you don’t trust Microsoft, then you don’t want them collecting telemetry. You want to cut out the very possibility they can do so.

Reply | Quote

If that telemetry is in a Security Only update then I’m skipping that update and on to the next month where if there is more telemetry in any Security Only update that  update will get skipped as well.

Security Only updates need to be Security Only and any patches of any telemetry related code needs to be made in a different KB/patch. Folks doing the Security Only Patching for Windows 7, and 8/8.1, are doing so for the very reason that there are Security Only patching options.

And there should be no plausible deniability from MS that appears to be cheating the Security Only update system by stating that the telemetry code itself needs a security patch and then shoving a full blown telemetry update down the end users’ throats in the name of “Security”! Folks doing the security only patching should never need to patch what by the very definition of Security Only should never have been installed on their systems with MS “needing” to patch any telemetry code that should never be present if the user has been following that Security Only updating system closely since fall 2016.

2 users thanked author for this post.

Kranium, ebrke

Reply | Quote

Worth noting that many of these observations are addressed in

https://www.computerworld.com/article/3216425/microsoft-patch-alert-welcome-to-the-upside-down.html

4 users thanked author for this post.

rc primak, Elly, Pepsiboy, des911

Reply | Quote

My Win7 computers are Group B. I will do my weekly backups Friday night. Then I will install and test the July security only update.

6 users thanked author for this post.

Bill C., Elly, ebrke, woody, des911, SueW

Reply | Quote

Looking forward to the report!

If the telemetry’s just a trickle, I’m OK with the result – but not with the sneaky way it was distributed.

If it’s a full-on fire hose — full Win7 telemetry — it’s a different story.

1 user thanked author for this post.

ebrke

Reply | Quote

? says:

thank you PatchLady,

who knows? microsoft collects “telemetry” from my IE “SmartScreenFilter” and MSE which i accept in return for their “protection” but baking whatever they really collect into a SECURTIY ONLY monthly patch is crossing a line (for me at least). maybe all the “data” collection is perfectly ok for millenial minded folks (don’t mean to offend) you know the ones who really don’t understand what is going on behind the curtain and\or don’t care as long as everything “works”. MrBrian (haven’t seen him for a while here) ran tests on “telemetry” a few years ago and reported it here at ask woody:

https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21435

so does it really matter how much?

2 users thanked author for this post.

Elly, ebrke

Reply | Quote

I do not run wireshark, but did a pre (and post) check on scheduled tasks when installing the security only July update for Windows 7. I reviewed the following scheduled tasks, those under PerfTrack, Customer Experience, and Application Experience. I had all tasks under those categories disabled. Post install I rechecked to see if any of the tasks were re-enabled. Nothing was re-enabled under PerfTrack and Customer Experience. Two items under Application Experience were re-enabled 1) Compatibility Appraiser and 2) Program Data Updater (The AitAgent under App Experience remained disabled) I re-disabled the Compatibility Appraiser and Program Data Updater tasks and they remain disabled for now. Hope is somewhat helpful.

13 users thanked author for this post.

rc primak, RDRguy, GoneToPlaid, Elly, jburk07, ebrke, HiFlyer, woody, des911, David F, OscarCP, SueW, lanceboil

Reply | Quote

[L95]

I have Windows 7 and I’m not sure I’ll be able to disable the “new scheduled tasks” as recommended by Woody in his ComputerWorld DEFCON-4 posting of August 2, 2019.  This is because my Task Scheduler doesn’t seem to be working properly,  but I don’t know for sure,  because I’ve never used Task Scheduler before.   I contacted Woody by e-mail, and he responded that PKCano is his expert on this, and that I should post my problem on the website.  When I opened up Task Scheduler for the first time (and all subsequent times), it says “The selected task “0” no longer exists. To see the current tasks, click refresh”. But when I click “refresh”, I get that same message all over again. Also, I’m not able to follow the instructions of AJNorth of August 3, 2019  at 10:31 PM shown in the postings in the DEFCON-4 topic at  https://www.askwoody.com/forums/topic/ms-defcon-4-time-to-get-the-july-2019-patches-installed   because the word “Microsoft” does not appear in the white rectangular box on the left as AJNorth says it should. The only thing that appears in that box is the Task Scheduler Library. When I expand the Library, it contains four scheduled tasks, all of which appear to be associated with updating my antivirus program, Adobe Reader, and Google Chrome browser. But I don’t see any of the things discussed by AJNorth on August 3rd. However, I haven’t installed KB4507456 yet, and so maybe they will appear once I install KB4507456. But I’m hesitant to install KB4507456 until I’m sure the Task Scheduler is working properly. So can someone please give me some advice on what I should do? I’m hoping that PKCano can respond, because Woody says he’s an expert on this.

• This reply was modified 3 years, 7 months ago by L95.

Reply | Quote

Please create a topic under the “Questions Windows 7” Forum.
Title it something like “How do I use Task Scheduler in Windows 7?”
Include information how you have been patching (Group A or Group B)
And explain what you need to use Task Scheduler for.

Giving you the instructions would be off topic in this thread.
We can answer your questions there.

2 users thanked author for this post.

L95, Elly

Reply | Quote

Thanks,  PKCano.   I did as you suggested,  and posted it in the Windows 7 Questions Forum.   I will appreciate if you could respond there.

1 user thanked author for this post.

woody

Reply | Quote

Is this type of alternative a solution to the telemetry vs vulnerability conundrum?

https://0patch.com/

Reply | Quote

0patch is a great company, and everything I’ve seen from them works well, but…

(You knew there would be a “but,” right?)

Installing one-off patches from non-Microsoft sources is inherently risky. You need to decide for yourself if that risk is greater than the risk of  installing the Microsoft patch (when it eventually appears) or not patching altogether.

2 users thanked author for this post.

rc primak, geekdom

Reply | Quote

Yeah, always a but.

Patch free here since spectre patches rolled out.

A 3rd party going to the trouble of putting out patches to avoid the microsoft ones speaks volumes, IF their intentions are honorable.

Reply | Quote

Susan Bradley wrote:

If telemetry is there to tell Microsoft that your machine didn’t blue screen Is that too much?  Seriously if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience why is that a bad thing?

As an aside I thought this wasn’t the first time telemetry updates were included in security updates but I’m trying to find that post.

You leak data on the web now.  Chrome leaks it.  Firefox leaks it.  It helps developers know when crashes are occurring and to fix their software.  Why is this evil?

 

I get what you are saying, and maybe 20 years ago it would be passable.  But not in today’s world.

Just because so many entities on the web currently leak & slurp up user data doesn’t mean consumers should just relent and let it happen to them.  In fact the notion of “user data rights” is enjoying growing public support, evidenced by what Facebook/Google/Apple/etc are dealing with right now.  MS should be on that list too, as they seem to be flying under consumer privacy/data radar since Win 10 launched.  I remain hopeful.

Regardless of operating system, I require the option to turn updates on/off whenever I wish and opt out of telemetry for as long as I want.  Nothing less.

 

4 users thanked author for this post.

rc primak, Kranium, ebrke, AlexEiffel

Reply | Quote

To be honest, Microsoft was possibly going to have to include some of those parts at some point. As in if they ever found any security issues in the telemetry components.

Because, the security-only patch also needs to apply to installations that already have installed one of the intermediate rollups with telemetry but not the latest rollup.

The right thing would’ve been to only update those parts IF the telemetry base component was already installed, and not change enable/disable state, but…

1 user thanked author for this post.

AlexEiffel

Reply | Quote

[BobT]

Susan Bradley wrote:

If telemetry is there to tell Microsoft that your machine didn’t blue screen Is that too much?  Seriously if a level of telemetry is there to give MS feedback on the quality of updates so that you don’t have to suffer through bad updates and even worse support experience why is that a bad thing?

As an aside I thought this wasn’t the first time telemetry updates were included in security updates but I’m trying to find that post.

You leak data on the web now.  Chrome leaks it.  Firefox leaks it.  It helps developers know when crashes are occurring and to fix their software.  Why is this evil?

 

It’s evil because of the sneaky way of doing it, and MY COMPUTER, MY CHOICE. I do absolutely agree with finding out just how much though (even though any amount is “too much”), as knowledge is power.

Hypothetically, I’m sure the benevolent company Amazon would just love to “assess” my house to ensure a “smooth delivery experience” too, of course how nice and non-evil of them it would be to help me out with that, all off their own backs, if they gave me the option (and made it VERY clear what it entailed) then, no problem. (I’d say no, but still).

However, it would be another story altogether if the next time I had a delivery from them, their deliveryman forged a key to my house (unbeknown to myself), and then let themselves in while I was out or upstairs, having a good snoop round, categorising everything, taking pictures, sending it all back to Amazon HQ for them to sort through and optimise my deliveries and make sure no delivery man would ever hurt himself coming to my door etc (though how the contents of my house would affect that, no idea, but besides the point, it’s all to help me of course!).

Everyone else is doing it too! Rando’s peeping in my windows, and burglers would just break in if they wanted as well, so what’s wrong with Amazon doing the same, eh? The couple down the street don’t mind at all, too, they even installed Amazon cameras inside their house as well! So why should ‘I’ feel any different? It’s just what everyone’s doing now, so that makes it ok!

Now I’d probably just be paranoid if I thought they’d really sent all that data off to a foreign country (with potentially untrustworthy staff) to be manually examined and sorted through. The type of door and lock I have, whether I have steps or not, and everything inside my house of course. I’d likely especially be paranoid if they were found to then be selling all that information on to advertisers and who knows what dodgy company. But nahh, they couldn’t possibly only be focused on MAKING MONEY from this sort of thing could they?

…Could they?

“The Sun discovered earlier this week that an English-speaking Amazon team in Bucharest, Romania, monitors thousands of Alexa recordings — and has heard private moments including family rows, money and health discussions — and couples “making love”.”
https://www.mirror.co.uk/tech/amazon-staff-listen-users-having-18798294

“Amazon reportedly employs thousands of people to listen to your Alexa conversations.”
https://edition.cnn.com/2019/04/11/tech/amazon-alexa-listening/index.html

“Ring used its Ukrainian “data operators” as a crutch for its lackluster artificial intelligence efforts, manually tagging and labeling objects in a given video as part of a “training” process to teach software with the hope that it might be able to detect such things on its own in the near future.”
https://theintercept.com/2019/01/10/amazon-ring-security-camera/

Erm.. Well I’m sure it’s not for evil purposes!

“At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable.”

…Oh.

Either way even if Amazon were being absolutely benevolent and ONLY using all this data to “help my experience”, it’s besides the point isn’t it, because it’s MY HOUSE! It’s not up to some random company to decide what is “ok” or “not evil” when it comes to invading my privacy, and tampering with my own personal possessions or data without my knowledge, or worse, explicitly telling me they’re NOT doing so (“Security ONLY”), but then doing it anyway.

So in conclusion the actual result matters not (though thanks for investigating anyway), it’s the principle that matters. Why do people trust corporations so much with their own personal stuff? I grew up being told to never share your personal info or real name etc online, and now everything “encourages” you to do so, as well as loads of other personal stuff, all for “benevolent” reasons, of course.

Either way, my house, my personal computer, my data. Give me a very clear and transparent OPTION, or get out.

• This reply was modified 3 years, 7 months ago by BobT.

6 users thanked author for this post.

rc primak, Bill C., Elly, Kranium, David F, ebrke

Reply | Quote

Who cares if it’s a foreign country. We have plenty to worry about if the recipients of snooped data are our fellow Americans!

-- rc primak

Reply | Quote

To address this posted by Susan Bradley:

As an aside I thought this wasn’t the first time telemetry updates were included in Security updates

I have four computers running Windows 7 and have done security only updates since bundling started in October 2016. I have yet to install July 2019 and probably will not. Looking in services, there is no telemetry listed. So telemetry was never put into security only updates.

Got coffee?

5 users thanked author for this post.

Elly, des911, ebrke, woody, PKCano

Reply | Quote

Yep. That matches everything I’ve heard.

We also know that the July Security-only patch installs the plumbing – and we weren’t warned. (I think that’s unconscionable.)

The big question is whether the plumbing is hooked up to Microsoft, whether data’s being sent. Still don’t know yet, but I’m hoping GoneToPlaid’s test will tell us.

3 users thanked author for this post.

walker, Elly, des911

Reply | Quote

Looking in services, there is no telemetry listed.

Microsoft is not simple. Given the kinds of information which could be collected, Microsoft would not normally put all methods into a service module named Telemetry. Microsoft favors use of diverse fancy obscure terminology for the telemetry service names and programs.

In the future if a service name Telemetry does show up the result will be worth a long discussion beginning with a question, ‘Is it really legitimate software from Microsoft?’

1 user thanked author for this post.

EstherD

Reply | Quote

I have had CEIP and other tasks disabled since the GWX and other telemetry info surfaced. I found it has not transmitted data, HOWEVER, it has run scans as indicated in the task manager. The way to disable the scans it to disable the triggers in the task properties. As such, my AIT and CEIP now show the last scans were in 2017 and 2016 respectively.

Way back after I removed GWX and its partners in crime, I also searched for the related files and storage locations (for Appraiser data, etc.) and deleted those locations and files.

Once I read GoneToPlaid’s report, I may try the July 2019 SO patch and see what it changes, and/or what it actually adds, since I do not have the GWX beginnings (removed) and never installed any of the following telemetry or appraiser updates and patches.

I do see Susan Bradley’s points, but whenever I have looked at a crashdump file using a text editor, I always found readable text from whatever I had open on my machine. It also included file names, dates and file locations. Due to that, and the fact that I never got any feedback from the reliabilty monitor, I turned off the crash reporting even before GWX and telemetry.

7 users thanked author for this post.

rc primak, jburk07, Elly, SueW, des911, ebrke, woody

Reply | Quote

I appreciate the information on this subject available here. I maintain a win7 laptop for an elderly parent, but don’t use windows OS myself and need a good source of info. Reason I stopped using windows 15 years ago relates to the beginnings of the issues being debated here. I moved to another OS after win2K.

Reply | Quote

I’m not in group “B”, yet this IS troubling.

IS MSFT evil? Depends on your time frame.

Back in the day (Gates1.0, pre-Melinda)  when they were paying retail outlets NOT to install Netscape, and was engaging in other anti-competitive practices, I’d have a hard time saying no.

These days, they seem less malignant, but more disregardful of the home or small biz user.

IS neglect and carelessness a form of bad behavior? Grist for the mill.

In the meantime, I’m waiting to see what tattletale stuff is in the July Rollups…(puts on helmet, dives into trench)

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

2 users thanked author for this post.

jburk07, Myst

Reply | Quote

It looks like Microsoft is also introducing new telemetry in the July Windows 7 Rollup (KB4507449).  I installed the update on 7/31/2019, and the day after I noticed CompatTelRunner.exe running on my PC for the first time ever.

I see that I now have a version of CompatTelRunner.exe dated 06/12/2019.  There were two new scheduled tasks in the Microsoft Windows Application Experience folder called Microsoft Compatibility Appraiser and ProgramDataUpdater.  I disabled both tasks.

2 users thanked author for this post.

jburk07, des911

Reply | Quote

The telemetry has been in the Monthly Rollups since Oct. 2018. That is when MS added the KB2952664 functionality to the Rollups. If you have been patching Group A, maybe you just haven’t noticed it before.

4 users thanked author for this post.

alpha128, woody, Chessie, des911

Reply | Quote

[alpha128]

PKCano wrote:

The telemetry has been in the Monthly Rollups since Oct. 2018. That is when MS added the KB2952664 functionality to the Rollups. If you have been patching Group A, maybe you just haven’t noticed it before.

I took steps to disable telemetry on 10/07/2018 when I installed the rollup you’re referring to. My most recent .etl file is from that date.

I also remember either disabling or deleting the scheduled tasks at that time. Apparently the 2019-07 rollup (KB4507449) reinstated them.

Believe me, if CompatTelRunner.exe had been running since October 2018, I would have noticed it long before now.

• This reply was modified 3 years, 7 months ago by alpha128.

Reply | Quote

The Rollups are cumulative. What was Oct 2018, was in Nov 2018, and Dec 2018…… and June 2019.
They didn’t put it in one month, then take out the next.
The Compatibility Appraiser has been there.
See @abbodi86 ‘s post #1873305.

abbodi86 wrote:

The monthly rollup had been carrying already
the “Unified Telemetry Client” since since October 2016 preview rollup, and the “Compatibility Appraiser” since September 2018 preview rollup

security-only update KB4507456 only have the second payload (Appraiser)

Reply | Quote

Scenario tested

– Windows 7 Professional x86, VMware Workstation

– Installed updates: KB4507456 (July security only), KB4474419 (SHA-2 signing support)

– Monitoring program: Telerik Fiddler (Wireshark is too noisy and cannot decrypt SSL/TLS traffic anyway)

– Result
https://m.put.re/VyY91zNs.zip

registry files represent the changed/added values after running the schedule tasks (Amcache.reg contain most info about installed devices, programs, drivers…)

AppCompat folder is deducted copy of C:\Windows\AppCompat to show the gathered binary files

SessionsFiddler.saz is the traffic capture file
you can load it in Fiddler program for easy reading and analysis
or just rename it as .zip file and extract it, open _index.htm, then press on the C, M, S links on the left (C for client request, S for server response)

the first 5 sessions “settings-win.data.microsoft.com” are the requested telemetry settings

the other sessions “vortex-win.data.microsoft.com” contain the data sent to Microsoft (the most interested part of the test)

a quick read of the sent data reveal that at least 95% are ment to measure the OS compatibility to upgrade to Windows 10
but i didn’t see any too “personal” data included

so, to answer the topic question, the amount of sent data with KB4507456 telemetry components is not different from the rollup or the standalone superseded KB2952664

17 users thanked author for this post.

rc primak, RDRguy, jburk07, Lori, Elly, rowrbazzle, Bill C., SueW, bifido, AlexEiffel, plodr, Chessie, woody, jabeattyauditor, des911, PKCano, Kirsty

Reply | Quote

? says:

great work, thank you abbodi86! i see the AppCompat folder is 4.1 MB, do you know how big the whole program is? system resources used by the program, also if not “upgrading,” to windowsX how this program enhances a windows 7 installation and if this program has any “security” value?
again, thank you for doing the work

1 user thanked author for this post.

des911

Reply | Quote

You can add about 4 MB for Amcache.hve and AlternativeAppraiser data cab file

the size will be a little different per system, depending on installed drivers and programs

CompatTelRunner.exe consume notable amount of resources the first time it runs, but the follow up runs almost not notable

i don’t know what would be the security value, but the collected data cover the CPU vulnerabilities (for spectre and meltdown)
and maybe other things, it’s hard to decode or understand all the data meanings

2 users thanked author for this post.

Chessie, des911

Reply | Quote

[abbodi86]

I forgot to mention that the test was made with default CEIP enabled

i now redid the test from clean status with CEIP disabled
the data is still collected, but i can confirm that nothing is reported or sent to vortex-win.data.microsoft.com

that’s a good thing, at least

• This reply was modified 3 years, 7 months ago by abbodi86.

11 users thanked author for this post.

rc primak, RDRguy, jburk07, Lori, rowrbazzle, Bill C., SueW, bifido, AlexEiffel, PKCano, des911

Reply | Quote

Thank you!

So you’re saying that by installing the July Security-only patch, your machine basically starts sending the same amount of telemetry that it would send if you installed the Monthly Rollup?

Reply | Quote

Yes, as long as CEIP is enabled

2 users thanked author for this post.

rc primak, woody

Reply | Quote

From @abbodi86 post above

“so, to answer the topic question, the amount of sent data with KB4507456 telemetry components is not different from the rollup or the standalone superseded KB2952664”

And, those in Group B avoided KB2952664 at the time (and since).

Maybe, Susan Bradley’s original question could be turned on its head. Is there anything in KB4507456 other than the telemetry that is of security value for GroupB?

4 users thanked author for this post.

Lori, Elly, Kranium, lanceboil

Reply | Quote

[abbodi86]

KB4507456 contain the security fixes for July 2019, of course it’s valuable and should be installed

it’s enough to turn off CEIP and disable the schedule tasks to avoid the telemetry thing included

• This reply was modified 3 years, 7 months ago by abbodi86.

12 users thanked author for this post.

rc primak, RDRguy, jburk07, Lori, OscarCP, rowrbazzle, Nibbled To Death By Ducks, SueW, Lars220, jabeattyauditor, PKCano, woody

Reply | Quote

? says:

again, thank you for your invaluable work. i do not want any of these added components in my win7 installations at the risk of missing the real security patches so i have cloned copies ready to install in the event of any catastrophic events between now and 1/2020. i will leave the data collection and protection to IE SmartScreenFilter and MSE…

Reply | Quote

“It’s enough to turn off CEIP and disable the schedule tasks to avoid the telemetry thing included.”

Abbod, Thank You 1000 times, may you live forever!!

It’s nice to know the whole thing can be killed by two simple actions, (one of which I  had thrown long ago), instead of port blocking, registry hacking, script running, a four-day fasting quest, Geomantic Incantations and running around the PC clockwise three times while holding a branch from a sacred oak tree while chanting, “Redmond, Washington, ooga-codswallop, rama-lama-ding dong”!

I think we should all get SOME kind of medal after all this, don’t you? (TWO medals with Galactic Clusters for Abbod.)

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

1 user thanked author for this post.

SueW

Reply | Quote

abbodi86 wrote:

it’s enough to turn off CEIP and disable the schedule tasks to avoid the telemetry thing included

Could you please clarify what you mean by “… disable the scheduled tasks …”? Do you mean run W10Tel.cmd (or alternatively perform the manual tasks described in AKB 2000003)?

Woody’s ComputerWorld article also states “… disable the new scheduled tasks.” and links to a post in this thread by Sueska (#1899427). Is Woody suggesting doing what Sueska did? Or does running W10Tel.cmd achieve the same thing (and possibly a lot more)?

Reply | Quote

Sorry, I meant AKB 2000012, not AKB 2000003.

Reply | Quote

W10Tel.cmd already do that and it’s enough

but for who want the manual limited way, these are the schedule tasks added/changed by Telemetry Appraiser:
“Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser”
“Microsoft\Windows\Application Experience\ProgramDataUpdater”

2 users thanked author for this post.

rc primak, TonyC

Reply | Quote

@abbodi86:  Without either the “CEIP and disable the schedule tasks” I don’t know yet what to do, if anything.  I’ve always kept anything extraneous away from the computer, so hoping I can bungle my way through this “mess”.  Thank you for all of the information you provide for all of us!

Reply | Quote

Years ago there was an article listing every service sending data to Microsoft from a Vista PC, long before Windows 7, 10 Telemetry. I am sure this type of data in being sent now as well, if not more.

https://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml

Reply | Quote

With nVidea video cards telemetry can be uninstalled using the RUNDLL32 and command. Can’t something similar be done with this Security Only patch or even with the Monthly patch?

A poster said, “…you can simply install nVidia drivers as normal. Once installed open an elevated command prompt and run the following:
rundll32 “%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL”,UninstallPackage NvTelemetryContainer
This will remove all telemetry, logs, services and tasks. I use it all the time now and it’s a very clean way of removing nVidia telemetry.” https://forums.geforce.com/default/topic/1056140/geforce-drivers/defeating-nvidias-telemetry/1/

So I ask if the same could be done for this patch?

If not, does anyone know the name of the EXE or DLL which causes the telemetry and could that file be deleted or renamed to prevent it from running?

Reply | Quote

[abbodi86]

You cannot remove OS components (whether inbox or added with updates) without breaking SFC integrity

however, you can simply turn OFF the Appraiser:

reg add HKLM\SOFTWARE\Microsoft\SQMClient\Windows /v CEIPEnable /t REG_DWORD /d 0 /f

schtasks /Change /DISABLE /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"

schtasks /Change /DISABLE /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater"

.

• This reply was modified 3 years, 7 months ago by abbodi86.
• This reply was modified 3 years, 7 months ago by abbodi86.

Reply | Quote

? says:

abbodi86,

since the dust has settled a bit, does it help to disable (edit) the triggers in the task scheduler for these? i have been disabling and (unticking) the triggers using the edit window for Application Experience, Autochk, CEIP and others since 2007 Vista era. i know the snooping patches simply reenable them anyway (learned the Surprise hard way) before i had help from askwoody and expert members like you!

Reply | Quote

It’s easier to disable the task at whole

Reply | Quote

? says:

thank you, abbodi86

i guess (they) can’t stop me from using the power off switch and taking a walk…

Reply | Quote

Thank you abbodi86 for the good information.

I do not have all the switches memorized and have always used either a .reg file or opening regedit and manually typing in. For the registry change, so one could use:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
“CEIPEnable”=dword:00000000

Also please look at this site. The poster has many items he is wanting to disable in Windows 10 and wanted a one click method. Some are interesting.
https://www.tenforums.com/general-support/74639-all-registry-commands-privacy-settings.html

Reply | Quote

Stopping Windows 10 telemetry is lost cause

4 users thanked author for this post.

Lori, rc primak, Elly, PKCano

Reply | Quote

I have two, clean, Group B Win 7 Ult machines available for testing. Both have CEIP disabled and all telemetry related stuff disabled or removed. All unnecessary OS/application services and tasks are disabled (e.g. Remote registry, Adobe LM).

In addition to disabling OS telemetry, I always disable telemetry for the following:

1) Firefox (portable)
2) Adobe (Reader, Flash)
3) nVidia (drivers)
4) Samsung Magician (really ticks me off)
5) MS Office (2010)
6) Intel (services, utils, etc.)
7) Norton Security (watching this closely)

I use an application firewall to block egress from specific applications/services (i.e. Windows gadgets, Media Player).

Since abbodi86 has already conducted some excellent research, I’m not going to duplicate his findings. I have completed a thorough machine state assessment and will do the same after installing KB4507456 and disabling any nasties I discover.

There are two, free, stand-alone tools that even the less experienced here can try for themselves:

1) Nirsoft TaskSchedulerView
http://www.nirsoft.net/utils/task_scheduler_view.html

This tool lists all scheduled tasks (including hidden) and allows one to save lists in both text and html table format. Run the tool as Admin or switch to Admin inside the app (click Help on menu bar). Generate pre-patch and post-patch lists. Use a diff tool to compare before and after for additions/changes.

2) Nirsoft RegistryChangesView
http://www.nirsoft.net/utils/registry_changes_view.html

With this tool, you can take snapshots of the registry pre and post patch and compare for changes.

Note:
Nir Sofer (Nirsoft) has been around for many years. He’s accessible and I can vouch for the integrity of his tools. Since his tools are low level, it’s possible that your anti-virus heuristics may trigger false positives (especially password tools and ProduKey) even though the apps are digitally signed. Quite a few tools require running as Admin.

Best of luck fellow Group B diehards.

– Carl –

5 users thanked author for this post.

Lori, GoneToPlaid, Elly, rowrbazzle, SueW

Reply | Quote

? says:

looking forward to your experiments. the Nir tools are cool, as usual and drill down in a hurry. Rick Corbett posted USBDview the other day. Another good tool with the right click show all. i especially enjoyed the go to .ini function. the only thing i didn’t enjoy was the new reg line after saving a snap and then comapiring it to current on the registychangesview unit. i’m freakish about having a squeeky clean machine and the unannounced snooping package kept me busy chasing all the changes when microsoft slipped it in a few years ago in one of the random KB’s. i found the changes during one of my random trips around the os, and was unpleasantly surprised to find all the extra telemetry running (that i had previously disabled and\or deleted.) i used to take the time to look through all the individual file lists in the update packages for stuff i knew i did not want prior to applying an update. then i got lazy. woody and company has made staying out of patch trouble so much easier especially after the super bundle in the jungle started in November ’16.

Reply | Quote

I couldn’t agree with you more.

Some claims made in other forums about the patch are highly suspect (e.g. registry reversal changes). I am concerned that MS may have injected undocumented hidden services, tasks, or event triggers. I’ll also be ticked if CEIP settings are no longer being properly respected. I know, tin-hat and all. But the fact that MS dropped telemetry into a security-only patch and its’ lack of transparency deserves our scrutiny.

I’ve become weary as of late regarding the practices of vendors.

Samsung Magician now installs telemetry that executes on every boot. During initial drive detection, it won’t work unless outbound connections are allowed. Although easy to disable, I only use it for OP and trim (Win 7), so why is this necessary?

The past few versions of Norton were dropping (tracking?) cookies upon almost every domain change. The latest version doesn’t do this, but there’s still small data drips being sent to Symantec servers on a continual basis while browsing. Is this a heartbeat or something more nefarious? Wireshark won’t help, well “because encryption”.

nVidia dropped the option to disable telemetry in Control Panel. Why? I refuse to use MS programming tools/IDE because I can’t agree to the draconian, privacy depriving TOS. And Firefox, while at least transparent, should provide a simple kill switch that disables all data/telemetry collecting settings and APIs. Don’t even mention the CCleaner debacle.

I’m tired of the endless diagnose, clean, rinse, repeat cycles one has to undertake to maintain privacy and security upon every patch, driver update, etc. I fear a nervous breakdown when I’m finally forced to use Win 10 on my daily driver due to simulation and photo editing applications that aren’t available natively on Linux.

– Carl –

Reply | Quote

? says:

thanks Carl! i’m burned out from wasting years working to keep a clean and properly running windows system. i’m also grateful for woody and all who help to achieve this goal since it is usually one stop shopping in order to know what new badness is coming down the pipe. prior to coming here i used to spend many hours trolling google trying to find solutions for the many and varied problems i’ve encountered running windows. i installed the July IE SO patch, the July MSRT (sans Heartbeat) and the July .Net rollup and called it good. i’m betting the added telemetry will be included for the remainder of win7’s monthly patches. i have noticed that my shutdown time is taking longer since installing the July patches and the Sunday MSE quick scans seemed to dewll in system32 longer than usual and was looking in Task Scheduler also. thanks again for the Nir tools they are great and i’ve been having fun running them.

Reply | Quote

Hello anonymous -Carl-, anonymous #1901560 here. Thank you for your comments and the NirSoft suggestions. I agree with you and hope you will reveal other ways to circumvent telemetry. I too use a 3rd party firewall and it does a fine job of stopping unwanted outbound data transmissions. I am curious to what others do to successfully eliminate telemetry for the July 2019 Security Only Windows 7 Patch.

You mentioned Firefox. I have an older version but this is supposed to be the “master switch” for telemetry and data archiving:
toolkit.telemetry.unified to false, stops telemetry and file/folders.
also
toolkit.telemetry.enabled to false
toolkit.telemetry.archive.enabled to false, stops file archive on hard disk.

Also see:
https://www.askwoody.com/forums/topic/telemetry-on-firefox/
https://www.askwoody.com/forums/topic/preventing-firefox-telemetry-data-collection/
https://www.askwoody.com/forums/topic/3000003-firefox-additional-security-telemetry-and-privacy-tweaks/

Thanks to all here.

Reply | Quote

? says:

about the “longer shutdown after july updates,” post# 1903240, after spotting shutdown errors (long times) in EventViewer>Diagnosis-Preformance I took a trip to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and the ClearPageFileatShutdown was set to 1 which equals on.

When I set the value to 0 and then ran CMD>GPUpate /Force and then refreshed the registry the value 0 held. Shutdown is now back to 1-2 seconds from desktop to black. So, it was probably operator error while performing post patch clean up routine, not one of the patches…

Reply | Quote

I’ve put the Win7 telemetry issue into the wastebasket. For now. I recently installed Norton360, which has a great firewall. I set the firewall to alert me when anything tries to access the internet and my computer.  After installing all the July updates, I got pop-ups from Norton throughout the process. There must have been six or seven windows files that wanted access. One was ‘NETBios and file sharing.’ ZAP! Blocked that one. Another was a program that clearly said ‘Telemetry’ within the name. ZAP! Blocked that one too. And a half dozen others that I didn’t feel were necessary to have internet access. The only thing I did allow was the MSRT, which I may still end up blocking since Norton can probably take care of that.

Seems to me that MS telemetry (read; data collection) practices can be (partially?) circumvented by simply using your firewall properly and configuring it to alert you. But if I’m overlooking anything, well …. that’s why we’re all here.

Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

"War is the remedy our enemies have chosen. And I say let us give them all they want" ----- William T. Sherman

1 user thanked author for this post.

bassmanzam

Reply | Quote

Windows 7 July  KB2952664 was a new install. It was an update to already installed feature.

Compatibility Appraiser
To see whether the July patch truly pushed a naughty bit onto Windows 7 users, I checked the status of one of my Windows 7 machines, which had last been updated on May 22, i.e. it has not been subjected to the July round of patches. Lo and behold, it had the exact same entries under the Task Scheduler as referenced in the latest series of articles.

So no, this wasn’t added in July – merely updated. For what reason? I do not know. However, these tasks do not do anything unless you’re opted-in the Customer Experience Improvement Program (CEIP). And you can check whether you’re opted-in the CEIP. By default, Windows 7 is NOT opted-in CEIP.

See the full article at:

https://www.dedoimedo.com/computers/windows-7-security-only-updates-telemetry.html

Reply | Quote

It’s not an update, Appraiser is completely different component that hijack the inbox Program Compatibilty Experience
this is the first time it’s added to security-only update

KB2952664 was changed to important update back in February 2018 with the Spectre/Meltdown mess

the schedule tasks do “collect” the data and appraise the installed programs, drivers
but the data is not sent unless CEIP is opted-in

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

Hi everyone,

In Task Manager, I now see two instances of Taskeng.exe. I don’t see them on my other Win7 computer. See the attached 01 image.

I see the same as @Sueska in Task Scheduler, yet I do see one additional item which I do not recall seeing before. See the attached 02 image.

I am going to leave these new things enabled to see what happens. So far, no telemetry is going out. Its not like KB2952664 which was sending stuff as I typed or every time I opened a program. It will be interesting to see what gets sent tonight after 3 AM.

Best regards,

–GTP

 

4 users thanked author for this post.

Lori, jburk07, samak, SueW

Reply | Quote

On two Win7 Group B computers, no data was sent to MS after installing the July security only update since the disabled CEIP settings were honored. I am simply going to disable these two tasks.

7 users thanked author for this post.

Lori, RDRguy, Bill C., jburk07, samak, SueW, abbodi86

Reply | Quote

Maybe this has some useful info for others, so for what it’s worth…

I have 3 nearly identical HP G62 64 bit Win 7 laptops.

I came late to the party only because I didn’t know about the awesome resources available here, but I probably became aware of the site because of patching problems.

I liked the group “b” paradigm, and have tried to keep all the machines on that path to varying degrees of purity depending on when I started applying S O patches.

The machine I use most infrequently I think has the most useful information.

Looking back, I patched infrequently also. Most recently (for the PC of note) in July 2015, Feb 2016, July 2016, then did a cumulative security rollup in May 2017, then S O from the group B list after that until the present.

In preparation for July 2019 I found some interesting dates and settings. CEIP was off, and the “patches to avoid” in the group B instructions were installed prior to October 2016 when the group B list was available.

I found 2952664 was installed 3 times: July 2015, Feb 2016, and July 2016 ( Also matching version dates I found for Compattelrunner.exe).
3068708 was installed July 2015.

So I had telemetry installed on this PC from July 2015 (unknowingly and inadvertently) already ahead of October 2016. (No “patches to avoid” after July 2016, or after security rollup in May 2017, or after the monthly S O after that.)

The two tasks in scheduler, “appraiser” and “program data updater” were enabled and had been running. (I don’t know if data had been sent.) I disabled the two tasks, and with CEIP still off, installed the July 2019 S O patch.

On restart, CEIP was still off, the two tasks were ENABLED, and Compattelrunner.exe was updated to 10.0.18362.1013 (6/12/19). Diagtrackrunner.exe was unchanged from an 11/16/2015 version. I disabled the two tasks again, and they have remained so through many reboots.

So for this PC the one component (Compattelrunner) was updated and the tasks re enabled. I must have installed the components in July 2015, and the July 2019 S O patch updated Compattelrunner for the first time since July 2016, and re enabled the tasks.

Reply | Quote