• ## Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1

Home Forums AskWoody blog Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1

This topic contains 34 replies, has 10 voices, and was last updated by  Anonymous 4 months, 1 week ago.

• Author
Posts

woody
Da Boss

On the heels of Günter Born’s discoveries about the just-reissued “snooping” Win7 and 8.1 patches KB 2952664 and KB 2976978, Martin Brinkmann at Ghack
[See the full post at: Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1]

###### 5 users thanked author for this post.

Microfix

Funnily enough, I have done all of this via various forums and walkthroughs except the firewall blocks.

Blocking Microsoft Servers

Caution: Some servers and IP addresses may be used by other Windows services. If you notice that some are not working anymore, disable them one by one until you find the culprit that you need to exclude from the blocking.

Note: the following servers cannot be blocked using the hosts file. You need to block them using another means, e.g. router firewall or installed firewall.

onesettings-hk2.metron.live.com.nsatc.net
onesettings-bn2.metron.live.com.nsatc.net
onesettings-cy2.metron.live.com.nsatc.net
vortex-hk2.metron.live.com.nsatc.net
vortex-db5.metron.live.com.nsatc.net

Other servers you may want to block:

134.170.30.202
137.116.81.24
204.79.197.200
23.218.212.69
65.39.117.230
65.55.108.23
a-0001.a-msedge.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
cs1.wpc.v0cdn.net
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
statsfe1.ws.microsoft.com
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.appex.bing.net:443
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex.data.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com

Is there a quick method to implement these firewall blocks other than one by one? (using windows firewall) or is it trial and error per device and set-up?

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE
###### 3 users thanked author for this post.

woody
Da Boss

Wish I could thank you twice!

As for automating it – take a look here

http://windowsitpro.com/powershell/hand-crafted-firewall-rules-powershell

Anything strike you?

Microfix

Thanks for the ‘Hand-Crafted Firewall Rules with PowerShell’ link Woody, will tinker with this on our other machine when time permits.
Hmm..as for the firewall rule-set scripting posted anonymously,
I’ll sit on it for now until MrBrian has researched the new patches and posted the findings.
Thanks guys

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE

Noel Carboni

If you’re really serious about your firewall, check into the Sphinx Windows Firewall product. It’s what I use. It leverages the Windows Base Filtering Engine with a MUCH more manageable configuration interface. A key feature is that you specify sites to block by name, and it manages the ongoing correlation between name and address by watching DNS resolutions.

There were several in Martin’s list that I hadn’t seen before (onesettings-*.metron.live.com.nsatc.net) . Now they’re in my firewall block list AND DNS server blacklist.

I’m a little worried that Martin’s blacklist entry, fe2.update.microsoft.com.akadns.net, might ultimately get in the way of completing Windows Updates. That process seems to need fe2.update.microsoft.com (without the CDN name extension).

-Noel

• This reply was modified 4 months, 1 week ago by  Noel Carboni.

anonymous

My Windows 7 advice, which is based upon my testing at https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/, is gentler, and each action in my advice can be individually undone at a later date if needed. That thread may seem a bit disjointed now because comment nesting levels were lost during Woody’s recent comment migration.

The first step in my advice is to turn off the operating system’s Customer Experience Improvement Program, as shown in Mr. Brinkmann’s article.

Turning off the operating system’s Customer Experience Improvement Program isn’t sufficient though; see https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21467 for why. As a result, one should also do the actions at https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21435 and https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21451.

Note 1: My advice is in regards to only the “bad” Windows 7 updates KB2952664, KB3068708, and KB3080149.

Note 2: I haven’t yet tested the version of KB2952664 that was released on February 9, 2017. When available, test results will be posted at the first link mentioned in this message.

MrBrian

###### 7 users thanked author for this post.

woody
Da Boss

MrBrian –

Any chance I could convince you to sign up for an account? I promise it’ll be painless and completely anonymous. Email me woody@askwoody.com

Using an account would make it sooooo much easier to look at all of your posts.

And, speaking of which, when the dust settles, if you could pull together your findings on this topic and email them to me, I’ll turn them into a Knowledge Base article. Great stuff….

###### 7 users thanked author for this post.

Microfix

Yes MrBrian,
The forum would be honoured with your presence as a member given the knowledge and help you have supplied previously.

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE
###### 4 users thanked author for this post.

ch100

@mrbrian
I believe that you and others have conclusively proved that KB3068708 and KB3080149 are fully compliant with CEIP, so there is no need to take extra steps or avoid those patches or disable services.

Notes:
1. KB3022345 rarely gets a mention because it was withdrawn for being faulty, but there is a small chance that those who do not have KB3068708 and/or KB3080149 still have KB3022345 which has the same effect with the other 2 better known and currently supported patches which supersede KB3022345.
2. It it still unclear to me what KB3021917 is supposed to do. It is often quoted as a telemetry patch, but like KB2952664 is not offered to Windows Server 2008 R2 and it is unticked by default on Windows Update for Windows 7. Windows Server 2008 R2 receives the DiagTrack service via KB3068708/KB3080149, so it is not a matter of Server OS not getting telemetry updates.
3. If KB30608708/KB3080149 are good enough for Enterprise and Servers, I would suggest that they are good enough for regular end-users.

abbodi86

only extends bult-in WDI Client and adds a Performance Power Tracker
i highly doubt it sends any telemetry data

anyway, it’s related to this task:
“\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor”

###### 1 user thanked author for this post.

anonymous

This batch file may help speed up the disabling of tasks. Save as disabletasks.bat. Right-click and run as administrator. Much faster than browsing task scheduler.


@ECHO OFF
REM --- remember to invoke from ELEVATED command prompt!
REM --- or start the batch with context menu "run as admin".
goto check_Permissions

:check_Permissions
echo Administrative permissions required. Detecting permissions...

net session >nul 2>&1
if %errorLevel% == 0 (
goto getgoing
) else (
echo Close, then right-click file and choose "Run as Administrator"
)

pause >nul
:getgoing
SETLOCAL
echo [ Remove and Block Win10 for Win7 ]
echo.
:prompt
set /p yesno=* create system restore point? (y/n):
if /i "%yesno:~,1%" equ "y" goto rpoint
if /i "%yesno:~,1%" equ "n" goto main
echo.
goto prompt

:main

timeout 5

schtasks /change /disable /tn "\microsoft\windows\application experience\aitagent"
schtasks /change /disable /tn "\microsoft\windows\application experience\microsoft compatibility appraiser"
schtasks /change /disable /tn "\microsoft\windows\application experience\programdataupdater"
schtasks /change /disable /tn "\microsoft\windows\customer experience improvement program\consolidator"
schtasks /change /disable /tn "\microsoft\windows\customer experience improvement program\usbceip"
schtasks /change /disable /tn "\microsoft\windows\media center\activatewindowssearch"
schtasks /change /disable /tn "\microsoft\windows\media center\configureinternettimeservice"
schtasks /change /disable /tn "\microsoft\windows\media center\ehdrminit"
schtasks /change /disable /tn "\microsoft\windows\media center\mcupdate"
schtasks /change /disable /tn "\microsoft\windows\media center\ocuractivate"
schtasks /change /disable /tn "\microsoft\windows\media center\ocurdiscovery"
schtasks /change /disable /tn "\microsoft\windows\media center\registersearch"
schtasks /change /disable /tn "\microsoft\windows\media center\reindexsearchroot"
schtasks /change /disable /tn "\microsoft\windows\media center\updaterecordpath"
schtasks /change /disable /tn "\microsoft\windows\power efficiency diagnostics\analyzeSystem"
schtasks /change /disable /tn "\microsoft\windows\windows error reporting\queuereporting"
echo - done
timeout 5

REM --- Kill services
echo Killing Diagtrack-service (if it still exists)...
sc config DiagTrack start= disabled
net stop DiagTrack
echo - done

echo [ Complete - Remove and Block Win10 for Win7 %date% %time% ]
echo [ Press any key to exit ]
echo.
pause >nul
shutdown /r /f /t 00
exit

:rpoint
wmic.exe /namespace:\\root\default path systemrestore call createrestorepoint "Remove and Block 10", 100, 12
if %errorlevel% == 0 goto main
echo.
set /p yesno=" failed to create system restore point. continue? (y/n):  "
if /i "%yesno:~,1%" equ "y" goto main
if /i "%yesno:~,1%" equ "n" (
echo.
echo [ done - any key to exit ]
echo.
pause >nul
exit
)

goto prompt
REM --- EOF


abbodi86

most of these “aggressive” steps are not required in Windows 7/8.1
they belong to paranoial Windows 10, which have built-in telemetry

a real “deep diver” into Appraiser/Diagtrack patches would have found a simpler walkthrough

and why a very old pre-telemetry era patch like KB971033 is related?

well, i guess the “confusion” must be fed to keep it going 🙂

###### 3 users thanked author for this post.

woody
Da Boss

Hmmmm… So Win7 and 8.1, even with these “snooping” KBs isn’t sending personally identifiable details to Microsoft?

If that’s the case, why on earth doesn’t Microsoft come out and say it? Promise it?

You’re as skeptical of Microsoft as I am. 🙂

ch100

I think @abbodi86 pointed that the script covers a lot more than it should (for Win7/8.1), while rolling back becomes difficult once the damage is done.
There are a lot less issues to be addressed than those in the script to control telemetry and @abbodi86 posted in the past and I think the analysis done separately by @mrbrian on the old site also addressed those issues comprehensively.
Those less technical have to understand that Windows is a very complex SYSTEM and rarely one setting does not have influence over the behaviour of the whole. This is even more important for those settings and configurations not exposed in the GUI.

I post here all that is to control telemetry completely without keeping lists and using
extreme solutions.

1. Do not install KB2952664 (I install it, but this is really a very good example of an entirely optional patch, regardless of how it is classified by WU)
2. Disable CEIP

There is nothing more to do and it is all supported in full

###### 2 users thanked author for this post.

abbodi86

That’s not what i ment or want to discuss, the type/amount of data they send is debatable

what i mean, for Windows 7/8.1 it’s very easily to isolate or prevent these KBs effects without all those FUD-type steps

Compatibility Appraiser (aka KB2952664/KB2976978)
“\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser”
“\Microsoft\Windows\Application Experience\ProgramDataUpdater”
“\Microsoft\Windows\Application Experience\AitAgent”

Diagnostics Tracking (aka Unified Telemetry Client / Asimov)
not avoidable for Monthly Quality Rollup model, but it only adds these components:
“DiagTrack” service
“AutoLogger-Diagtrack-Listener” event trace session
“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack” registry

the other updates (aka telemetry points) are not affective without active DiagTrack/AutoLogger

###### 1 user thanked author for this post.

Microfix

abbodi86, I agree with you on this as, once these scripts are initiated, how do you know which are the offending ones to the system? (on a relative tangent to your observations)
There is no undo for a batch script file, which is why I am going to wait for now.
Thanks for the reminder.

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE

abbodi86

Deleting files and services, offending

blocking all those urls is just superfluous, MSFT documents the telemetry endpoints
other urls are either Windows 10 related, or forks for official urls

Noel Carboni

blocking all those urls is just superfluous…

Microsoft documents the official DNS Endpoints that is used for telemetry:

basically they are:
vortex.data.microsoft.com
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
oca.telemetry.microsoft.com
sqm.telemetry.microsoft.com
watson.telemetry.microsoft.com

I guess it depends on whether you consider your system “private” if it isn’t contacting the official telemetry servers. I personally don’t care to have anyone know when I’m at my computer at all, unless I initiate the online connection.

Make no mistake, Windows contacts a lot of other servers online all on its own. There are more than you listed that indirectly spill the beans.

Just a few examples:

• iecvlist.microsoft.com
• ieonline.microsoft.com
• r20swj13mr.microsoft.com
• spynet2.microsoft.com
• spynetalt.microsoft.com

And many more.

There is nothing simple about Windows’ online chattiness. It’s been developed over decades. To be fair, that’s what a “cloud-integrated” system is about. But the simple fact is that some people prefer NOT to be “cloud-integrated”.

-Noel

Noel Carboni

I tend to agree about blocking the various updates in complex ways. A fully updated system can be generally protected from spilling the beans online. Creating what Microsoft calls a “fragmented” system is NOT a good idea, unless you’re sure the pieces you’re blocking from being installed are entirely separate and well-isolated from everything else. That being said, this is MICROSOFT we’re talking about. What are the chances that ANYTHING is perfectly modular? Especially now in the day and age of them not doing system testing any more.

Regarding the blacklists… I’ve watched systems contact many sites. Initially a system’s online activity is quite daunting in its complexity, and lists such as what Mr. Brinkman has gathered are helpful for those trying to get a handle on what their systems do.

I’m glad he listed ALL of Microsoft’s snooping servers, even though Windows 7 or 8 may not be known to contact them today. Microsoft is currently busy making “cumulative updates” for our older systems now, right? Who’s to say they’re not going to shoehorn software in there that contacts today’s “Windows 10-only” servers in the future?

Also, I have a single DNS blacklist for my entire network, so I was able to compare his entire list with mine (I had a few more Microsoft servers, actually, in my list, but I didn’t have the onesettings-*.metron.live.com.nsatc.net entries he posted).

Wanting multiple layers of protection from the things you don’t want your computer doing is NOT “paranoia”. It’s simply wanting multiple layers of protection. I suggest keeping an open mind about labeling those who might be more concerned than you are with names they might not appreciate. FUD stands for fear, uncertainty, and doubt – something that’s quite to be expected of folks who haven’t spent a lifetime studying how Windows works.

MY only worry with publishing this kind of information for all to see is that if enough users follow it, Microsoft will likely notice and up their game, making things worse for everyone. Let’s hope it doesn’t come to that.

-Noel

anonymous

A few months ago, on a similar thread, someone mentioned that M$regularly change or “update” the URL’s of their snooping servers, likely bc M$ know that some Win 7/8.1 users are blocking their snooping servers with firewalls.
So, it may be better to use the whitelisting method for the firewall, instead of the blacklisting method.

Bear in mind that blocking a M$snooping server may disable a M$ program or feature.

WildBill

As for Mr. Brinkmann’s suggestions, I found I had already installed KB2976978 and KB3080149. I uninstalled them today. The Diagnostic Tracking Service is already disabled and the other KB’s he recommends I can’t find that they’re installed on my 8.1 machine. If I discover them later, I’ll get rid of them. As for KB3044374 (to upgrade from 8.1 to 10); I’ll keep that for now. I still want to upgrade to Windows 10 (hopefully for free). I’m not in the CEIP, so that peeper is taken care of… for now.
UPDATE: After I uninstalled the updates above, KB3080149 reappeared; Recommended but unchecked. Not letting Windows Update the ability to install anything but Important. However, KB3121461 reappeared as Important. Not part of the list; a Security Update published on 1/11/2016.

Wild Bill Rides Again...

• This reply was modified 4 months, 1 week ago by  WildBill.

woody
Da Boss

The Win10 upgrade from Win7/8.1 is still free as a breeze and working fine. I tested it on Thursday.

###### 3 users thanked author for this post.

WildBill

Wonderful, woody! Still interested in Cortana, the nosy babe… but my Android phone doesn’t have enough storage to update my apps or add her. Unless I uninstalled Pokemon GO… would like to update that & play some again.

Wild Bill Rides Again...

ch100

Many files are at version 10.0.14393.0 which brings the patch at the Windows 10 1607 level, but some are at 10.0.14979.1011.
Which version of Windows 10 is 10.0.14979.1011?

https://support.microsoft.com/en-us/help/2952664/compatibility-update-for-keeping-windows-up-to-date-in-windows-7

abbodi86

Very likely RS2 = Creators Update

the build lab string rs_fun_compat_dev1_apr:
rs = redstone
fun = fundamentals
compat = compatibility
dev = develpoment
apr = appraiser

###### 1 user thanked author for this post.

Microfix

On a related side note to this topic,
I have mentioned this utility before which helps immensely.
https://www.safer-networking.org/spybot-anti-beacon/

Tip: Use the portable free edition.

Ran this 2-3 months ago and never had a problem at all.
For Win 7,8,& 8.1 but no mention of windows 10 although the scripts cover windows 10 telemetry.

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE
###### 1 user thanked author for this post.

LoneWolf

Like Rob, I too use Spybot Anti-Beacon for home systems. Easy to set up, easy to reverse and remove. It also can update itself, and works on Windows 7 – 10.

woody
Da Boss

I just got a message from Eric Vaughan, over at Tweakhound.

He’s just resurrected and dusted off a script for blocking telemetry in Win7. Worth a look, to compare and contrast.

https://tweakhound.com/2017/02/11/blocking-windows-7-telemetry/

abbodi86

I still see the dust over the script 😀
GWX KB3035583 is ended/removed, likewise KB3123862
KB3068708/KB3075249/KB3080149 are already covered by Monthly rollup, no point of uninstalling/hiding them

###### 1 user thanked author for this post.

Microfix

Cool Woody and thanks to Eric at tweakhound.

abbodi86, there is nothing stopping anyone downloading/editing/removing non existent paths in the .bat file for their system.
i.e. all the GWX related data which no longer exists.
The same applies for .reg files.

Hmmm…noticed that Windows media player is mentioned, although I don’t use it, I take it that pulse telemetry is still being sent to MS?

On my tux m/c as I type but, will do surgery on this later this weekend.

| x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids | | x386 Windows XP Pro |
No problem can be solved from the same level of consciousness that created IT - AE

abbodi86

How should i know 🙂
WMP/Media Center/CEIP stuff exist in Windows 7 since 2009-RTM
suddenly, the fear makers are seeing them as 2014-telemetry related 😀

abbodi86

Make no mistake, Windows contacts a lot of other servers online all on its own. There are more than you listed that indirectly spill the beans.

Just a few examples:

• iecvlist.microsoft.com
• ieonline.microsoft.com
• r20swj13mr.microsoft.com
• spynet2.microsoft.com
• spynetalt.microsoft.com

And many more.

There is nothing simple about Windows’ online chattiness. It’s been developed over decades. To be fair, that’s what a “cloud-integrated” system is about. But the simple fact is that some people prefer NOT to be “cloud-integrated”.

-Noel

Of course it is
but i’m not discussing all Windows phone-home contacts, the topic is specific about telemetry patches

mising thing with so-called “snooping” that precede telemetry era doesn’t help except in feeding the FUD

###### 1 user thanked author for this post.

anonymous

W7 x64 SP1 non-techie.
I see some people in the comments recommended disabling WebCache in the Task Scheduler. What do our resident experts think?

Anonymous

Recently I was given a rather old (from 2013) Lenovo nettop with Windows 10. After some service, including cleaning from the dust, restoring the original configuration (Windows 8 Single Language) and making snapshot of the clean system, I decided to perform a clean installation of Windows 8.1 Single Language. So, I prepared the USB installation media using the Microsoft Media Creation Tool. After installation and activation, the system was updated using the WSUS Offline tool.
Just in case, I checked the list of installed updates looking for the telemetry updates. Surprisingly, KB2976978 was found in the system with the install date 21.11.2014. It is impossible to uninstall it.
It should be noted that:
1) No other telemetry updates (at least from the list presented in Martin Brinkmann’s post) were found in the system.
2) The DiagTrack service is absent in the system.
3) According to the Task Scheduler, the system seems to respect the CEIP opt out choice – even with the corresponding “telemetry” tasks enabled and the triggers set, the “Last Run Time” is “Never” for CEIP tasks (except for Consolidator, which is expected), DiskDiagnosticDataCollector and WinSAT.
Hope this information can be useful.

• This reply was modified 4 months, 1 week ago by  Kirsty.
• This reply was modified 4 months, 1 week ago by  Kirsty.

Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

Reply To: Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1

You can use BBCodes to format your content.
Your account can't use Advanced BBCodes, they will be stripped before saving.