• Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1



    On the heels of Günter Born’s discoveries about the just-reissued “snooping” Win7 and 8.1 patches KB 2952664 and KB 2976978, Martin Brinkmann at Ghack
    [See the full post at: Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1]

    • #93681

      Funnily enough, I have done all of this via various forums and walkthroughs except the firewall blocks.

      Blocking Microsoft Servers

      Caution: Some servers and IP addresses may be used by other Windows services. If you notice that some are not working anymore, disable them one by one until you find the culprit that you need to exclude from the blocking.

      Note: the following servers cannot be blocked using the hosts file. You need to block them using another means, e.g. router firewall or installed firewall.


      Other servers you may want to block:

      Is there a quick method to implement these firewall blocks other than one by one? (using windows firewall) or is it trial and error per device and set-up?

      No problem can be solved from the same level of consciousness that created IT- AE
      3 users thanked author for this post.
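One way to script the bulk firewall blocks asked about above with the built-in Windows Firewall, as an added example that is not part of the original thread. It creates one outbound rule per address so that a single address can be switched off again, as the quoted caution advises. The addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `TelemetryBlock` prefix and the function names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Addresses are constructed placeholders (RFC 5737 documentation ranges);
# $Prefix is a hypothetical rule-name prefix. IPv4 only in this example.
$Prefix    = 'TelemetryBlock'
$Addresses = @('192.0.2.10', '198.51.100.25', '203.0.113.7', 'example.invalid')

function Test-IpLiteral([string]$Text) {
    # Windows Firewall rules match addresses, not host names, so names are rejected
    $parsed = $null
    ($Text -match '^\d{1,3}(\.\d{1,3}){3}$') -and
        [System.Net.IPAddress]::TryParse($Text, [ref]$parsed)
}

function Get-RuleName([string]$Ip) { "$Prefix-$Ip" }

function Add-BlockRules {
    foreach ($ip in $Addresses) {
        if (-not (Test-IpLiteral $ip)) {
            Write-Warning "Skipped (not an IPv4 address): $ip"
            continue
        }
        $name = Get-RuleName $ip
        # Delete first so that re-running the script never leaves duplicate rules
        & netsh advfirewall firewall delete rule "name=$name" | Out-Null
        & netsh advfirewall firewall add rule "name=$name" dir=out action=block "remoteip=$ip" enable=yes | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for $ip" }
    }
}

function Set-BlockRule([string]$Ip, [bool]$Enabled) {
    # Toggle one address while looking for the rule that broke a wanted service
    $name  = Get-RuleName $Ip
    $state = 'no'
    if ($Enabled) { $state = 'yes' }
    & netsh advfirewall firewall set rule "name=$name" new "enable=$state" | Out-Null
}

function Remove-BlockRules {
    # Full rollback: remove every rule this script could have created
    foreach ($ip in $Addresses) {
        $name = Get-RuleName $ip
        & netsh advfirewall firewall delete rule "name=$name" | Out-Null
    }
}

# Read-only dry run: list the entries that would become rules
$Addresses | Where-Object { Test-IpLiteral $_ }

# Typical use:
#   Add-BlockRules
#   Set-BlockRule '192.0.2.10' $false   # suspect rule off, retest, then back on
#   Remove-BlockRules
```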
      • #93696

        Wish I could thank you twice!

        As for automating it – take a look here


        Anything strike you?

        • #93729

          Thanks for the ‘Hand-Crafted Firewall Rules with PowerShell’ link Woody, will tinker with this on our other machine when time permits.
          Hmm..as for the firewall rule-set scripting posted anonymously,
          I’ll sit on it for now until MrBrian has researched the new patches and posted the findings.
          Thanks guys

          No problem can be solved from the same level of consciousness that created IT- AE
      • #93889

        If you’re really serious about your firewall, check into the Sphinx Windows Firewall product. It’s what I use. It leverages the Windows Base Filtering Engine with a MUCH more manageable configuration interface. A key feature is that you specify sites to block by name, and it manages the ongoing correlation between name and address by watching DNS resolutions.

        There were several in Martin’s list that I hadn’t seen before (onesettings-*.metron.live.com.nsatc.net) . Now they’re in my firewall block list AND DNS server blacklist.

        I’m a little worried that Martin’s blacklist entry, fe2.update.microsoft.com.akadns.net, might ultimately get in the way of completing Windows Updates. That process seems to need fe2.update.microsoft.com (without the CDN name extension).


    • #93692

      My Windows 7 advice, which is based upon my testing at https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/, is gentler, and each action in my advice can be individually undone at a later date if needed. That thread may seem a bit disjointed now because comment nesting levels were lost during Woody’s recent comment migration.

      The first step in my advice is to turn off the operating system’s Customer Experience Improvement Program, as shown in Mr. Brinkmann’s article.

      Turning off the operating system’s Customer Experience Improvement Program isn’t sufficient though; see https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21467 for why. As a result, one should also do the actions at https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21435 and https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21451.

      Note 1: My advice is in regards to only the “bad” Windows 7 updates KB2952664, KB3068708, and KB3080149.

      Note 2: I haven’t yet tested the version of KB2952664 that was released on February 9, 2017. When available, test results will be posted at the first link mentioned in this message.


      7 users thanked author for this post.
      • #93698

        MrBrian –

        Any chance I could convince you to sign up for an account? I promise it’ll be painless and completely anonymous. Email me woody@askwoody.com

        Using an account would make it sooooo much easier to look at all of your posts.

        And, speaking of which, when the dust settles, if you could pull together your findings on this topic and email them to me, I’ll turn them into a Knowledge Base article. Great stuff….

        7 users thanked author for this post.
        • #93726

          Yes MrBrian,
          The forum would be honoured with your presence as a member given the knowledge and help you have supplied previously.
          Go on, sign up!

          No problem can be solved from the same level of consciousness that created IT- AE
          4 users thanked author for this post.
      • #93736

        I believe that you and others have conclusively proved that KB3068708 and KB3080149 are fully compliant with CEIP, so there is no need to take extra steps or avoid those patches or disable services.

        1. KB3022345 rarely gets a mention because it was withdrawn for being faulty, but there is a small chance that those who do not have KB3068708 and/or KB3080149 still have KB3022345 which has the same effect with the other 2 better known and currently supported patches which supersede KB3022345.
        2. It is still unclear to me what KB3021917 is supposed to do. It is often quoted as a telemetry patch, but like KB2952664 is not offered to Windows Server 2008 R2 and it is unticked by default on Windows Update for Windows 7. Windows Server 2008 R2 receives the DiagTrack service via KB3068708/KB3080149, so it is not a matter of Server OS not getting telemetry updates.
        3. If KB3068708/KB3080149 are good enough for Enterprise and Servers, I would suggest that they are good enough for regular end-users.

        • #93764

          only extends built-in WDI Client and adds a Performance Power Tracker
          i highly doubt it sends any telemetry data

          anyway, it’s related to this task:

          1 user thanked author for this post.
    • #93709

      This batch file may help speed up the disabling of tasks. Save as disabletasks.bat. Right-click and run as administrator. Much faster than browsing task scheduler.

      @ECHO OFF
      REM --- remember to invoke from ELEVATED command prompt!
      REM --- or start the batch with context menu "run as admin".
      goto check_Permissions

      :check_Permissions
          echo Administrative permissions required. Detecting permissions...
          REM --- "net session" only succeeds from an elevated prompt
          net session >nul 2>&1
          if %errorLevel% == 0 (
              goto getgoing
          ) else (
              echo Failure: Current permissions inadequate.
              echo Close, then right-click file and choose "Run as Administrator"
              pause >nul
              exit /b 1
          )

      :getgoing
      echo [ Remove and Block Win10 for Win7 ]

      :prompt
         set /p yesno=* create system restore point? (y/n):  
         if /i "%yesno:~,1%" equ "y" goto rpoint
         if /i "%yesno:~,1%" equ "n" goto main
         goto prompt

      :main
      timeout 5
      REM --- Disable tasks
      echo Disabling tasks...
      schtasks /change /disable /tn "\microsoft\windows\application experience\aitagent"
      schtasks /change /disable /tn "\microsoft\windows\application experience\microsoft compatibility appraiser"
      schtasks /change /disable /tn "\microsoft\windows\application experience\programdataupdater"
      schtasks /change /disable /tn "\microsoft\windows\autochk\proxy"
      schtasks /change /disable /tn "\microsoft\windows\customer experience improvement program\consolidator"
      schtasks /change /disable /tn "\microsoft\windows\customer experience improvement program\kernelceiptask"
      schtasks /change /disable /tn "\microsoft\windows\customer experience improvement program\usbceip"
      schtasks /change /disable /tn "\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticdatacollector"
      schtasks /change /disable /tn "\microsoft\windows\maintenance\winsat"
      schtasks /change /disable /tn "\microsoft\windows\media center\activatewindowssearch"
      schtasks /change /disable /tn "\microsoft\windows\media center\configureinternettimeservice"
      schtasks /change /disable /tn "\microsoft\windows\media center\dispatchrecoverytasks"
      schtasks /change /disable /tn "\microsoft\windows\media center\ehdrminit"
      schtasks /change /disable /tn "\microsoft\windows\media center\installplayready"
      schtasks /change /disable /tn "\microsoft\windows\media center\mcupdate"
      schtasks /change /disable /tn "\microsoft\windows\media center\mediacenterrecoverytask"
      schtasks /change /disable /tn "\microsoft\windows\media center\objectstorerecoverytask"
      schtasks /change /disable /tn "\microsoft\windows\media center\ocuractivate"
      schtasks /change /disable /tn "\microsoft\windows\media center\ocurdiscovery"
      schtasks /change /disable /tn "\microsoft\windows\media center\pbdadiscovery"
      schtasks /change /disable /tn "\microsoft\windows\media center\pbdadiscoveryw1"
      schtasks /change /disable /tn "\microsoft\windows\media center\pbdadiscoveryw2"
      schtasks /change /disable /tn "\microsoft\windows\media center\pvrrecoverytask"
      schtasks /change /disable /tn "\microsoft\windows\media center\pvrscheduletask"
      schtasks /change /disable /tn "\microsoft\windows\media center\registersearch"
      schtasks /change /disable /tn "\microsoft\windows\media center\reindexsearchroot"
      schtasks /change /disable /tn "\microsoft\windows\media center\sqlliterecoverytask"
      schtasks /change /disable /tn "\microsoft\windows\media center\updaterecordpath"
      schtasks /change /disable /tn "\microsoft\windows\pi\sqm-tasks"
      schtasks /change /disable /tn "\microsoft\windows\power efficiency diagnostics\analyzeSystem"
      schtasks /change /disable /tn "\microsoft\windows\setup\gwx\refreshgwxconfigandcontent"
      schtasks /change /disable /tn "\microsoft\windows\windows error reporting\queuereporting"
      echo - done
      timeout 5
      REM --- Kill services
      echo Killing Diagtrack-service (if it still exists)...
      sc config DiagTrack start= disabled
      net stop DiagTrack
      echo - done
         echo [ Complete - Remove and Block Win10 for Win7 %date% %time% ]
         echo [ Press any key to exit ]
         pause >nul
      REM --- forces an immediate restart; unsaved work in other programs is lost
      shutdown /r /f /t 00
      exit /b 0

      :rpoint
         REM --- create a restore point before changing anything
         wmic.exe /namespace:\\root\default path systemrestore call createrestorepoint "Remove and Block 10", 100, 12
         if %errorlevel% == 0 goto main
         set /p yesno=" failed to create system restore point. continue? (y/n):  "
         if /i "%yesno:~,1%" equ "y" goto main
         if /i "%yesno:~,1%" equ "n" (
            echo [ done - any key to exit ]
            pause >nul
            exit /b 1
         )
      goto prompt
      REM --- EOF
    • #93711

      Another bad practice guide
      most of these “aggressive” steps are not required in Windows 7/8.1
      they belong to paranoid Windows 10, which has built-in telemetry

      a real “deep diver” into Appraiser/Diagtrack patches would have found a simpler walkthrough

      and why a very old pre-telemetry era patch like KB971033 is related?

      well, i guess the “confusion” must be fed to keep it going 🙂

      3 users thanked author for this post.
      • #93717

        Hmmmm… So Win7 and 8.1, even with these “snooping” KBs, aren’t sending personally identifiable details to Microsoft?

        If that’s the case, why on earth doesn’t Microsoft come out and say it? Promise it?

        You’re as skeptical of Microsoft as I am. 🙂

        • #93722

          I think @abbodi86 pointed that the script covers a lot more than it should (for Win7/8.1), while rolling back becomes difficult once the damage is done.
          There are a lot less issues to be addressed than those in the script to control telemetry and @abbodi86 posted in the past and I think the analysis done separately by @MrBrian on the old site also addressed those issues comprehensively.
          Those less technical have to understand that Windows is a very complex SYSTEM and rarely one setting does not have influence over the behaviour of the whole. This is even more important for those settings and configurations not exposed in the GUI.

          I post here all that is to control telemetry completely without keeping lists and using
          extreme solutions.

          1. Do not install KB2952664 (I install it, but this is really a very good example of an entirely optional patch, regardless of how it is classified by WU)
          2. Disable CEIP

          There is nothing more to do and it is all supported in full

          2 users thanked author for this post.
        • #93759

          That’s not what i meant or want to discuss, the type/amount of data they send is debatable

          what i mean, for Windows 7/8.1 it’s very easy to isolate or prevent these KBs effects without all those FUD-type steps

          Compatibility Appraiser (aka KB2952664/KB2976978)
          it only adds/interacts with these scheduled tasks:
          “\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser”
          “\Microsoft\Windows\Application Experience\ProgramDataUpdater”
          “\Microsoft\Windows\Application Experience\AitAgent”

          Diagnostics Tracking (aka Unified Telemetry Client / Asimov)
          not avoidable for Monthly Quality Rollup model, but it only adds these components:
          “DiagTrack” service
          “AutoLogger-Diagtrack-Listener” event trace session
          “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack” registry

          the other updates (aka telemetry points) are not effective without active DiagTrack/AutoLogger

          1 user thanked author for this post.
      • #93737

        abbodi86, I agree with you on this as, once these scripts are initiated, how do you know which are the offending ones to the system? (on a relative tangent to your observations)
        There is no undo for a batch script file, which is why I am going to wait for now.
        Thanks for the reminder.

        No problem can be solved from the same level of consciousness that created IT- AE
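The undo concern raised above can be handled by recording state before changing it. The following is an added example, not part of the original thread and not the batch file's own logic: it snapshots the three Appraiser tasks and the DiagTrack service named earlier in the thread, disables them, and can restore exactly what was recorded. The snapshot path and the function names are hypothetical; the task list can be extended with the paths from the batch file.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt;
# without elevation some tasks may be unreadable and show up as Absent.
# $Snapshot is a hypothetical path; function names are illustrative.
$Snapshot    = Join-Path $env:ProgramData 'telemetry-snapshot.csv'
$ServiceName = 'DiagTrack'
$TaskPaths   = @(   # the three Appraiser tasks named in the thread
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\Application Experience\AitAgent'
)

function Get-RegisteredTask([string]$Path) {
    # Task Scheduler COM API: present on Windows 7, unlike the ScheduledTasks module
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    try { $svc.GetFolder('\').GetTask($Path) } catch { $null }
}

function Get-ServiceStartMode([string]$Name) {
    $s = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($s) { $s.StartMode } else { $null }          # Auto, Manual or Disabled
}

function Get-State {
    foreach ($p in $TaskPaths) {
        $t = Get-RegisteredTask $p
        $value = 'Absent'
        if ($t) { $value = [string]$t.Enabled }      # 'True' or 'False'
        New-Object PSObject -Property @{ Kind = 'Task'; Name = $p; Value = $value }
    }
    $mode = Get-ServiceStartMode $ServiceName
    if (-not $mode) { $mode = 'Absent' }
    New-Object PSObject -Property @{ Kind = 'Service'; Name = $ServiceName; Value = $mode }
}

function Save-State {
    Get-State | Select-Object Kind, Name, Value |
        Export-Csv -Path $Snapshot -NoTypeInformation
}

function Disable-Listed {
    # Keep the first snapshot: a second run must not record the disabled state
    if (-not (Test-Path $Snapshot)) { Save-State }
    foreach ($p in $TaskPaths) {
        $t = Get-RegisteredTask $p
        if ($t) { $t.Enabled = $false }
    }
    if (Get-ServiceStartMode $ServiceName) {
        Set-Service -Name $ServiceName -StartupType Disabled
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
}

function Restore-State {
    # Win32_Service start modes mapped to the names Set-Service expects
    $startup = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($row in Import-Csv $Snapshot) {
        if ($row.Value -eq 'Absent') { continue }    # nothing existed, nothing to restore
        if ($row.Kind -eq 'Task') {
            $t = Get-RegisteredTask $row.Name
            if ($t) { $t.Enabled = ($row.Value -eq 'True') }
        } elseif ($startup.ContainsKey($row.Value)) {
            Set-Service -Name $row.Name -StartupType $startup[$row.Value]
        }
    }
}

# Read-only: show the current state without changing anything
Get-State | Format-Table Kind, Name, Value -AutoSize

# Typical use:  Disable-Listed   ...later...   Restore-State
```

`Restore-State` puts back the startup type but does not start the service; it starts on the next boot if the recorded mode was Auto.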
        • #93786

          Deleting files and services, offending

          blocking all those urls is just superfluous, MSFT documents the telemetry endpoints
          other urls are either Windows 10 related, or forks for official urls

          • #93897

            blocking all those urls is just superfluous…

            Microsoft documents the official DNS Endpoints that are used for telemetry:

            basically they are:

            I guess it depends on whether you consider your system “private” if it isn’t contacting the official telemetry servers. I personally don’t care to have anyone know when I’m at my computer at all, unless I initiate the online connection.

            Make no mistake, Windows contacts a lot of other servers online all on its own. There are more than you listed that indirectly spill the beans.

            Just a few examples:

            • iecvlist.microsoft.com
            • ieonline.microsoft.com
            • r20swj13mr.microsoft.com
            • spynet2.microsoft.com
            • spynetalt.microsoft.com

            And many more.

            There is nothing simple about Windows’ online chattiness. It’s been developed over decades. To be fair, that’s what a “cloud-integrated” system is about. But the simple fact is that some people prefer NOT to be “cloud-integrated”.


      • #93894

        I tend to agree about blocking the various updates in complex ways. A fully updated system can be generally protected from spilling the beans online. Creating what Microsoft calls a “fragmented” system is NOT a good idea, unless you’re sure the pieces you’re blocking from being installed are entirely separate and well-isolated from everything else. That being said, this is MICROSOFT we’re talking about. What are the chances that ANYTHING is perfectly modular? Especially now in the day and age of them not doing system testing any more.

        Regarding the blacklists… I’ve watched systems contact many sites. Initially a system’s online activity is quite daunting in its complexity, and lists such as what Mr. Brinkmann has gathered are helpful for those trying to get a handle on what their systems do.

        I’m glad he listed ALL of Microsoft’s snooping servers, even though Windows 7 or 8 may not be known to contact them today. Microsoft is currently busy making “cumulative updates” for our older systems now, right? Who’s to say they’re not going to shoehorn software in there that contacts today’s “Windows 10-only” servers in the future?

        Also, I have a single DNS blacklist for my entire network, so I was able to compare his entire list with mine (I had a few more Microsoft servers, actually, in my list, but I didn’t have the onesettings-*.metron.live.com.nsatc.net entries he posted).

        Wanting multiple layers of protection from the things you don’t want your computer doing is NOT “paranoia”. It’s simply wanting multiple layers of protection. I suggest keeping an open mind about labeling those who might be more concerned than you are with names they might not appreciate. FUD stands for fear, uncertainty, and doubt – something that’s quite to be expected of folks who haven’t spent a lifetime studying how Windows works.

        MY only worry with publishing this kind of information for all to see is that if enough users follow it, Microsoft will likely notice and up their game, making things worse for everyone. Let’s hope it doesn’t come to that.


        • #93898

          A few months ago, on a similar thread, someone mentioned that M$ regularly change or “update” the URLs of their snooping servers, likely bc M$ know that some Win 7/8.1 users are blocking their snooping servers with firewalls.
          So, it may be better to use the whitelisting method for the firewall, instead of the blacklisting method.

          Bear in mind that blocking a M$ snooping server may disable a M$ program or feature.

    • #93712

      As for Mr. Brinkmann’s suggestions, I found I had already installed KB2976978 and KB3080149. I uninstalled them today. The Diagnostic Tracking Service is already disabled and the other KB’s he recommends I can’t find that they’re installed on my 8.1 machine. If I discover them later, I’ll get rid of them. As for KB3044374 (to upgrade from 8.1 to 10); I’ll keep that for now. I still want to upgrade to Windows 10 (hopefully for free). I’m not in the CEIP, so that peeper is taken care of… for now.
      UPDATE: After I uninstalled the updates above, KB3080149 reappeared; Recommended but unchecked. Not letting Windows Update the ability to install anything but Important. However, KB3121461 reappeared as Important. Not part of the list; a Security Update published on 1/11/2016.

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      • #93714

        The Win10 upgrade from Win7/8.1 is still free as a breeze and working fine. I tested it on Thursday.

        3 users thanked author for this post.
        • #93716

          Wonderful, woody! Still interested in Cortana, the nosy babe… but my Android phone doesn’t have enough storage to update my apps or add her. Unless I uninstalled Pokemon GO… would like to update that & play some again.

          Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
          Wild Bill Rides Again...

    • #93727

      Many files are at version 10.0.14393.0 which brings the patch at the Windows 10 1607 level, but some are at 10.0.14979.1011.
      Which version of Windows 10 is 10.0.14979.1011?


      • #93742

        Very likely RS2 = Creators Update

        the build lab string rs_fun_compat_dev1_apr:
        rs = redstone
        fun = fundamentals
        compat = compatibility
        dev = development
        apr = appraiser

        1 user thanked author for this post.
    • #93735

      On a related side note to this topic,
      I have mentioned this utility before which helps immensely.

      Tip: Use the portable free edition.

      Ran this 2-3 months ago and never had a problem at all.
      For Win 7,8,& 8.1 but no mention of windows 10 although the scripts cover windows 10 telemetry.

      No problem can be solved from the same level of consciousness that created IT- AE
      1 user thanked author for this post.
      • #94013

        Like Rob, I too use Spybot Anti-Beacon for home systems. Easy to set up, easy to reverse and remove. It also can update itself, and works on Windows 7 – 10.

        We are SysAdmins.
        We walk in the wiring closets no others will enter.
        We stand on the bridge, and no malware may pass.
        We engage in support, we do not retreat.
        We live for the LAN.
        We die for the LAN.

    • #93762

      I just got a message from Eric Vaughan, over at Tweakhound.

      He’s just resurrected and dusted off a script for blocking telemetry in Win7. Worth a look, to compare and contrast.


      • #93792

        I still see the dust over the script 😀
        GWX KB3035583 is ended/removed, likewise KB3123862
        KB3068708/KB3075249/KB3080149 are already covered by Monthly rollup, no point of uninstalling/hiding them

        1 user thanked author for this post.
        • #93812

          Cool Woody and thanks to Eric at tweakhound.

          abbodi86, there is nothing stopping anyone downloading/editing/removing non existent paths in the .bat file for their system.
          i.e. all the GWX related data which no longer exists.
          The same applies for .reg files.

          Hmmm…noticed that Windows media player is mentioned, although I don’t use it, I take it that pulse telemetry is still being sent to MS?

          On my tux m/c as I type but, will do surgery on this later this weekend.

          No problem can be solved from the same level of consciousness that created IT- AE
          • #93905

            How should i know 🙂
            WMP/Media Center/CEIP stuff exist in Windows 7 since 2009-RTM
            suddenly, the fear makers are seeing them as 2014-telemetry related 😀

    • #93904

      Make no mistake, Windows contacts a lot of other servers online all on its own. There are more than you listed that indirectly spill the beans.

      Just a few examples:

      • iecvlist.microsoft.com
      • ieonline.microsoft.com
      • r20swj13mr.microsoft.com
      • spynet2.microsoft.com
      • spynetalt.microsoft.com

      And many more.

      There is nothing simple about Windows’ online chattiness. It’s been developed over decades. To be fair, that’s what a “cloud-integrated” system is about. But the simple fact is that some people prefer NOT to be “cloud-integrated”.


      Of course it is
      but i’m not discussing all Windows phone-home contacts, the topic is specific about telemetry patches

      mixing thing with so-called “snooping” that precede telemetry era doesn’t help except in feeding the FUD

      1 user thanked author for this post.
    • #94122

      W7 x64 SP1 non-techie.
      I see some people in the comments recommended disabling WebCache in the Task Scheduler. What do our resident experts think?

    • #94251

      Recently I was given a rather old (from 2013) Lenovo nettop with Windows 10. After some service, including cleaning from the dust, restoring the original configuration (Windows 8 Single Language) and making snapshot of the clean system, I decided to perform a clean installation of Windows 8.1 Single Language. So, I prepared the USB installation media using the Microsoft Media Creation Tool. After installation and activation, the system was updated using the WSUS Offline tool.
      Just in case, I checked the list of installed updates looking for the telemetry updates. Surprisingly, KB2976978 was found in the system with the install date 21.11.2014. It is impossible to uninstall it.
      The WSUS Offline is known not to contain this update, but I additionally checked the updates downloaded by WSUS Offline and KB2976978 was not found. So, the only explanation is that KB2976978 was included in the installation image downloaded from Microsoft.
      It should be noted that:
      1) No other telemetry updates (at least from the list presented in Martin Brinkmann’s post) were found in the system.
      2) The DiagTrack service is absent in the system.
      3) According to the Task Scheduler, the system seems to respect the CEIP opt out choice – even with the corresponding “telemetry” tasks enabled and the triggers set, the “Last Run Time” is “Never” for CEIP tasks (except for Consolidator, which is expected), DiskDiagnosticDataCollector and WinSAT.
      Hope this information can be useful.
