• Telemetry from the Malicious Software Removal Tool

    #30811

    This is disturbing. From reader CA: While performing a routine audit on one of my machines, I was surprised to discover that MSRT now sends a “Heartbe
    [See the full post at: Telemetry from the Malicious Software Removal Tool]

    • #30812

      I feel it’s important to point out that when you buy a copy of Windows you’re paying for a license. Just saying.

    • #30813

      But yes I agree. All this telemetry is getting ridiculous. And I’m in Group A. Also have you thought about making a page explaining the different groups for any newcomers to the site?

    • #30814
    • #30815

      See email about Heartbeat Report. Wish I could post here

    • #30816

      The point about this being a license is always brought up, and always the implication is that if only users would read the fine print they would realize that they have no right to complain.

      The joke is on those who assert this. We can stipulate that Microsoft has probably loaded the EULA with enough verbiage to cover anything they want to do. It doesn’t matter. The more one-sided such “agreements” are, the more likely they are to get into court eventually, and when they do, judges are not bound by the text that no one other than Microsoft’s lawyers takes seriously.

      Judges are free to step back and inquire into the actual bargain between buyer and seller, and the basic equities that arise therefrom, especially (in this case) whether Microsoft’s aggressive moves to invade user privacy and push new products violate the reasonable expectations that users had when they plunked their money down on the counter–regardless of whether you call it a purchase or a license.

      1 user thanked author for this post.
    • #30817

      Fair enough, however they’re changing the EULA of that license that we paid for and agreed to without our consent. There are no new EULA’s or prompts for a new EULA acceptance when such updates are installed.

    • #30818

      I just checked the log on my laptop, which started in April this year. The August version also phoned home. Not only that, the April version attempted to phone home as well, but failed with an error code. My thanks to CA for finding this and finding the (hopefully) fix!

    • #30819

      Whelp, that’s another update to quit installing going forward. What a joke. MS is making it ever more increasingly difficult to do anything but ‘all’ or ‘nothing’. The lines of Group B are getting blurred to the point that it’s not as worthwhile of a place as it used to be, and it’s more like Group A.

    • #30820

      Hello,
      As I just ran MSRT on this Win7 Pro 64 machine that I write this on, I checked in the Registry and do not see the MSRT entry . . .
      Thoughts?
      Should I add it?
      Thanks!

    • #30821

      I don’t think it’s possible to post a pic in the comments section.

      Yep, I see HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnosticks\Diagtrack

      ConnectivityHeartBeatSequence DWord value 0

    • #30822

      Naw. It’s just a strange anomaly, more indicative of a lack of sensitivity than anything else.

    • #30823

      I’m telling you. It’s only a matter of time before telemetry is slipped into the security only update.

    • #30824

      Well, that is a bit curious. I am running Win 7 Pro x64 SP1 on my Dell Studio laptop, fully patched through the September patches, as I was going to be a Group A type. The registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT does not exist on my machine. The only instance of MRT in my registry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT, with three data values:
      EULA2, type REG_DWord, value 1;
      GUID, type REG_SZ, value 8FCDD714-DFA2-4156-AAC5-2F85C3E6C5B1;
      Version, type REG_SZ, value 2168C094-1DFC-43A9-B58E-EB323313845B.
      The value for Version matches the entry for September 2016 GUID value identified in KB891716.

      The upshot is, I don’t know how to proceed to successfully kill the phoning home, and am open to suggestions. I suspect that since I am not a member of any domain, I simply have no group policy set for the MSRT process.

    • #30825

      As always with this sort of thing, it isn’t what information is sent back to MS that is the issue for me so much as what they do with it when they receive it. If they’re collating technical information that enables them to improve things then that’s one thing, if they’re selling it on for marketing purposes then that’s something else altogether. I suspect we all think we know the answer to that one!

      I always run MSRT each month but I always get it out of the way before I consider the main updates, given that it’s always been non-contentious and reliable. I’d no idea that it ran automatically if you left it until you’d cleared the updates!

      Still, I’m happy to learn something new every day, and so it seems are MS :)!

    • #30826

      This is the type of telemetry which I would consider to be relatively benign as arguably, it seems primarily concerned with info regarding the types of malware infections detected on users’ systems rather than data mining to target ads. Whether the telemetry reports on the “malware” MS has installed on systems over the past year is a different discussion, I suppose.

    • #30827

      Even better kill MSRT by adding to registry
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
      "DontOfferThroughWUAU"=dword:00000001

      Then rely on a decent A/V and antimalware package.

      Will also speed up your Windows Updating 🙂

    • #30828

      I have never used the MSRT for one reason only. It requires my acceptance of another legal contract… I look at it this way…. Hey I’ll run the program and if it finds something, let me know, then I can answer yes to let you clean it…. The fact you have to accept up front smelled fishy…

      On another note, every EULA, every privacy statement I’ve ever read, includes a phrase similar to this…. “We reserve the right to make changes to this agreement at any time without further notice” etc. etc. In other words, anything you read here is full of BS and you give us the right to do whatever we want, whenever we want to! I’m surprised they stand up in court. Software companies and end users alike will tell you NOBODY reads EULAs, so how can there be a “Meeting of the Minds” (necessary to enforce contracts)?

    • #30829

      I just had a thought to do a search for the word telemetry in regedit… try it… C what U find!

    • #30830

      We shall see. We shall see.

    • #30831

      I imagine you mean to say… You Think it’s reliable.

    • #30832

      I went ahead and did the registry edit since I doubt it will cause any problems. However, even though I’ve been running MSRT every time it’s offered by WU, I couldn’t find any mrt.log files on my computer. Hmmm.

    • #30833

      It’s probably because I use CCleaner and had it set to delete Windows System log files… Doh!

    • #30834

      Just create a new MRT subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT and add the recommended REG_DWORD to it per the instructions above. No idea yet as to whether it will actually stop the phoning home or not.

    • #30835

      And, as another CCleaner user, that would explain why I don’t find “mrt.log” either.

      However, I don’t find a key for “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnosticks\Diagtrack” in my registry either.

      1 user thanked author for this post.
    • #30836

      MSRT has a EULA every time it is installed.

    • #30837

      It has been going on since the original release, 2005 maybe?

    • #30838

      @Seff I think you are on Windows 8.1? There it runs automatically during maintenance, while on Windows 7 it runs only when it is “installed” or manually by running the .exe.

    • #30839

      As I prophetically predicted.

    • #30840

      U mean u trust ms when they say so?

    • #30841

      I would be interested in what tools you were using to perform the audit and against what standard. Personally I’ve been looking for a means to audit my home and small business client network(s) against the NIST baseline for various software products and network devices:
      https://web.nvd.nist.gov/view/ncp/repository

      Thanks!

    • #30842

      For those looking to do a promising startup: Win7Linux — a Linux distribution that to the user looks and behaves identical to W7. I dk how hard it is to do, but I’m sure there is a serious market.

    • #30843

      Hmmmm..wonder if the time is coming that running Malwarebytes, Super Antispyware or MSRT will remove windows from your computer ? 🙂

    • #30844

      I’m done, done, done, done, done, done with Windows 10 locking up when I’m AFK and done, done, done, done, done with Windows Compatibility Telemetry service sucking the life out of my disk drive. The other candidate for the most annoying thing about Windows 10 is the general, catch-all service system services. It is extremely annoying to wait 10, 20, 30, or 40 minutes waiting for MS’ services to finish their data munching of my hard drive and pegging the I/O bandwidth at 100%. It’s time to exorcise some MS daemons from my system.

      • #108103

        You are so right about the hard drives’ trashing around for ‘nothing’ (at least for us, the computers owners and users). Not to, specially, mention the overuse and life draining of our SSDs.

        Don’t feed me that bullc*** that Windows 8.1 and 10 are optimized for SSDs.

    • #30845

      Our only hope is that MS gets its butt handed to it by the EU. It may not stop them here, but it would be a sweet victory.

    • #30846

      I do use Ccleaner, but I don’t delete anything in the System category (except for Windows Error Reporting, which I just started deleting last month upon some advice that was given here in a discussion thread) and I don’t delete anything in the Advanced category.

      I do have mrt.log on my computer, and I just checked it using the pathway given in the blogpost above.

      The log goes from early 2014 to early 2016 (I dutifully and compliantly ran MSRT every month between those dates).

      It stops in February 2016 because that’s when I stopped running MSRT via Windows Update after I realized that it didn’t seem to be doing anything helpful for me and it required a suspicious acceptance of terms every single month.

      For those 2 years that I did run MSRT, there was nothing like a “heartbeat report” indicated in my log.

    • #30847

      The funny thing is you cannot completely dismiss that possibility based on their behavior to date.

    • #30848

      billy is an angel and fren hv more $/avenue
      to buy/own (read control) mother earth
      and everything that is in it 7 times over….
      and make all the laws and regulations and NORMS(just4u)
      as per their fancy whims and ‘wisdom’
      its their game and their rules (ur only a user rite?)
      and who’s the winner
      that won it all before the first roll of dice?

      where would the judges land their feet?

      is there any patch of land that billy and fren would let any creature roam free?

      BY the current appearance of ‘reality’…
      … NOT even fate has a chance it seems…

      Hmmmm…. not waken up yet???
      back to dreamland…. user.
      quietly you are at least 50 years too late….
      for some that is a lifetime
      and time to (forced?) check out…. user. (you hvn’t been given/permitted/prototype with any control – other than the perception of the illusion of it)
      thats what you are made for.
      Its fate (proudly certified by billy and frens).

    • #30849

      That resource at NIST is interesting. I am wondering what is the purpose and the scope of that recommendation? Is it for Government Departments and Agencies, for regular end-users or else?
      It may be too much of a hassle for regular users, but for Power Users it may actually be useful.
      Try this resource as well
      Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7
      https://technet.microsoft.com/en-us/library/hh125921%28v=ws.10%29.aspx

    • #30850

      Hope for what in the EU?
      Their politicians have already messed up the web with those warnings about cookies which are now looking more like spam. They also caused the mess called Windows N.

    • #30851

      At this point more a case of “We WILL see.”

    • #30852

      I have had MSRT unchecked from Windows Update for years. MSRT cannot perform scans without calling home!

    • #30853

      @wdburt1;

      “Judges are free to step back and inquire into the actual bargain between buyer and seller….whether Microsoft’s aggressive moves to invade user privacy and push new products violate the reasonable expectations that users had when they plunked their money down on the counter–regardless of whether you call it a purchase or a license.”

      +1000 I’m resident in EU.
      A new law taking effect in two years will bite…hard.

      20 July 2016

      France orders Microsoft to stop collecting excessive user data

      https://www.yahoo.com/tech/france-says-orders-microsoft-stop-collecting-excessive-data-170143107–finance.html

      Excerpt:

      “The French data protection authority on Wednesday ordered Microsoft Corp to stop collecting excessive data on users of its Windows 10 operating system and serving them personalised ads without their consent.”

      “While the fines that can currently be levied by European data protection authorities are paltry compared to the revenues of big U.S. tech companies, a new European Union data protection law set to enter into force in two years provides for fines of up to 4 percent of a company’s annual global turnover.”

      1 user thanked author for this post.
    • #30854

      re ch100;

      ” They also caused the mess called Windows N.”

      “If you reside in and purchase a PC in a country required to use the N and KN editions, you receive a computer without media technologies…
      The ruling was about consumer choice. However, if you choose to, you can still install Windows Media Player and related apps anytime for free by downloading and installing a special Media Feature Pack.”

      http://winsupersite.com/windows-10/what-are-windows-10-n-and-kn-editions

    • #30855

      It is not true, the calling home can be blocked and the way to block it is in Woody’s post.

    • #30856

      (and it’s just been picked up by Martin Brinkmann on ghacks. Thanks, CA!)

      1 user thanked author for this post.
    • #30857

      Well, OK, but Billy hasn’t been in the picture for well over a decade – and, like it or not, he’s doing tremendous work in many fields.

    • #30858

      Ha Ha…. very well … the receiver end from billy may differ greatly … still…. there is only one billy 🙂

      I have learn much in the last decade or so…
      from the ancient teaching of the east…
      fate is … well.. fate…
      good or bad is a matter of opinion
      and definitely a matter of time frame and dimensions (reincarnations and sort)

      if we are all actors on this stage…
      as painted by Shakespeare and many
      i think you agree with me
      bill had a wonderful (or colorful) life (acting part)

      yes billy is off to chase after the moon and the whole universe (aka asteroid mining) and immortality project
      still bill is … well… billy

      and there aint no M$ w/out billy
      – SO if the fruit is rotten –
      is it because the tree is bend and crooked?
      or is it because the seed is bad?

      or is it “fate”? everything dies in the end?

      we are born to be actor on this life stage
      made to be “user” in the ms-wonderland

      where is the free choice?

      sometimes i wonder
      does my left eye/brain see the same with my right eye/brain
      why do I keep coming back with 2cent rant
      when unplugging would bring back peace instantly
      just like pre-birth or post-death
      nothing counts really
      nothing at all “I” get to keep hence nothing is “mine”
      no even this body this hands that type these words…
      it was never a matter of choice…
      its “fate-destiny” – a fixed program of our handler
      (m$ and the user relation is but a microcosm of the universal prototype)

      it seems …. the only way out is…. OUT.

      nuff rant form this old thing 😀
      but i wont ever want to be “billy” this life or next
      would you?

      peace2u woody & all

    • #30859

      Hmmmm… I was never a fan of Gates’s management style – Ballmer’s even less – but billg’s doing a lot of good stuff now.

    • #30860

      I have Ubuntu Linux, and there are a lot of similarities with Windows. I understand that Linux Mint has a lot of similarities with Windows.

      I believe that with the bullying behavior that Microsoft is now doing, there is a window of opportunity for someone to cut into Microsoft’s dominance on the desktop. But there are two problems with Linux: (1) There are several distros, none of them dominant enough (Ubuntu seems like the most dominant one), and (2) Things don’t always work as well or as easy with Linux as they do with Windows.

      There’s not a huge amount of money to be made with Linux, since it is public domain. This hinders the development of Linux.

      I thought that Suse Linux would become dominant, when Novell bought it. Instead, Novell died. I also thought Red Hat Linux would become dominant. They are doing everything needed to become dominant, because they are fully supporting it.

      Oh well; we’ll see.

    • #30861

      @ch100 – No, I’m on Windows 7. That’s fine, I just read the comment here that it runs automatically at the end of the updates and didn’t appreciate that only applied to 8.1 – thanks for the clarification.


      @Bob – No, I meant that it had always proved reliable in that I’ve never had any issues with it, can’t recall reading of any (I mean crashes etc rather than this current telemetry issue), and neither Woody nor Susan Bradley ever include it in their monthly reports beyond the occasional mention that it’s fine to install it.

      However, I run MSE and MBAE in the background with twice-weekly manual scans with MBAM so if there’s an issue emerging with MSRT I’ll happily hide it each month.

    • #30862

      I’ve resorted to firewall blocks for spynet2.microsoft.com and spynetalt.microsoft.com under XP (see SpyNetReportingLocation under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MpGears key), and just added firewall blocks for wdcp.microsoft.com and wdcpalt.microsoft.com under Win 8.1 (see SpyNetReportingLocation under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet key). Also, on Win 8.1, my SpyNetReporting DWORD has a value of 0, which means not a member of Microsoft Spynet (see http://www.ghacks.net/2011/06/02/disabling-microsoft-spynet-in-windows7/).

      On XP, I get a “Failed to submit clean hearbeat MAPS report: 0x80072EFD” error message in the MRT log, but the MSRT run completes okay. (And yes, it is “hearbeat”, not “heartbeat” in the MRT log, and yes, I am retiring my XP machine!)

      A couple of interesting articles: 1) http://www.malwarehelp.org/how-to-block-microsoft-spynet-2009.html, and 2) https://blogs.technet.microsoft.com/clientsecurity/2011/02/22/microsoft-spynet/.

      The first article (written about Microsoft Security Essentials) mentions a trade-off between blocking MSRT telemetry and the benefits of Dynamic Signature Service. I would guess this trade-off also applies to Windows Defender.

    • #30863

      Yes, but we don’t get to see it, especially if one has automatic updates selected. Another example of MS underhandedness. It is an implied EULA. See the long comment in Woody’s InfoWorld article.

      But now smart people won’t use MSRT.

    • #30864
    • #30865

      I don’t have an entry for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT in my registry, but I DO have HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools which has sub-keys MpGears and MRT.

      MpGears has a DWORD named HeartbeatTrackingIndex entry with value 7, and a multi-string named SpyNetReportingLocation with the following entries:
      SOAP:https://wdcp.microsoft.com/WdCpSrvc.asmx
      SOAP:https://wdcpalt.microsoft.com/WdCpSrvc.asmx
      REST:https://wdcp.microsoft.com/wdcp.svc/submitReport
      REST:https://wdcpalt.microsoft.com/wdcp.svc/submitReport
      BOND:https://wdcp.microsoft.com/wdcp.svc/bond/submitreport
      BOND:https://wdcpalt.microsoft.com/wdcp.svc/bond/submitreport

      I therefore doubt very much that making an entry for MRT in the other place will do any much good.

      I did put the don’t report line in the MRT sub-key of this registry key. We’ll see.

    • #30866

      @ WOODY Your blocking process is beyond most of us (individual, at home, never been a geek) persons, who are very concerned about telemetry on our computers. And most of us, about 60%, don’t have access to geekdom (not a word), nor can we afford them. Are we to do away with computers? Suggestions would be appreciated. I try but you all are getting way ahead of me.

    • #30867

      +1 for killing
      i never ever used that idiotic tool

      AV/antimalware programs are also in the same perspective for me 🙂

    • #30868

      No he isn’t, his actions will cause more problems for planet earth in the future.

    • #30869

      I collect all logs in the AV/AM category before doing any system cleanup with tools like CCleaner or Glary Utilities. It’s just safer that way. Copy the logs to the desktop, append the date and time, and archive them along with all other security logs.

    • #30870

      I’ve been using Ubuntu Linux for several years now, and it is not very much like Windows.

      Linux will never mimic Windows, and will never have the look and feel of any version of Windows. The two OSes are simply not cut from the same cloth. They serve different primary audiences, and have different purposes.

      Windows is designed to be a user-friendly consumer oriented OS. Linux was developed by IT pros and does not pay much attention to consumer-friendly features or pretty GUIs. This makes Linux more resource conservative, faster and often more stable than Windows, but it also makes Linux lack the familiar look and feel of Windows. No amount of GUI window-dressing can change these and other differences.

      If you want something just like Windows, you must stick with Windows. If you want something which is not Windows just because you dislike Windows or Microsoft or telemetry, be prepared to learn a very different and unfamiliar OS.

      Linux is what it is. And it still does not do WiDi/Miracast, it has severe issues with the Bluetooth Stack, and no, there is no Photoshop for Linux.

    • #30871

      This is a tempest in a teapot.

      MSRT is not collecting personally identifiable info. It does not run for long periods, and does not take up huge amounts of system resources.

      As far as I know, the data collected by MSRT is only used to improve malware detection and general performance of the tool. None of the data are used for advertising purposes, and the data collected would not be suitable for that purpose anyway.

      If anyone can prove otherwise, please post.

    • #30872

      In his post, Woody was careful enough to add: “supposedly”.

    • #30873

      I don’t know much about it certainly, but over the years I’ve noticed that some of the things they are doing, aren’t universally seen as good, or the best way to achieve their aims.

    • #30874

      If all the world’s a stage, I think I’ve gone out the emergency exit door backstage to see if it’s raining (it is) and can’t get back in because there are no handles on the outside.

      @ND60, you infused the word “user” with so much bile that at some points when it appeared, I felt that I was being slapped! (that’s not a criticism)

      I don’t agree that there is nothing that “I” get to keep in the long, long term, and I would even take the quotes off the I; but that is an ancient point of disagreement!

      I know little about it, but in the scheme of things, I don’t see how Bill was such a baddie, compared with some others in that industry/locale/mindset. The ones who are really dangerous, in my opinion (and Stephen Hawkings’, etc.) are the ones going hell for leather with AI.

      (and driverless vehicles, planet colonization, extreme lifespans, constant surveillance, genetic modification, cloning, manipulation of the populace, etc.)

      It fills me with such sorrow that our planet and our civilizations are being so quickly degraded and utterly changed forever.

    • #30875

      “Stephen Hawking says artificial intelligence could be humanity’s greatest disaster”

      in (UK) The Telegraph newspaper
      19 October 2016

      “The invention of artificial intelligence could be the biggest disaster in humanity’s history, Professor Stephen Hawking has said, warning that if they are not properly managed, thinking machines could spell the end for civilisation.

      “The rise of powerful AI will be either the best or the worst thing ever to happen to humanity. We do not know which,” the British physicist said.

      He was speaking at the opening of a new Cambridge centre that will seek to address the potential dangers and conundrums of AI.

      Professor Hawking, a prominent critic of making unchecked advances in AI, said that the technology promised to bring great benefits, such as eradicating disease and poverty, but “will also bring dangers, like powerful autonomous weapons or new ways for the few to oppress the many”.

      “It will bring great disruption to our economy, and in the future AI could develop a will of its own that is in conflict with ours,” he said.

      His comments come amid breakthroughs in artificial intelligence that are being achieved faster than many predicted….

      Professor Hawking has been one of the most high-profile sceptics about AI. He was one of more than 1,000 other experts and researchers to sign an open letter warning of the perils of artificially intelligent weapons last year.

      The Leverhulme Centre for the Future of Intelligence is a collaboration between the Universities of Cambridge, Oxford, Imperial College London and Berkeley in California.”

      http://www.telegraph.co.uk/technology/2016/10/19/stephen-hawking-says-artificial-intelligence-could-be-humanitys/

    • #30876

      The EU has been in the forefront of trying to stand up to corporate behemoths like Microsoft.
      They don’t always succeed, but at least someone is doing something to try to rebalance the power differentials and drastic erosion of rights and privacy.
      Unfortunately on this topic the EU has a lot of opposition from various sectors and areas of the globe, for various reasons.
      It’s complicated when there is a law that covers only certain geographic areas, like the “right to be forgotten” and the right to receive a hard copy of all data that the company has collected on you.
      Not to mention the situation of government spying’s only being allowed on communications that cross borders or don’t cross borders or that go through certain servers or certain undersea cables, but really all of it is (un)fair game.

    • #30877

      The warnings that a site uses cookies and asking the reader if he/she agrees to that or not have been on many EU websites for several years already, people are used to them, and they don’t look like spam to me.

    • #30878

      Another MS program that I always trusted bites the dust!

      In fact, I can remember ONE instance in the last 5 years where MSRT actually found an infection. Quite useless really. No problem not running this one either.

      Group b and even c looking better and better.

      CT

    • #30879

      Woody wrote in the first line of the blogpost that the rest of its contents were not written by Woody, but were sent to him by contributor “CA”.

    • #30880

      @Brian,

      As a fellow non-computer-techie, my non-expert thoughts are–

      Do not worry if you don’t know how to apply the registry-changing instructions given in the blogpost, do not worry if you don’t know how to look into your computer at this level of detail.

      This is not something that is on the top list of things that non-techies need to worry about at this time.

      It is just another example of how Microsoft is engaging in more and more “snooping” of our computer usage.

      The news is of interest to people who thought that the Microsoft Malicious Software Removal Tool (MSRT) was something that was benign and would not be used as an undercover way for Microsoft to get more information about us.

      I already had (totally non-expert, just instinctive) suspicions of the MSRT and I stopped installing/running it in Windows Update in February. I don’t have this “heartbeat” communication feature listed in my MSRT log, the one that people are referring to in this discussion thread.

      Whether you have it or not, it’s not a big problem that we have to do something about right now, it’s just another way that Microsoft is pulling more information from our computers.
      It is my understanding that it is more risky for non-techies like us to try to go into the registry and edit it, than it is to leave something like this “heartbeat” thing in the registry.

      I do not know if the advice to the general public is now going to be that people should stop installing the monthly MSRT from Windows Update — stay tuned to see what Woody says about that.

    • #30881

      My log file, which is cumulative, starts in April this year. May, June, and July entries make no mention of phoning home. It is only the failed April message, and the successful August and September entries that report successful transmission results. Of course, since M$ is more and more forcing me under the tinfoil hat, they could be transmitting without logging the result.

    • #30882

      @Canadian Tech,

      Just for myself, if I imagine that I’m looking at a paper map of the 3 possible pathways,

      on my map path A has a “no-go” circle with a line through it because there are two past Windows patches (one currently labelled as optional, one labelled as important) that my computer cannot have installed because they screw it up,

      path B has a 100-mile path that squiggles up and down mountains, through streams, on rickety rope bridges across rivers, and after all that, it circles back round to the start of:

      path C, which begins and ends at the beginning, no fuss involved.

      In other words, I have a feeling that, for me, path B might entail a lot of effort but might not result in much measurable progress in the end, so maybe path C would be the most efficient.

      Even though I do see a lot of value in the security updates and I know that I would be taking on risks in “going it alone”, since I cannot have a situation where I do not connect my computer to the internet.

    • #30883

      Correction: My log started in April 2015, with the transmission error. There is no further mention of transmission until August this year.
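
Added example, not part of any post in this thread and not Microsoft's code: a Python parser that walks an mrt.log and reports, for each MSRT run, whether a heartbeat submission was logged as sent, failed, or not logged at all, which is the check described in #30862 and #30881/#30883. The sample log is constructed; only the "Failed to submit clean hearbeat MAPS report: 0x80072EFD" line comes from the thread, and the banner wording, the success-line wording and the UTF-16 encoding are assumptions about the log format.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Banner that opens each run (wording assumed; adjust if your log differs).
RUN_START = re.compile(
    r"Malicious Software Removal Tool v(?P<version>[\d.]+), "
    r"(?P<release>[A-Za-z]+ \d{4})"
)
# Matches "heartbeat" and the misspelt "hearbeat" quoted in the thread.
HEARTBEAT = re.compile(r"heart?beat", re.IGNORECASE)
HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}")


@dataclass
class Run:
    version: str
    release: str
    heartbeat: str = "not logged"   # "sent", "failed" or "not logged"
    error: Optional[str] = None     # HRESULT string when the submission failed


def decode_log(raw: bytes) -> str:
    """Decode log bytes; assumes UTF-16 when a BOM is present, else UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_runs(text: str) -> List[Run]:
    """Split the cumulative log into runs and classify each run's heartbeat line."""
    runs: List[Run] = []
    for line in text.splitlines():
        start = RUN_START.search(line)
        if start:
            runs.append(Run(start["version"], start["release"]))
            continue
        if not runs or not HEARTBEAT.search(line):
            continue
        lowered = line.lower()
        if "fail" in lowered:
            code = HRESULT.search(line)
            runs[-1].heartbeat = "failed"
            runs[-1].error = code.group(0) if code else None
        elif "success" in lowered:
            runs[-1].heartbeat = "sent"
    return runs


def heartbeat_timeline(raw: bytes) -> List[str]:
    """One summary string per run, oldest first."""
    return [
        f"{r.release}: {r.heartbeat}" + (f" ({r.error})" if r.error else "")
        for r in parse_runs(decode_log(raw))
    ]


# Constructed sample: version numbers, dates and banner text are made up.
SAMPLE_LOG = "\r\n".join([
    "Microsoft Windows Malicious Software Removal Tool v5.23, April 2015 (build 5.23.0.0)",
    "Started On Wed Apr 15 09:00:00 2015",
    "Results Summary:",
    "No infection found.",
    "Failed to submit clean hearbeat MAPS report: 0x80072EFD",  # line from the thread
    "Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 09:03:00 2015",
    "",
    "Microsoft Windows Malicious Software Removal Tool v5.38, July 2016 (build 5.38.0.0)",
    "Started On Wed Jul 13 09:00:00 2016",
    "Results Summary:",
    "No infection found.",
    "Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 13 09:04:00 2016",
    "",
    "Microsoft Windows Malicious Software Removal Tool v5.39, August 2016 (build 5.39.0.0)",
    "Started On Wed Aug 10 09:00:00 2016",
    "Results Summary:",
    "No infection found.",
    "Successfully Submitted Heartbeat Report",  # assumed wording of a success line
    "Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 10 09:02:00 2016",
])
SAMPLE_BYTES = SAMPLE_LOG.encode("utf-16")  # Python adds a BOM here


if __name__ == "__main__":
    # Pass the path to a copy of mrt.log, or run with no argument for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for entry in heartbeat_timeline(data):
        print(entry)
```

0x80072EFD is the HRESULT form of WinINet error 12029 (cannot connect), so a "failed" entry with that code is what a run looks like when the reporting hosts are unreachable, for example behind the firewall blocks described in #30862.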

    • #30884

      I checked my Win 7 SP 1 x64 and found entries under HKEY_LOCAL_MACHINE to wit: files heading Windows then CurrentVersion then folder- Diagnostics then folder Diatrack. Under which is folder telemetry.ASM-WindowsDefault. I am going to go thru the entire registry of this computer because if it is in one place it is bound to be tied to another. DO I DELETE without hurting the rest of windows 7?

    • #30885

      I am pretty sure that Group C would demand a shift away from IE. I have resisted that for years and years on the premise that I wanted to keep a relatively pure MS environment. But alas, that day is just about on me.

      I plan to start with B, but like you, suspect the likelihood of moving to C is high. I will be prepared to move to C at the drop of a hat. Stuff like MSRT turning into a telemetry update pushes me that way.

      My looking at hundreds of PCs and seeing so many which run just fine as far as the user knows but have not been updated in many months, in some cases years, tells me that there may be an experience base that tells me that Group C may not be as risky as instinct tells me.

      CT

    • #30886

      “…e prepared to learn a very different and unfamiliar OS.”

      You mean like transitioning from Windows XP to Windows 7?

    • #30887

      @Brian
      poohsticks’ advice is very good advice.

    • #30888

      Or 7 to 10? 🙂

    • #30889

      @Woody: As quoted in the above post by Anonymous:

      ” I would guess this trade-off also applies to Windows Defender.”

      Is this a “possibility” too, that Windows Defender is also sending information back to MS when it does its scans? I’ve wondered about this since I read about the MSRT doing this.

      Your opinion on this would be most appreciated.
      Thank you! 🙂

    • #30890

      I have cleaned up quite a few (in fact, many) badly infected computers over the years. People whose AV expired two years ago and they didn’t know the difference because the icon was still in the taskbar, people who click on anything in e-mail or on the Internet – you know the type, the average Joe and Jane User. MSRT didn’t protect them. It has NEVER found anything on ANY of my computers (but I’m not Joe or Jane User). I have no qualms about not using it each month.

      But I think of the Users (Joes and Janes) I support. They cannot deal with “don’t install these patches” and “get this update from the MS Catalog.” There are only two paths for them: Group A or Group C (unless I personally touch their computers each month). I cannot recommend, in good conscience, Group C for them.

      And where does that leave the few of us here? If MS sabotages our computers with telemetry and bugs in Security-only updates, and only fixes the problems it causes with Monthly Rollups, do we still choose Group B? Does it force us into Group A or C? MS doesn’t care, because our numbers don’t matter.

      And Microsoft runs for the cloud and mobile (what mobile? Surface3? Nokia? Band2? Continuum to a light bulb or refrigerator?), and it forgets you have to have a way to get to there. Microsoft may not need Windows any longer, but it can’t keep alienating the people who need its products. There’s too much competition where it’s going.

      To quote Lizzyfish (on a completely unrelated matter) who quoted John Donne (1624 on a completely unrelated matter)

      “No man is an island
      entire of itself …………..

      ….never send to know for whom the bell tolls;
      it tolls for thee. . .”
      Microsoft.

      I have entirely too much time on my hands!

    • #30891

      It is very reliable, there is no reason not to keep scanning once a month for extra peace of mind. It can also be run “on demand” because it actually “installs” which means it places the current version of mrt.exe in the system32 folder.
      In Windows 8.1, it uses the .exe for a scheduled task run during the Windows 8.1 built-in scheduled maintenance, which does not exist in Windows 7.
      If you have concerns about the communication back to Microsoft, there is official documentation about how to block it by configuring the registry and it is in the original post.

    • #30892

      I have a rather special situation. I look after these 150 computers in a much more attentive way than most for-pay companies would ever consider.

      My clients get an email once a month from me (they have for years now) describing exactly how to do their updates. I can easily include the actual link to that month’s Security only updates, and instruct them to use the .net update and Office updates in the regular update. That is easy for Janes and Joes to do. It actually is easier than what they have been doing for the last year.

      For the last year, they have had their setting at Never and when I tell them, they start up WU and then find the Windows section and hide all the non-security ones. Then proceed to do the update.

      Because I check their computers fairly often, if I discover they are not doing updates, I do them for them remotely.

      In effect the Security only single update patch is the same thing but easier.

      My big question is whether I can rely on MS to not sully that category and permit that strategy to work over the longer term. Abbodi and Woody seem to think so.

      So, I think I will start them out in B and be very watchful for alerts from you and Woody’s guys to see if I have to switch to C.

      CT

    • #30893

      After the release of the Server 2016 and the realisation that it is the server version of the 10 LTSB (this is documented now by Microsoft), I am looking more and more into LTSB 2016. The only issue is that some of the Store apps (Calculator is good example) will have to be replaced with applications which were already in the previous editions as Win32 applications. As it stands now, IE11 still rules Windows, Edge is a failed product.
      There is obviously the question of how this edition can be used by users not associated with enterprises, as the subscription model seems to apply only to the regular enterprise version. There is the trial version though.
      For now, Windows 7 is still the gold standard for Microsoft Desktop OS.

    • #30894

      MSRT has never found or cleaned anything anywhere, just like MSE and DEFENDER before that. Get rid of them.

    • #30895

      Um……not sure if this has been mentioned before.
      But besides the Heartbeat Report…… there is also mention of a Map Report…… and when I did a search on line the following came up with :

      https://technet.microsoft.com/en-us/library/dd627342.aspx

      Microsoft Assessment and Planning (MAP) Toolkit for Windows 10, Windows 8.1, Windows 7 and Internet Explorer

      The Microsoft Assessment and Planning (MAP) Toolkit is an agentless inventory, assessment, and reporting tool that can securely assess IT environments for various platform migrations—including Windows 10, Windows 8.1, Office 2013 and Office 365, Windows Server 2012, SQL Server 2016, Hyper-V, Microsoft Private Cloud Fast Track, and Windows Azure.

      and it goes on…..

      This to me doesn’t look too benign……. can anyone shed any light on this ???

      Ok……. so this has noticeably only been going on for 2 months (at least the reporting) so if one doesn’t install the MSRT tool in future there will be no reporting via this mechanism…. am I right……. or does one need to insert that Registry fix. If the registry fix is needed to…. please could someone in ‘dummy’ speak give us poor mortals the instructions. I know the code is written up in the original post…….. but I think for practical purposes would some kind soul be good enough to start from the beginning… i.e
      the where, the what, etc. so that we poor sods don’t muck it up……. and our computers, and our lives, and whatever!! Ok I’m off to cogitate a bit more about all this. LT

      Never wish life were easier,
      Wish that you are better
      ~ Jim Rohn

    • #30896

      Well poohsticks you say you feel such sorrow for the planets and civilizations being degraded and changed so much……. yes, I do too…… it’s terrible…… but
      Prof. Hawking is somebody who appears to be so ‘secular’ in his thinking…… there is none of the ‘spiritual’ aspect which is needed as well to make a wholeness of everything.

      Things seem to be topsy turvy everywhere….. so much mayhem… that you almost feel like shouting “Stop the World, I want to get off”……

      or perhaps “Take Five” as they say in the cinema world. We need people with ‘heart’ not just ‘brain’ only……… which seems very rare.

      These are just my thoughts that have popped up…. my tuppence worth! LT

      Your vision will become clear only when you can look into your own heart.
      Who looks outside, dreams; who looks inside, awakes.
      C.G. Jung

    • #30897

      @ poohsticks + woody + all

      apology for all if me rant was not quite your taste

      I was, at this stage of life, with all the crazy techno background,
      re-examine the 2 most unanswered question (for all humanity),
      “Who am I” and “What am I doing here”

      and yes for all the ancient teaching and all the modern quest (esp in quantum physic) there is still no DEFINITE answers…
      and why is that?

      we roam around this ball called ‘earth’ and do this and that,
      and yet we know not where we come from and where we will go (or being sent off)

      for the record, I am not anti-billy per se
      but I look at his life and story and often wonder
      what goes through his brains
      how does he feels when this or that happen
      and does he think he is “human”
      and many more

      to me such category of people are history markers
      they are put there for a (known/unknown) purpose
      and there is much to learn from them
      the good bad and ugly

      again poohsticks your “emergency exit door backstage”
      makes me think of The Truman Show
      what if that is all it is?

      we “finish” this life, aka 3rd dimension, and check out to 4th dimension?

      HA HA 😀

      what if all the KBs f-up is but part of the show?

      anyway I must introduce you to this sci-fi
      that totally blows my already-random mind
      it all good clean fun but also very thought provoking
      – We Are Legion (We Are Bob) (Bobiverse, #1)
      – by Dennis E. Taylor

      well we know Ray Kurzweil is all for it
      (though not sure he will volunteer to be first)
      what if we can have millions of billy?
      would we have a better world?

      anyway sorry for the rant….
      seemingly we are still looking for answers…
      as if everything must have a reason,
      a consequence must have a cause,
      and all things/matter must take it place within the element of time
      yet maybe we are program/made/take this human form “not to know” or “not able to know”
      as if there is a sealer or blinder somewhere
      just like W7 home and prof cannot have access to group policy control

      I sometimes rant a lot here
      when I see many still looking for “justice” “freedom” “choice”
      and sort
      what if those were never offered in this creation by the original maker?
      and that our collective sense and want of those attributes can only be obtain in the artificial world they created for us (I call the “user) and they label it “good”?
      Is not this remarkably similar (or the same) as genesis?
      and they have put themselves as our “gods”?

      just 2cent rant…

      its coming to wkend now…
      as the ancient wisdom I have learn the most
      sincerely I wish
      “may you/we be happy with your/our lot”

      there may not be anything else…. out there? 🙂

      Namaste
      peace2u all

    • #30898

      ghacks is also not sure that the registry entry can be a lasting solution.

    • #30899

      You said it brother. May Windows 7 as the gold standard reign on! That is how to defeat this massive threat. I dream on.

      CT

    • #30900

      Not a dream. I bet Win7 runs almost half the Windows usage for at least another year.

    • #30901

      My sense of the big corp IT marketplace is that it would be close to insanity to propose a huge investment to switch to Win10, even assuming it was a better OS, considering the huge investment that was made in 2014 to “upgrade” from XP to 7.

      No IT manager in their right mind would propose an “upgrade” on existing hardware. Too big a task. It would take a whole new set of hardware.

      I just don’t think there is a market for this.

      When you add to that what Win10 actually is, as an IT manager, I would be loath to propose such a change for at least another 3 years, and more likely 5.

      If Win10 is denied corp IT for that long, it will surely strangle itself.

      CT

    • #30902

      @Bobo: How do you get rid of them – – – Hide them?? Thanks for the information. 🙂

    • #30903

      You know just recently someone in a group I’m in asked why were they getting a window come up just before installation of the Malicious Tool asking if they accept or decline…..

      and I quote:
      “I have updates this morning in W7.
      For the 1st time that I know of I am asked to accept or decline
      before installing.
      Windows Malicious Software Removal Tool x64 October 2016
      KB890836

      Do I accept or decline?”

      I, myself have not had that happen to my knowledge.
      Would this be the EULA you’re talking about ?

    • #30904

      I disabled MSRT Heartbeat reports on one computer. Today I went to disable it on my laptop but when I went to look at the log first, I found that it said for September:

      Successfully Submitted MAPS Report

      and

      Successfully Submitted Heartbeat Report

      What is this MAPS report? Will disabling the heartbeat report also disable the MAPS report? If not how do you also disable the MAPS report?

    • #30905

      @Erik’;

      “…how do you also disable the MAPS report?”

      Open MSE; >Settings >MAPS>Select “I don’t want to join MAPS”

      JF

    • #30906

      I voiced this problem earlier on in this thread and didn’t get any response……. it’s further up in the comments……. but the gist of it was that I also noticed a Maps report being sent to MS together with the Heartbeat one. On looking up on line about this I found it appeared to be something that was collected, or could be collected, and sent to MS re your computer including aspects to do with upgrading and performance. And to me didn’t look v. benign in the least. What importance would that aspect have with relation to the MSRT tool? Nothing in my mind…. merely MS using it to snoop.

      I then asked if one doesn’t install the MSRT tool would that stop this reporting in it’s tracks from here on. If not would someone in ‘dummy speak’ be good enough to instruct how to disable/kill it.
      It is in the MSRT log and think in presuming it wouldn’t be sent if one did NOT install the MSRT patch from here on…. would that be accurate?

      Also @JF……. I do not have MSE installed…… so wouldn’t (I don’t think) be able to use your fix…. but thanks it would be comparatively easier than say a registry fix for us mere mortals!
      LT

      “The problem is not that there are problems. The problem is expecting otherwise and thinking that having problems is a problem.” – Theodore Rubin

    • #30907

      Lizzytish, I just found your post earlier. As far as I can tell I don’t have MSE either. So I wasn’t able to follow Joe’s instructions. I do have windows defender though and Microsoft live essential 2011 (came pre-installed). I saw another earlier post that listed a registry fix. I have never even opened a registry before this week but I followed the directions from another post about the heartbeat report that listed a ghacks article.

      http://www.ghacks.net/2016/10/20/disable-microsoft-windows-malicious-software-removal-tool-heartbeat-telemetry/

      This was very easy to follow, except that the registry entry I was looking for was not found in the same place. Instead of

      Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

      it was

      Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Removal tools\MRT

      There is also a “find” function under the edit drop down menu that is very helpful

      I also found an earlier article for the MAPS registry editing:

      http://www.malwarehelp.org/how-to-block-microsoft-spynet-2009.html

      This has a registry edit for the MAPS report:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet

      Again on my computer this was wrong and I found it here:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet

      Unfortunately, it was already at Value 0 (which the article says should fix it but obviously it didn’t).

      So now I am not sure what to do? anyone have any ideas?

    • #30908

      @Eric@Lizzytish

      Re: MAPS

      For Win Defender (8.1) it’s the same steps as MSE.

      http://www.digitalcitizen.life/introducing-windows-8-how-use-built-windows-defender-antivirus

      Just follow the yellow brick road.

      All the magic will be revealed 🙂

    • #30909

      Thanks for replying Erik……. like you I found the registry key in the same place……. may be this is to do with the fact we don’t actually have MSE installed ?? If it is Program Files … it’s something I am not going to activate……. don’t need it….. don’t want it. The value on my machine was set to 1….. meaning I think ‘basic’… so I changed it to ‘O’. But you know I feel.. could be totally wrong…. that these reports are only being sent once the MSRT patch is installed… and is something new? (at least the reporting of it) from August onwards…. In my mind…… what’s been done already has happened……. but from now on hopefully I/we can stop this in it’s tracks. And I for one will NOT be installing the MSRT patch in future. I have other methods for protecting my machine and will be relying on them.

      I have also added the part Martin Brinkmann gave directions for. I think I noticed that he was giving directions for those using WinX – which could explain the difference of where the folders were.

      On looking for that I noticed another folder right next to the MRT under Removal Tools and it was called MpGears and when I opened it there was Heartbeat tracking and SpyNet Reporting. Interesting….. wonder how/what one can do to disable all that! any ideas anyone ??

      Having written all the above…. things are falling into place (ha!) Basically those NOT using MSE are now being tracked/spied on with the MSRT tool….. whereas those using MSE would have these reports sent ‘home’ automatically from time to time. Guess by using the program you possibly give MS the right and you expect this action….. and as has been commented on earlier MSRT has a EULA, (and in fact that is also in the MRT Folder under Removal Tools)
      so I guess MS is making use of that too. But of course the biggest thing in my mind is…. what are they collecting and what is it for ??

      But for the moment I think I’m going to give it a miss. LT

      The years just pass like trains. I wave, but they don’t slow down.
      — Steven Wilson

    • #30910

      Hi Folks,

      As many of you have stated, the MRT subkey under
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
      is missing – the same applies to me; I decided to create a registry key to be added in.

      These are the instructions:
      Open Notepad, then copy the following lines and paste them into the open Notepad window:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
      "DontReportInfectionInformation"=dword:00000001

      Save the file onto your Desktop like “MRT.reg” (without quotes). Double click on it to run it. Click “Yes/Yes” at the following messages. This is called merging the registry key to the Registry. Now if you look in the Registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
      you will see MRT entry with corresponding values.
      Reboot the machine.
      Now run MRT tool manually. You can find the file under: C:\WINDOWS\System32.
      The file is MRT.exe. Double click on it to run it and wait to finish.
      When it finishes, look at log file – mrt.log – under C:\WINDOWS\debug , a new entry into the file appears with results of the manual scanning. But in this entry at the end, the line “Successfully Submitted Heartbeat Report” is missing. I think all of us need this kind of result.

      I hope this will help.

      Additional Info: I have three machines (two laptops and one desktop) running WIN7 Ultimate SP1. Applied this procedure to all of them and got same results.
      Also you can erase “MRT.reg” file previously saved onto your Desktop.

    • #30911

      @Woody;

      FWIW

      Reviewing my Win7SP1 mrt.log today (24 Oct16) this is the only mention (Feb-July 2016) of heartbeat report.

      Note it was in February 2016 and seems to combine hearbeat(sic) and MAPS report???

      Microsoft Windows Malicious Software Removal Tool v5.33, February 2016 (build 5.33.12300.0)
      Started On Sat Feb 27 14:09:19 2016

      Engine: 1.1.12400.0
      Signatures: 1.213.4702.0

      Results Summary:
      —————-
      No infection found.
      Failed to submit MAPS report: 0x83760002
      Failed to submit clean hearbeat(sic) MAPS report: 0x83760002
      Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 27 16:55:53 2016
      Return code: 0 (0x0)

      =====================================
      In my Registry Editor I found;

      HKEY_LOCAL_MACHINE\Software\Microsoft\MicrosoftAntiMalware\Reporting

      LastHeartbeatReportTime REG_BINARY
      fd 6c ab 96 28 25 d2 01

      LastRptAndScanConfigCollectionHeartbeatTime REG_BINARY
      35 d6 b3 6b c4 23 d2 01

      LastRtpHeartbeatReportTime REG_BINARY
      60 c4 14 df 36 2d d2 01

      Offered FWIW apropos this thread.

      Looks like this reporting ain’t so new.
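An added example, not part of the post above and not Microsoft's code: assuming the three 8-byte REG_BINARY values quoted there are little-endian Windows FILETIME timestamps (the thread does not say so), this Python sketch converts them to UTC dates so they can be compared with the run times in mrt.log. The function names are hypothetical.

```python
"""Decode 8-byte REG_BINARY values as Windows FILETIME (added example)."""
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values exactly as posted in the thread, including the run-together "df36".
POSTED_VALUES = {
    "LastHeartbeatReportTime": "fd 6c ab 96 28 25 d2 01",
    "LastRptAndScanConfigCollectionHeartbeatTime": "35 d6 b3 6b c4 23 d2 01",
    "LastRtpHeartbeatReportTime": "60 c4 14 df36 2d d2 01",
}


def reg_binary_to_bytes(text):
    """Turn regedit-style hex text into bytes, tolerating odd spacing."""
    digits = re.sub(r"[\s,]", "", text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digits):
        raise ValueError(f"not whole hex bytes: {text!r}")
    return bytes.fromhex(digits)


def filetime_to_utc(raw):
    """Interpret 8 little-endian bytes as a FILETIME (an assumption here)."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    # Ten ticks per microsecond; sub-microsecond precision is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_values(values):
    """Map each value name to its decoded UTC datetime."""
    return {name: filetime_to_utc(reg_binary_to_bytes(text))
            for name, text in values.items()}


if __name__ == "__main__":
    decoded = decode_values(POSTED_VALUES)
    for name, when in sorted(decoded.items(), key=lambda kv: kv[1]):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {name}")
```
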

    • #30912

      I looked at the, and I found that it was already “I don’t want to join MAPS”, yet I am still getting the MAPS report sent out anyways. I will try the MSRT removal tool again one more time with my registry edit and see if anything gets sent out. If it does, then I will not download another MSRT update again.

      Also can you just remove windows defender off of Windows 7? How would you do this?

    • #30913

      @Erik;

      re: “Also can you just remove windows defender off of Windows 7? How would you do this?”

      1. Just search the net with your favorite browser and favorite search engine.

      “Windows defender Win 7” query brings hundreds of hits and many other suggested queries. Check out a few.

      Here’s one.

      http://www.howtogeek.com/howto/15788/how-to-uninstall-disable-and-remove-windows-defender.-also-how-turn-it-off/

    • #30914

      @EN;

      re. Your “merging the registry key” technique you described in your post at the link below:

      https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/comment-page-2/#comment-104086

      Would that or something like that work for Abbodi’s solution to kill Diagtrack?

      Abbodi86 post

      https://www.askwoody.com/2016/win-7-8-1-c-tuesday-patch-rollup-previews-are-out-kb-3192403-3192404/#comment-102920

    • #30915

      MRT is not related or connected to Diagtrack service

    • #30916

      It dates at least 10 years ago.

    • #30917

      I tried making the registry entry from above and Windows 10 said:

      “you can only import binary registry files from within the editor”

    • #30918

      Since we got the all clear DEFCON 3 I went ahead and installed the MSRT update. Afterwards I checked the MRT Log and sure enough, it still sent the heartbeat report. I followed the instructions for the registry edit, but it didn’t matter. This happened on both computers I have. Maybe Microsoft overrode the registry edit somehow.

      Did anyone get it to work?

    • #30919

      Erik……. I for one did NOT install the MSRT update. So can’t confirm for you……. but there were other instances that I found and commented on in
      my first reply to you…. and I quote:

      “On looking for that I noticed another folder right next to the MRT under Removal Tools and it was called MpGears and when I opened it there was Heartbeat tracking and SpyNet Reporting. Interesting….. wonder how/what one can do to disable all that! any ideas anyone ??”

      Could those be still activated and triggering the reporting home to MS……. even tho’ the other one was disabled. LT

    • #30920

      I actually deleted those tasks, they no longer exist on my computer but yet the report still sent.

      At this point I don’t trust MS enough and I will no longer install MSRT updates (it only runs when you install the updates).

      Looking back at the log it never found anything anyways. I have Symantec and it does a good job.

      Reading some other posts, it sounds like MSRT can remove from your computer stuff you might want (that MS doesn’t want you to have).

    • #30921

      @Lizzytish;

      re: “…MpGears…” you mean MPGear.dll?

      http://www.freefixer.com/library/file/MPGEAR.DLL-106159/

    • #30922

      Clueless (love that name…..we could all be called that!) It’s a sub-folder in Removal Tools in Registry and it sits above MRT. When I was looking to change the setting in MRT I noticed the MPGears folder and went in. And in this folder are Heartbeat and SpyNet with their settings and also a url: https://spynet2.microsoft.com/antimalware

      I went back to GHacks and there are also directions on how to disable the MRT tool through Task Scheduler, which possibly is why Erik for one is still having the reports sent when installing MSRT patch…. if he didn’t change that too.
      I did NOT install the MSRT patch this time, so there was no reporting.

      So possibly there are several places one needs to alter to stop this reporting completely…. including the Task Scheduler and MpGears and of course MRT.

      Funny thing I did a search for MPGEAR.DLL on my computer and it doesn’t appear to be there!!!
      How nice! May be that is because I’m not running
      Windows Defender…although Defender is in Program Files and there is no mpgear.dll there…. but several other .dlls starting with ‘mp’…..But on
      searching the System32 and SysWOW64 folders I found MRT.Exe sitting in both folders! Ha!

      Like Manuel in Fawlty Towers (again) I know nothing………… so am leaving well alone!!
      Happy Days! LT

    • #30923

      Yes……. I saw a comment at GHacks that MSRT removed some files a user wanted and was most upset that it happened without permission. Guess one lives and learns! I left a comment below…. wondering if you followed Ghack advice re the Task Scheduler which could be the link to stopping the reporting.
      That’s if of course you continue to install the MSRT patch which I haven’t this time and won’t be in the future! Good luck! LT

    • #30924

      NIST has various levels of recommendations. Mostly gov’t, but actively branching into the Non-Profit, Small Business, and Financial sectors. Personally, not sure why any end user would want less security than a typical small business or non-profit, once they understand the implications of being “carefree”.

      —New subject—likely poor blog etiquette here—
      The argument “I own a pc, but I’m not a geek” doesn’t hold water with me as an excuse to not contribute to the overall security of the internet, DDOS attacks, the business of information hacking, retrieval, and selling…on and on. I’m not a mechanic, but I own a car (and drive it). I’m not a plumber, electrician, accountant, or carpenter, but have these systems in my home. My advice: “Get a guy”, budget the annual upkeep expense, and move on–knowing simply that you are doing your part to keep your data safe just like locking the doors on your house and car. Nothing is 100%, but don’t make it so easy.

    • #30925

      Unfortunately, the link in the technet article has been moved:
      The downloadable version of this document:
      http://go.microsoft.com/fwlink/?LinkId=220158

      doesn’t appear to be available.

    • #30926

      AuthenticSQL, on your New subject. I think you are on to something, but it runs against the stream of how MS and the now dead Wintel group has been selling PCs for decades.

      I agree with you. It is actually not that difficult for a pro to provide this service and should not be costly. I do it for 150 client Win7 computers and it doesn’t take anywhere near full time. If I decided to make a business of it, I could likely handle 5 times that number. That gives you an idea of what it should cost to provide such a service.

      The way I do it, it actually extends the life of the PC investment quite dramatically, so there is a payoff beyond just being responsible.

      CT

    • #30927

      Canadian Tech,

      Thanks for the comment!

      Agreed! I am just now retiring (re-purposing to *nix, likely Mint) a 64bit Dell Opti that hit its 10 year anniversary and just completed a hardware refresh on a 6 yo Dell Vostro laptop, to take it to its 10 year birthday as a client. Both of these have been religiously cleared of ‘WinRot’ every 30-36mos.

      I see security and performance actually maturing into a ‘best practices’ area where security isn’t crippling and performance is more stability enhancing than ‘scorch your eyebrows off’.

    • #30928

      @Erik, @Lizzytish

      re: “I actually deleted those tasks, they no longer exist on my computer but yet the report still sent.”

      Ms. Rashid’s article below casts some light.

      “…collects data for third-party applications using the Application Insights service.”

      “…The data is sent to two hard-coded addresses…”

      “… users can’t block access with a hosts file”

      http://www.infoworld.com/article/2979054/windows-security/windows-7-8-10-now-all-collecting-user-data-for-microsoft.html

    • #30929

      I have verified that adding the registry entry below does indeed stop MRT telemetry and return it to its previous behavior.

      MRT triggers/scans after WU, but doesn’t send telemetry (Win 7).

      Subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

      Entry name: DontReportInfectionInformation
      Type: REG_DWORD
      Value data: 1

    • #30930

      Thank you Clueless for pointing to this article….
      very interesting…….. but I checked my Installed updates and none of those patches had been installed!
      (big sighs of relief!)

      But again I haven’t run MSRT since I changed my settings so can’t confirm if it’s still reporting or not.
      ————–
      In order to save a further posting, would like to add a thank you to CA for confirming that the ‘fix’ Martin Brinkman suggested “Don’tReport….”
      stopped the reporting home for him …….. and hopefully for all of us! LT

      “You may not control all the events that happen to you, but you can decide not to be reduced by them.” – Maya Angelou

    • #30931

      @CA: you say:

      “I have verified that adding the registry
      entry below does indeed stop MRT telemetry
      and return it to its previous behavior.”

      “MRT triggers/scans after WU, but doesn’t
      send telemetry (Win 7).”

      but how do you explain the fact that, according to the log file (C:\Windows\debug\mrt.log), the “Heartbeat Report” is still sent:

      Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
      Started On Wed Nov 09 13:14:35 2016

      Engine: 1.1.13202.0
      Signatures: 1.231.682.0
      Run Mode: Interactive Graphical Mode
      Successfully Submitted Heartbeat Report
      Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 09 13:17:43 2016

      Return code: 0 (0x0)

      Did you verify via a network trace (e.g. WireShark) that nothing was actually sent? Because the log says it submitted the “Heartbeat Report” anyway! (Note: I have not run a network trace myself.)

      I’m wondering if maybe the “DontReportInfectionInformation” registry value simply prevents any INFECTION report from being sent (just as its name implies), but does nothing to prevent the “Heartbeat Report” from ALWAYS being sent.

      WHAT IS PERHAPS MOST DISTURBING IS, even if you purposely DECLINE their “End User License Agreement”, the “Heartbeat Report” is STILL SENT ANYWAY each time you run the tool!

      I noticed there was a “EULA2” registry value set to ‘1’, so I changed it to ‘0’ and ran MRT.EXE and, as expected, it presented me with a dialog to accept their License Agreement, but clicking “Cancel” to DECLINE their EULA still nevertheless created a new log entry stating that the “Heartbeat Report” was successfully submitted!

      So apparently it ALWAYS sends the “Heartbeat Report” to Microsoft whether you want it to or not!

      (At least that’s the only logical conclusion that can be drawn based on their log file anyway.)

      Someone needs to perform a WireShark network trace to confirm or deny whether any type of report is actually sent. If one is, then Microsoft can be in a lot of trouble for not honoring the terms of their own license agreement!

    • #30932

      ** UPDATE **

      I have CONFIRMED that the “Heartbeat Report” is ALWAYS SENT EVEN WHEN YOU DECLINE THEIR LICENSE AGREEMENT.

      I did not bother to do a network trace. Instead, I simply disabled my network adapter and physically unplugged my router and powered it off.

      Then I ran MRT.EXE and clicked “Cancel” when it asked me to accept their license agreement.

      Lo and behold the following log entry appeared:

      Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
      Started On Thu Nov 10 07:21:05 2016

      Engine: 1.1.13202.0
      Signatures: 1.231.682.0
      Run Mode: Interactive Graphical Mode
      Failed to submit clean hearbeat MAPS report: 0x80072EE7
      Microsoft Windows Malicious Software Removal Tool Finished On Thu Nov 10 07:21:17 2016

      Return code: 0 (0x0)

      The line “Failed to submit clean hearbeat MAPS report: 0x80072EE7” says it all. It PROVES that Microsoft is still always sending the “Heartbeat Report” whether you want it to or not.

      This is unacceptable, Microsoft.

    • #30933

      Oy.

    • #30934

      What is MSE? I am trying to follow advice on a computer with an OS in Spanish so I have to figure out what the things are and then translate/find them… Thanks!

    • #30935

      MSE = Microsoft Security Essentials.

    • #30936

      Um… I have known about this since 2014.

      I noticed that MRT.exe connected to the internet during a Windows Update since I watch my network connections in Resource Monitor, because I have to allow all outbound connections with the Windows Firewall to do the update.

      However, I tried looking up MRT and hearbeat, but all the search engines I tried only showed results for the Heartbleed bug or medical results related to the heart. (Note: it is ‘hear’ not ‘heart’) So I gave up looking and kept mrt.exe blocked in the firewall. The only reason I am here is because I got distracted in the posts by Canadian Tech on the issues with Windows 7 Update being slow.

      Below is a copy from my mrt.log of the first instance of this issue that failed.

      —————————————————————————————
      Microsoft Windows Malicious Software Removal Tool v5.17, October 2014 (build 5.17.10700.0)
      Started On Fri Oct 17 15:15:13 2014

      Engine: 1.1.11005.0
      Signatures: 1.185.2035.0

      Results Summary:
      —————-
      No infection found.
      Failed to submit clean hearbeat MAPS report: 0x80072EE7
      Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 17 16:56:45 2014

      Return code: 0 (0x0)

      —————————————————————————————

    • #30937

      Fascinating!

    • #30938

      Hi Folks,
      The day before yesterday I downloaded and installed the latest version of MRT from Windows Update. As you know, it runs automatically after installation. The results which I got in the mrt.log file are posted below:

      —————————————————————————————
      Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
      Started On Thu Nov 10 13:28:10 2016

      Engine: 1.1.13202.0
      Signatures: 1.231.682.0
      Run Mode: Scan Run From Windows Update

      Results Summary:
      —————-
      No infection found.
      Microsoft Windows Malicious Software Removal Tool Finished On Thu Nov 10 13:31:18 2016

      Return code: 0 (0x0)

      As you see the line “Successfully Submitted Heartbeat Report” is missing.
      And to summarize: In my post from October 24, 2016 I described a technique, which leads to these results (at least for me).

      https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/comment-page-2/#comment-104086

      I hope this will help.

      Additional Info: I have three machines (two laptops and one desktop) running WIN7 Ultimate SP1. All of them got same results. I’m posting the log file from one of them.

    • #30939

      (DOH!) Woody? I apologize sincerely for my mistake. “Oy” indeed.

      Somehow during my information gathering phase, “HKLM\SOFTWARE\Policies\Microsoft\MRT” got accidentally changed to “HKLM\SOFTWARE\Microsoft\RemovalTools\MRT”, with the end result of course being that my “DontReportInfectionInformation” DWORD value got inadvertently added to the registry under the wrong key.

      As “EN” states in the previous comment, if you add the “DontReportInfectionInformation” value to the proper registry key (HKLM\SOFTWARE\Policies\Microsoft\MRT) then the Microsoft Malicious Software Removal Tool (MRT.exe) indeed does NOT send any type of report back to Microsoft.

      Again, I offer my most sincere apology for my error.
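
The posts above read three different outcomes from mrt.log: a submitted heartbeat, a failed submission attempt (0x80072EE7 with the network unplugged), and no heartbeat line at all. As an added example, not code from the thread, this Python script classifies each run in a log that way; the sample entries are abbreviated from the ones quoted above, and `classify_runs` is a name made up here.

```python
import re

# Sample input: abbreviated copies of the mrt.log entries quoted in this thread.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
Started On Wed Nov 09 13:14:35 2016
Run Mode: Interactive Graphical Mode
Successfully Submitted Heartbeat Report
Return code: 0 (0x0)

Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
Started On Thu Nov 10 07:21:05 2016
Run Mode: Interactive Graphical Mode
Failed to submit clean hearbeat MAPS report: 0x80072EE7
Return code: 0 (0x0)

Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
Started On Thu Nov 10 13:28:10 2016
Run Mode: Scan Run From Windows Update
No infection found.
Return code: 0 (0x0)
"""

# The failure line spells it "hearbeat", so the "t" is optional in the pattern.
SENT = re.compile(r"Successfully Submitted Heartbeat Report", re.I)
FAILED = re.compile(r"Failed to submit .*heart?beat.*report:\s*(0x[0-9A-Fa-f]+)", re.I)

def classify_runs(log_text):
    """Return one dict per MRT run: start time, run mode, heartbeat status."""
    runs = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Started On "):
            runs.append({"started": line[len("Started On "):], "mode": None,
                         "heartbeat": "none logged", "error": None})
        elif not runs:
            continue  # text before the first run header
        elif line.startswith("Run Mode: "):
            runs[-1]["mode"] = line[len("Run Mode: "):]
        elif SENT.search(line):
            runs[-1]["heartbeat"] = "sent"
        elif (m := FAILED.search(line)):
            runs[-1].update(heartbeat="attempted, failed", error=m.group(1))
    return runs

if __name__ == "__main__":
    # For a real log, pass in the text of mrt.log from the Windows debug folder.
    for run in classify_runs(SAMPLE_LOG):
        print(run["started"], "|", run["mode"], "|", run["heartbeat"], run["error"] or "")
```

A "none logged" result only reflects what the tool wrote to its log; as the thread points out, a network trace is the way to confirm what actually left the machine.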

    • #30940

      Thanks for the update!

    • #30941

      @abbod186

      “MRT is not related or connected to Diagtrack service”

      Yes, I understand that.

      In my post

      https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/comment-page-2/#comment-104231

      I was asking if “Your “merging the registry key” TECHNIQUE would that or something like that work for Abbodi’s solution to kill Diagtrack?”

    • #30942

      I see.

      Sure, it works; registry values can be added or changed both ways, using a .reg file or through the command line.

      For me, I used the command-line way, to accompany the other commands that disable the service and delete residual files.

    • #235131

      Hi Folks, As many of you have stated that MRT subkey under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft is missing – the same applies to me; I decided to create a registry key to be add in. These are the instructions: Open Notepad, than copy the following lines and paste it onto opened Notepad:

      Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT] “DontReportInfectionInformation”=dword:00000001

      Save the file onto your Desktop like “MRT.reg” (without quotes). Double click on it to run it. Click “Yes/Yes” at the following messages. This is called merging the registry key to the Registry. Now if you look in the Registry at: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft you will see MRT entry with corresponding values. Reboot the machine. Now run MRT tool manually. You can find the file under: C:WINDOWSSystem32. The file is MRT.exe. Double click on it to run it and wait to finish. When it finish, look at log file – mrt.log – under C:WINDOWSdebug , a new entry into the file appears with results of the manual scanning. But in this entry at the end, the line “Successfully Submitted Heartbeat Report” is missing. I think all of us need this kind of result. I hope this will help. Additional Info: I have three machines (two laptops and one desktop) running WIN7 Ultimate SP1. Applied this procedure to all of them and got same results. Also you can erase “MRT.reg” file previously saved onto your Desktop.

      https://i.imgur.com/1pFQm9C.jpg
      Above copied into Programmer’s Notepad and Run as you stated BUT failed to produce MRT Addon. Search for – MRT – and – DontReportInfectionInformation – in HKLM produced nothing although Reg Editor states Reg Mod Occurred when desktop – MRT.reg – opened to View.

      Image back or leave as is?  MANY THANKS!
      (I tried to PM – EN – or – *EN – in the To Box and I’m definitely not in on the PM How-To. Search for – How to PM – = 0. If anyone sees this – Where is the How to PM ?)

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / Macrium Pd v8 / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

    • #235251

      Hi Folks, As many of you have stated that MRT subkey under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft is missing – the same applies to me; I decided to create a registry key to be add in. These are the instructions: Open Notepad, than copy the following lines and paste it onto opened Notepad: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT] “DontReportInfectionInformation”=dword:00000001 Save the file onto your Desktop like “MRT.reg” (without quotes). Double click on it to run it. Click “Yes/Yes” at the following messages. This is called merging the registry key to the Registry. Now if you look in the Registry at: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft you will see MRT entry with corresponding values. Reboot the machine. Now run MRT tool manually. You can find the file under: C:WINDOWSSystem32. The file is MRT.exe. Double click on it to run it and wait to finish. When it finish, look at log file – mrt.log – under C:WINDOWSdebug , a new entry into the file appears with results of the manual scanning. But in this entry at the end, the line “Successfully Submitted Heartbeat Report” is missing. I think all of us need this kind of result. I hope this will help. Additional Info: I have three machines (two laptops and one desktop) running WIN7 Ultimate SP1. Applied this procedure to all of them and got same results. Also you can erase “MRT.reg” file previously saved onto your Desktop.

      https://i.imgur.com/1pFQm9C.jpg Above copied into Programmer’s Notepad and Run as you stated BUT failed to produce MRT Addon. Search for – MRT – and – DontReportInfectionInformation – in HKLM produced nothing although Reg Editor states Reg Mod Occurred when desktop – MRT.reg – opened to View. Image back or leave as is? MANY THANKS! 

      To punctuate that Edit is Too Short a period I have to Quote this to say I see the Directory List for PMs but wish you could Enter a Letter and it move to THAT section instead of turtle crawling thru the offered pg #s to finally reach E’s or X’s. Search Directory does Nothing apparently.

      I Deleted the How to PM question in the 1st post above.

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / Macrium Pd v8 / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

    • #238357

      Hi Folks, As many of you have stated that MRT subkey under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft is missing – the same applies to me; I decided to create a registry key to be add in. These are the instructions: Open Notepad, than copy the following lines and paste it onto opened Notepad: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT] “DontReportInfectionInformation”=dword:00000001 Save the file onto your Desktop like “MRT.reg” (without quotes). Double click on it to run it. Click “Yes/Yes” at the following messages. This is called merging the registry key to the Registry. Now if you look in the Registry at: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft you will see MRT entry with corresponding values. Reboot the machine. Now run MRT tool manually. You can find the file under: C:WINDOWSSystem32. The file is MRT.exe. Double click on it to run it and wait to finish. When it finish, look at log file – mrt.log – under C:WINDOWSdebug , a new entry into the file appears with results of the manual scanning. But in this entry at the end, the line “Successfully Submitted Heartbeat Report” is missing. I think all of us need this kind of result. I hope this will help. Additional Info: I have three machines (two laptops and one desktop) running WIN7 Ultimate SP1. Applied this procedure to all of them and got same results. Also you can erase “MRT.reg” file previously saved onto your Desktop.

      https://i.imgur.com/1pFQm9C.jpg Above copied into Programmer’s Notepad and Run as you stated BUT failed to produce MRT Addon. Search for – MRT – and – DontReportInfectionInformation – in HKLM produced nothing although Reg Editor states Reg Mod Occurred when desktop – MRT.reg – opened to View. Image back or leave as is? MANY THANKS! (I tried to PM – EN – or – *EN – in the To Box and I’m definitely not in on the PM How-To. Search for – How to PM – = 0. If anyone sees this – Where is the How to PM ?)

      After Hans at Eileen’s Lounge confirmed my question that — \’s – – should have been in the HKLM String (EN’s “COPY BELOW” was without them) I tried the Save As again with — \’s — but when the MRT2.reg folder was Opened with Registry Editor it stated the Keys Edit had occurred WITHOUT me even Clk’ing on the New .reg Folder. I DID see an – MRT – Folder where it should be. Problem is NONE of the Instructions are there, and I’m Not going to test the Registry’s patience.

      If you’re going to post ‘COPY THIS” instructions pls do your best to Not Supply FAULTY ones. Images are great but I don’t want to back date that far now. Computer OK but a good learning experience.

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / Macrium Pd v8 / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0
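
The .reg text quoted in the posts above appears on this page as a single line with no backslashes in the key path, and the last post reports that the backslashes should have been there. As an added example (not code from the thread), this Python linter checks .reg text for that and for the related layout problems; `lint_reg`, `AS_POSTED` and `WELL_FORMED` are names made up for the illustration, and the curly quotes in `AS_POSTED` mirror how the page renders the line.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT"
VALUE_NAME = "DontReportInfectionInformation"
VALUE_LINE = re.compile(r'^"%s"=dword:0*1$' % VALUE_NAME, re.I)

# The text as it appears in the thread: one line, no backslashes, curly quotes.
AS_POSTED = (HEADER + " [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT] "
             "\u201cDontReportInfectionInformation\u201d=dword:00000001")

# The same content laid out as a .reg file: header, blank line, key, value.
WELL_FORMED = "\n".join([HEADER, "", "[" + POLICY_KEY + "]",
                         '"' + VALUE_NAME + '"=dword:00000001', ""])

def lint_reg(text):
    """List the problems that keep this .reg text from setting the MRT policy value."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != HEADER:
        problems.append("header must stand alone on the first line")
    keys = [k.lower() for k in re.findall(r"\[([^\]\r\n]+)\]", text)]
    flat = POLICY_KEY.replace("\\", "").lower()
    if POLICY_KEY.lower() not in keys:
        lost = any(k.replace("\\", "") == flat for k in keys)
        problems.append("key path has lost its backslashes" if lost
                        else "key path is not " + POLICY_KEY)
    elif "[" + POLICY_KEY.lower() + "]" not in (ln.lower() for ln in lines):
        problems.append("[key] must be on a line of its own")
    if any(ch in text for ch in "\u201c\u201d"):
        problems.append("curly quotes; value names need plain double quotes")
    if not any(VALUE_LINE.match(ln) for ln in lines):
        problems.append("no line setting %s to dword 1" % VALUE_NAME)
    return problems

if __name__ == "__main__":
    for problem in lint_reg(AS_POSTED):
        print("as posted:", problem)
    print("well formed:", lint_reg(WELL_FORMED) or "no problems")
    print(WELL_FORMED)
```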
