Posted on March 14th, 2017 at 06:10 Comment on the AskWoody Lounge
Günter Born has details on Borncity.
Long and short of it, the two notorious Win7/8.1 snooping patches, KB 2952664 and KB 2976978, which were re-re-… released last week, have been pulled.
I fully expect to see them back later today as part of the St Patrick’s Patch Tuesday festivities. When the re-appear, they may well be marked as “Recommended” – which means you may get them installed if you aren’t careful.
There’s a big crop of patches waiting in the wings. Now’s a good time to make sure you’re at MS-DEFCON 2, automatic updates are turned off, and your system’s braced for winter weather.
Posted on March 7th, 2017 at 13:22 Comment on the AskWoody Lounge
We’re seeing a replay of February’s Patch Tuesday run –
… except this time it isn’t Patch Tuesday. No idea what’s been changed in those two proto-snooping patches. No idea why they’re being re-re-…-released on the first Tuesday of the month. But they are coming out as Optional, which means they won’t get installed unless you check the corresponding box in Windows Update.
Anyway, best to get locked down. We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
Oh and, yes, it looks like Windows Update is working again, after taking a month off.
Full story in InfoWorld Woody on Windows
Posted on February 21st, 2017 at 12:16 Comment on the AskWoody Lounge
These are the two patches implicated with various snooping proclivities, and tied into upgrading from Windows 7 to Win10, or Win8.1 to Win10 — which should be a non-starter tat this point.
I can see them in the Microsoft Update Catalog:
They’re both listed as “Last Updated 2/17/2017.”
They aren’t listed on the Windows Update official page, but PKCano reports that she’s seeing the Win 8.1 patch, released today, optional and unchecked.
Of course you should avoid them.
Posted on February 15th, 2017 at 10:17 Comment on the AskWoody Lounge
There’s a lot of conjecture. I haven’t seen any Feb “Patch Tuesday” style patches. Have you?
Hard to believe all of the patches – Vista, Win7, 8.1, various 10s, the Offices including Click-to-Run, IE, .NET, and all the weird supporting patches have all gone missing.
The only conclusion I can draw – and it’s 100% speculation – is that Windows Update is broken. Or maybe compromised.
Do you have any better info – or a contrary opinion?
UPDATE: Gregg Keizer at Computerworld just posted an interview with a security expert who, amazingly, seems to say exactly what I’m saying.
Posted on February 11th, 2017 at 08:05 Comment on the AskWoody Lounge
- A thorough list of telemetry-inspired Win7 and 8.1 patches
- A list of dozens of Microsoft servers that only exist to snoop
- Details about disabling the Customer Experience Improvement Program, the Diagnostic Tracking Service, and scheduled tasks that phone the mothership.
If you’re concerned about Win7 snooping – and you should at least be aware of the, ahem, feature and its manifestations – this is an amazing central repository of information.
Posted on February 10th, 2017 at 22:02 Comment on the AskWoody Lounge
Windows guru Günter Born has just posted an English-language article on his web site about KB 2952664 and KB 2976978, the re-issued snooping patches for Win7 and 8.1 (see entry below). His article includes a detailed description of how one might cut off the telemetry in those patches.
The question is “why Microsoft re-releases those updates, although they has been installed on many machines, and why as a extraordinary update on a Thursday?” Microsoft kb articles doesn’t give a clue what’s in.
He goes through a series of steps to take down a program called compattelrunner.exe, a telemetry data gathering routine that “has been known as a trouble maker driving many systems CPU and RAM load to 100%.” Born admonishes:
But note, I haven’t tested it – so you are at your own risk – and we don’t know how long this trick will work. But it’s maybe helpful.
He also includes a list of telemetry related patches that many of you will find interesting.
Check it out.
Posted on February 9th, 2017 at 15:14 Comment on the AskWoody Lounge
What’s going on?
InfoWorld Woody on Windows
UPDATE: The replies here are getting thick and uninformative. Opinions are great, but they belong in the Rants forum, not here.
I sealed off the replies, and point you to this comment by Mr. Brian:
I think we have a decent idea of what KB2952664 does (at least the older version that I tested). KB2952664 adds task Microsoft Compatibility Appraiser. Task Microsoft Compatibility Appraiser is a gatherer of information that is sent to Microsoft by service Diagnostics Tracking Service.
Detailed KB2952664 (older version) test results: https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21407.
Method of listing the telemetry data that Diagnostics Tracking Service sends to Microsoft: https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21414.
I will test the newer version of KB2952664 when time permits.
I’ll update this as definitive information arrives.
Posted on November 23rd, 2016 at 05:42 Comment on the AskWoody Lounge
This from MrBrian:
I am conducting Windows telemetry technical tests similar to Ed Bott’s tests (https://www.askwoody.com/
2016/the-inside-scoop-on- windows-snooping/), but instead I am testing Windows 7 x64, and I am using Microsoft’s Process Monitor instead of Resource Monitor.
Background information from Microsoft: “Windows 7, Windows 8 and Windows 10 Telemetry Updates (Diagnostic Tracking)” – https://blogs.technet.
microsoft.com/netro/2015/09/ 09/windows-7-windows-8-and- windows-10-telemetry-updates- diagnostic-tracking/.
The October 2016 monthly rollup previews and November 2016 monthly rollups contain the Diagnostics Tracking Service, as did some previous Windows updates. See http://www.infoworld.com/
article/3132377/microsoft- windows/microsoft-previews- telemetry-push-with-new- win781-patches-kb-3192403- 3192404.html for more information.
The first question that I’d like to address is: does participation in the operating system’s Customer Experience Improvement Program change what the Diagnostics Tracking Service does? Background information about the Customer Experience Improvement Program is at https://www.microsoft.com/
How to test:
1. Set the operating system’s Customer Experience Improvement Program participation setting to the desired setting by following the instructions at http://www.infoworld.com/
article/2981947/microsoft- windows/the-truth-about- windows-7-and-81-spy-patches- kb-3068708-3022345-3075249- and-3080149.html.
2. We need to know the PID (Process ID) of the instance of process svchost.exe that runs the Diagnostics Tracking Service. We’ll do so by using Resource Monitor. Start Resource Monitor by following the instructions at http://www.digitalcitizen.
life/how-use-resource-monitor- windows-7. In the CPU section of the Overview tab, find the row with “svchost.exe (utcsvc)” in the Image column and note its corresponding PID in the PID column. This value changes every time you start the operating system.
3. If you don’t have Process Monitor, download it from https://technet.microsoft.com/
4. To reduce memory consumption in Process Monitor, make sure Filter->Drop Filtered Events is ticked. Then exit Process Monitor and start it again to ensure this setting has taken effect.
5. Add a filter by using Filter->Filter to add filter “PID is <number from step 2> Include”. As an example, my filter is “PID is 472 Include”. Make sure there isn’t more than one filter of type “Include”.
6. Press the Clear button to clear the output.
7. Run Process Monitor for at least 70 minutes (and preferably longer) to see patterns that may emerge in the output.
8. You can toggle capturing of events on or off by pressing the Capture button.
When Process Monitor has run for a few days on my computer, I’ll report the results here. Feel free to run your own tests and report your findings; be sure to include which operating system you are testing.