Newsletter Archives

  • Martin Brinkmann’s deep dive into removing telemetry in Win7 and 8.1

    On the heels of Günter Born’s discoveries about the just-reissued “snooping” Win7 and 8.1 patches KB 2952664 and KB 2976978, Martin Brinkmann at Ghacks has just posted:

    • A thorough list of telemetry-inspired Win7 and 8.1 patches
    • A list of dozens of Microsoft servers that only exist to snoop
    • Details about disabling the Customer Experience Improvement Program, the Diagnostic Tracking Service, and scheduled tasks that phone the mothership.

    If you’re concerned about Win7 snooping – and you should at least be aware of the, ahem, feature and its manifestations – this is an amazing central repository of information.

  • A way to mediate the telemetry gathering in Win7 and 8.1

    Windows guru Günter Born has just posted an English-language article on his web site about KB 2952664 and KB 2976978, the re-issued snooping patches for Win7 and 8.1 (see entry below).  His article includes a detailed description of how one might cut off the telemetry in those patches.

    The question is “why Microsoft re-releases those updates, although they has been installed on many machines, and why as a extraordinary update on a Thursday?” Microsoft kb articles doesn’t give a clue what’s in.

    He goes through a series of steps to take down a program called compattelrunner.exe, a telemetry data gathering routine that “has been known as a trouble maker driving many systems CPU and RAM load to 100%.” Born admonishes:

    But note, I haven’t tested it – so you are at your own risk – and we don’t know how long this trick will work. But it’s maybe helpful.

    He also includes a list of telemetry related patches that many of you will find interesting.

    Check it out.

  • Microsoft re-releases snooping patches KB 2952664 (for Win7), KB 2976978 (Win 8.1)

    What’s going on?

    InfoWorld Woody on Windows

    UPDATE: The replies here are getting thick and uninformative. Opinions are great, but they belong in the Rants forum, not here.

    I sealed off the replies, and point you to this comment by Mr. Brian:

    I think we have a decent idea of what KB2952664 does (at least the older version that I tested). KB2952664 adds task Microsoft Compatibility Appraiser. Task Microsoft Compatibility Appraiser is a gatherer of information that is sent to Microsoft by service Diagnostics Tracking Service.

    Detailed KB2952664 (older version) test results:

    Method of listing the telemetry data that Diagnostics Tracking Service sends to Microsoft:

    I will test the newer version of KB2952664 when time permits.


    I’ll update this as definitive information arrives.

  • Care to join a Win7 snooping test?

    This from MrBrian:

    I am conducting Windows telemetry technical tests similar to Ed Bott’s tests (, but instead I am testing Windows 7 x64, and I am using Microsoft’s Process Monitor instead of Resource Monitor.

    Background information from Microsoft: “Windows 7, Windows 8 and Windows 10 Telemetry Updates (Diagnostic Tracking)” –

    The October 2016 monthly rollup previews and November 2016 monthly rollups contain the Diagnostics Tracking Service, as did some previous Windows updates. See for more information.

    The first question that I’d like to address is: does participation in the operating system’s Customer Experience Improvement Program change what the Diagnostics Tracking Service does? Background information about the Customer Experience Improvement Program is at

    How to test:

    1. Set the operating system’s Customer Experience Improvement Program participation setting to the desired setting by following the instructions at

    2. We need to know the PID (Process ID) of the instance of process svchost.exe that runs the Diagnostics Tracking Service. We’ll do so by using Resource Monitor. Start Resource Monitor by following the instructions at In the CPU section of the Overview tab, find the row with “svchost.exe (utcsvc)” in the Image column and note its corresponding PID in the PID column. This value changes every time you start the operating system.

    3. If you don’t have Process Monitor, download it from

    4. To reduce memory consumption in Process Monitor, make sure Filter->Drop Filtered Events is ticked. Then exit Process Monitor and start it again to ensure this setting has taken effect.

    5. Add a filter by using Filter->Filter to add filter “PID is <number from step 2> Include”. As an example, my filter is “PID is 472 Include”. Make sure there isn’t more than one filter of type “Include”.

    6. Press the Clear button to clear the output.

    7. Run Process Monitor for at least 70 minutes (and preferably longer) to see patterns that may emerge in the output.

    8. You can toggle capturing of events on or off by pressing the Capture button.

    When Process Monitor has run for a few days on my computer, I’ll report the results here. Feel free to run your own tests and report your findings; be sure to include which operating system you are testing.

  • Windows 8.1 snooping patch KB 2976978 re-re-re-released

    It’s an optional patch, so you won’t get it unless you ask for it.

    The KB article is now up to revision 32.

    Microsoft is careful to note (this time):

    This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate compatibility on the Windows ecosystem and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.

    It’s the Win8.1 analog to the much-discussed Win7 KB 2952664.

    While Microsoft implies that the patch only does its snooping if you enable the Customer Experience Improvement Program, I haven’t found any official confirmation.

  • What do you know/think about KB 2952664?

    We know KB 2952664 snoops – and we’ve known that for more than a year.

    Microsoft re-released it as a standalone patch today – Optional, Recommended.

    Do we have any definitive word on what the patch does, whether it’s actually beneficial (and, if so, how?), or if it’s just a spy that deserves to get ignored and/or uninstalled?

  • Win 7, 8.1 customers getting hit by the old KB 2952664 ‘Get Windows 10’ telemetry patch

    It’s back, tho its purpose isn’t clear.

    Why does Microsoft keep digging itself into the same hole?

    InfoWorld Woody on Windows

    UPDATE: I just got a nudge from SB and have appended this to the comments at the end of that InfoWorld patch:

    I’ve just been told of a significant reason why some folks may want to install this new version of 2952664. It looks like the patch is used by the Windows Update Analytics service – and this is their telemetry hook.

    I stand corrected: If you expect to use the Windows Update Analytics service, you need this patch.

    SECOND UPDATE: Microsoft reached out to me with a statement that

    There is no Get Windows 10 or upgrade functionality contained in this update. This KB article is related to the Windows Update and the appraiser systems that enables us to continue to deliver servicing updates to Windows 7 and Windows 8.1 devices, as well as ensure device and application compatibility.

    The InfoWorld page has been updated, and the update should be propagating even as we speak.

  • Four new Windows patches to avoid: KB 2952664, 2976978, 2977759, 3170735

    It looks to me like Windows Journal has finally gone to the bit bucket in the sky.

    InfoWorld Woody on Windows

  • Two versions of KB 2952664

    I’ve seen several reports from people who have two versions of KB 2952664 sitting on their machines. Yesterday, ch100 sent me this explanation:

    I don’t know how interesting this is for you as it seems to repeat regularly now.

    Here is a screenshot of MU on Windows 7 64-bit Ultimate with 2 versions of KB2952664 on offer – one Recommended dated 12/04/2016, the other Optional dated Yesterday.

    I am expecting that the Optional one will take over next main Patch Tuesday while the Recommended one will be retired at the same time.

    Notice that both are unchecked by default.

    The Important tab has the current Office 2013 Updates unchecked, less the Definitions Update which has already been installed.

    Screenshots are as you would expect, showing two different versions of 2952664.

  • Wednesdays releases: KB 2952664, 2976978, 2977759

    Guess that writing on the book has rolled over my brain – or I’m just getting lazy. You wouldn’t believe how many changes there are in build 1607. Anyway.

    On Tuesday, Microsoft re-re-re-re-re(^16)-released three old familiar faces:

    KB 2952664 – Compatibility update for upgrading Windows 7, version 21

    KB 2976978 – Compatibility update for Windows 8.1 and Windows , version 25

    KB 2977759 – Compatibility update for Windows 7 RTM (that’s the one for people who are still using the original Win7, and haven’t yet applied Service Pack 1), version 21

    They’re all unchecked, optional updates, all related to Win10 marched upgrading, all equally ignorable. No doubt they’ll turn into “recommended” before too long. I last wrote about them two months ago.

    Second verse, same as the first….


  • What are the differences between KB2952664, KB3150513 and the naughty KB3035583?

    A very interesting synopsis from our very own ch100:

    What are the differences between KB2952664, KB3150513, and the naughty “Get Windows 10” patch KB3035583?

    KB2952664 (and its equivalents for other OSes and versions) is the baseline pre-requisite for all the others providing the telemetry baseline. It is mostly useful for the upgrading to Windows 10, but not only as it provides telemetry capabilities in a wider sense.

    KB3150513 is not offered unless the previous one is installed and adds further functionality in relation to making Windows 10 upgrade more reliable. It has specific functionality in relation to applications compatibility and this is why is offered as a different KB number.

    KB3035583 is purely adware/nagware, the bad guy which is neutralised by the Group Policies configured to do that or by Josh’s GWX Control Panel, or Steve Gibson’s tool, or Noel’s procedure.

    What I find relevant is that the first 2 patches are offered to medium/large businesses running Enterprise Version or Enterprise/Pro + WSUS, while the last one KB3035583 is never offered to those businesses. They are the most important customers for Microsoft’s bottom line.

    Which makes me think that, unless overly concerned about the telemetry issues, the other patches are not so damaging or annoying and may actually provide some benefit in certain instances. The larger businesses seem not to pay much attention to the telemetry issues and follow the official line from Microsoft. If anything, the communication back to Microsoft is blocked for network traffic and OS performance reasons and rarely for the content of it. The larger businesses are not typically offered an upgrade in place and are still offered KB2952664 and KB3150513 and maybe there are more to come.

    There is certainly no benefit at all in installing KB3035583 unless and only if interested in doing in-place upgrade to Windows 10.

    Even so, I upgraded long before all those patches mentioned here were released and my upgrade still completed successfully and I did it more than once. The three patches are just risk mitigation patches, not mandatory if upgrading from sources other than Windows Update, like the official ISO image. And it is actually a lot more reliable to use the ISO than Windows Update.

  • Are you having trouble with Win7 patch KB 2952664 and Norton Identity Safe?

    Can you reproduce this? From reader TB:

    Windows 7 update kb2952664 has been around in several versions for about two years now. The latest came to me on 13 April 2016 – and it had a surprise inside!

    First, the routines and applications contained in this update all date from either March or April 2016 – it’s all new stuff.

    What’s REALLY new is that the Microsoft Compatibility Appraiser that’s installed seems to be more aggressive. I use Norton Antivirus and Identity Safe. These products don’t work with Microsoft’s Windows 10 browser, Edge and this is not new news. However, this update seems to take action: when I installed it, I could not access Identity Safe, even though I am running Windows 7. Apparently, the update modifies some of the code that Norton uses.

    Why am I so sure? This was the only update I installed. When I installed it, Norton’s toolbar told me to ‘Access Vault’ in the Identity Safe box. If I pressed on that button, I saw a message: ‘ Reboot needed’. I did that, and nothing changed. There was no way to access the Identity Safe vault. When I uninstalled the update, Identity Safe worked again, the same way as it did before.

    Determining what needs to be done and leaving flags for Windows 10 to use is one thing. Disabling software I paid for and should be able to use while I use Windows 7 is something else.