Windows 7/8/10 Privacy Checklist

This page contains a list of various Windows anti-privacy behaviours and user-modifiable settings that I have run across on various sites, as a follow-up to my initial thoughts. By no means a comprehensive list, this is just scratching the surface of the private data that Windows collects from you. I will update as more information becomes available. Artem’s comprehensive article on Windows 10 is also worth a read.

UPDATE (Jan 2017): The EFF’s take on Windows 10 Privacy issues.

Getting around this page (Prefixes):

  • (All) – This section applies to all versions of Windows
  • (Win <10) – This section only applies to Windows 7/8/8.1, you can skip these sections if you’re on Windows 10
  • (Win10) – This section only applies to Windows 10, you can skip these sections if you’re not on Windows 10

Topics within this article:

  • GWX Tray Installer
  • Telemetry updates in Windows 7/8/8.1
  • Microsoft EULA and collection
  • Outgoing traffic capture
  • Windows 10 installation guide
  • Stopping background Telemetry services
  • Hosts file blocking
  • Windows 10 insecure DNS lookup behaviour
  • Manual route blocking (incl. hardcoded IPs)
  • Removing unwanted Metro/Modern UI apps
  • Scheduled data collection tasks
  • Windows Platform Binary Table (BIOS OEM Backdoor)
  • TPM/Bitlocker/Intel Management Engine
  • Microsoft Customer Experience Improvement Program
  • Windows Root Certificates and Trust List (CTL)
  • Microsoft co-operation with NSA

(All) Preface:

I would not recommend anybody use Windows 10 on a daily basis, or any version of Windows. The anti-consumer, anti-privacy approach implemented is very deliberate and just the latest in a long string of many, indicating how little Microsoft thinks of its users. This is especially important if you work in the healthcare industry that requires HIPAA certification (see here) as Windows 10 has raised concerns in this area.

Even with all user-accessible Privacy Settings set to strictest settings, Windows still uploads telemetry, and users agree to it (as seen in their Privacy Policy). Flipping the switches appears to do little except assuage the naive, albeit slightly less so in the Enterprise edition with Group Policy set. We would not accept this from any other company, but many still let it pass or find justifications, because the effort of learning a new OS is too great for them, or they are trapped in the ecosystem.

Despite all the steps you can take listed below, they could instantly be reverted by a patch that MS rolls at any time. In the Home / Pro versions of Windows 10, the user cannot disable patches, only defer them in the latter case. It’s also worth noting that a full packet capture will not likely yield much useful information, as many connections to MS servers are encrypted, and of course, Windows is closed source. Just imagine a stealthy rootkit, but even more impossible to remove.

UPDATE (23/Oct 2015): Microsoft’s SVP Belfiore indicates data collection really isn’t so bad and also it cannot be switched off. You should know that it’s already been discovered that your unique user identifier is sent in clear text, which then allows snoopers to download your account picture, your name, account details (like creation date) and makes it easier for anybody to match up your machine information with your identity later. There is no such thing as truly anonymous data.

UPDATE (28/Sep 2015): Microsoft has finally responded to the furore surrounding Windows 10. In short – “It’s for your own good.”. Only e-mail and Skype contents are NOT spied on by Windows 10, officially anyway. Those, presumably, are the domain of the NSA/GCHQ.

UPDATE (29/Feb 2016): More details on Microsoft displaying full-screen advertisements as your lockscreen picture and screensaver.

UPDATE (27/Jul 2016): As of the August Windows 10 Anniversary Update, Cortana (and its always-listening capabilities) can no longer be disabled. So it continues.

(Win <10) Important Note about Windows 7/8/8.1:

Microsoft are also retroactively applying telemetry updates to existing installs of Windows 7 / 8 / 8.1 since about mid-2015 because you can’t escape that easily. You will have to disable or uninstall the following nefarious updates from these versions (refer here, and here) to escape them:

  • KB2952664 (Compatibility update for upgrading Windows 7 to later versions)
  • KB2976978 (Windows Customer Experience Improvement Program update)
  • KB2990214 (Update that enables you to upgrade from Windows 7 to a later version of Windows)
  • KB3021917 (Telemetry additions for Windows 7)
  • KB3022345 (Update for customer experience and diagnostic telemetry)
  • KB3035583 (Windows 10 Upgrade tray reminder)
  • KB3044374 (Update that enables you to upgrade from Windows 8.1 to Windows 10)
  • KB3068708 (Update for customer experience and diagnostic telemetry)
  • KB3075249 (Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7)
  • KB3080149 (Update for customer experience and diagnostic telemetry – includes kernel modifications)

If you want to batch script the removal of the above, copy and paste these into a .bat file and run it from an elevated command prompt. Also be sure to find these updates when they show up again in Windows Update, and hide them. People have reported that sometimes the updates re-enable themselves after hiding, so keep an eye out.

wusa /uninstall /kb:2952664 /norestart /quiet 
wusa /uninstall /kb:2976978 /norestart /quiet 
wusa /uninstall /kb:2990214 /norestart /quiet 
wusa /uninstall /kb:3021917 /norestart /quiet 
wusa /uninstall /kb:3022345 /norestart /quiet 
wusa /uninstall /kb:3035583 /norestart /quiet 
wusa /uninstall /kb:3044374 /norestart /quiet 
wusa /uninstall /kb:3068708 /norestart /quiet 
wusa /uninstall /kb:3075249 /norestart /quiet 
wusa /uninstall /kb:3080149 /norestart /quiet
wusa /uninstall /kb:2977759 /norestart /quiet
wusa /uninstall /kb:3083710 /norestart /quiet
wusa /uninstall /kb:3083711 /norestart /quiet
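
Because these updates can come back, the following added example (not part of the original article) reports which of the KB numbers above are installed and which are being offered again, and can hide the offered ones. It uses Get-HotFix and the Windows Update Agent COM API; the function and variable names are made up for this example.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
# The KB numbers are the ones that appear in the list and batch file above.
$TelemetryKBs = '2952664','2976978','2977759','2990214','3021917','3022345','3035583',
                '3044374','3068708','3075249','3080149','3083710','3083711'

function Get-InstalledTelemetryKB {
    # Get-HotFix reports IDs as "KB1234567"; strip the prefix before comparing.
    Get-HotFix | Where-Object { $TelemetryKBs -contains ($_.HotFixID -replace '^KB', '') }
}

function Find-OfferedTelemetryKB {
    param([switch]$Hide)   # without -Hide the function only reports

    # Windows Update Agent COM API; the search contacts the update service and can be slow.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        foreach ($kb in $update.KBArticleIDs) {
            if ($TelemetryKBs -notcontains $kb) { continue }
            if ($Hide) { $update.IsHidden = $true }   # hiding requires elevation
            New-Object psobject -Property @{
                KB     = "KB$kb"
                Title  = $update.Title
                Hidden = $update.IsHidden
            }
        }
    }
}

# Report what is installed, then what is being offered again.
Get-InstalledTelemetryKB | ForEach-Object { Write-Warning "$($_.HotFixID) is installed" }
Find-OfferedTelemetryKB | Format-Table KB, Hidden, Title -AutoSize

# After reviewing the report, hide the offered updates:
# Find-OfferedTelemetryKB -Hide | Format-Table KB, Hidden, Title -AutoSize
```

Re-run it after each Windows Update check, since a hidden update can be re-published under a new revision.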

UPDATE (29/Oct 2015): Faced with Windows 10 install numbers starting to taper off, even despite extremely aggressive and obnoxious pushing of ‘upgrades’ on users, Microsoft has announced that Windows 10 will become a ‘recommended’ upgrade next year. Translation: If you have auto-updates turned on, Windows 7/8 will upgrade to Windows 10 when you’re not looking. An advertising and data-gathering platform only works well when there are a lot of people on it. Turn off auto-updates and manually check each update before you install it. Ridiculous, I know.

UPDATE (21/Oct 2015): If you’re running a pre-10 version of Windows, Microsoft is now automatically pushing a 3.5GB-6GB download of Windows 10 upgrade files to your drive, taking up space even if you have indicated you have no interest in upgrading. The hidden folder is called ‘C:\$Windows.~BT’ and will be re-downloaded if you delete the contents. Keep this in mind if you have limited disk space or download quotas. You can try taking ownership away from ‘TrustedInstaller’, which may stop it re-downloading. It appears KB3035583 as listed above (GWX Tray task) is the update which causes the folder creation/downloads.

UPDATE (9/Mar 2016): KB3139929 is a ‘security’ update that in fact installs a Windows 10 advertisement in Internet Explorer. Most likely in response to people abandoning ‘optional’ updates altogether and only opting for critical security updates, Microsoft sneaks in Windows 10 via a security patch. There is no longer any doubt everything is intentional.

(Win10) What is Windows 10 collecting / sending to Microsoft? (Official Page / Service Agreement)

  • Account name, picture and other account info (to 1st/3rd-party apps)
  • Biometric information (including fingerprints)
  • BIOS name, revision, vendor
  • Camera and Microphone information (Cortana / other uses)
  • Contact and Calendar entries (Cortana / other uses)
  • Facebook and other social media accounts (if granted access)
  • Geolocation based on Wifi/GPS if available
  • Handwriting information
  • Hardware GUIDs, manufacturer details
  • History, bookmarks and passwords for cross-device sync
  • Installed language lists (for regional settings)
  • Inventory collector
  • Location History, including sending to third-parties
  • Searches in search box and Edge browser (à la Chrome instant search)
  • Sensor information
  • SMS Messaging (Cortana / other uses)
  • Speech and handwriting patterns (Cortana / other uses)
  • System telemetry information (including crash dumps and logs)
  • Typing history for typing style recognition (Cortana / other uses)
  • Unique Advertising ID (linked to your account), for targeted ads across applications
  • URLs for Smartscreen
  • Wireless network BSSIDs and passwords for sharing (Wifi Sense)
  • Wireless auto-connect to ‘suggested’ open hotspots
  • Probably much more which is not officially disclosed.

Users agree to all of the above when accepting the 45-page EULA, as detailed in this analysis. Microsoft are allowing a far broader reach over your information than any previous version of Windows. Only the ‘Enterprise’ edition (not the Home/Pro editions) allows for usage collection to be toggled off, although it’s likely it still doesn’t switch it off completely. If you’re confused about why so much information is being sent, remember that user Windows licenses are not a long-term money maker, but personal information and advertising are.

UPDATE (15-Oct 2015): Microsoft has added a new page that outlines the differences in the telemetry portion of data collection and what can be toggled. The fact that a spreadsheet and a lengthy page are required to explain the huge swath of data collection is mind-boggling. If you’re not technically minded with lots of spare time to spend tweaking, you pay in other ways.

UPDATE (5-Sep 2015): A third-party outgoing traffic analysis claims that voice data, user searches, telemetry and keystrokes are uploaded at various intervals, regardless of whether Cortana is switched off. Note that the results have not been replicated thus far, and the source has an anti-US stance. Take it as you will. The fact that such a thing is even being considered plausible and debated by the security community should tell you something about how poorly Windows 10 is currently regarded.

UPDATE (29-Feb 2016): The private browsing mode on the Edge browser may not be so private after all.

(Win10) Privacy settings during install:

  • During install, if no internet connection is detected, the install menus and flow change significantly. This is the preferred option. Unplug the network while installing.
  • During install, press ‘Customize’ instead of ‘Express Settings’, then turn all options off.
  • Use a local account, not a Microsoft account.
  • Settings > Privacy > Disable everything (in all the 13 different screens)
  • Settings > Privacy > Feedback > Choose ‘Never’ and ‘Basic’ respectively
  • Start menu => Press the gear icon => Disable Cortana and ‘Search Online’
  • After installation, stop Windows 10 from sending your Wifi passwords to Microsoft/Facebook friends/Skype contacts for ‘convenience’, instructions here.

By default, Microsoft uses your upload bandwidth via a P2P network to distribute updates, saving them bandwidth and using yours instead. To disable this behaviour, especially if you’re on a metered connection:

  • Settings > Update and Security > Advanced > Choose How Updates Are Delivered > Off

(All) Advanced Privacy Fixes:

Multiple telemetry services run constantly and are present in Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows 2012 R2 and Windows 10. Telemetry is enabled by default, and consists of telemetry.asm-windowsdefault.json, diagtrack.dll, utc.app.json and utcresources.dll. Instructions on how to unpack the MSU file can be found here. Be sure to switch off the service.

From an elevated Command Prompt, disable Telemetry service:

sc stop DiagTrack
sc stop dmwappushservice
sc delete DiagTrack
sc delete dmwappushservice
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

From Group Policy Editor (gpedit.msc):

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Telemetry > Disabled
Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent usage of File Storage > Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender > Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Disable

From Registry Editor (regedit):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection > AllowTelemetry > 0

(All) Hosts File / DNS Issues:

  • Telemetry – One traditional way to reduce outgoing connections to specific hosts is to replace the hosts file (C:\Windows\System32\Drivers\Etc\hosts) with this one. You may need to take ownership of the file first. This prevents Windows from resolving most of the telemetry and data-gathering servers it feeds information back to. The hosts file is a ‘quick address lookup’ that pre-empts a DNS server lookup.
  • Blocking these addresses in a pre-Windows 10 version is not a bad idea, especially if Microsoft has already retroactively installed telemetry on your machine.
  • BUT, as it turns out, Microsoft has partially disabled hosts file functionality and hardcoded Microsoft telemetry and spying IPs for Windows to send information back to, rendering hosts files useless. The hardcoded IPs are located in dnsapi.dll since Windows XP (more info here). An outgoing firewall or router level blocking may be required, as the machine itself will probably ignore any workarounds.
  • If this fails, you can always manually set routes to the resolved IPs of MS servers back to 0.0.0.0. Even better if you can do it at router level. Here are some suggested routes, but by no means comprehensive:
route -p add 23.218.212.69 MASK 255.255.255.255 0.0.0.0 
route -p add 65.55.108.23 MASK 255.255.255.255 0.0.0.0 
route -p add 65.39.117.230 MASK 255.255.255.255 0.0.0.0 
route -p add 134.170.30.202 MASK 255.255.255.255 0.0.0.0 
route -p add 137.116.81.24 MASK 255.255.255.255 0.0.0.0 
route -p add 204.79.197.200 MASK 255.255.255.255 0.0.0.0 

UPDATE (11-Aug 2015): Important note, Windows 10 DNS default behaviour is to poll ALL DNS methods at the same time, and automatically pick the quickest. This goes against traditional DNS behaviour (sequential) and good security practice, as it exposes the machine to the possibility of DNS poisoning (especially on public hotspots), and could bypass your VPN’s DNS server, revealing your DNS lookups and traffic to an insecure server. Not to mention, it causes a large amount of unnecessary traffic, especially in enterprise networks. US government CERT (Computer Emergency Response Team) has issued an urgent advisory about this Windows-specific behaviour, as it could compromise security, suggestions within. No solution at this time.

(Win10) Remove unwanted apps:

Windows 10 comes with a bunch of Metro (new-style) apps which nobody asked for, including OneNote, Groove Music, Xbox, Film & TV, Weather, People and Maps, amongst others. They cannot be removed via the ‘App’ menu. To remove them, do the following:

  • Right-click Start Button > Powershell (Admin), then:
To Remove all Modern UI apps from the system account:
Get-AppXProvisionedPackage -online | Remove-AppxProvisionedPackage -online

To Remove all Modern UI apps from the currently signed in account:
Get-AppXPackage | Remove-AppxPackage

To Remove all Modern UI apps from a specific user account:
Get-AppXPackage -User <username> | Remove-AppxPackage

To Remove all Metro UI apps installed for all users:
Get-AppxPackage -AllUsers | Remove-AppxPackage

Nuclear option to remove all bloat:
Get-AppxPackage -AllUsers | where {$_.name -notlike "*calc*" -AND $_.name -notlike "*store*" -AND $_.name -notlike "*onenote*" -AND $_.name -notlike "*NET.*" -AND $_.name -notlike "*VCLibs*" -AND $_.name -notlike "*Host*" -AND $_.name -notlike "*AccountsControl*"} | Remove-AppxPackage

To List Default Apps:
Get-AppxPackage | Select Name,PackageFullName

To remove individual Apps:
Remove-AppxPackage <PackageFullName>

To remove pre-installed Candy Crush Saga (which doesn't show on Add/Remove Programs):
Get-AppxPackage -Name king.com.CandyCrushSaga | Remove-AppxPackage
  • If you lose the Windows Store and for some reason want to re-install it, read here.
  • To completely remove OneNote, use this .bat file.
  • To remove OneDrive integration, read here. If you use full-disk encryption (Bitlocker), your unique encryption key is uploaded to OneDrive. From there, it’s trivial for authorities to obtain a warrant to access that key.
  • More reading on Metro app removal here.
  • If you want the Classic non-box Start Menu back, use Classic Shell or similar.
  • More reading on fixing Windows 10 leaks here, with screenshots.

UPDATE (10-Mar 2016): For system administrators, your users may be receiving unwarranted nag screens indicating Windows 10 updates have been blocked and informing them to request a Windows 10 update.

(All) Removing Scheduled Tasks / Services:

There are a bunch of scheduled tasks which run automatically on a timer. You can disable them from an elevated prompt like so:

schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\ConfigureInternetTimeService" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\InstallPlayReady" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask" /DISABLE 
schtasks /Change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath" /DISABLE
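
Since an update can quietly undo these changes, the following added example (not part of the original article) re-checks the telemetry services, the AllowTelemetry registry value and the scheduled tasks listed on this page without modifying anything. The function and variable names are made up for this example; the service, registry and task names are the ones given above.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
$Services = 'DiagTrack', 'dmwappushservice'
$RegKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$Tasks = @{
    '\Microsoft\Windows\Application Experience' = 'AitAgent', 'Microsoft Compatibility Appraiser',
        'ProgramDataUpdater'
    '\Microsoft\Windows\Autochk' = 'Proxy'
    '\Microsoft\Windows\Customer Experience Improvement Program' = 'Consolidator', 'KernelCeipTask',
        'UsbCeip'
    '\Microsoft\Windows\DiskDiagnostic' = 'Microsoft-Windows-DiskDiagnosticDataCollector'
    '\Microsoft\Windows\Maintenance' = 'WinSAT'
    '\Microsoft\Windows\Media Center' = 'ActivateWindowsSearch', 'ConfigureInternetTimeService',
        'DispatchRecoveryTasks', 'ehDRMInit', 'InstallPlayReady', 'mcupdate',
        'MediaCenterRecoveryTask', 'ObjectStoreRecoveryTask', 'OCURActivate', 'OCURDiscovery',
        'PBDADiscovery', 'PBDADiscoveryW1', 'PBDADiscoveryW2', 'PvrRecoveryTask',
        'PvrScheduleTask', 'RegisterSearch', 'ReindexSearchRoot', 'SqlLiteRecoveryTask',
        'UpdateRecordPath'
}

function Test-TelemetryDrift {
    $findings = @()

    # The article deletes these services, so finding one means it has been reinstalled.
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { $findings += "Service '$name' exists again (status: $($svc.Status))" }
    }

    # The article sets AllowTelemetry to 0 under the DataCollection policy key.
    $value = (Get-ItemProperty -Path $RegKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $value) {
        $findings += 'AllowTelemetry is not set'
    } elseif ($value -ne 0) {
        $findings += "AllowTelemetry is $value, expected 0"
    }

    # Task Scheduler COM API: independent of display language, available on Windows 7 and later.
    $scheduler = New-Object -ComObject Schedule.Service
    $scheduler.Connect()
    foreach ($folderPath in $Tasks.Keys) {
        try   { $folder = $scheduler.GetFolder($folderPath) }
        catch { continue }                      # folder absent on this Windows version
        foreach ($taskName in $Tasks[$folderPath]) {
            try   { $task = $folder.GetTask($taskName) }
            catch { continue }                  # task absent on this Windows version
            if ($task.Enabled) { $findings += "Task '$folderPath\$taskName' is enabled" }
        }
    }
    $findings
}

$drift = Test-TelemetryDrift
if ($drift) { $drift | ForEach-Object { Write-Warning $_ } } else { 'No drift detected.' }
```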

(All) BIOS Backdoors (WPBT):

  • Even if you re-format and re-install Windows from scratch, Microsoft has implemented (since Windows 8) a function named ‘Windows Platform Binary Table’ (official documentation).
  • Officially: “The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute.”
  • This function is not described anywhere except in a remote part of the Windows Hardware Dev Center.
  • WPBT allows hardware vendors to implement OS binary modifications from the BIOS. This includes programs, files and settings at the vendor’s discretion. In short, it allows a third-party vendor to REMOTELY alter system files or install unsigned programs or rootkits silently, at any time and without verification. Naturally, this breaks every model of a secure system.
  • One hardware vendor, Lenovo, has already been using this inappropriately, packaged as Lenovo Service Engine, on newer models. Assume that all hardware vendors are doing the same, or will at some stage. A post-install remotely triggered install or modification capability is a powerful tool for many reasons.
  • A similar behaviour can be found in the ‘Computrace’ function on some older BIOS, as outlined in this HP document. The original use is for anti-theft, but it can be used for remote system monitoring by the vendor (with / without a warrant).
  • The BIOS portion of WPBT is designed to find and replace Windows 8/Windows 10 files, however it is unknown whether it works on non-NTFS partitions. Presumably, encrypting with Bitlocker will serve little purpose, as Bitlocker relies on the TPM chip, also tightly tied into the BIOS/hardware. It’s worth noting that TPM in many machines post-2006 is tied to the Intel Management Engine, which allows for remote access to the machine.
  • It wasn’t that long ago when we were discussing the NSA using a similar technique, as well as Hacking Team – the ability to continually drop new rootkits and spyware on all machines, even across re-installs (note that this applies to pre-Win 8 machines as well).
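
To see whether a given machine's firmware publishes a WPBT table at all, the following added example (not part of the original article) enumerates the ACPI tables through the documented kernel32 firmware-table functions and reads the WPBT header if one is present. The FwCheck.Native type and the Get-AcpiTable function are names made up for this example.

```powershell
# Added example, not from the original article. Read-only check for a WPBT ACPI table.
Add-Type -Namespace FwCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-AcpiTable {
    param([string]$Signature = 'WPBT')

    $acpi = [uint32]0x41435049          # 'ACPI' firmware table provider
    # First call with no buffer returns the number of bytes needed for the ID list.
    $size = [FwCheck.Native]::EnumSystemFirmwareTables($acpi, $null, 0)
    if ($size -eq 0) { throw 'EnumSystemFirmwareTables returned no ACPI tables' }
    $ids = New-Object byte[] ([int]$size)
    [void][FwCheck.Native]::EnumSystemFirmwareTables($acpi, $ids, $size)

    # The ID list is a packed array of 4-byte table signatures.
    for ($i = 0; $i + 4 -le $ids.Length; $i += 4) {
        if ([Text.Encoding]::ASCII.GetString($ids, $i, 4) -cne $Signature) { continue }
        $id  = [BitConverter]::ToUInt32($ids, $i)
        $len = [FwCheck.Native]::GetSystemFirmwareTable($acpi, $id, $null, 0)
        $tbl = New-Object byte[] ([int]$len)
        [void][FwCheck.Native]::GetSystemFirmwareTable($acpi, $id, $tbl, $len)
        return ,$tbl                    # comma keeps the byte[] from being unrolled
    }
    return $null
}

$wpbt = Get-AcpiTable -Signature 'WPBT'
if ($null -eq $wpbt) {
    'No WPBT table is published by this firmware.'
} else {
    $pad = [char[]]@(0, 32)             # NUL and space padding in fixed-width ACPI fields
    New-Object psobject -Property @{
        TableLength       = [BitConverter]::ToUInt32($wpbt, 4)                   # standard ACPI header
        OemId             = [Text.Encoding]::ASCII.GetString($wpbt, 10, 6).Trim($pad)
        OemTableId        = [Text.Encoding]::ASCII.GetString($wpbt, 16, 8).Trim($pad)
        HandoffBinarySize = [BitConverter]::ToUInt32($wpbt, 36)                  # size of the vendor binary
    } | Format-List
}
```

A result with an OEM ID and a non-zero handoff size means the firmware is handing Windows a binary at boot, which is the condition the rest of this section is about.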

Partial Solution:

  • As far as I know, there is no way to completely disable WPBT capability in Windows. At any time, a vendor could take advantage of it to modify system files or basically do anything on your system, on a whim. Naturally, this means anybody on the internet can technically also use this as an attack vector. Think of it as a critical Windows flaw, by design.
  • If you’re using an affected Lenovo machine, assume the machine is in a compromised state, even with FDE. Apply the Lenovo WPBT removal tool (which modifies the BIOS to disable WPBT), then re-format and re-install the compromised machine, preferably with a thorough wipe in between.
  • Disable any BIOS functions which reference anti-theft, Computrace, remote management or Intel Management Engine. If you are not planning to use TPM, disable it in BIOS too, along with any BIOS options referencing biometrics.
  • TPM contains a unique RSA key and builds an unforgeable hash of your entire hardware profile for signature purposes. It adds security, but this unique identifier could be used to de-anonymize you. Note that you will not be able to use Bitlocker, which brings me neatly to my next point.
  • Don’t use Windows. With each iteration or patch rollout, more and more privacy and security holes are being implemented, often by design. Switch to a Linux distro and use full-disk encryption with a strong password and good security hygiene. At this time, it does not appear GRUB bootloader is affected by the BIOS backdoor.
  • It’s important to note that if your BIOS is compromised (officially or not), there is no guaranteed way of un-infecting it, apart from destroying the physical chip and replacing it. Even then, the number of closed binary blobs on modern BIOSes makes it a game of roulette.

(All) Other Issues:

  • Even with all of the above settings, URLs that are visited are still sent to ‘urs.microsoft.com’ and any text in the search bar initiates an HTTPS connection to ‘www.bing.com’ and transmits a cookie. The cookie contains screen resolution, install date and unique system ID at the very least.
  • If Smartscreen is not disabled, the ID of all applications which are run are hashed and sent to ‘w.apprep.smartscreen.microsoft.com’. Presumably, anti-piracy features and remote locking are incoming. Or at the very least, 3rd-party analytics so developers can check piracy stats. Also, be sure to switch off any reference to ‘Microsoft Customer Experience Improvement Program’, as Telemetry components are included.
  • Resuming the system from sleep opens a connection to ‘licensing.md.mp.microsoft.com’ and ‘activation-v2.sls.microsoft.com’. The licensing service, along with the Update/Defender/Store and Account services, runs at all times and cannot be switched off.
  • It would be worthwhile to use an OUTGOING firewall as there are likely many more undiscovered information leaks. Windows uploads a bunch of information in TLS connections, rendering some packet sniffing ineffective. Protip: If users have to use an outgoing firewall on your machine, think about what that says about what trust they have in their own OS.
  • Microsoft has a built-in list of root certificates it trusts, including Microsoft’s own. The chain of trust then allows Microsoft to drop other certificates into its CTL (Certificate Trust List), going to additional lengths to obscure it, read more here. At any time, certificates for any number of sites can be granted by Microsoft.
  • It’s important to note that even after all of the above, there is still no way to verify that more information is not being collected since source code is not, and most likely will never be, open source. At any time, Microsoft could also roll out a Windows update which undoes all of the above.
  • Regarding the often quoted comparison of Windows 10 with the data collection methods of Google and Facebook, it’s important to note that this is your entire OS. Where a webpage can be closed at any time, the OS is constantly aware of all your keystrokes, camera/audio inputs, usage history/patterns, files, passwords for everything, and much more. They’ve cleverly put some toggles in to make people ‘feel’ like they have control, but as we have seen, the toggles don’t really stop anything.
  • Having to go to such lengths to prevent your own OS from leaking information about you (the same applies to closed-source portions of Android), can be quite daunting for a non-technical user, not to mention it’s morally wrong.
  • Based on Microsoft’s history with the NSA, Skype and their Windows-as-a-Service approach, going back to Windows 8 and before, intentionally building in backdoors, it’s fairly safe to say that users will be logged and mined at every opportunity, either willingly or not. From here it just goes further downhill.
  • UPDATE (Sep 2015): Microsoft has recently stopped publishing changelogs for their updates, for no apparent reason. Internal leaks show the changelogs are still being written, but they are withholding them, I can only presume to prevent closer analysis of the updates by the public. This does not bode well.

7 thoughts on “Windows 7/8/10 Privacy Checklist”

  1. I’m on Win 8.1 with Auto Updates and “Recommended” updates disabled in Windows Update. I carefully check each update which arrives and religiously avoid installing any telemetry patches. I don’t have diagtrack.exe or diagtrack.dll installed either. And yet I still have Autologger-Diagtrack-Listener.etl updating itself daily. I tracked down the registry key for the ETL file to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener but nothing in there provides any clues as to what’s causing it to update every day. I’ve tried opening the ETL file in Event Viewer, but it appears to be blank in spite of being 64KB. I’m wondering now if it’s an image of some kind or other which Event Viewer can’t open. I tested opening other ETL files which didn’t present any problems. All very mysterious.

  2. thanks dude, even if I won’t be upgrading to windows 10, this is still useful for me, it helped me to get rid of that fucking GWX.exe process that keeps popping up and that nasty telemetry updates, fucking spyware.

    1. MS are retroactively rolling out a bunch of patches to Win 7/8 that enable telemetry/spying. I have just updated the article to show which ones should be avoided/uninstalled.
