Windows 10 PC's phone home even after privacy hardening

Martin Brinkmann
Feb 8, 2016
Updated • Jul 5, 2017
Windows, Windows 10

When you install Windows 10 on a new PC or upgrade an existing version of Windows to the new operating system, you get the option to customize select preferences or use the defaults instead.

If you select to customize, you get the option to disable three pages full of features related to privacy.

While that is a good start at limiting Windows 10's hunger for data, it is nowhere near sufficient to keep the operating system from talking with Microsoft servers regularly.

A user on Voat recently analyzed the network traffic of Microsoft's Windows 10 operating system. The setup consisted of a DD-WRT router, a Linux Mint laptop that received the router's remote logs, and Windows 10 Enterprise installed in VirtualBox.

He turned off all privacy-related features during the custom installation and then let the computer sit idle for eight hours straight while logging its network traffic.

In the eight hours Windows 10 made 5508 connection attempts.

Here is the roughly 8-hour network traffic analysis of 5508 connection attempts of an unused, base install of Windows 10 Enterprise

The top 10 sites the operating system tried to establish connections to are:

ip_address       nslookup                              port  protocol  connection_attempts  route            origin  description
94.245.121.253   -                                     3544  UDP       1619                 94.245.64.0/18   AS8075  MICROSOFT
65.55.44.108     -                                     443   TCP       764                  65.52.0.0/14     AS8075  MICROSOFT
65.52.108.92     msnbot-65-52-108-92.search.msn.com    443   TCP       271                  65.52.0.0/14     AS8075  MICROSOFT
64.4.54.254      -                                     443   TCP       242                  64.4.0.0/18      AS8075  MICROSOFT-CORP-MSN-AS-BLOCK
65.55.252.43     msnbot-65-55-252-43.search.msn.com    443   TCP       189                  65.52.0.0/14     AS8075  MICROSOFT
65.52.108.29     msnbot-65-52-108-29.search.msn.com    443   TCP       158                  65.52.0.0/14     AS8075  MICROSOFT
207.46.101.29    -                                     80    TCP       107                  207.46.0.0/16    AS8075  MICROSOFT-CORP-MSN-AS-BLOCK
207.46.7.252     -                                     80    TCP       96                   207.46.0.0/16    AS8075  MICROSOFT-CORP-MSN-AS-BLOCK
64.4.54.253      -                                     443   TCP       83                   64.4.0.0/18      AS8075  MICROSOFT-CORP-MSN-AS-BLOCK
204.79.197.200   a-0001.a-msedge.net                   443   TCP       63                   -                -       -

He analyzed the network traffic again after 30 hours and this time posted his findings on Pastebin as a dump. We have uploaded the full dump to our own server; you may download it with a click on the following link: (Download Removed)

After 30 hours of use, Windows 10 attempted to connect to 113 non-private IP addresses.

He then decided to run a privacy tool for Windows 10, DisableWinTracking, and monitor network traffic again for a period of time to see how it affects the connections made during that time.

DisableWinTracking is not the most complete privacy tool for Windows 10, but it lets you make several privacy-related changes to the system, including disabling telemetry and services, blocking domains and IP addresses, and uninstalling applications.


After running the tool, he monitored the network traffic for another 30-hour period and noticed a drop in connection attempts (from 5508 to 2758) and a drop in unique IP addresses the operating system tried to connect to (from 95 to 30).

It is likely that programs that offer more options than DisableWinTracking reduce the numbers further.

The takeaway from the test -- which requires verification -- is that Windows 10 will connect to remote sites regularly even if the operating system has been configured for privacy and the computer is idle.

It is unclear why Windows 10 makes that many connections even when idle.

Windows 10 users who don't want any of those connections to be made can use the researcher's recommended list of IP ranges to block in a firewall / router. Please note that doing so may impact functionality such as update checking and downloading as well.
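The top-10 list above comes from aggregating the router's logged connection attempts per destination. As an added example (not code from the article or from the Voat poster), the following Python script does that aggregation over a few constructed log lines in the iptables LOG format that DD-WRT can forward to a remote syslog host, annotates each destination with the route prefixes from the table above, counts unique non-private destinations (the same measure as the 113-address figure), and reports how many attempts a firewall rule covering those prefixes would have dropped. The log lines, the LAN addresses and the service-name map (Teredo on UDP 3544, HTTPS on 443, HTTP on 80, DNS on 53) are assumptions of this example; only the four prefixes and their origin labels come from the table.

```python
"""Aggregate remote-syslog firewall lines into a top-N table of outbound
connection attempts, as an added example (not the article's or the Voat
poster's code). Assumes the router logs outbound packets with the iptables
LOG target (key=value fields SRC=, DST=, PROTO=, DPT=), which DD-WRT can
forward to a remote syslog host; the sample lines below are constructed.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample lines in iptables LOG format; not a real capture.
SAMPLE_LOG = """\
Feb  8 01:00:01 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=61 TTL=128 PROTO=UDP SPT=51234 DPT=3544 LEN=41
Feb  8 01:00:03 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=61 TTL=128 PROTO=UDP SPT=51234 DPT=3544 LEN=41
Feb  8 01:00:05 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=65.55.44.108 LEN=52 TTL=128 PROTO=TCP SPT=49710 DPT=443 SYN
Feb  8 01:00:09 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=207.46.101.29 LEN=52 TTL=128 PROTO=TCP SPT=49711 DPT=80 SYN
Feb  8 01:01:00 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=65.55.44.108 LEN=52 TTL=128 PROTO=TCP SPT=49712 DPT=443 SYN
Feb  8 01:01:30 router kernel: OUT-LOG IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=128 PROTO=UDP SPT=53011 DPT=53 LEN=40
Feb  8 01:02:00 router kernel: OUT-LOG IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=61 TTL=128 PROTO=UDP SPT=51234 DPT=3544 LEN=41
Feb  8 01:02:30 router kernel: not a firewall line, should be ignored
"""

# Route prefixes and origin labels copied from the article's top-10 table.
ROUTES = [
    (ipaddress.ip_network("94.245.64.0/18"), "AS8075 MICROSOFT"),
    (ipaddress.ip_network("65.52.0.0/14"), "AS8075 MICROSOFT"),
    (ipaddress.ip_network("64.4.0.0/18"), "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"),
    (ipaddress.ip_network("207.46.0.0/16"), "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"),
]

# Well-known port names used only to label rows (assumed, not taken from the log).
SERVICES = {("UDP", 3544): "teredo", ("TCP", 443): "https", ("TCP", 80): "http", ("UDP", 53): "dns"}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {src, dst, proto, dport} for an iptables LOG line, else None."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"], "dport": int(fields["DPT"])}


def parsed_records(log_text):
    """Yield parsed records, skipping lines that are not firewall log entries."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def lookup_route(ip):
    """Map a destination address to the first matching prefix in ROUTES."""
    addr = ipaddress.ip_address(ip)
    for net, origin in ROUTES:
        if addr in net:
            return str(net), origin
    return None, None


def summarize(log_text, n=10):
    """Top-n (dst, port, proto) tuples by attempt count, annotated like the table."""
    counts = Counter((r["dst"], r["dport"], r["proto"]) for r in parsed_records(log_text))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = []
    for (dst, dport, proto), attempts in ordered[:n]:
        route, origin = lookup_route(dst)
        rows.append({"ip": dst, "port": dport, "proto": proto, "attempts": attempts,
                     "route": route or "-", "origin": origin or "-",
                     "service": SERVICES.get((proto, dport), "?")})
    return rows


def unique_public_destinations(log_text):
    """Distinct non-private destination addresses (the article's 'non-private IP' count)."""
    return sorted({r["dst"] for r in parsed_records(log_text)
                   if not ipaddress.ip_address(r["dst"]).is_private})


def attempts_matching_routes(log_text):
    """(matched, total): attempts a firewall rule set built from ROUTES would have dropped."""
    total = matched = 0
    for r in parsed_records(log_text):
        total += 1
        if lookup_route(r["dst"])[0] is not None:
            matched += 1
    return matched, total


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for row in summarize(text):
        print("{ip:16} {port:>5} {proto:4} {attempts:>6}  {route:15} {origin}  ({service})".format(**row))
    print("unique public destinations:", len(unique_public_destinations(text)))
    print("attempts inside listed prefixes: %d of %d" % attempts_matching_routes(text))
```

Pass a saved syslog export as the first argument to run it over a real capture. An attempt count shows where the machine connects, not what it sends, so pair it with a packet capture before drawing conclusions; and since update checks fall inside the same prefixes, the `attempts_matching_routes` figure is also a rough measure of how much legitimate traffic a wholesale block of those ranges would cut off.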


Comments

  1. bjm said on March 5, 2018 at 1:38 pm

    How do I know if I need msnbot-65-52-108-92.search.msn.com ?

  2. Johnny Cage said on February 15, 2016 at 4:13 pm

    Didn’t Microsoft claim late last year, that new patches to Windows 10 removed all privacy invasive features, as well as telemetry collection/sendoff?

    This will continue to blow up, and become main headlines on Slashdot, and Threatpost.

    ?

  3. Jackson said on February 12, 2016 at 4:02 am

    Yet again poor Ed Bott has to expose rubbish like this as the FUD clickbait it actually is. Sad part is, people fall for it.

    http://www.zdnet.com/article/when-it-comes-to-windows-10-privacy-dont-trust-amateur-analysts/#ftag=RSSbaffb68

    1. T J said on February 13, 2016 at 6:13 pm

      @Jackson

      Read my response to your last post (Feb 10th).

      Poor Ed Bott ?? He is the highest paid MS shill ever.

    2. Corky said on February 12, 2016 at 8:31 am

      TBH Jackson, I’m more inclined to believe Mr Kelly than anything Mr Bott says. Mr Bott seems to take any criticism of Microsoft or Windows extremely personally and ends up resorting to ad hominem attacks on people. I’m not going to call it on who’s right though, as it’s probably best to take a wait and see approach.

  4. Corky said on February 11, 2016 at 8:18 pm

    So it looks like this recent furore has prompted a reaction from Microsoft; out of character, they’ve issued a statement, of sorts.
    http://www.forbes.com/sites/gordonkelly/2016/02/11/microsoft-makes-windows-10-u-turn/#36ff7dc13974

    Contacting me again a Microsoft spokesperson explained the company now wanted to speak about the issue. In short: Microsoft is taking action. It has decided to release updates “later this year” which will enable users to fully control all background telemetry and data tracking and, if desired, disable it completely. Microsoft also asked me to stress that disabling these background operations is something it would “strongly recommend against”.

  5. Corky said on February 11, 2016 at 6:36 pm

    So it seems after receiving a public castigation from the likes of Mr Bott, the user who posted the connection log of Windows 10 has deleted the original post. It’s rather shameful that pressure from certain branches of the media has subjugated this sort of open discussion.

    I guess the likes of Mr “please buy my Microsoft books” Bott have managed to silence any criticism of his paymasters.

  6. G said on February 11, 2016 at 2:58 pm

    Yes, Micro Soft has indeed put spyware on Win 7 via updates. Am using a software from Spybot Search & Destroy to block but need to check results. Thanks for posting the IPs to block.

  7. CHEF-KOCH said on February 11, 2016 at 2:04 pm

    1. Corky said on February 11, 2016 at 4:11 pm

      As long as you’re pally with the American government everything should be fine, maybe, hopefully, fingers crossed.

  8. A said on February 11, 2016 at 2:00 pm

    “Windows 10 users who don’t want any of those connections to be made can use the researcher’s recommended list of IP ranges to block in a firewall / router” – a simpler way would be to simply not install Windows 10

    1. lolz said on February 11, 2016 at 2:57 pm

      >> not install Windows 10

      if only linux wasn’t so ugly
      if only linux had normal fan speed control that works after resume from sleep
      if only linux had decent mass file management software

  9. CHEF-KOCH said on February 11, 2016 at 11:43 am

    1. Corky said on February 11, 2016 at 12:43 pm

      Never trust the opinion of someone when they make their living from the product or company that they’re speaking about. It is after all nothing more than Mr Bott’s opinion on what he “thinks” the data gathered from the analysis means; he provides no facts or analysis of his own to back up his assumptions.

      Mr Bott’s opinion is very biased as he directly benefits from promoting Microsoft products.

  10. Johnny Cage said on February 10, 2016 at 5:43 pm

    Didn’t Microsoft claim late last year, that new patches to Windows 10 removed all privacy invasive features, as well as telemetry collection/sendoff?

    This will continue to blow up, and become main headlines on Slashdot, and Threatpost.

  11. Dave said on February 10, 2016 at 12:52 pm

    This was a well known fact but good that you pointed that out again.

  12. JasonA said on February 9, 2016 at 6:46 pm

    Several months ago: https://tweakhound.com/2015/09/29/looking-at-windows-10-privacy/ They ran Wireshark also. “Local login. All privacy options turned off. I rarely use IE or Edge (and did not before or during this capture). I do not nor has this machine ever used the Microsoft Store. All uninstallable Metro/Windows apps have been uninstalled. Cortana is disabled.
    Hmmmm…
    In this test Win10 only made one connection.”

    1. Corky said on February 9, 2016 at 8:33 pm

      Windows 10 only made one connection, yes, but that was after the guy blocked what seems to be around 50 domain names (I’m not going to count them all). Is that really what people need to do to get Windows 10 to shut the hell up? How many normal users are even going to be aware of all of those domain names, let alone capable of configuring their system to block them.

      If you really want to see how much and the type of connections a virgin install of Windows 10 makes then the following link goes into more detail.
      https://hackmag.com/security/what-data-windows-10-sends-to-microsoft-and-how-to-make-it-stop/

      1. Corky said on February 10, 2016 at 9:32 am

        @Eric (a.k.a. TweakHound), Nice to see you Eric.
        Forgive me if I misunderstood, but in your article you mention “Since I’ve seen multiple forum posts on what networks Win10 is accused of secretly connecting to I combined a couple of lists and the modified them. After my test I edited out the Windows Update connections (see below). Here is my filter list:”

        Have I misunderstood what you mean by filter list? By the sound of it I may have. As I’m not knowledgeable in the workings of Wireshark, and having you saying you didn’t block anything, is it safe to assume the “filter list” is a list of what Wireshark looks for? If so, apologies for the misunderstanding.

        Although if I’ve misunderstood and you only looked for connections to the domain names you listed for an hour, that kind of, like a lot of other analysis of Windows 10, has a lot of omissions and caveats.

      2. T J said on February 10, 2016 at 12:35 am

        @Corky

        How do you find all these great reference sites !

        Don’t stop ! It’s great going off on a tangent and spending 2 hours increasing my knowledge. It’s a good job that I am retired and have time to spare. :-)

        Thanks!

      3. Eric (a.k.a. TweakHound) said on February 9, 2016 at 11:07 pm

        JasonA, thanks for the linkage (there is no “they”, just me).
        Corky, I didn’t block anything. There were no tricks in my article. My setup was:

        “Local login. All privacy options turned off. I rarely use IE or Edge (and did not before or during this capture). I do not nor has this machine ever used the Microsoft Store. All uninstallable Metro/Windows apps have been uninstalled. Cortana is disabled.”

        The list you seem to be referring to is the domains I was monitoring. In other words, they were the domains I was watching. In Wireshark you do that via a filter list. If you Google it you will find several for Win10. I combined 2.

  13. b said on February 9, 2016 at 12:06 pm

    I really appreciate your responses to my question far behind this post. Copy and paste once again. Also: great with all these comments and debate in general. They provide knowledge.

  14. someone said on February 9, 2016 at 9:52 am

    That’s F-ed up. Wonder how the situation will be after applying some of the more comprehensive privacy tools out there.

  15. lolz said on February 9, 2016 at 9:07 am

    that’s nice, now waiting for win7, winxp, linux mint, ubuntu

    with no application-level firewall linux has the same problems

    1. Corky said on February 9, 2016 at 7:04 pm

      Windows 7 doesn’t talk to Microsoft once CEIP (aka telemetry) has been opted out of; the only exception is when it contacts an NTP server to check the time, something that can also be disabled or configured to connect to any NTP server you want. WinXP is the same.

      Linux Mint doesn’t (afaik) contact anything or anyone when sitting idle.

      Can’t speak for Ubuntu as I wouldn’t personally use it.

      1. Anonymous Coward said on February 10, 2016 at 1:30 pm

        This may not always be true. Late one night back in April of last year, I discovered something chewing on my hard disk. Turns out it was CEIP, and guess what? It was disabled. This could be an anomaly like Windows 10 installing on some systems without users’ consent.

  16. jm said on February 9, 2016 at 7:29 am

    If you have missed it, the “About” section at virustotal.com states
    that VirusTotal, a subsidiary of Google…
    Probably spying on you as you use the service.
    Just a thought.
    jm
  17. Al McCann said on February 9, 2016 at 3:23 am

    A thing to test is to capture the traffic using Wireshark, so that some of the DNS lookups could be captured. Anything not encrypted, such as DNS lookups and port 80 (normal HTTP), should show some interesting data.

  18. Tim said on February 8, 2016 at 10:46 pm

    It’s nice that he went to the trouble of capturing network connections; however, without decrypting the actual encrypted traffic and viewing what was actually being sent, it’s meaningless.

    The fact that the PC is making outbound connections alone doesn’t tell us anything and is no indication of anything nefarious. He needs to look to see exactly what was sent/received over those connections in order to prove otherwise.

    Don’t get me wrong, I’m no fan of Microsoft following Apple and Google’s lead with Windows 10, but there needs to be more evidence of wrongdoing other than the PC just making outbound connections.

    1. Corky said on February 9, 2016 at 6:36 am

      Not disagreeing with you Tim, but isn’t this better than what we had previously, that being pretty much nothing?

      Yes, it would be nice to do a packet analysis, but there’s still a great deal of information that can be gleaned from just knowing what it’s connecting to, such as how Windows 10 makes regular connections to Microsoft’s DNS and Teredo Tunneling servers, and why would Windows 10 be (presumably) bypassing the network’s already configured DNS server in favor of its own, and why are Microsoft running a Teredo Tunneling server.

  19. S2015 said on February 8, 2016 at 10:27 pm

    apparently, again, there ain’t no such thing as a FREE upgrade. Just:
    * try getting the most out of Windows 10;
    * learn how to safeguard your personal info.

  20. Jackson said on February 8, 2016 at 9:05 pm

    More FUD being spread by Tin-Foil hat wearers who don’t know any better. It’s just telemetry data, whoopee.

    If you’re *that* concerned about ‘privacy’, you better sure as hell stop using anything made by Google, and Apple too for that matter…hell, just get off the Internet altogether if you’re that paranoid.

    Honestly, some people.

    1. T J said on February 10, 2016 at 12:25 am

      @Jackson

      Hello MS troll/shill !!

      How’s the weather in Redmond ?
      Did you enjoy your strategy meeting with Nadella the day before yesterday ?
      Did you get a bonus for using “Tin-Foil hat wearers” in your post ?
      I bet that Steve Ballmer was happy with your Win10 support.
      It must have pushed his MS shares value up above the last reported value of $ 21 billion.
      What a golden parachute for a failed CEO !
      Did he give you a nice tip ?

    2. Jeff said on February 9, 2016 at 5:46 pm

      Anyone remember what I wrote last Win 10 post, about how there’s always some guy who comes along pimping MS and painting people concerned about their privacy as “tin foil hat” wearing lunatics?

      Just as regular as clockwork. These shills can go F themselves.

    3. Velocity.Wave said on February 9, 2016 at 12:31 pm

      I do NOT want my computer’s operating system sending out so called “telemetry” data.

      I do not have to explain why, or justify that wish to you, or Microsoft.

      It’s my computer. It’s my network.

      And I simply do not want telemetry data transmitting against my wishes. If your reaction to that is to be flippant, dismissive, and resort to a grade-3 style ad hominem argumentative nature (name-calling, as in “tin foil hat”), well then I guess that’s just the kind of person you are. I don’t think I would like talking with you, or being around someone like you in real life.

      But whatever your own personality flaws are, as for mine, I repeat: I do NOT want my computer sending out telemetry data.

      Like I said, it’s my computer. Not yours. Not Microsoft’s.

      One can only hope that Microsoft gets that message soon through their thick pigheaded corporate skulls.

      1. Guest said on February 16, 2016 at 1:57 am

        To Velocity.Wave

        If it’s ‘your computer’ then why don’t you build your own Operating System

    4. Corky said on February 9, 2016 at 6:28 am

      If there’s Fear, Uncertainty & Doubt then who’s to blame for that?

      People like Jackson honestly make me feel sick when they claim people who are trying to investigate something are Tin-Foil hat wearers and spreading FUD. If people were trying to investigate corrupt politicians, child molesters, or tax fraudsters would you also say that it was FUD being spread by Tin-Foil hat wearers?

      Why exactly are people like Jackson trying to dissuade and ridicule anyone from investigating and learning about what’s happening? Would you prefer we all lived in ignorance, Jackson?

  21. Vrai said on February 8, 2016 at 8:24 pm

    Hey Martin,

    Now may be an opportune time for some articles regarding firewall distros, firewall programs, routers, DD-WRT, Tomato Firmware, building your own router/firewall, etc.

    Keep up the good work!

  22. DJ said on February 8, 2016 at 8:00 pm

    I can now confirm that at least msnbot**.search.msn.com IP addresses are hardcoded. I block *.search.msn.com on my router/firewall (should point to 0.0.0.0), yet I’ve noticed in the tcpview list that explorer.exe was connecting to several msnbot*.search.msn.com addresses (if I tried resolving them in a command prompt window, they would show 0.0.0.0).

    I block explorer.exe with Comodo for now. That is, until Microsoft decides to speak up and break with vague terms when it comes to privacy and security, and gives a sufficient explanation as to which processes connect to which hosts, how often, and why.

  23. Corky said on February 8, 2016 at 7:44 pm

    I decided to look into the next IP on Martin’s top 10 (65.55.44.108). It’s Microsoft’s DNS server apparently, and at first I thought that’s innocent enough, and then it occurred to me: why is Windows 10 trying to connect to Microsoft’s DNS server?

    Did the guy carrying out these tests not have a DHCP server and Windows 10 didn’t know what DNS server to use? That seems rather unlikely, and even if it couldn’t find a DNS server shouldn’t any DNS requests just fail?

    Or is Microsoft performing a DNS poisoning attack and bypassing network settings? Shouldn’t a network or machine only ever use the DNS servers it’s been configured with? Why would Microsoft even need a public facing DNS server?

  24. Wayfarer said on February 8, 2016 at 7:30 pm

    My Lumia 435 has consistently declined to upgrade to Win10 – I’m not sure it’s even capable of supporting it. I was a bit disappointed until I read this – perhaps not so much now.

  25. Chen said on February 8, 2016 at 7:19 pm

    There are lots of huge IP blocklists out there for P2P, ads, countries, etc. I don’t really need any of those. I’m looking for a blocklist specifically for chatty devices and operating systems phoning home. Something that blocks Google, Apple, Samsung, LG, Microsoft, Sony, and so on specifically. Would love to see a comprehensive write-up and analysis on all these companies; it would be very useful.

  26. Jeff said on February 8, 2016 at 7:12 pm

    I repeat myself, dear Martin.
    You should stick a permanent post about this never-ending issue, and update it constantly ‘course.
    Good job.
    Jeff

  27. CHEF-KOCH said on February 8, 2016 at 5:19 pm

    ;)

  28. Katy said on February 8, 2016 at 4:42 pm

    Does anyone know if there is a list like this for Android? iOS? I would like to block all of this.

    1. Corky said on February 8, 2016 at 6:12 pm

      If you want to block all of this when using a smart phone you’re out of luck. Personally I’d never buy a smart phone as they’re renowned for taking a highly permissive stance when it comes to privacy and tracking their customers.

      Sadly it looks like Microsoft have gone down the same road with desktop devices; at least there’s an alternative to Microsoft and Apple’s Eye of Sauron on the desktop.

  29. Rotten Scoundrel said on February 8, 2016 at 4:01 pm

    and… Don’t think for a second that win7 and win8 don’t do very much similar. Maybe not as much, but my testing of win7 now has its static IP and MAC address blocked from the Internet in the router, allowing only internal use of it as the network server. I would guess win7 might be as bad as the report suggests for win10. Msoft cleaned up their act a little with win8, so, people, as I all too often say, “Wireshark is your best friend.”

    Only a fool would think this is the first time msoft has done this. Trust no one. But, we are 99% Linux here now so I can rest easier. The win7 network server is nobbled for access to the outside World, so it can stay. :)

    1. Jeff said on February 8, 2016 at 6:44 pm

      Which is why people should run Destroy Windows Spying, which works in Win 7 and 8.1 as well as 10. It sets up the HOSTS file to block all the outbound MS telemetry calls, among other great privacy fixes.

      1. Jeff said on February 8, 2016 at 10:50 pm

        @Wayfarer, I wasn’t as clear as I should have been. I primarily meant that Win 7 and 8.1 users should be running it. DWS is called “Destroy Windows 10 Spying”, which isn’t the best name for it, because it does a huge amount of good in Win 7 and 8.1 as well. I was really just saying 7 and 8.1 users should run it to block as much as possible in hosts and firewall settings. Many think that DWS is *only* meant to be used in Win 10 but it isn’t.

      2. Corky said on February 8, 2016 at 7:57 pm

        @Wayfarer, All versions of Windows since XP have some hardcoded domain names in dnsapi.dll that will bypass the HOSTS file. You can check what domain names are in it yourself by making a copy of it, opening it in Notepad and searching for “msdn” and “microsoft”.

        There were around 17 domain names listed in it when it was first discovered that Microsoft were doing this; maybe they’ve added more since the days of XP though.
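One way to run the check described in the comment above over a copy of a DLL, as an added example that is not the commenter's code or any Microsoft tool: the script below extracts hostname-shaped strings from a binary, both plain ASCII and UTF-16LE wide strings (the encoding Windows binaries commonly use for strings, which a search in Notepad can miss), and filters them by the two keywords the comment names. The byte blob it scans is constructed to stand in for a DLL copy; the hostnames in it are made-up names under the reserved `.example` TLD, and the `status.other.example` entry is there only to show the keyword filter dropping a non-matching name.

```python
"""Extract hostname-looking strings from a binary file, including UTF-16LE
wide strings, and filter them by keyword. Added example, not code from the
article or the commenter; the sample blob is constructed and the hostnames
in it are made-up .example names.
"""
import re
import sys

# Hostname shape: two or more dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.I)
NARROW_RE = re.compile(rb"[\x20-\x7e]{4,}")        # runs of printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # runs of printable UTF-16LE code units

# Constructed stand-in for a DLL image: a narrow import name, a wide string,
# a narrow string and another wide string, separated by arbitrary bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00kernel32.dll\x00\x00\xff\xfe"
    + "www.msdn.example".encode("utf-16-le") + b"\x00\x00\x01\x02"
    + b"update.microsoft.example\x00\x00\x01\x02"
    + "status.other.example".encode("utf-16-le") + b"\x00\x00\x01\x02"
)


def extract_hostnames(blob):
    """Return every hostname-looking string in blob, narrow or wide, lower-cased."""
    found = set()
    for m in NARROW_RE.finditer(blob):
        found.update(h.lower() for h in HOST_RE.findall(m.group().decode("ascii")))
    for m in WIDE_RE.finditer(blob):
        found.update(h.lower() for h in HOST_RE.findall(m.group().decode("utf-16-le")))
    return found


def find_hardcoded_hosts(blob, keywords=("msdn", "microsoft")):
    """Hostnames containing any keyword (default: the two the comment suggests), sorted."""
    return sorted(h for h in extract_hostnames(blob) if any(k in h for k in keywords))


def scan_file(path, keywords=("msdn", "microsoft")):
    """Run the keyword scan over a file on disk, e.g. a copy of dnsapi.dll."""
    with open(path, "rb") as f:
        return find_hardcoded_hosts(f.read(), keywords)


if __name__ == "__main__":
    hosts = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_hardcoded_hosts(SAMPLE_BLOB)
    for host in hosts:
        print(host)
```

Point it at a copy of the DLL rather than the live file. Two caveats a practitioner should keep in mind: the run-based heuristics can glue a narrow string to an immediately following wide one, so check each hit against the raw bytes, and a hostname embedded in a binary shows only that the name is present, not by itself that lookups for it bypass the hosts file; confirming that still needs the kind of traffic log the article is based on.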

      3. Wayfarer said on February 8, 2016 at 7:32 pm

        I don’t know enough to swear to this, but I’m sure I’ve read somewhere that Win10 bypasses the hosts file to phone home.

  30. CHEF-KOCH said on February 8, 2016 at 3:55 pm

    Not fully true, there exist alternatives + some coming without an OS, or just format/reinstall the OS.

    I agree with you but there exist even live CDs/DVDs or hardened OSes like Tails and and and. The benefit is that you can but need not install it, which then wipes all data after shutdown; more security is not possible. The distros are normally made for noobs and you don’t need to know much even if it’s Linux, just install or start from CD/DVD/USB and browse the web secured by default.

    In fact every OS communicates to search for updates. MS (several years ago) was blamed because they were not ‘listening’ to people and now they did and it’s called telemetry/spying, without any proof of which data really are sent to them and how much. There are only people who are trying to hype the story by playing with the fears of other newbie users to say Linux is better, even if it’s not. As I said, every OS wants to communicate; that isn’t the problem, but it should be an opt-in/opt-out, I agree, but since Windows is improving a lot we may get a full opt-out soon; it’s a learning thing we are talking about.

    1. Corky said on February 8, 2016 at 5:08 pm

      @CHEF-KOCH, Says the noob that can’t even work out how to reply to his own previous comment. ;)

  31. FortBri said on February 8, 2016 at 3:48 pm

    This hosts file seems to be updated: https://github.com/crazy-max/HostsWindowsBlocker

  32. CHEF-KOCH said on February 8, 2016 at 3:00 pm

    BS, this shows connection attempts but tells nothing about which and how much data are sent, so a full capture of this traffic is necessary to come to a conclusion. You also get random attempts on every other OS, but that doesn’t mean the connection is established the entire time or whether this is just listening. This entire ‘tracking’ or whatever thing is also not new and has existed since Win 2k, but no one ever did a real capture because of the hype …

    This is also not showing any relevant information because the important ones are hardcoded within a .dll, so this isn’t that easily blockable via e.g. the hosts method. And of course there are several connections for OneDrive, Cortana and others which are also pre-installed with Windows Enterprise. So what’s next, trolling about random connections from Android OS because Google Play Services/Store wants to get updates in the background? Excuse me, but such topics are coming from trolls who don’t know anything about the OS or how to deal with such things. You really complain about MS, then why do you install the OS? …

    1. Corky said on February 8, 2016 at 3:42 pm

      Well, feel free to do your own traffic analysis and provide an alternate theory. Until then, as with most theories, we’ll use the best currently available information; that’s how scientific theories work BTW.

      Yes, other OSes make random attempts, but AFAIK Windows 10 is the first desktop OS to make so many to different IP addresses mostly belonging to the developer of the OS, and on such a scale.

      Lastly, you seem to have misunderstood how the person testing this actually tested it. Any hardcoded IP addresses would’ve been logged as it was routing ALL the Windows 10 traffic via an external device, and lastly tests were also carried out with OneDrive, Cortana and others disabled or removed using DisableWinTracking, as you would’ve read if you had read the entire article instead of just jumping to Microsoft’s defense.

    2. T J said on February 8, 2016 at 3:36 pm

      @CHEF-KOCH

      Why install the OS ?? What a dumb question.
      It is installed on just about every PC/Laptop which is sold.
      I know that you could suggest installing one of the Linux flavours.
      Many people just want to access email, Facebook, etc, and browse the Internet.
      They do NOT want to go through the learning curve of using Linux, and it is a pretty steep learning curve for the average user.

      1. MdN said on February 8, 2016 at 8:00 pm

        What’s so steep about it? You get someone to install it, then you use your browser and most programs just like you did before, and also when an update notice appears you have to click “yes”. Apart from that, it’s a computer. You know, you click on stuff and it does what you want. ;-)

  33. Jeff said on February 8, 2016 at 2:21 pm

    Cue 2 or 3 people telling us how wonderful Win 10 is in 3…2…1…

    1. Gary D said on February 8, 2016 at 5:48 pm

      @ Jeff

      OF COURSE Win 10 is wonderful.
      It is the best thing since the discovery of fire, the invention of the wheel and sliced bread, intercontinental plane travel. NOT!!! :-)
      NB I am a Win 7 Troll :-)

      1. Jeff said on February 9, 2016 at 5:52 pm
        Reply

        And just as I suspected, a new user with an unknown name shows up (below) calling those of us with concerns “tin foil hat” wearers and “paranoid”. It never fails.

    2. Decent60 said on February 8, 2016 at 3:09 pm
      Reply

      Windows 10, itself, is actually great…..The data collection that Microsoft is trying to upgrade all of it’s OS’s to have is what is preventing me from upgrading to it (at least, until I finish building/setting up my custom router to block such privacy collection).
      Of course, according to Microsoft, you have the freedom of opting out of any telemetry settings at any time….Tho when you directly question them about it, they give you a standardized statement that doesn’t even cover what you asked but sounds great!

  34. Henk van Setten said on February 8, 2016 at 2:02 pm
    Reply

    Yes, this is worrying, to say the least. But it’s more or less what was to be expected.

    I wish some techie would do the very same “idle connections” test with a Linux system too, so we could compare the Linux and the Win10 results. Perhaps this might also help a little in separating “innocent” connections from the “suspect” ones.

    Some related news from my own Windows 8.1 front:

    (1) I’ve set GPedit to block Windows 10 installation through Windows Update, and I’ve blocked (hidden) all Windows updates related to upgrading to Win10, such as the notoriously re-appearing KB3112336 relating to “Windows 10 upgrade scenarios”.
    But of course Microsoft keeps trying. Two days ago and sneaking in outside the regular monthly updates batch, suddenly a new one (one that I hadn’t seen before) appeared in my Windows Updates list: KB3123862, bringing “Updated capabilities to upgrade Windows 8.1 and Windows 7”. If like me you hadn’t put this one on your block list yet, then look out for it!

    (2) I’ve set my system (through GPedit) to absolutely never use Microsoft’s OneDrive cloud service. I’ve also deleted the OneDrive data folder. But unlike in Windows 7, in Windows 8.1 it is not possible to simply uninstall the OneDrive software.
    Today, my firewall notified me that the OneDrive program had updated itself (an update I never asked for, of course) and was already connecting to Microsoft online.
    I’ve now deleted the complete program folder with the OneDrive executable (Microsoft stuck it under Appdata in the main User folder, not under Program Files where programs ought to be). So now I’m curious to see if and how this little bugger will re-install itself again!

    1. Ann said on February 8, 2016 at 3:59 pm
      Reply

      never delete the folder and think that the problem is gone for ever.

      Beter is to delete the content and deny “system” & “trusted installer” access to it.
      in that way MSFT can’t re install it.

      1. Gary D said on February 8, 2016 at 5:51 pm
        Reply

        @Ann

        Make it read only as well. Even MS can’t change that.

      2. Henk van Setten said on February 8, 2016 at 5:14 pm
        Reply

        Thanks Ann, will try that next time…

  35. archuser said on February 8, 2016 at 1:55 pm

    I use NUC and avoid laptops.

  36. b said on February 8, 2016 at 12:09 pm

    Hi Martin
    I read somewhere that all new PCs come with Windows 10 by default. Does it mean that it’s built-in and cannot be “deleted” in order to use Linux instead?

    1. Loss of Freedom said on February 8, 2016 at 4:02 pm

      Your real privacy issues (not the anonymous aggregated telemetry done by Microsoft and Apple) still exist under Linux. The advertising infrastructure of websites and trackers will continue, even if you block ads with an ad-blocker. Information you freely provide is matched to you, not your computer, and is sold to others in thousands of available lists (for a price) to personally identify you, and the things you look at, buy, sell, like, dislike, etc. Windows 10 isn’t the culprit. The internet, and the convenience it brings, is.

      1. Corky said on February 8, 2016 at 5:05 pm

        @Loss of Freedom, There’s no doubting you’ll still be tracked by certain websites, but most of those are doing just that: tracking what sites you visit, maybe what you buy, or what you search for. But these are single companies and the scope of their tracking is limited. The same can’t be said of an operating system that has the capability to track everything from what sites you visit all the way up to what files are on your PC, what you’re typing, who your contacts are, and even where you live.

    2. Anonymous said on February 8, 2016 at 12:29 pm

      oh shit.

      1. Anon said on February 8, 2016 at 11:26 pm

        Just FYI, I have Ubuntu 14.04 running on a skylake just fine.

    3. Yuliya said on February 8, 2016 at 12:26 pm

      No. You should be able if, let’s say you buy a laptop that has Windows 10, to format the drive and install Windows 7 or Linux Mint, or your preferred OS.

      1. Decent60 said on February 8, 2016 at 3:02 pm

        Should also note that changing your OS does often void many warranties offered by companies, as stupid as it sounds.

      2. Anonymous Coward said on February 8, 2016 at 2:21 pm

        That’s what Skylake is for mwahahahaha!!

      3. Corky said on February 8, 2016 at 1:33 pm

        You have to watch out when upgrading a newly bought Windows 10 PC to Linux, as Microsoft changed the requirements to gain the “certified for Windows 10” label from Windows 8: for Windows 10 they changed the option in the BIOS to disable Secure Boot from mandatory to optional, so you would either need a version of Linux that supports Secure Boot or the OEM would need to include the option in the BIOS to disable it.

  37. smaragdus said on February 8, 2016 at 11:41 am

    All this proves one thing I already knew:
    It is impossible to stop Windows 10 from gathering data and phoning home. All these so-called privacy tools for Windows 10 are not just useless, they are dangerous placebos which lull the users into a false sense of security. With Windows 10 privacy and security are simply impossible because it was created with the intent to collect private data and to spy on users; that’s why Microsoft is so desperate to find more and more ways to deceive users to “upgrade” to Windows 10 “for free”.

    1. Loss of Freedom said on February 8, 2016 at 3:56 pm

      That’s quite a jump. Just because Microsoft is collecting data (telemetry and opt-in enhancements such as Cortana, which keeps preference data), it doesn’t mean any “private” data is being collected. Microsoft has explained several times what is being collected, which is similar to what Apple does as well. It’s all in their privacy notices, EULA, etc. Including both opt-in services, such as cloud-based email, voice assistant, etc., and the telemetry (anonymous aggregated data), it’s almost the same story between Windows 10 and OSX. A careful reading of the legal disclaimers actually shows the potential for more types of data (a little more than telemetry) possible under OSX. It’s ironic how many times this has to be discussed with Microsoft, but not with Apple. It’s also ironic how people get so fired up about this, when real privacy issues exist through online advertising infrastructures built into nearly all websites. Even with a bunch of ad blockers, your computer gives out much more information about you (personal info that you supply by browsing and buying, not telemetry) and aggregates it across all of the sites and services you visit. Want to buy a list of people (and email addresses) with Type-2 Diabetes? It’s readily available, and there are many companies that will sell it. Microsoft does no such thing.

      1. Stephan said on February 13, 2016 at 1:18 am

        Thank you man!!! This is what I’m talking about my whole life.. YES, every word.
        I did like you – I read the legal disclaimers.. and found well described (technically necessary), every used bit aaand NOTHING. And after that, I thought – let’s be a little bit crazy – and I read the Apple ones :D :D :D (you know…)
        aaand the ironic people, “fired up by this – but are using much more critical apps/suppliers”… and so on…
        I think they maybe don’t know that apps and their doings on the system are – MAYBE – other companies, endpoints… hey, they won’t realize the real-bad-traffic because they are just evaluating the MS traffic…

        Greets, Stephan :)

      2. Jeff said on February 9, 2016 at 3:35 pm

        All of *MY* data is private.

      3. Corky said on February 8, 2016 at 4:58 pm

        @Loss of Freedom, You say “it doesn’t mean any “private” data is being collected” but it also doesn’t mean it’s not. Yes, Microsoft have explained what’s being collected, but if you knew anything about Microsoft’s history you’d know they’re not above breaking the law, let alone their word.

        And yes, Apple has a similar attitude to privacy and data collection, but then again OSX isn’t used on 90% of desktop PCs. Whatever the reasons are for OSX having such a small market share in the desktop space, it seems to me Microsoft are intent on copying Apple’s business model; if it hasn’t worked for Apple, who’ve had a lot longer to get things right, what makes you think this new (for Microsoft) direction is going to work?

    2. Tom Hawack said on February 8, 2016 at 12:23 pm

      Why a take-it-all or forget-it-all attitude? I believe cyber reality is somewhat comparable to that of life, of our lives: a blend, a mixture between the best and the worst. Perhaps this applies as well to what we can achieve in our defense against Web as well as System intruders: we can limit the intrusion; it’ll never be totally effective, but we can achieve already quite a lot. When very large amounts, arrays of data are processed we can imagine rules of prioritization filtering the less uncovered data from the most, and we can help make our data more complicated to be cross-referenced and assembled.

      Of course there’s a price to pay, in that privacy is not a symmetrical option to no-privacy; it requires effort to reconcile the best you can obtain with awareness, so as to not strive so high that you’d lose the baby with the bath water. Freedom is, always has been and always will be a continuous effort of balance, of equilibrium, and as such incompatible with a radical approach to the concepts leading our lives.

      So, let’s make it tougher even if we cannot be as tough as the toughest :) Never surrender, man, never.

      1. Power On said on February 10, 2016 at 11:09 pm

        And just don’t use Windows 10 – the telemetry is easily shut off in Windows 7 and 8.x, so they make more than suitable alternatives.

    3. as said on February 8, 2016 at 11:58 am

      Just don’t install this crap. It’s that simple. If something is too good to be true and it’s free… probably you pay a high price for it, but you just don’t know.

  38. Marti Martz said on February 8, 2016 at 11:36 am

    The logging appears to be IPv4 traffic only… any news on IPv6 traffic?

    I am very glad to see some eMachines distributing Linux-based distros lately instead of Microsoft products… I’ve even seen some elderly women using it effectively. :)

    1. Mike J. said on February 8, 2016 at 2:37 pm

      eMachines are still extant??

      1. Ashrak007 said on February 8, 2016 at 3:41 pm

        They were acquired by Acer I believe…

    2. Corky said on February 8, 2016 at 11:47 am

      From the investigating I’ve done, that’s what number one in Martin’s top 10 does (94.245.121.253).
      It seems Microsoft have a server doing NAT too, from IPv6 to IPv4 and vice versa. What I found most disturbing is that VirusTotal has a report listed for that IP address and it seems to be routing BitTorrent traffic. Does BitTorrent default to using IPv6?

      1. Corky said on February 9, 2016 at 6:13 am

        @Decent60, I knew I shouldn’t have mentioned BitTorrent. :)

        The only reason VirusTotal lists BitTorrent clients, both infected and clean clients, as having sent traffic to that IP address is, as far as I can tell, because they were using IPv6 on an IPv4 network. So, by the look of things, Microsoft’s Teredo tunneling protocol attempts to send that encapsulated IPv6 packet to a Teredo tunneling server that can either route the IPv6 packet onto an IPv6 network or translate the IPv6 packet into an IPv4 packet and presumably send it on its way.

        That the IP address lists BitTorrent clients as having sent packets to it is unrelated; the only reason (afaik) that it lists them is because BitTorrent clients and Windows are set up to use IPv6 by default. Any other application could have been used to send the IPv6 packets; it just so happens that VirusTotal lists BitTorrent clients.

        It seems that if you’re not connected to an IPv6 network, Microsoft have set up a Teredo tunneling server to do IPv6 to IPv4 translation, much like how a NAT router works. The only reason I mentioned BitTorrent clients was because (afaik) they have IPv6 enabled by default.
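Corky’s explanation points at a concrete check: if the top entry in the table (94.245.121.253, UDP 3544) is Teredo, then disabling the Teredo client should make it disappear from the capture. As an added example (not code from the article or from any commenter), the following shows how to read the current Teredo configuration on Windows 8 or later, turn it off, and add an outbound host-firewall block for UDP/3544 as a second line of defence. It assumes an elevated prompt and the built-in NetTCPIP and NetSecurity modules; the firewall rule name is a placeholder. The trade-off: on an IPv4-only network with no native IPv6, Teredo is the only IPv6 path Windows has, so anything that genuinely needs IPv6 loses it.

```powershell
# Added example, not code from the article or its commenters.
# Reads the Teredo configuration, disables the Teredo client, and blocks
# outbound UDP/3544 (the Teredo port Corky identifies for 94.245.121.253).
# Assumes Windows 8 or later and an elevated PowerShell prompt.

function Get-TeredoStatus {
    # Stack configuration plus the live state netsh reports.
    $cfg = Get-NetTeredoConfiguration
    [pscustomobject]@{
        ConfiguredType = $cfg.Type         # Default, Disabled, Client, EnterpriseClient, Server, Automatic
        ServerName     = $cfg.ServerName   # the Teredo server the client would contact
        NetshState     = (netsh interface teredo show state) -join "`n"
        # The Teredo pseudo-interface, if the stack has one up at the moment.
        Interface      = (Get-NetIPInterface -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                            Where-Object InterfaceAlias -like '*Teredo*' |
                            ForEach-Object { "$($_.InterfaceAlias): $($_.ConnectionState)" }) -join '; '
    }
}

function Disable-Teredo {
    # 1. Turn the Teredo client off at the TCP/IP stack level.
    Set-NetTeredoConfiguration -Type Disabled

    # 2. Block any remaining outbound Teredo traffic in the host firewall.
    #    Placeholder rule name; any unused display name works.
    $ruleName = 'Block outbound Teredo (UDP 3544)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Protocol UDP -RemotePort 3544 -Action Block -Profile Any | Out-Null
    }
}

Write-Host 'Before:'
Get-TeredoStatus | Format-List
Disable-Teredo
Write-Host 'After:'
Get-TeredoStatus | Format-List
```

After running it, repeat the router-side capture: if UDP/3544 to the Microsoft range is gone while the HTTPS entries remain, the first row of the table was Teredo and not telemetry, which is exactly the distinction this thread is arguing about.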

      2. Decent60 said on February 9, 2016 at 1:35 am

        @Corky

        When I click on the ones that were detected, it comes back with Malware or Trojans. Probably zombie computers trying to infect other computers by going through open connections, possibly using the uTorrent client as a means to do so, or those people downloaded an infected uTorrent client (thus why it was registered as a uTorrent client). The problem is, we don’t know which direction the information was communicated: whether it was pre-programmed to go there, whether it was set to search out open connections and to follow/hijack, or coming from that IP address. It would be a bit helpful if they stated how the communication was started.

        As for the IPv6, that situation is possible, as you described it.
        Further investigation is needed and it would be nice if they captured the packets and recompiled them to find out what information was actually being sent (if possible as it might be encrypted).

      3. Corky said on February 8, 2016 at 3:25 pm

        @Decent60, Sorry, maybe I confused the subject by mentioning BitTorrent. VirusTotal has the IP address in question listed not as BitTorrent traffic but as the executable; have a look for yourself.
        https://www.virustotal.com/en/ip-address/94.245.121.253/information/
        The section that was of interest to me was the hashes in the “detected files that communicate with this IP address” section. If you follow the links for each hash you can see all the files listed that communicated with that IP are BitTorrent clients.

        I may be wrong, but that seems to indicate to me that people’s BitTorrent clients are broadcasting IPv6 traffic and, as they’re not on an IPv6 network, the Teredo tunneling protocol is packaging the IPv6 packet into an IPv4 packet, sending it to Microsoft’s Teredo tunneling server, and then that server either unpacks the IPv6 packet and sends it on an IPv6 network, or it performs a NAT from IPv6 to IPv4.

        Microsoft have in the past stated that this is, as you say, their Customer Experience Program (aka telemetry), but the thing that raises questions is that port number 3544 is what Teredo servers listen on, and other IP tools report that’s what it’s being used for.

        Either way it definitely needs more investigating.

      4. Decent60 said on February 8, 2016 at 2:56 pm

        @Corky

        Windows Update on Windows 10 is, by default, a torrent setup. However BitTorrent, by default, doesn’t care if it’s IPv4 or IPv6. It uses whatever connection is set up.

        The 94.245.121.253 address relates to a server in Ireland; at one point it was related to the Microsoft Customer Experience Program (which is on by default. Search for CEIP on your computer and you’ll find that option; this is for Vista and up).
        However, it might not actually be doing an IPv6 call-out, but rather IPv6 or IPv4, which goes to a server that routes either connection to the proper server.
        I saw the VirusTotal page concerning that particular IP address. It also seems that it’s a revolving address, meaning Microsoft changes what server it is pointing to periodically. One of the more recent ones relates to a company called MarkMonitor. They do a plethora of services; one that caught my eye was Domain Management.
        Hard to tell exactly what the server is being used for. From the amount of call-outs it is listed as doing, it’s more than likely something to do with the Microsoft Store app.

      5. Corky said on February 8, 2016 at 1:43 pm

        I’m guessing the person who carried out these tests was on an IPv4 network: when Windows attempted to route IPv6 traffic (IPv6 is built into Windows and automatically enabled) but couldn’t, it automatically routed the traffic to Microsoft’s Teredo tunneling server and performed a translation.

        The question is what part of Windows 10 is using IPv6?

      6. Marti Martz said on February 8, 2016 at 1:28 pm

        There are some IPv6 trackers out there although all of the clients in *nix appear to be IPv4 based… but I think I’ve seen a couple of IPv6 peer connections but very rarely.

        I am rarely on Windows, but I know some versions have IPv6 typically enabled by default… so if everything through an intranet is IPv6 ready, then that may be missed in the logging report. As you pointed out, it can NAT, can “upmix”, and it can also “downmix”… so I believe both should be captured in privacy and security logs from enabled platforms.

  39. Anonymous Coward said on February 8, 2016 at 10:53 am

    And now that CISA was passed in December, companies have zero liability when handling your personal data. Something that irks me and I never see it mentioned, is the increased wear and tear, additional electrical consumption involved in running data collection tasks on the end user’s PC. We’re essentially paying for this on our electric bill, replacing fans and hard drives, etc.

  40. Corky said on February 8, 2016 at 9:53 am

    It’s good to see someone taking the time to do a proper analysis of the connections Windows 10 makes. Even though it seems rather incomplete and possibly open to criticism from pro-Microsoft people, it’s better than previous attempts. It would be interesting to know how quiet Windows 10 is when it’s fully hardened via group policy and such.

    To think that these sorts of tests have to be done on Windows saddens me, and I fear most people lack a proper understanding of what the possible implications are of having a desktop operating system with such data gathering potential. I shudder to think of the day when Governments, Doctors, Hospitals, Banks, and other organisations start rolling out Windows 10; how many of those organisations are going to properly harden their systems against Microsoft’s data gathering?

  41. Bill said on February 8, 2016 at 9:41 am

    Apparently, there are addresses that bypass Hosts blocking by being hardcoded into dnsapi.dll…

    1. Bob Bobson said on February 8, 2016 at 9:42 pm

      Which is why you need to block them at the router. Microsoft (and other companies) can bypass the HOSTS file and other software firewalls, but they cannot bypass the router (at least not nearly as easily).

      1. Jason said on February 9, 2016 at 7:44 pm

        Very good point, Bob. The router is really the only surefire way to control your internet connections.

        Unfortunately it is also beyond the technical abilities of most users. I can just imagine my parents editing their router settings…. Nightmare. This is why the only real option is to just not use Windows 10 at all. If you cannot trust your operating system and constantly have to fight with it, what’s the point of owning a computer? I can do without that stress.
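Bill’s and Bob’s point can be tested rather than taken on trust. Below is an added example (not code from the article or from any commenter) that parses the local hosts file and then asks the Windows resolver, through the same API applications use, what each name currently resolves to. If a name you mapped to 0.0.0.0 or 127.0.0.1 still comes back with a public address, that block is being bypassed on this host and, as Bob says, the router (or an upstream DNS filter) is where it has to be enforced. The two names at the bottom are placeholders. One further caveat a practitioner should expect: Windows Defender treats hosts entries that redirect Microsoft domains as a settings modification (SettingsModifier:Win32/HostsFileHijack) and may revert them, so a block that worked last week can silently stop working.

```powershell
# Added example, not code from the article or its commenters.
# Parses the hosts file and checks, via the OS resolver, whether each entry
# is actually honoured. Works on Windows 8 or later (DnsClient module).

function Get-HostsEntries {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Returns a hashtable: hostname (lower case) -> address from the hosts file.
    $map = @{}
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = ($raw -split '#', 2)[0].Trim()     # drop comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed line, skip it
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $map[$name.ToLowerInvariant()] = $fields[0]
        }
    }
    return $map
}

function Test-HostsBlock {
    param([Parameter(Mandatory)][string[]]$Names)
    $hosts = Get-HostsEntries
    Clear-DnsClientCache    # a cached answer from before the hosts edit would mask the result
    foreach ($name in $Names) {
        $expected = $hosts[$name.ToLowerInvariant()]
        try {
            # GetHostAddresses goes through the Windows resolver, which normally consults hosts first.
            $got = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString)
        } catch {
            $got = @()                              # NXDOMAIN or no network: nothing resolved
        }
        $verdict = if (-not $expected) { 'not in hosts' } elseif ($got.Count -eq 1 -and $got -contains $expected) { 'honoured' } else { 'BYPASSED: enforce at the router' }
        [pscustomobject]@{
            Name       = $name
            HostsEntry = $expected
            ResolvedTo = ($got -join ', ')
            Verdict    = $verdict
        }
    }
}

# Usage: placeholder names; substitute the hosts you have blocked.
Test-HostsBlock -Names 'telemetry.example', 'example.invalid' | Format-Table -AutoSize
```

Run it once right after editing the hosts file and again a day later; a name that flips from “honoured” to “BYPASSED” without you touching the file tells you something on the machine is rewriting or ignoring it.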

  42. Anonymous Coward said on February 8, 2016 at 9:27 am

    I’ve been experimenting with these DNS addresses in my router. Blocking entries with “aka” or “atdmt” seems to effectively break the Internet. I haven’t tested each one, but removing them all makes everything work again. I couldn’t even ping yahoo.com, search Google, nothing! If you use Google shopping – doubleclick

  43. koe said on February 8, 2016 at 8:16 am

    Wow, that is really quite a lot. I’d like to use the HostsWindowsBlocker but I also want automatic updates. I wish there was a tool that automatically allowed only the connections needed for updates and only for scheduled time every day.

  44. FortBri said on February 8, 2016 at 7:43 am

    And someone seems to keep an updated hosts file blocker here: https://github.com/crazy-max/HostsWindowsBlocker

  45. Anonymous Coward said on February 8, 2016 at 7:41 am

    Thanks Martin for the ongoing security analysis of Windows 10. I’m worried recent updates to Windows 7 might have also introduced “telemetry” data collection and other eavesdropping features. Please keep us posted.

    1. Anonymous said on February 8, 2016 at 8:05 am

      Don’t worry about it, be sure about it! Do a Google search, and you’ll find which KBs you should avoid. And for privacy’s sake, turn off automatic updating.

      1. Ashrak007 said on February 8, 2016 at 3:39 pm

        So to avoid invasions of my privacy by MS I have to have my privacy invaded by Google. That makes so much sense I wanna puke.

  46. Paranam Kid said on February 8, 2016 at 7:17 am

    The developer of DisableWinTracking is no longer working on it – see https://goo.gl/g4tp1D. For completeness’ sake that should be mentioned in your text too, Martin.
