German federal office BSI publishes Telemetry analysis

Martin Brinkmann
Nov 23, 2018
Windows, Windows 10
|
32

The German Federal Office for Information Security, BSI (Bundesamt für Sicherheit in der Informationstechnik) published a detailed Windows 10 Telemetry analysis on November 20, 2018.

The research paper, which is available in English (partially) and German, provides a deep analysis of Telemetry functionality that Microsoft implemented in the company's Windows 10 operating system.

The paper is based on Windows 10 version 1607 Enterprise. It covers:

  • An overview of Windows 10's event tracing functionality for Telemetry.
  • A technical analysis on how Telemetry data is collected and processed.
  • An analysis of the network interfaces and connections used to transfer Telemetry data.
  • A look at configuration and logging capabilities to monitor and control Telemetry data collecting.

The report is quite technical in nature and the first couple of pages are only available in German at the time of writing. You may want to skip ahead to page 9, Executive Summary, if you don't understand German; the English part of the report begins with chapter 1.2.

Tip: An extra, German-only, paper is available that includes system-based and network-based options to limit or block the collection or transfer of Telemetry data to Microsoft.

You find interesting tidbits in the report even if you are not interested in technicalities like the number of Event Tracing for Windows (ETW) providers associated with Autologger-Diagtrack-Listener and Diagtrack Listener for each of the supported Telemetry levels:

  • Security -- 9 and 4 ETW Providers
  • Basic -- 93 and 410 ETW Providers
  • Enhanced -- 105 and 418 ETW Providers
  • Full -- 112 and 422 ETW Providers

The Security telemetry level is reserved to Enterprise editions of Windows 10. Home users may choose between Basic and Full, and the difference in providers is not as large as one would think based on the analysis.

The number of ETW Providers stands in no direct correlation to the amount of data that is collected or its quality according to the researchers.

The report list hostnames and IP addresses that Windows 10's Telemetry service uses for communication based on a connection log of 48 hours.

Hostname IP Address Location
geo.settings-win.data.microsoft.com.akadns.net 40.77.226.249 Ireland, Dublin
db5-eap.settings-win.data.microsoft.com.akadns.net
settings-win.data.microsoft.com
db5.settings-win.data.microsoft.com.akadns.net
asimov-win.settings.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net 40.77.226.250 Ireland, Dublin
v10-win.vortex.data.microsft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
v10.vortex-win.data.microsft.com
us.vortex-win.data.microsft.com 13.92.194.212 United States, Boston
eu.vortex-win.data.microsft.com 52.178.38.151 Netherlands, Amsterdam
vortex-win-sandbox.data.microsoft.com 52.229.39.152 United States, LA
alpha.telemetry.microsft.com 52.183.114.173 United States, LA
oca.telemetry.microsft.com 13.78.232.226 United States, Cheyenne

Last but not least, there is an appendix that list external executable files. Not all of them are used for Telemetry purposes though.

Here is the entire listing:

Executable Description
%SystemRoot%\System32\telsvc.exe No description available
%SystemRoot%\SysWow64\dtdump.exe No description available
%SystemRoot%\SysWow64\RdrLeakDiag.exe No description available
%SystemRoot %system32\RdrLeakDiag.exe No description available
%SystemRoot%\system32\appidtel.exe No description available
%SystemRoot%\system32\disksnapshot.exe No description available
%SystemRoot%\system32\bcdedit.exe A tool for managing the Boot Configuration Database (BCD);
%SystemRoot%\system32\dxdiag.exe A tool for collecting information on devices;
%SystemRoot%\system32\dispdiag.exe A tool for collecting and logging information on displays;
%ProgramFiles%\internet explorer\iediagcmd.exe No description available
%SystemRoot%\system32\icacls.exe A tool for displaying and modifying access control lists;
%SystemRoot%\system32\licensingdiag.exe No description available
%SystemRoot%\system32\ipconfig.exe A tool for displaying network information and configuring network settings
%SystemRoot%\system32\msinfo32.exe A tool for displaying information about the hardware and software enviroment deployed on a platform;
%SystemRoot%\system32\logman.exe A tool for configuring, and displaying information about, the ETW environment;
%SystemRoot%\system32\netsh.exe A tool for displaying network information and configuring network settings;
%SystemRoot%\system32\netcfg.exe A tool for installing the Windows preinstallation environment, a lightweight version of Windows;
%SystemRoot%\system32\route.exe A tool for displaying and modifying the platform’s IP routing table;
%SystemRoot%\system32\powercfg.exe A tool for configuring power settings (e.g., configuring the platform’s standby mode)
%SystemRoot%\system32\stordiag.exe No description available
%SystemRoot%\system32\settingsynchost.exe No description available
%SystemRoot%\system32\verifier.exe A tool for detecting and troubleshooting driver issues;
%SystemRoot%\system32\tracelog.exe A tool for managing ETW environment (e.g., activation and deactivation of ETW sessions);
%SystemRoot%\system32\whoami.exe A tool for displaying information on the user currently logged on to the system; https
%SystemRoot%\system32\wevtutil.exe A tool for managing the EventLog environment;
%SystemRoot%\system32\wscollect.exe No description available

Administrators and researchers may also be interested in a tools and script package that was released as part of the analysis.

Closing Words

The reports provide detailed Telemetry information that is useful to interested Windows users but especially to administrators who want to know more about how Telemetry works on Windows 10 devices.

Related articles:

Summary
German federal office BSI publishes Telemetry analysis
Article Name
German federal office BSI publishes Telemetry analysis
Description
The German Federal Office for Information Security published a detailed Windows 10 Telemetry analysis on November 20, 2018.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on November 28, 2018 at 11:49 pm
    Reply

    Also a fine tool which i used to shut up windoof: https://www.oo-software.com/en/shutup10

  2. AnorKnee Merce said on November 26, 2018 at 12:19 pm
    Reply

    It’s likely that M$ is in cohorts with the NSA/CIA when she imposed forced auto-collection of Telemetry & Data in Win 10 in July 2015, purportedly for National Security reasons, eg to secretly track terrorists online.
    ……. M$ has even backported this “service” to Win 7/8.1 through sneaky Telemetry updates & Patch Rollups since the end of 2015.

    By cooperating with the US government, M$ is given much immunity and favoritism by the govt, eg from Federal anti-trust and consumer class-action lawsuits.

  3. Philip said on November 26, 2018 at 3:52 am
    Reply

    For anyone who wishes to continue using Windows 10 (whichever build you want) and block at least some of the aspects of the new Windows privacy features (Telemetry, Steps Recorder, Inventory Collector, etc.) you can download this software piece:

    https://wpd.app/

    It’s called Windows Provacy Dashboard and offers a list of rules and IP adresses that are updated each month to protect against Microsoft data collection

    There’s another one called Optimizer: https://github.com/hellzerg/optimizer

  4. TelV said on November 24, 2018 at 5:55 pm
    Reply

    That telemetry crap was installed on Windows 8.1 as well even if users opted out of the Microsoft Customer Experience program. I posted my findings on the MS Answers forum back in 2015 and you can find my exhaustive research on the subject in this post: https://answers.microsoft.com/en-us/windows/forum/all/rundllexe-using-whole-cpu-to-run-appraiserdll/b29bdffd-56e2-418f-b0c5-a7f3dfbab2b5?page=3#LastReply

  5. Anonymous said on November 24, 2018 at 3:47 am
    Reply

    How about the data collection and tracking Defender, Cortana, Edge, and Bing are doing? Microsoft 1809 can even upload your files to Microsoft’s “cloud” without your consent if they choose. Windows 10 has zero security.

    1. Anonymous said on November 25, 2018 at 9:00 am
      Reply

      ” Microsoft 1809 can even upload your files to Microsoft’s “cloud” without your consent if they choose ”
      source ?

  6. ULBoom said on November 24, 2018 at 2:51 am
    Reply

    Here at Microsoft we take our users’ privacy seriously. After decades of selling sporadically functioning software, we’re happy customers are delighted if a particular update works; delighted they will still remain customers after experiencing update sadness if their device is trashed.

    A recent set of user focus groups led by a notable marketing firm specializing in aiding Silicon Valley app “developers” sell their lame start ups to Silicon Valley V.C.’s with too much money, concluded that almost all of our Windows users are so absorbed by phone culture, we can track with impunity, everything interaction they have with Windows.

    We thank Google and Apple for effecting the global mindset shift that made privacy soooo last centurayyy! Ads are where it’s at!

    Ads allow MS to play, too, in privacy commerce. We joyously watch money flow back and forth among Valley tech companies. The bubble is warm and sunny. It’s OK customers get nothing; they’ve tacitly allowed us to collect their every thought through a decade or so of smartphone use. Who’s the smart one there, the phone?!

    Yes, at Microsoft we value our customers and are very serious about taking their privacy openly and surreptitiously. That’s one way we make money; our customers and all their contacts work for us free and they should because we’re so smart!

    I want Win NT 3.51 back. It worked. It was designed by adults. Who apparently died and left MS to a bunch of kids with helicopter parents. By Win 2000 with the Dr. Seuss interface (because Macs had it, bah!), the end was near.

  7. Karl said on November 23, 2018 at 11:49 pm
    Reply

    THIS is the reason I do not use Windows 10 – telemetry.

    1. WasHere said on November 24, 2018 at 9:53 pm
      Reply

      Well! Telemetry has been part of Windows for ages and Windows XP was already calling home 24/7.

      1. John Fenderson said on November 27, 2018 at 7:05 pm
        Reply

        @WasHere: The difference with Windows 10 is that you can’t disable the telemetry.

      2. Kris said on November 26, 2018 at 4:22 am
        Reply

        Telemetry was nothing like the avalanche it is today, and we could choose to disable it if we did not want to participate.

    2. Caper said on November 24, 2018 at 8:30 am
      Reply

      This! Period!

  8. Valrobex said on November 23, 2018 at 9:47 pm
    Reply

    Couple what Win 10 does with what Google, Facebook, and all the other “technology companies” do and it’s no wonder that people are starting to get concerned.

    Unfortunately, we are at a time in historical development where technology has outstripped the ethical and legal constraints that are in place. It will take a while but hopefully things will get back in order.

    Analogous situations have occurred in the past. For example the “Robber Baron” era in the United States where the Robber Barons didn’t actually break any laws because there were no written laws at the time that fit what they were doing. And the need to break up the monopolistic practices of some of the pioneering companies that happened a few decades later. Examples of which were the breakup of Standard Oil and AT&T.

    Hopefully our various legal entities enact appropriate legal constraints and the sooner the better.

  9. Cor said on November 23, 2018 at 9:28 pm
    Reply

    I have to admit, while great effort, I wish this analysis was made by an independent international organization. Mostly as I’m not looking forward to yet another per continent censored version of Windows.
    Also, I wonder if they would be able to repeat these tests and have mostly identical results. Which appear to be quite different from the ones recently updated by Microsoft.

    1. Tom Hawack said on November 23, 2018 at 10:43 pm
      Reply

      @Cor, the German BSI is doing its job but indeed there is quite a lot of sleeping otherwise.
      There is no international consensus regarding these major Web companies as there is none all the same regarding the power of banks. Power nowadays has made its way far from democracies’ economies and even justice. And most media, in France anyway, get along with it,, hardly evoke Google’s reluctance to honor GDPR correctly and Microsoft’s refusal of rethinking an OS entirely based on advertisement and tracking.

      It’s up to each of us to try to be lucid and honest. Revolt sometimes blinds but naivety as well.

  10. John said on November 23, 2018 at 7:58 pm
    Reply

    You would think with all the telemetry gathered Windows 10 would be a much better OS stability wise then it is. But you would be wrong and history says all this data collection is not having much benefit at all. Well, at least not for the end users.

    1. NotUrAvgMichael said on November 25, 2018 at 2:13 am
      Reply

      Collection does not necessarily mean it will be analyzed. I think we can all agree that that’s largely the problem with Microsoft, hell with many big tech companies. If they’re collecting vast swathes of data points, at the very least use it for legitimate improvements.

    2. Tom Hawack said on November 23, 2018 at 10:35 pm
      Reply

      @John, if ” this data collection is not having much benefit at all.” it’s maybe because improving the OS (for a better experience!) it’s not it’s first aim. I can imagine other aims far less aimed at a better user experience.

      1. lehnerus2000 said on November 25, 2018 at 1:30 am
        Reply

        @John, @Tom Hawack
        Agreed.

        W10 seems to have the most telemetry of any version of Windows and yet it is the most unreliable and problematic version that I’ve used.

  11. 420 said on November 23, 2018 at 5:19 pm
    Reply

    the other nice thing about 1607 ltsb is that you can really cut it down, I’ve got mine down to 39 processes vs like 150 for pro.

    1. Abdullah said on November 23, 2018 at 9:34 pm
      Reply

      Could you post a guide on how you managed to do that? Would be interested in reading and trying to recreate.

      1. 420 said on November 24, 2018 at 2:28 am
        Reply

        Well it is a combination of stuff and what works for me might not work for you. Basically I go through all the services with black vipers guide and disable all the tasks with like ccleaner or glary utilities, then go through everything in autoruns and uncheck everything I do not need or use. I think that’s about it. I also like this new wpd program for quickly doing alot of the privacy and telemetry stuff. The nvslimmer program is great too for stripping out all the crap from nvidia drivers. Last thing is go through everything in gpedit and set accordingly. I like speed over functionality, I am sure there is stuff broken but none of it affects what I do. I tend to use wsus for my updating, from what I can tell with 1607 ltsb it does not matter if you use security only updates or not as I have not seen a difference with 2 diff machines also I let a 3rd box just update with windows and it had then same updates as wsus boxes..

  12. Tom Hawack said on November 23, 2018 at 5:15 pm
    Reply

    Germany is undoubtedly very concerned with Web privacy and I’d appreciate France be as much.

    One thought for those who run Windows 10 out of the box, which are the vast majority of users : “Imagine there’s no tracking, it’s easy if you try…” when these users aren’t even aware of the tremendous amount of their privacy withdrawn by Microsoft. If you think about it, it’s really a scandal.

    Thanks Martin for echoing BSI’s Telemetry analysis. I should have chosen German as 1st language when, back in France I opted for English just to easily increase my averages :=)

    1. Wolfgang Keller said on November 25, 2018 at 11:45 pm
      Reply

      > Germany is undoubtedly very concerned with Web privacy and I’d appreciate France be as much.

      As a native German, I believe that the reason is that there existed two surveillance regimes on German soil in the 20th century. One of these two just ceased to exist less than 30 years ago (and the memories are thus still quite alive – in particular in East Germany). And every evening, there is some transmission in German public service television that reminds people that the other surveillance regime existed.

      So is should not be far to seeek that there exist lots of people in Germany that are quite concerned about privacy and surveillance.

      1. Markus said on November 26, 2018 at 1:57 pm
        Reply

        Definitely true, as a foreigner living in Germany you definitely see a big difference when it comes to web privacy. One thing I found surprising is that many German people will use nicknames on social sites like Facebook as to not reveal their identity online.

      2. John Fenderson said on November 27, 2018 at 7:02 pm
        Reply

        @Markus: “One thing I found surprising is that many German people will use nicknames on social sites like Facebook as to not reveal their identity online.”

        That’s not terribly rare in the US, either. Of the people I personally know who use social media, including Facebook, over half do so using a pseudonym. It’s not always obvious that a pseudonym is being used, though — they tend to be like my “John Fenderson” pseudonym here: a fake, but plausible-sounding, name.

      3. Tom Hawack said on November 27, 2018 at 3:42 pm
        Reply

        @Markus, what a funny coincidence : Wolfgang Keller mentioned above an explanation (which I’ve already heard and agree with) and reading him reminded me a notorious spy in whose career I had dug a bit by curiosity : Markus “Mische” Wolf. One of those “spy stars” with a few other Philbys :=)

    2. birmingham said on November 24, 2018 at 1:52 am
      Reply

      “Germany is undoubtedly very concerned with Web privacy …”
      If you’re thinking of something like user privacy and protection that’s a misinterpretation. They just don’t like the data flow is goldmined in the US and not so much under their own control – which they’re working on, as you can see.

      1. gwacks said on November 26, 2018 at 2:52 am
        Reply

        @birmingham

        Totally agree. That’s the truth about Germany, the EU, and even the GDPR.
        If people who care about their privacy have to use Windoze 10 for some reasons, I highly recommend they should *PATCH* all these sh1ts at least with:

        https://github.com/crazy-max/WindowsSpyBlocker
        https://wpd.app/ (optional)

  13. Yuliya said on November 23, 2018 at 3:51 pm
    Reply

    Fokus auf Windows 10, Version 1607, 64 Bit, deutsche Sprache aus dem Long-Term Servicing Branch (LTSB)
    Neat. LTSB1607 does have its bugs which will never be fixed, but it’s as good Windows 10 will ever get. It is a fairly low standard in of itself, though.

  14. Weilan said on November 23, 2018 at 3:34 pm
    Reply

    My condolences to everyone that is running Shitdows 10. T-T

    1. Minty said on November 26, 2018 at 5:22 pm
      Reply

      Here’s hoping Chrome OS grows into a good replacement OS for general use. They steal your data too, but at least it will be pretty and efficient. In the meantime I’ll roll distros.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.