View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000191 | Windows and other desktop OS | Desktop | public | 2016-07-18 10:33 | 2022-05-23 13:15 |
Reporter | DigitalMy | ||||
Priority | urgent | Severity | major | Reproducibility | always |
Status | progress | Resolution | open | ||
Platform | IBMPC | OS | Windows | OS Version | 10x64 |
Summary | 0000191: Protect personal data on windows 10 station: disable services and block connections with firewall | ||||
Description | There are known and unknown incoming and outgoing connections with Microsoft servers. Need to secure our data. Disable all automatic computer communications over network, except those initiated by user or those from software fully controlled by user wish. | ||||
Steps To Reproduce | For new installation, always choose LTSB edition... | ||||
Tags | No tags attached. | ||||
FinishDate | 2020-04-04 | ||||
StartDate | 2016-07-15 | ||||
WasteTime | |||||
PriorityIndex | 10 | ||||
LaboriousnessIndex | 6 | ||||
|
Disable unwanted services in version 1511:

    sc stop "diagtrack"
    sc config "diagtrack" start= disabled
    sc stop "wuauserv"
    sc config "wuauserv" start= disabled
    sc stop "BITS"
    sc config "BITS" start= disabled
|
New spyware in Windows 10 version 1607

delete files from folder %AppData%\Microsoft\Windows\AccountPictures

edit registry parameters as follows:

    [HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
    "System.IsPinnedToNameSpaceTree"=dword:00000000

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
    "System.IsPinnedToNameSpaceTree"=dword:00000000

    taskkill /f /im OneDrive.exe
    %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
|
Disable Skype spam

to %SystemRoot%/system32/drivers/etc/hosts add:

    127.0.0.1 rad.msn.com
    127.0.0.1 live.rads.msn.com
    127.0.0.1 ads1.msn.com
    127.0.0.1 static.2mdn.net
    127.0.0.1 g.msn.com
    127.0.0.1 *.ads2.msads.net
    127.0.0.1 ac3.msn.com
    127.0.0.1 *.adnxs.com
    127.0.0.1 *.rad.msn.com
    127.0.0.1 *.msads.net
    127.0.0.1 flex.msn.com

2019 update: they (Microsoft) made messages non-deliverable in case these connections are locked... unlocked (and skype started to send and receive messages again after that):

    127.0.0.1 client-s.gateway.messenger.live.com
|
disabled DiagTrack service

Diagnostics Tracking Service (DiagTrack) is Microsoft spyware renamed to "Connected User Experiences and Telemetry"
|
Check network activity with TCPview:

C:\Program Files\iTunes\iTunesHelper.exe startup disable, delete from regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
system connection to [fe80:0:0:0:51e3:616f:46de:bdc2]:445 |
|
Windows 10 version 1703 remove apps

    Get-AppxPackage *People* | Remove-AppxPackage
    Get-AppxPackage *XboxApp* | Remove-AppxPackage
    Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage

in advance useless apps to delete with PowerShell

    Get-AppxPackage *stickynotes* | Remove-AppxPackage
    Get-AppxPackage *xbox* | Remove-AppxPackage
    Get-AppxPackage *Sports* | Remove-AppxPackage
    Get-AppxPackage *Music* | Remove-AppxPackage
|
CompatTelRunner.exe found active and consuming system resources.

Block in firewall: C:\WINDOWS\system32\CompatTelRunner.exe

Task scheduler path: \Microsoft\Windows\Application Experience\

delete tasks: "Microsoft Compatibility Appraiser" and "ProgramDataUpdater"
|
ngen.exe makes suspicious activity C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe |
|
Antivirus, use old version: allow outgoing ESET NOD32 Antivirus 4 updates

    %ProgramFiles%\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

Delete file

    C:\Program Files\Common Files\AV\ESET NOD32 Antivirus 4.0\upgrade.exe
|
Found BAT.Starter.217 with Dr.Web CureIt in file \Windows\system32\hale.exe |
|
In version W10 1903 they added service WaaSMedicSvc, which cannot be disabled. "Windows Update Medic Service" should be considered as malware made by Microsoft. First of all, do not update to version 1903 or ever install this Windows 10 version.

    C:\WINDOWS\system32\svchost.exe -k wusvcs -p

    sc delete WaaSMedicSvc
    [SC] DeleteService FAILED 5: Access is denied.

as well as added protected tasks

PerformRemediation in \Microsoft\Windows\WaaSMedic that cannot be disabled or deleted (Helps recover update-related services to the supported configuration) S-1-5-18

Schedule Scan in \Microsoft\Windows\UpdateOrchestrator (run %systemroot%\system32\usoclient.exe StartScan)

Backup Scan in \Microsoft\Windows\UpdateOrchestrator (run %systemroot%\system32\usoclient.exe StartScan)

Use script to disable services in registry

Remove files:

    C:\Windows\System32\UsoClient.exe

and

    C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.18362.1_none_8146287911f8cbdc\UsoClient.exe

but it seems to cause restart OS with BSOD sometimes
|
    rem Stop the update-related services
    net stop BITS
    net stop DoSvc
    net stop UsoSvc
    net stop WaaSMedicSvc
    net stop wscsvc
    net stop wuauserv

    rem Set their start type to disabled through the service control manager
    sc config BITS start= disabled
    sc config DoSvc start= disabled
    sc config UsoSvc start= disabled
    sc config WaaSMedicSvc start= disabled
    sc config wscsvc start= disabled
    sc config wuauserv start= disabled

    rem Remove the remediation tool, update tasks and downloaded update files
    taskkill /f /IM remsh.exe
    rd /s /q "c:\Program Files\rempl"
    del /F /Q /S c:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\*.*
    del /F /Q /S c:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\*.*
    del /F /Q /S c:\Windows\SoftwareDistribution\Download\*.*
    rd /s /q c:\Windows\SoftwareDistribution

    rem Write Start=4 (disabled) directly into each service key
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\BITS" /V "Start" /T REG_DWORD /D "4" /F
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\DoSvc" /V "Start" /T REG_DWORD /D "4" /F
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /V "Start" /T REG_DWORD /D "4" /F
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /V "Start" /T REG_DWORD /D "4" /F
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /V "Start" /T REG_DWORD /D "4" /F
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /V "Start" /T REG_DWORD /D "4" /F

    rem Update and upgrade policy values
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /V "DisableOSUpgrade" /T REG_DWORD /D "1" /F
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /V "NoAutoUpdate" /T REG_DWORD /D "1" /F
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /V "DisableOSUpgrade" /T REG_DWORD /D "1" /F
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /V "AllowOSUpgrade" /T REG_DWORD /D "0" /F
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /V "ReservationsAllowed" /T REG_DWORD /D "0" /F
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeNotification" /V "UpgradeAvailable" /T REG_DWORD /D "0" /F
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /V "AUOptions" /T REG_DWORD /D "4" /F

    rem Turn off Security and Maintenance toast notifications for the current user
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /V "Enabled" /T REG_DWORD /D "0" /F
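
A read-only PowerShell check of whether the service and task settings from the notes in this issue are still in effect after a reboot or a feature update. This is an added example, not part of the original issue: the service names and task folders are taken from the notes, the report column names are made up here, and the script changes nothing.

```powershell
# Added example: read-only audit of the services and task folders named in this issue.
# Registry Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
$services  = 'DiagTrack', 'BITS', 'DoSvc', 'UsoSvc', 'WaaSMedicSvc',
             'wscsvc', 'wuauserv', 'CDPUserSvc', 'AarSvc'
$taskPaths = '\Microsoft\Windows\WindowsUpdate\',
             '\Microsoft\Windows\UpdateOrchestrator\',
             '\Microsoft\Windows\WaaSMedic\',
             '\Microsoft\Windows\Application Experience\'

$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$allKeys = Get-ChildItem -Path $root -ErrorAction SilentlyContinue

# Column names (Service, Start, State) are hypothetical, chosen for this report only.
$serviceReport = foreach ($name in $services) {
    # Per-user services show up as <name>_<suffix>, so match the template
    # key and every suffixed instance (for example CDPUserSvc_<suffix>).
    $keys = $allKeys | Where-Object {
        $_.PSChildName -eq $name -or $_.PSChildName -like "${name}_*"
    }
    if (-not $keys) {
        [pscustomobject]@{ Service = $name; Start = $null; State = 'KeyMissing' }
        continue
    }
    foreach ($key in $keys) {
        $start = $key.GetValue('Start')
        [pscustomobject]@{
            Service = $key.PSChildName
            Start   = $start
            State   = if ($start -eq 4) { 'Disabled' } else { 'NotDisabled' }
        }
    }
}

# Any task listed here still exists; its State column shows Ready or Disabled.
$taskReport = foreach ($path in $taskPaths) {
    Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue |
        Select-Object TaskPath, TaskName, State
}

$serviceReport | Sort-Object Service | Format-Table -AutoSize
$taskReport    | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; rows marked NotDisabled, or tasks that reappear in the second table, show where a setting was reverted.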
|
First of all, run compatible DWS.exe tool (destroy windows 10 spying) https://github.com/Wohlstand/Destroy-Windows-10-Spying |
|
Task scheduler delete: all tasks from

    \Microsoft\Windows\WindowsUpdate\
    \Microsoft\Windows\InstallService\
    \Microsoft\Windows\UNP\
    \Microsoft\Windows\UpdateOrchestrator\
    \Microsoft\Windows\UpdateAssistant\
    \Microsoft\Windows\WaaSMedic\

Research to delete files:

    %systemroot%\system32\sihclient.exe
    %windir%\System32\UNP\UpdateNotificationMgr.exe
    %systemroot%\system32\MusNotification.exe
    %systemroot%\system32\usoclient.exe

Also delete tasks: XblGameSaveTask
|
version 1607: Suspicious service with "random" name protected from disabling: CDPUserSvc_bdee98f

    sc stop CDPUserSvc
    sc delete CDPUserSvc
    sc stop CDPUserSvc_bdee98f
    sc delete CDPUserSvc_bdee98f

HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services - CDPUserSvc

Start = 4

in 1903:

    sc delete AarSvc_1b8c4a

Agent Activation Runtime_1b8c4a

    svchost.exe -k AarSvcGroup -p
|
Skype for desktop (Windows) version 8 has no option to disable updates, but you are able to block this updater from startup in current OS (remove rights) in "%appdata%\Microsoft\Skype for Desktop\Skype-Setup.exe"

https://answers.microsoft.com/en-us/skype/forum/skype_windesk-skype_startms-skype_installms/how-to-turn-off-skype-automatic-updates-on-pc/cf980eed-d9be-422c-bf0f-3a3871325b26?page=2
|
uninstall useless windows 10 apps

    Get-AppxPackage *YourPhone* | Remove-AppxPackage
    Get-AppxPackage *xboxapp* | Remove-AppxPackage