A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #26589  by EP_X0FF
 Mon Aug 24, 2015 7:50 am
Below is the list of "updates" that are delivered by Windows Update as "telemetry and customer experience improvements". If you don't want to upgrade to Win10 or send your "telemetry" to MS, remove them and do not install them again.

Microsoft claims this is "telemetry" and customer experience blah-blah-blah. Well, I call this simple: spyware.

https://support.microsoft.com/en-us/kb/3021917 - "Performance tracker update"
https://support.microsoft.com/en-us/kb/3035583 - "Get Windows 10 App" (delivers ready to use UAC backdoor as bonus)
https://support.microsoft.com/en-us/kb/2990214 - "Upgrade to Windows 10"
https://support.microsoft.com/en-us/kb/3044374 - "Upgrade to Windows 10"
https://support.microsoft.com/en-us/kb/2952664 - "Compatibility update for upgrading Windows 7"
https://support.microsoft.com/en-us/kb/3022345 - "Customer experience and diagnostic telemetry"
https://support.microsoft.com/en-us/kb/3068708 - "Customer experience and diagnostic telemetry"
https://support.microsoft.com/en-us/kb/3080149 - "Customer experience and diagnostic telemetry"
https://support.microsoft.com/en-us/kb/3075249 - "Telemetry points to consent.exe" !!!WARNING!!! this update adds spyware functionality to UAC

Run cmd.exe elevated and use this:
Code:
wusa.exe /uninstall /kb:ID /norestart

where ID is the number of the KB to remove.

If KB3035583 fails to completely remove its files, go to %systemroot%\System32\GWX and delete GWXUXWorker.exe manually (this is important, as this is the UAC backdoor file). The file and folder are owned by TrustedInstaller; see how to take ownership of them: https://technet.microsoft.com/en-us/lib ... 53659.aspx

This list is incomplete. If you have more suspicious/spyware KBs to add, feel free to post.

Updates may be masqueraded as "important" or as part of Windows Update itself. In the future they may be a silent part of critical fixes.

Edit:

@bartblaze excellent addition:

Disable Windows 10 telemetry
http://pastebin.com/CwKT4Qh5
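As an added example (not code from the original post), the following PowerShell script turns the list and the manual steps above into a repeatable audit: it checks which of the listed KBs are installed (via Get-HotFix), prints the wusa.exe removal command the post gives for each one, checks for the leftover GWXUXWorker.exe, and optionally hides pending offers of these KBs through the Windows Update Agent COM API so they are not offered again. The KB numbers and labels are the ones in the post; the `-Uninstall` and `-Hide` switches, the `$suspectKbs` table and the assumption that the updates are visible to Get-HotFix (Win32_QuickFixEngineering) are this example's own.

```powershell
# Added example, not from the original post: audit a Windows 7/8.1 machine for the KBs
# listed in the thread, show the wusa.exe removal command for each one found, check for the
# leftover GWX worker file, and optionally hide the KBs in Windows Update.
# Assumes PowerShell 2.0+; run from an elevated prompt when using -Uninstall or -Hide.
param(
    [switch]$Uninstall,   # actually run wusa.exe for each installed KB from the list
    [switch]$Hide         # flag pending offers of these KBs as hidden (Windows Update Agent API)
)

# KB numbers and labels as listed in the post (keys are the numeric part, as wusa /kb: expects).
$suspectKbs = @{
    '3021917' = 'Performance tracker update'
    '3035583' = 'Get Windows 10 App (GWX)'
    '2990214' = 'Upgrade to Windows 10'
    '3044374' = 'Upgrade to Windows 10'
    '2952664' = 'Compatibility update for upgrading Windows 7'
    '3022345' = 'Customer experience and diagnostic telemetry'
    '3068708' = 'Customer experience and diagnostic telemetry'
    '3080149' = 'Customer experience and diagnostic telemetry'
    '3075249' = 'Telemetry points to consent.exe'
}

# Get-HotFix reports IDs as 'KB1234567'; strip the prefix so they match the table keys.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }

foreach ($kb in ($suspectKbs.Keys | Sort-Object)) {
    if ($installed -contains $kb) {
        Write-Host ("INSTALLED  KB{0}  {1}" -f $kb, $suspectKbs[$kb])
        $wusaArgs = "/uninstall /kb:$kb /norestart"
        Write-Host "           wusa.exe $wusaArgs"
        if ($Uninstall) {
            # Left interactive on purpose so the confirmation dialog is shown; add /quiet to suppress it.
            Start-Process -FilePath 'wusa.exe' -ArgumentList $wusaArgs -Wait
        }
    }
}

# The file the post says an incomplete removal of KB3035583 can leave behind.
$gwx = Join-Path $env:SystemRoot 'System32\GWX\GWXUXWorker.exe'
if (Test-Path $gwx) {
    Write-Host "PRESENT    $gwx (owned by TrustedInstaller; take ownership before deleting)"
} else {
    Write-Host "ABSENT     $gwx"
}

if ($Hide) {
    # Windows Update Agent COM API: enumerate not-yet-installed, not-yet-hidden offers and hide
    # the ones whose KB number is in the table, so Windows Update stops re-offering them.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($suspectKbs.ContainsKey([string]$id)) {
                $update.IsHidden = $true
                Write-Host ("HIDDEN     KB{0}  {1}" -f $id, $update.Title)
            }
        }
    }
}
```

Run it with no switches first to get a report only; `-Uninstall` then removes what was found, and `-Hide` takes care of the "do not install again" part for offers that are still pending. Updates installed as packages rather than hotfixes may not appear in Get-HotFix, in which case DISM's package listing is the fallback.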
 #26594  by EP_X0FF
 Mon Aug 24, 2015 1:33 pm
slipstream- wrote: Has anyone reversed completely the telemetry stuff yet?
http://arstechnica.co.uk/information-te ... microsoft/

Now similar wonderful spyware/zombification functionality from Win10 is delivered to Win7/8.1; for example, KB3075249 includes an updated version of appinfo.dll and consent.exe used to report back to Microsoft about applications YOU elevate. It is just the beginning.
 #27492  by h00key
 Thu Dec 31, 2015 10:02 am
Besides going through the list of bad updates, is there an easy way to check for the existence of the spy features? At least these can be done:

1. Check for the existence of GWXUXWorker.exe as instructed by EP_X0FF (Windows 7/8/8.1):
EP_X0FF wrote: If KB3035583 fails to completely remove its files, go to %systemroot%\System32\GWX and delete GWXUXWorker.exe manually (this is important, as this is the UAC backdoor file). The file and folder are owned by TrustedInstaller; see how to take ownership of them: https://technet.microsoft.com/en-us/lib ... 53659.aspx

2. Check if the DiagTrack service is installed:
Code:
sc query diagtrack


Is there anything else to do?
 #29681  by h00key
 Sat Dec 03, 2016 10:07 am
Looks like the November 2016 cumulative security update for Windows 7 (KB3197868) installs the diagtrack service.

To check:
Code:
sc query diagtrack

To disable:
Code:
sc config diagtrack start= disabled
(Note the space after "=")

Or, delete:
Code:
sc delete diagtrack

Has anyone found out if it brings other nasty stuff?


Also, there are "preview" updates which are apparently not important and not even recommended:
http://www.infoworld.com/article/314219 ... tches.html
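As an added example (not code from the original posts), this PowerShell script is the equivalent of the `sc query` / `sc config` / `sc delete` commands above: it reports whether the DiagTrack service exists, its current state, start mode and binary path, and with the `-Disable` switch stops it and sets it to Disabled; with `-Delete` it removes the service the way `sc delete diagtrack` does. The service name comes from the thread; the switches and the use of Win32_Service for the start mode and image path are this example's own choices.

```powershell
# Added example, not from the original posts: check and optionally disable or delete the
# DiagTrack service on Windows 7/8.1. Assumes PowerShell 2.0+ (Get-WmiObject rather than
# Get-CimInstance); -Disable and -Delete need an elevated prompt.
param(
    [switch]$Disable,   # equivalent of: sc config diagtrack start= disabled (plus stopping it)
    [switch]$Delete     # equivalent of: sc delete diagtrack
)

$name = 'diagtrack'
$svc  = Get-Service -Name $name -ErrorAction SilentlyContinue

if (-not $svc) {
    Write-Host "Service '$name' is not installed."
    return
}

# Win32_Service exposes the start mode and image path, which Get-Service does not.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
Write-Host ("{0}`n  Status:    {1}`n  StartMode: {2}`n  Path:      {3}" -f `
    $wmi.DisplayName, $svc.Status, $wmi.StartMode, $wmi.PathName)

if ($Disable -or $Delete) {
    # Stop the running instance first so the new start mode takes effect immediately.
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
        Write-Host "Stopped '$name'."
    }
}

if ($Disable) {
    Set-Service -Name $name -StartupType Disabled
    Write-Host "Set '$name' start type to Disabled."
}

if ($Delete) {
    # PowerShell 2.0 has no Remove-Service; sc.exe does the deletion, as in the post.
    & sc.exe delete $name
}
```

Run it without switches after installing a cumulative update such as the one mentioned above to see whether the service came back; the start mode line is the quickest tell, since a freshly installed DiagTrack is set to Automatic.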