10

I've been reading about Windows 10 and its incessant desire to call home. I've tried putting some firewall rules in place. I am sure they are working but I got to thinking that many events probably happen before my firewall kicks in.

What I'd like to do, if it is possible, is to get a list of IPs my stand-alone PC calls starting at boot time. I have Wireshark - although not installed - and have been reading the manual, but it is not clear yet what I have to do. I've tried playing around with my router (Netgear AC1450), but while I can turn on logging, the router produces no logs.

So I have a ways to go in this learning curve. I've been playing around with Tails and that seems to work OK, but then I realized I had the same question. With whom is my PC communicating before I get control of the PC? I really get tired of everything I do on the internet becoming public property and have decided to learn enough about it that maybe I can stop or at least control the flood.

pacoverflow
Joesph
  • This may provide some information: https://security.stackexchange.com/questions/96713/how-does-windows-10-allow-microsoft-to-spy-on-you – Vilican Nov 15 '15 at 13:51
  • 3
    The only way to prevent Windows 10 from snooping is not using Windows 10. Alternatives are downgrading to Windows 7 or 8 or switching to a Linux distribution. – Philipp Nov 15 '15 at 13:54
  • 4
    Set up your firewall on another machine instead of relying on the Windows local firewall. – schroeder Nov 15 '15 at 17:57
  • 1
    Note that Windows 10 Threshold 2 (aka the November Update aka the Fall Update) now has a "disable telemetry" setting. You have to decide how much you trust it, but it is there. – Moshe Katz Nov 17 '15 at 23:31
  • Running Wireshark on a Windows machine can be a bit challenging. If you have access to another machine on which you can put a Linux desktop such as Ubuntu, you'll find installation and configuration much easier. The biggest note if you do this is that you need to put your network card in promiscuous mode to pick up the packets from your Win 10 machine. – Rick Chatham Nov 19 '15 at 22:13

3 Answers

9

Here is a suggestion for your case. You need an extra laptop with both a cable connection and a wifi connection. You then bridge the two connections and enable the Internet Connection Sharing function from the cable to the wifi. That way, your laptop's wifi becomes an access point. Next, you install Wireshark on this computer and set it to monitor the wifi interface. You now connect the computer that you want to monitor to this access point and log all the packets. You will know all the IPs that your computer talks to.

Since you mention Tails, I also suggest that, if you have some time, you have a look at this paper: (A Tor-Based Anonymous Communication Approach to Secure Smart Home Appliances). In the paper, there are some experiments done exactly in the manner that I just explained above with Wireshark.

匿名柴棍
  • 5
    You can generalize this answer by simply suggesting putting another machine between the client machines and the perimeter router. There are lots of ways to do that, and your suggestion is one of them. – schroeder Nov 15 '15 at 18:00
  • @schroeder Yeah, seems people don't know any more what a hub is ... – Hagen von Eitzen Nov 15 '15 at 22:50
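
The capture-and-list step described in this answer, as an added example that is not part of the original post: a standard-library Python parser that reads a classic pcap file saved on the monitoring machine and counts the remote IP, protocol and destination port of every IPv4 packet the monitored PC sent. The client address 192.168.137.10 and the peer 198.51.100.53 are constructed sample values; 65.55.44.108 port 443 is the address reported elsewhere on this page.

```python
import ipaddress
import struct
from collections import Counter

PROTO = {6: "tcp", 17: "udp"}

def remote_peers(pcap: bytes, client_ip: str) -> Counter:
    """Count (remote IP, protocol, dest port) over IPv4 packets sent by client_ip."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (save pcapng captures as pcap first)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    client = ipaddress.IPv4Address(client_ip).packed
    peers, off = Counter(), 24                  # 24-byte global header
    while off + 16 <= len(pcap):                # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # truncated, or not IPv4 (ARP, IPv6, VLAN)
        ip = frame[14:]
        if ip[12:16] != client:
            continue                            # inbound or third-party traffic
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        unfragmented = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
        has_port = proto in PROTO and unfragmented and len(ip) >= ihl + 4
        port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] if has_port else None
        peers[(str(ipaddress.IPv4Address(ip[16:20])), PROTO.get(proto, str(proto)), port)] += 1
    return peers

def make_frame(src, dst, proto, dport):  # constructed sample frame, not captured traffic
    l4 = struct.pack("!HH", 49152, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 12 + b"\x08\x00" + ip + l4

def sample_pcap():  # constructed capture; 192.168.137.10 is an assumed client address
    tls = make_frame("192.168.137.10", "65.55.44.108", 6, 443)
    frames = [tls, make_frame("192.168.137.10", "198.51.100.53", 17, 53), tls,
              make_frame("65.55.44.108", "192.168.137.10", 6, 49152),  # reply: ignored
              b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28]               # ARP: ignored
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(remote_peers(sample_pcap(), "192.168.137.10").most_common())
```

For a real capture, pass the bytes of the saved file instead of `sample_pcap()` and the monitored PC's address on the shared network as `client_ip`.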
0

So, a little information on the telemetry runner:

Name: Microsoft Compatibility Telemetry
Version: 10.0.10576.0
File Path: C:\Windows\System32\CompatTelRunner.exe

Connection Origin: local initiated
Protocol: TCP
Local Address: 10.RED.ACT.ED
Local Port: 9950
Remote Name: settings-win.data.microsoft.com
Remote Address: 65.55.44.108
Remote Port: 443 (HTTPS - HTTP protocol over TLS/SSL)

I've found that using a third-party firewall (in this case Symantec Endpoint Protection) and blocking these specific connections is all you need to stop it.

Unfortunately, I tried to change the filename of CompatTelRunner.exe to CompatTelRunner.exe.disabled, but TrustedInstaller has the permissions locked up tight, and even trying to take ownership fails... you could boot to a Linux distro and change the name but...

I have been actively blocking settings-win.data.microsoft.com for a while and haven't noticed any instability with the system.

I was very curious what sort of responses I'd get from settings-win.data.microsoft.com because it uses HTTPS to transfer the telemetry data. If you try to make a connection without the proper auth it just drops your connection.

Chad Baxter
0

This site, Stop WIN10 from spying, is basically covering exactly what you want to do yourself. Sometimes Google is a good choice, my friend.

Chad Baxter