Decrapify Windows 10 (March 4th 2018 edition)

[ Last major edit: March 4th 2018 ]

This is my research on decrapifying Windows and keeping your privacy. (mine as well as the community’s, please contribute) Written in a way that’s fun and therapeutic. I do hope you can read between the lines, and see things through different perspectives.

This original post was from 2016, it’s updated and upgraded.

A word on Giving Up

    • My browsers, the webpages, my phone, all spy on me. We’re surrounded by billions of cameras and microphones both in our house and outside. The data hoarding and monitoring complex is higher than ever. I feel hopeless.

So you’re one of the masses that has given up? Thinking there’s no safe heaven for your thoughts? What countries does this make you think of? heh

When I’m in public I act and speak accordingly. For instance if I’ve just met you irl, I’m not gonna open the conversation with what color underwear my gf is wearing. I may be able to scan for illegal stingrays and I can firewall and snowdenize my phone. And I can try to inspire change that respects individuals as intelligent private agents.

Regardless, the outside monitoring is irrelevant to the bastion, the extension of my brain, that is my PC. I don’t want ransomware, I don’t want a microsoft 3rd party to get my blockchain data, to get my dick pics etc. That’s why I self-educate and defend myself.

You are still contributing to change through your lack of educated proactiveness. (for evil to triumph it is necessary only for good people to do nothing) You forget how easy it is to trigger a change and how much power you have.

    • Corporations are great though! All they do is technically not illegal. You agree to the TOS, that’s how it works. It protects the poor behemoths and in turn protects You, my delicate consumer. It would be very bad if their models got disrupted.

This kind of thinking is the worst. :frowning:

You’re narrowing your vision on the “purity” of the low level corporate concept loop of it, and don’t apply enough macro level wisdom and monitor societal impact and evolution.

What do you win with these mechanisms? Are the consequences of forcing or conditioning or psychologically manipulating or lobbying the market into making society a dystopia, worth the protecting of the old greed and scarcity based business models of the industrial or digital revolutions from a time long past? Because it’s “Safe for You™”?

Is Comcast also the good guys? What about the Tobacco and Oil industries?

Microsoft’s main driver is greed. Now there’s good consequences of that, e.g. they try to keep their walled garden unbreached and ahead of competition, but they take/abuse too much in the first place without rewarding you fairly for it ( - which will be a huge market with blockchain, just endure this BS a few more years). I’m sure you can argue MS is good guys, Comcast is good guys, but broadly speaking they’re not servants they’re profit mongers, market % mongers. They’re not like Vitalik Buterin, or IBM, or Valve if you will. (Before you say Valve are market % mongers therefore my argument doesn’t make sense, keep in mind they have open discussions, say we’d be right to call them out if they did X, and so instead they’re doing Y in an open way, you can at least see how they’re thinking, trying to be benign, work with you)

Isn’t it better to shift paradigms to open systems and corporations that Prove that they Can’t Do Evil instead of “promise” from behind corporate walls that they “Do No ‘Evil’™”? For one example, maybe a move towards Decentralized Autonomous Organizations, Decentralized Autonomous Apps, Zero-Knowledge Proofs, Oracolized data, encrypted disclosure of info that is tracked irrefutably by a blockchain where they only get the data you have chosen (and you got compensated for), is a less primitive alternative?

Scope of this guide

My research goal is to see what it takes to eliminate “everything” that can be co-opted to spy on you, add customizability to your UX, still allow you to get updates (on your own terms), and overall turn Windows 10 into an OS that works FOR YOU, instead of mainly for M$ and then also sometimes for you. :slight_smile:

I also want to present people with a different PoV, educate, and show what this general surveillance whistleblowing business is all about.

I have a computer science degree but I really don’t consider myself reliable in the departments of information-security and networking. So don’t assume I’ve reliably audited all this stuff or how protected it makes you.

M$'s bullshit / licensing

I know M$'s licence agreement says Windows is a Service Leased from Microsoft, and not in any way a Product you Own, and your Windows machine will be used by M$ in any way it pleases, in addition to perhaps maybe also doing what you yourself ask it to do. :wink:

It’s so egregious it probably also says that if M$ is unable to effortlessly spy on all of your dick pics and mouse movements and keystrokes at any moment, and sell them to any 3rd parties they want without consulting you, then it’s your fault and you should go to jail or some shit. I’m sure that it says that.

So what I’m getting at, this good programming practices and good security practices approach of data disclosure that we’re trying to achieve here, is probably super against the TOS even if you unticked all the checkboxes you could.

Even if there was a checkbox you ticked that said “Microsoft is not allowed to sue me.”, the TOS probably would still say “no, but we can still sue you tho”.

[ Linus summarizes the Win10 TOS in this unbiased 2018 video ]

The Guyde

Windows Flavors

Security & Privacy wise, Windows Enterprise is the new Windows Professional, and Windows Professional is the new Windows Home, and Windows Home is the new creepy man living in your house taking notes.

  1. There’s the beta testers preview windows, which gets you everything M$ wants super fast.

  2. Then Home and Pro get all these updates after a couple of months, and can’t delay them too much and won’t receive security updates for their branch if they refuse to upgrade to a new Feature update.

  3. Enterprise is same as above except you can configure it to never install Feature upgrades and also delay or stop any other updates. It also gets security patches (for older Feature update versions) for longer.

[ check out what versions / builds are supported for how long, here ]

[ features that Enterprise has that Home and Pro don’t: here ]

[ “Feature Update” means e.g. the “Fall Creators Update” ]

[ check out what windows version you have by running winver in cmd ]

[ manually download an update (e.g. security update) from the microsoft update catalog that M$ keeps on the downlow online because you don’t own the right to pick your updates, remember? ]

  1. As @Hako pointed out, there is a more conservative version of Win 10 for governments, businesses, ATMs (lol) etc. called LTSC (formerly known as LTSB) - Long Term Servicing Channel / Branch. It’s a version of win 10 Enterprise that’s on the slow development track, gets new Feature updates every 2-3 years, and one Feature version is supported for 10 years (for ex security patch wise). This also doesn’t include things like Store, Cortana, Edge - but may also exclude nice things like VR/AR tools or the 1% of UX improvements you want that are actually not a step backwards into a chasm.

Note: LTSC still comes with all the telemetry tools installed just as well as the rest.

  1. The Windows 10 China Government Edition is the god tier unicorn we all want, and hopefully some brave savior one day will fly back from China with a ISO of this creature with English localization added to it. It’s basically a fully working Windows 10 Enterprise without any of the “crucial core systems that totally don’t spy on you” removed by Microsoft because otherwise China wouldn’t buy it.

Installing

Microsoft doesn’t want you using Windows 10 LTSB nor Enterprise. But any other versions of Windows 10 are more or less out of the question privacy wise (no or not enough ability to customize / neuter).

So we’re acquiring Win 10 Enterprise. You can of course follow along with Win 10 Pro too, but you may not get satisfactory reasults / support all the changes, depending on what you want.

Now as @Hako said in the comments, get https://www.ntlite.com/ and customize your ISO to remove things (components, drivers, services, apps) you don’t want to install in the first place (like OneDrive or Apps). It’s also meant to check for cross-module dependencies, and the update dependencies.

You can also install windows first and then run NTLite afterwards (if you have a license, $40, worth it unless you’re a starving student (so, any student)).

If you want to be airtight about windows phoning home, check the Networking Privacy section before connecting your mahcine to a network during or after the windows install.

Cutting cancer

Now to figure out what are the modules, domains, IPs we need to stop or nuke or perform brain surgery on.

Anti-Spying, Privacy

[ If you’re in the mood for whistleblowers, read https://www.privacytools.io/#win10 ]
[ related: https://www.gnu.org/proprietary/malware-microsoft.html ]

Microsoft is releasing a Diagnostic Data Viewer, but as Linus points out it’s not easy to understand the payloads. Plus they have no way of transparently proving that no data/backdoors circumvent this Diagnostic Data Viewer. (the same with windows firewall) And historically they’ve given us the opposite of reasons to trust them: [raisins 1], [raisins 2], [raisins 3], raisins given on L1T News etc.

Here’s what data Microsoft claims to collect for the main checkboxes of telemetry. Note these checkboxes do not include other random checkboxes (e.g. ads, location etc.), or checkboxes for apps, or tracking in the Windows Games ecosystem, App Store, VR/AR/MR ecosystem, Cortana’s base behaviour etc.:

NOTE: Every new Feature Update, MS seems to “reset” the telemetry settings, and also it constantly checks if it’s connected to the internet (even before user log on). It even force-enables your network adapters after a Feature update.

Personally I’d like an OS that proves the telemetry modules are not present on the machine until I (or some open source community I approve of, or the EFF or smth) explicitly vet them and I download them myself. Though even that’s not super reliable without most of the OS being open source.

Here’s how to automate turning off the spying, the ads, the things you didn’t ask for:

  • First up, get and run the Destroy Windows 10 Spying by Nummer from github. [ Newer fork: Windows-10-Privatizer ] . It does an excellent job nuking doezens of invasive things from orbit, and blocks hundreds of IPs and Domains using Windows Firewall and the Hosts domains file.

  • W10Privacy complements DW10S and is my favourite. If offers all the granularity you want for removing crap, explains why (to the best of those folks’ knowledge). You can block things you didn’t even know Edge was capable of doing (or nuke it), you can block IE things you didn’t know Windows was still using outside of IE, kill One Drive, kill Cortana, change behaviour of apps (e.g. running in bg), disables forced/auto updates, and even helps you manually pick and install Windows Updates.

  • Shutup10 is another great (and kept up to date) tool made by ze germans. Explains what everything does. I ran it after running the previous 2 tools, and noticed there were still a couple of things I had missed, so run all 3 for good measure. (note this tool does not seem to create dns hosts or firewall rules)

  • The cherry on the phoning home neutering cake is Spybot Anti-Beacon. These guys monitored all the IPs coming out of Windows 10, saw where they’re going, and offer options to block by category/service. @PendragonUK’s post in this thread shows a Wireshark comparison vid. Can’t tell if these guys are still doing active research on this or not.

Someone complained that wireshark video is old. Here’s Linus’ unbiased video on Feb 6th 2018 explaining the systems built into M$ for spying and what they collect. It is up to us to believe that unticking a checkbox turns all that infrastructure off, or that those systems don’t have back doors.

See a list of available decrapifying tools here: comparison-of-windows-10-privacy-tools (article was updated for 2018).
Please tell me if you find another tool complementary to what I have included (or better), or you can also look for esoteric (and perhaps more updated) github forks of the open source ones.

Note:

  • these decrapifying programs and scripts work best if you have windows 10 Pro or Enterprise, for company policy support and deeper access.
  • be sure to read all the options in every tab or top bar menu of these programs. For ex in W10Privacy -> Extras you can hand pick, download and install windows updates.

Network Security: PFSense / OPNSense

The tools mentioned so far, block the thing that phones home if they can, else they use the Hosts file and windows Firewall rules - which maybe you can’t trust since it’s made by M$ and is closed source.

Wendell and Ryan have posted videos on the L1T Linux channel about the BSD based PFSense :slight_smile:. This is an enterprise grade open source OS that acts as your router + firewall + always on VPN + adblocker + antivirus + all of the things ever. It’s the kind of thing you pay Cisco $10.000+ to set up & maintain.

I’ve determined I prefer OPNSense, which is better in its UX (I’m not a dinosaur) and handles security with a bit more common sense.

[ I’m working on writing a separate post for how to set up your Laptop/PC such that you can connect to a starbucks wifi using proper OPNSense/PFSense running on your same laptop using <3% CPU on average. [EDIT]: here’s the post for that]

I have a list of 13,310 IPs, domains, and IP ranges most of which tied to M$ telemetry and 3rd parties: Windows Firewall Outbound rules - _Block - PFSense Formatted.txt (197.2 KB). This is what you want on PFSense/OPNSense. You probably also want to copy pasta your Hosts file into OPNSense/PFSense.
But you probably don’t want to use my exact file:

Updating Windows still works with the methods used in the Updates section below, and you always have the option of turning (automatic) updates back on with one of the anti-spying tools.

Even with these you probably don’t want to disable Windows Firewall (just disable the rules you migrate to OPNSense/PFSense), and also install GlassWire (a wrapper for win firewall that makes it not-shit and adds funcitonality) (thanks MasterNurmi) and set everything to Ask To Connect - you’ll find out about so many things trying to connect to the internet you never new you had lol.

And even if you add some adblocking lists in OPNSense/PFSense, you absolutely still need to install various anti-tracking, privacy, anti-fingerprinting extensions and tweaks to your Browsers. I wrote a separate guide on that a while back:

You probably don’t want an antivirus except for Malwarebytes. As John McAffee puts it, at the time an AV detected or didn’t detect something, it’s already too late. So invest in OPNSense/PFSense and Suricata, and behavioral changes AI protection systems.

Finally, the best way to run Windows in the first place is as a Virtualbox Guest within a Linux Host, using Hardware Passthrough - pretty sure Wendell will post a video on that as soon as it becomes friendly enough.

Windows Updates

As mentioned in the Scope of the guide, yes you can still update windows after all this. Plus now you’ll have control over which updates you don’t want and when you want to install.

Having control is important not just to avoid Microsoft’s hubris of pushing bundles of (possibly spying) updates down your throat whether you want them or not. It also allows you to roll back or avoid updates that break your computer (e.g. incompatibility between a random combo of 2 windows updates on your machine: like a driver update from one time + a random new microsoft update). You used to be able to do that in Windows 7. Now you have to hope that M$'s fast track windows as a service updates don’t cause you problems on your enterprise machines -_-".

With the tools above you can block the auto update servers, (and the built-in Settings > Windows Update won’t connect any more), and you can instead use the following:

  • NTLite has a neat Update manger and it checks them for compatibility against what you have installed or nuked from your windows installation. But as far as I can tell, it doesn’t download the updates for you, you have to get them manually from the update catalog.

  • W10Privacy by the good folks at winprivacy.de has a builtin update picker & downloader which fetches and lists all updates for your version, you can select what you want and install only those. Find it under the Extras menu up top next to Configuration. [ Step by step guide ]

  • If all else fails you can always see your Update History in windows “Settings -> Windows Update -> Update history” and manually (or with a script) download all subsequent updates for your winver from the microsoft update catalog website.

  • If you’re a Sys Admin and need to deploy updates to multiple machines, you can set up some shenanigans with a custom WSUS server so all your network PCs get the updates you’ve placed on the “fake” WSUS server through their default Settings -> Windows Update scheme. - Didn’t try myself.

I’m generally scared of new windows Feature updates. The guide covers the 1709 Fall Creators Update (though I’m still on 1703 for now), and should continue to work beyond 1709, but generally wait for anti-spying software to update before installing a new Feature update.
(You now have the power to continue to install (Security) Updates without being forced to install Feature Updates.)

Tweaking the UX Nightmares

Fixing Windows 10 so that you’ll no longer be enraged with the fury of 1000 suns and want to punch every single M$ employee in the crotch until the heat death of the universe. (or until Linux takes over Desktop (so, the heat death of the universe :slight_smile: :frowning: ))

First of all, you’ll see you can remove a lot of crap with the anti-spying tools. Like the builtin microsoft advertisements about other microsoft products. Or the lockscreen internet ads or bluetooth ads.

I tried a few start menu replacements / customizers (like classicshell or start10), but Startisback++ still looks and animates the best. It merges the search bar into start, it force closes Apps for realzies, it has pinned links and can bring the old win XP style side-navigating of All Programs.

Now to get windows looking good and uninfuriating, you still need to:

Also read https://www.privacytools.io/#win10 and the rest of that page - it has the nice bonus of web / browser / password manager / disk encryption privacy help. (thanks binarynoodle)

Extra: Always use disk backups kids! Use stuff like DriveImage XML (free) or Acronis (paid), back up sector by sector, backup often, and have air-gapped backups at least every few months.

Also check out Freaksmacker’s thread (it’s old but useful and holds up) and Barnacules’s video(s) which includes extra goodies you may want and need (like Rainmeter, Plex).

The End.


A fun fact I found on reddit: Apparently if you have any unlegit windows 7 + the DAZ Loader / Activator, the free windows 10 upgrade (expired) will think you are legit and you’re good for the free upgrade.
This is interesting because it explains how the licensing works. When you upgrade to win 10, it sees that 7 was licensed to your mobo, and in turn win 10 generates its own serial key based on a hash of your mobo. You can extract this key, and store it. You can then reformat and reinstall win 10 directly, from scratch, using this key, even after august 2016. I also suspect that if you change your mobo, you can call microsoft, give them your key and they will migrate it to your new mobo (as is the standard procedure).



What’s your favourite disgusting thing about windows 10?
Mine are:

  • mouse logger and keylogger with no warning/visual feedback.
  • all Apps: they don’t close on close (android behaviour ie all the spying), and they are mandated by microsoft to have a splashscreen (even the calculator)
  • the edge of screen stops your mouse when travelling between monitors and maximizes your window (why didn’t they do it like linux?)
  • the clumsy, forced and contradictory interaction paradigms:
    The lockscreen (with targeted ads) that swipes vertically (to get to another lockscreen) and other bullshit tablet behaviours, paddings, sizes; while other things are at the same time small and touchscreen unfriendly and don’t support swipes etc. which are all there by default whether or not you have touch capabilities!
    The window resize cursor area is centered way outside of the actual border of the window.
  • maps, contacts, calendar, outlook, cortana all desperately hungry for your dickpicks

Instead of a potato for reaching the end of this post, you get freedom.

22 Likes

for one drive...

taskkill /f /im OneDrive.exe
%SystemRoot%\System32\OneDriveSetup.exe /uninstall

and this will remove all windows apps including store etc.
Get-AppxPackage -AllUsers | Remove-AppxPackage

once its done, there's also task-scheduler (once you see it, it creeps me out)
To remove cortana completely you need to bootup from separate system, and remove her modules. (previous cmd doesn't fully removes cortana)

Everytime i look at something it creeps me the fck out... i find more and more things. Including explorer built-in sub routines to send "Hi" home.

4 Likes

For your picture viewer: http://www.irfanview.com

Everything

1 Like

*remove modules one by one* "What are you doing, Dave?"

And I might actually have used cortana if it hadn't been an instrument of customer data abuse... A paying customer...

The annoying thing is also that it's an arms race for us to find all the new malicious updates or config changes that microsoft might do over time.
It's straight up like having your system be under attack constantly. I mean, KEYLOGGER, ffs.

3 Likes

Yep, thank god we have linux as an alternative.

Short answer to solve this: never install windows 10

9 Likes

Only way to fix Windows 10 would be to format C:\ honestly

3 Likes

delete windows 32

Thats something I've been trying to do with most win10 every time I go to a computer store but those damn things need the admin password :(

1 Like

I remember seeing instructions on the net somewhere from powershell you could remove all of the Metro apps with the infrastructure that supports them. When I was testing Windows 10 I did this and it cured a lot of what ills Win10. Last week quidsup did a video about Spybot Anti-Beacon and he was impressed how much it stopped the Win10 spying crap. So if you must run Win10 then I would install that along with removing all of the Metro BS.

Personally I nuked the Windows partition and I'm happily running Ubuntu-Mate on my desktop rig.

2 Likes

MS just doesn't care anymore:

  • Online/SaaS Connected-ness Platform incl "Microsoft" login accounts (vs local) -opt out + local account
  • Modern App framework -can be uninstalled or just use the LTSB
  • no graphical way to disable UAC -can still be disabled
  • Still no usable Start Menu by default (broken since win 8 rtm) -classic shell/start++
  • Lack of built in granularity for Windows Updates (WUB is a pain) -just disable them
  • Telemetry options always on non enterprise editions -use enterprise edition
  • The Push-Button Reset features are extremely difficult to work with -use VHD instead

So all of the gripes can be fixed via neutering the OS and tweaking.

Stuff Win 10 gets right (and that linux doesn't have):

  • Backwards compatibility
  • scanstate /capture /apps
  • Group policy
  • Win32 compatible WinRE/PE
  • dism /apply-image || dism /capture-image
1 Like

If you have a pro or enterprise version, you could use the mmc group policy editor to configure the auto update settings as they were before on windows7 and 8.x.

1 Like

if there was better app support for linux i would be on that now but this will help me for now. also i had to install start is back right after getting windows 10 because the search never worked i dont want to re install

Posting here for my future reference. Thanks :)

I'm working on installing Linux on my laptops, my workstation laptop and my light netbook one aswell. Sadly I cannot leave windows on the Desktop. I'm a gamer and the games I want to play do not have good support on linux and neither does my gpu, the r9 390. There's also the fact that my college requires a few proprietary windows-mac only applications.

Check out https://www.privacytools.io/ it's a good website and near the bottom it has a few articles that explain how to further deshitify windows 10. I feel after doing all of that, this, and watching barnacles's video on how to do it I've thoroughly locked windows 10 down and it's not sending anything at all to microsoft.

Damn you game developers for not putting everything on linux and leaving me stranded using this shitfest that windows and microsoft has become. I tried installing windows 7 again but it just won't work on my desktop, no idea why. There's also the fact that it feels so old.. With a bit of effort windows 10 can be decent just like windows 8. There's a lot more effort needed now but that's alright it was just a one time thing after I made my system restore points and a full disk backup.

2 Likes

https://forum.teksyndicate.com/t/how-to-make-windows-10-not-suck-as-bad/85393 Still compiling :)
Bare with me. lol What i really need is some really useful networking stuff as i am not a network person.

1 Like

Yeah i think the original idea for this was to add a guide to our wiki.

Yes. I definitely aimed to log the steps I took to fully decrapify win 10.
And you guys just gave me quite a bit more material to go through, but I'm busy with work until the weekend at least.

The idea was also to figure out which of these things overlap, or which of these things are obsolete.

PS: We have a wiki?

https://forum.teksyndicate.com/t/official-community-experimental-wiki/98034

2 Likes

Somethings overlap and others are obsolete. Other things will be different by the next MS update horror day.