Decrapify Windows 10 (March 4th 2018 edition)

A decent firewall will list out individual Windows functions, but it is the stuff baked into the svchost exe that is a mystery to a person such as myself. I do disable certain functions/services that are not in use or going to be used… but some of it is convoluted and not understood on my part. :slight_smile:

The keylogger is also in the LTSB versions as well, unfortunately.


No need for hyperbole, that just weakens your argument. Even Full doesn’t log every key you press, and you need to opt-in to Full. It does track mouse movement, though, which is pretty amazing. But if you opt-in, you presumably accepted all that.


Don’t expect any Firewall Software running inside of Windows 10 to block Windows 10.

A way to do what you ask is:

  • install GlassWire (based on Windows Firewall), set it to block all connections by default. (this will not guarantee to cover windows but will cover the programs you installed inside of windows)
  • set up a firewall in your Linux Host OS that also blocks everything coming out of the Windows VM by default.
  • As soon as a program tries to connect to the internet inside Windows, you’ll get a popup from GlassWire, and you can Accept and it will create a rule in Windows Firewall.
  • You can then take that rule and duplicate it in your Host VM Firewall or IP filter etc.

If you eliminate the GlassWire step, you’ll just see a long list of IPs in your Host OS, and will not know which program they came from.
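The host-side half of that procedure, as an added example that is not from the original post: a script for the Linux host that generates an nftables ruleset dropping everything the Windows VM sends by default and allowing only the destinations you accepted in GlassWire. The VM address, the table name and the allowlist format (one "proto dst_ip dst_port" per line) are assumptions; dropped packets are logged so you still see which destinations the VM tried.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables ruleset for
# the Linux host that drops everything leaving the Windows VM by default and
# allows only the destinations approved in GlassWire. The VM address, the
# table name and the allowlist format ("proto dst_ip dst_port" per line) are
# assumptions; dropped packets are logged so you still see what the VM tried.

VM_IP="${VM_IP:-192.168.122.10}"   # assumed guest address (libvirt default NAT range)

# Emit one accept rule per allowlist line; blank lines and '#' comments are skipped.
emit_allow_rules() {
    while read -r proto dst port; do
        case "$proto" in ''|'#'*) continue ;; esac
        printf '        ip saddr %s ip daddr %s %s dport %s accept\n' \
            "$VM_IP" "$dst" "$proto" "$port"
    done
}

# Print the complete ruleset: replies to allowed flows, the allowlist, then a
# logged drop for anything else sourced from the VM. Other forwarded traffic
# on the host is left alone (chain policy accept).
vm_egress_ruleset() {
    printf 'table inet win10_vm {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    printf '        ct state established,related accept\n'
    emit_allow_rules < "$1"
    printf '        ip saddr %s log prefix "win10-vm-drop " drop\n' "$VM_IP"
    printf '    }\n'
    printf '}\n'
}

# Constructed sample allowlist: the rules GlassWire let you accept in the guest.
ALLOWLIST="${TMPDIR:-/tmp}/win10_vm_allow.txt"
cat > "$ALLOWLIST" <<'EOF'
# proto  destination      port
tcp      203.0.113.10     443
udp      192.168.122.1    53
EOF

# Review the output first; as root you would then apply it with: nft -f <file>
vm_egress_ruleset "$ALLOWLIST"
```

Each time GlassWire approves a new program inside the guest, add its destination to the allowlist and regenerate; the logged drops on the host tell you what is still being blocked.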

I updated the guide with these sources.

I also just tried and added Shutup10 to the list. It does not add hosts rules or firewall rules, but it did show me I had missed a few minor things with the other programs. It’s nice that it seems to be kept up to date.

Not to mention Windows ignores local group policy on Windows Update (other than if you have a WSUS server set up).
I set restrictions on Windows Update so it would “notify for download” and “notify for install”, which WU just ignored.
This is due to bandwidth issues and NOT to disable WU.
In short, WU would run and consume all the available bandwidth, locking our retail stores out of our cloud-based POS server, and thus we were unable to do our jobs.
Yes, Windows can be set to do this outside of work hours, but the connection is so slow it takes ~1 day to download 1GB (which spills over into working hours).
While this internet speed is in reality unacceptable, corporate has decided not to upgrade the connection, and thus I have to work with what I have, or pay for faster out of my pocket.

Why not get LTSB then? Your scenario is kind of what it was made for.


This probably isn’t an accurate way to describe this, and possibly misleading. The “keylogging” feature is the speech, inking, and typing stuff that you get on most platforms. From what I can tell, Windows actually has some of the best controls over this, unlike others like Android where it’s quite hidden and there isn’t much explanation over it.

(looking up this claim returns level1 techs as the top source and then a couple of questionably written articles, that’s it…)

e.g.

You can read some more about it here.

https://privacy.microsoft.com/en-gb/windows-10-speech-inking-typing-and-privacy-faq

@Ruffalo posted one of the sources.

Here is the information from Microsoft on the Full level diagnostic settings.

Here is information on how to configure it, what is and isn’t diagnostic data, how it’s handled, etc.

You may also find this article useful on how updates and releases are handled for the various Windows options.

The above articles including @Ruffalo’s also link to various other related articles which may be useful for people who are interested in this topic area.


Yeah, there’s no supported way to stop Windows 10 from auto-updating or rebooting after an update. For that functionality, I recommend Winaero Tweaker. It can set Windows Update to notify-only and stop the forced reboots after an update.

https://winaero.com/comment.php?comment.news.1836

I personally approve of Microsoft’s default policy forcing updates and reboots, and think it’s a very good idea for the general public. However, sophisticated users should be able to opt out, just like telemetry.

The default policy is a good one. The initial implementation has its issues, getting the right time to apply them when it’s not being used, etc.

I would like to see them move to how Google does it with ChromeOS and Android where the updates are installed and applied and the next reboot reboots immediately into an already updated system.

The newer builds of Windows, though, have got it mostly right; there are plenty of options to set active hours (to not update within), set additional reminders, delay updates, etc. They could tweak the defaults a little (active hours defaults to 8-5, for example).

There shouldn’t be much complicated with “update & shutdown” at the end of the night when you’re done with your PC.

Anyone using specialist systems with windows requiring a stable branch and just security updates shouldn’t be using Windows 10 home or Pro anyway, they should be using the LTSB/LTSC version.

Edit:

No, they shouldn’t. Updates shouldn’t have an opt-out; that’s what caused all the security nightmares in the first place.

If you really need an ‘opt-out’ and you’re a “sophisticated” user, go implement a WSUS server and run your own updates to your systems.

(You meaning anyone)

I agree, the only people who are allowed to opt out of updates should be embedded devices.

  • The problem is Windows will wake your machine to update it, and then leave it on forever. And if you were Hibernated/Slept, you’ll get restarted and all your shit is lost.
  • Windows will also restart your machine to update it even if you’ve left your PC on overnight to do work.
  • You can also find yourself in the middle of a talk/presentation, and you have to reboot to make a demo work, only to be stuck on “Operations are in progress, please don’t touch your computer” screen either on shutdown or startup.
  • Less related but true: it will start doing diagnostics and virus checking and other CPU intensive stuff (that freeze me out of for example VR development) while you’re actively doing an intensive task. And you may say in theory we have gaming mode, but there’s no “I’m working leave me alone” mode.

True, but being the nicest out of the people with metadata hoovering and/or surveillance complexes doesn’t deserve a gold medal. This stuff can be co-opted for very bad things and there’s not much out there in terms of systems that prove they Can’t Do Evil instead of promise to Do No ‘Evil’.

Let me fix that for you: No, they shouldn’t. SECURITY updates shouldn’t have an opt-out; that’s what caused all the security nightmares in the first place.

Oh, and security updates are bundled with all the other kinds of updates.

I’m a sophisticated user, I own my hardware, and I will do whatever the hell I want with it. Users like me should have a supported way to opt out of forced updates, particularly when combined with forced reboots.

Issues 1-2 are solved by getting the proper version for that scenario, LTSB.
Issue 3 is solved by setting active hours.
Issue 4: This doesn’t happen.

I believe that’s what he meant. Also me.

Cool, but LTSB doesn’t come with many features you may want, like an app store or VR/AR ecosystem etc.

If a configuration didn’t have a chance to be applied, it will be applied at next reboot, whether you want to or not. I’ve experienced this with vanilla Windows updates (i.e. not decrapified) at work, and also with 3rd party programs that need to apply modifications at next reboot, or finish backing up - but I guess that’s a tiny bit off the Windows topic.

I don’t know what to tell you mate, I see the processes in process explorer when my engine starts to crawl during work hours.

Private Firewall is a bit interesting… but I get it is better to have the firewall outside the OS. Can’t influence the firewall so easily :)~

I’ve not had this problem, but I do shutdown my PC rather than just put it to sleep usually.

I’m pretty sure that’s probably one of the use cases for “pause updates”.

Have you sent them feedback on this?

Sure it can, but the solution for that is don’t use Windows. You can say that about anything; at the end of the day, you could just go dig your own grave and put yourself in it, as that’s the only way you can stop putting yourself at risk.

There’s a huge gap as far as I can tell in people having any understanding of risk and how it applies to different things and to them.

Anything can be co-opted for bad things, you still wake up every day and go do those things that put you at that exact same risk.

Personally I think in order to have that discussion, there really needs to be a discussion on risk so that people understand it better. It’s all about making appropriate choices. Windows may not be the correct choice depending on your use case, but in other cases it may be fine. If you need to disable anything that speaks with the outside world, I think Windows itself isn’t the right choice.

This isn’t even clear cut with Linux. Microsoft have I think done a reasonable job laying out how data is handled. With Linux do you even know if they remove PII from bug reports? Last I checked (about a month ago), there was no clear indication that this actually happens. With Microsoft feedback for example, they have people in some cases who go through to remove PII where it wasn’t automatically removed (like when a person provides PII in a feedback box).

You already have your option, run a WSUS server, you can specify exactly what updates you want to apply. Alternatively if your system is one that requires minimal movement (specialist system), that’s what the LTSC is for as well. You can also use SCCM.

@The_Guy See above about LTSB alternatives.

Even most Linux distros don’t let you do this by default. Debian-based distros have no option with apt that I can see (requires another application to do so); Fedora does, but only in the CLI. There isn’t much difference between Windows and Linux in this regard these days. (Linux is more configurable of course, in that you could just not install any updates… not sure why you would go with that option.)

It’s odd that we never see people complaining about why Linux forces you to update all packages or nothing.

Provide feedback. It’s probably a bug.

I should have a base Windows that does not suffer from these problems to begin with :frowning: I disagree with that. Your settings should not ever change from month to month without you being the one to change them.

They don’t… settings have never changed for me. I’ve heard reports of this happening to some people, but I question exactly what the circumstances were for them to change.

On the versioning side. You could argue either way. Windows just like Linux has always had different versions of the same OS. It’s a bit better in windows 10 than it has been historically.

I think the Pro version should probably have an option to disable, for example, basic telemetry; however, I think the Pro version is more the consumer products version, not corporate. In which case I can see why they keep the option there, whether I agree with it not having a disable option or not.

Yeah because Linux’s main driver is not greed. I’m sure you can argue MS is good guys, Comcast is good guys, but broadly speaking they’re not servants they’re profit mongers, market % mongers. They’re not like IBM, or Valve if you will.

(Before you say Valve are market % mongers, therefore my argument doesn’t make sense, keep in mind they have open discussions, say we’d be right to call them out if they did X, so instead they’re doing Y in an open way; you can see how they’re trying to be benign instead of posting PR speech like Blizzard, for example.)