You're right, pure magic, no less :bigsmile:
Before I start to go into the details, this is a test-system which was created solely for these tests, but the HD will be kept in case it is needed for further tests later on. This means that user GUID, OS specific name for machine and other personal information can be passed on without fear of a privacy breach. I do have a valid registration for all installations - serials used however are well in the grey, but all are valid as of today and Windows retail activation went ok (the log for that is with the install). As noted above, a dual port Intel Pro 1000 PT PCI-E network card installed in my general server test-rig serves as the man-in-the-middle logging computer. This makes it impossible for any network traffic to hide from view. The machine will pass through this network card at all times though I will only capture the interesting parts.
Now then, where was I? Oh yes, somewhat more troublesome than I thought, as the hard drive with Windows 7 Pro retail died on me during the process (quite bad quality for a Toshiba 2.5" from about 3 years ago? I have replaced 6 during the last year). This means I cannot show what the upgrade process calls home about.
Swapped to a Hitachi 2.5" and installed Windows Pro retail from scratch this morning.
ISO: en_windows_10_multiple_editions_x64_dvd_6846432.iso | Name: J_CCSA_X64FRE_EN-US_DV5 | 4 083 853 312 bytes
The install is silent at the network card until it boots Windows for the first time. Then it starts the usual stuff:
Destination | Protocol | Info | reverse lookup
--- | --- | --- | ---
220.127.116.11 | TLSv1.2 | Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request | a104-84-140-208.deploy.static.akamaitechnologies.com
18.104.22.168 | NTP | NTP Version 3, client | No ptr Record exist
22.214.171.124 | TLSv1.2 | Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request | a104-95-178-35.deploy.static.akamaitechnologies.com
126.96.36.199 | TLSv1.2 | Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request | a104-95-179-206.deploy.static.akamaitechnologies.com
188.8.131.52 | HTTP | HTTP/1.1 GET (request line: GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAAu8ZFRjK%2BsWa0UAAQAAC7w%3D) | a108-162-232-199.deploy.static.akamaitechnologies.com
184.108.40.206 | HTTP | HTTP/1.1 GET | ...and so on
- There are no local rules for the firewall at this stage and Windows update is free to catch up. I will have to find a program to analyze the installation log as it is 340MB and probably will be retired by the time I finish a manual run. I'll let that pass for now to get going :iagree:
Once up and running, I did a few installations to make it easier for myself to analyze the registry and so on. I do not recommend the programs in any way, but the installations are as follows:
Registry WorkShop v4.62 - I have been registered for years and just know the ins and outs of it. I would personally be interested in information on freeware doing the same (more on this later)
RunFromProcess - From time to time it is interesting to run the registry editor in the context of the System account to have access to keys that you normally can't get to.
O&O ShutUp10 - I thought I'd start by showing the registry changes caused by this program.
Windows Firewall Control - Just an extension to the Windows firewall. For a test-system, this is a better choice than applying my settings from scratch, as it will report whatever is trying to communicate on the net.
TeamViewer (may be present in logs so a note is needed)... and a few more non-essential programs - More essential installations may follow...
Manually configuring the Windows firewall used to be done via the NetSh command like this:
netsh advfirewall firewall add rule name="descriptive name" dir=out|in action=allow|block program="Full path and name for file" enable=yes
Alternatively, it can be done from the Control Panel by selecting Windows Firewall and Advanced Settings.
Why Windows Firewall Control, you may ask. The reason is that it is supposed to work in conjunction with the man-in-the-middle machine running Wireshark. Together, I figure, they may give a complete picture and a way to easily pinpoint where in the Wireshark log the communication can be found. There will be no communication taking place before I manually click "Allow this program". That is the sort of control needed for the task of what-when-why.
First of all, let us take a tour and see what happens to the registry when we apply the recommended and limited recommended settings found in O&O ShutUp10. I will do a quick explanation of what I did to produce the result afterwards. The result also shows why I prefer to work in Registry WorkShop rather than in a text editor.
Evidently, the tree-view makes the result more tidy to work with, and the program can open many registry files at once; if you add to that the possibility to right-click any setting in any open registry file and add it to your own registry individually, you have a good utility. I do not want to recommend trialware, hence the question of a freeware with the same possibility.
The entire registry file is 414 lines long and is too big for the thread. It can be downloaded here. Only a few settings are reviewed below.
Deny access to list of preferred languages (I prefer English for anything computer related; it is enough that many sites insist on putting up a Norwegian login before realising my settings, I hate that!)
[HKEY_CURRENT_USER\Control Panel\International\User Profile]
Stop giving away Advertising ID (it seems a very good idea )
Let Apps use your account info (fat chance!)
Let Apps use your calendar info (not me)
Let Apps use your camera (could be interesting for some I guess, I have a Post-It in front of the lens when not in use - I never seem to get around to buying a USB one as I use it maybe once a year)
Let Apps use your microphone (could be interesting for some, I have a USB microphone if I need one, the built in is disabled in my BIOS)
Let Apps use your location info (now come on, need my address as well?)
Let Apps use your radios (without my knowledge? Forget it!)
Let Apps use notifications (I guess even this may be interesting for some)
Stop Windows from automatically updating your drivers from the internet
Stop Windows automatic update (I like this kind of control)
Windows biometrics (soon you can pop in your blood type on a needle as well I guess - phew!)
Turn off the lockscreen camera (beats me)
Stop Handwriting data sharing (unless there is a good reason to...)
Disable Location and Sensors (unless there is a good reason not to)
Stop OneDrive from syncing (may be interesting to those using it, I got my own no-one-else drive)
Stop answering location requests (!)
Stop Password Reveal (general protection, it may or may not be a good idea depending on your own control)
Disable web content evaluation
Deny sync between devices (nice feature until you do one mistake like deleting your contacts, then you'll agree)
Stop automatic WebSearch using Bing (I like to be in charge)
WiFi Sense (and ship your Wi-Fi password to MS - Great!)
Stop Cortana and/or disable Cortana Websearch (mix and match to your preference)
Application Telemetry (info harvesting? Yeah right!)
General Telemetry (also in Wow6432Node) - (info harvesting? Yeah right!)
Media Digital Rights Management Internet Access (I do not want any DRM shit on my machine, period.)
Defer Windows Upgrades
Stop Windows Update for other Microsoft products
Windows Update Sharing (sharing updates through P2P from local machines with the update already downloaded)
For a full view, please download the true .reg file here
Of course, to get the results, I did a snapshot before applying ShutUp10 and one after. Then I compared the two snapshots and the difference was saved as the downloadable reg-file.
Well, that is all for now; next up will be to look into the ever so slow communication mentioned by Cholla. I still do not know what it will take to get to the truth of that, but we'd better. The unknown is such a discomforting place to stay. :flower:
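A small helper for the "Destination | Protocol | Info | reverse lookup" list pasted above, added here as an example and not part of the original post: it groups the rows by the domain the reverse lookup resolves to, counts protocols per domain, and lists destinations with no PTR record so they can be checked by hand, which is the triage a long Wireshark export needs before the firewall log can be matched against it. The rows it parses are a constructed sample in the same column layout; the addresses (from the 203.0.113.0/24 documentation range) and host names are placeholders, not captured traffic.

```python
# Added example: summarise a pipe-separated destination list such as the
# one in the post. Sample rows below are constructed, not captured data.
from collections import Counter, defaultdict

NO_PTR = "No ptr Record exist"   # marker text used in the post's table

ROWS = """\
Destination | Protocol | Info | reverse lookup
203.0.113.10 | TLSv1.2 | Client Key Exchange, Change Cipher Spec | a203-0-113-10.deploy.static.akamaitechnologies.com
203.0.113.11 | NTP | NTP Version 3, client | No ptr Record exist
203.0.113.12 | HTTP | HTTP/1.1 GET | a203-0-113-12.deploy.static.akamaitechnologies.com
203.0.113.13 | TLSv1.2 | Client Hello | update.example.net
203.0.113.14 | TLSv1.2 | Client Hello | No ptr Record exist
"""


def parse_rows(text):
    """Turn the pipe-separated text into a list of dicts keyed by the header cells."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(header):
            continue            # skip malformed rows such as "...and so on"
        rows.append(dict(zip(header, cells)))
    return rows


def base_domain(ptr):
    """Reduce a PTR name to its last two labels (e.g. akamaitechnologies.com);
    return None when the lookup gave no record."""
    if ptr == NO_PTR:
        return None
    labels = ptr.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ptr


def summarize(rows):
    """Return (protocol counts per base domain, destinations with no PTR record)."""
    per_domain = defaultdict(Counter)
    unresolved = []
    for r in rows:
        dom = base_domain(r["reverse lookup"])
        if dom is None:
            unresolved.append(r["Destination"])
        else:
            per_domain[dom][r["Protocol"]] += 1
    return dict(per_domain), unresolved


def example():
    """Run the summary over the constructed sample rows."""
    return summarize(parse_rows(ROWS))


if __name__ == "__main__":
    per_domain, unresolved = example()
    for dom, protos in sorted(per_domain.items()):
        print(dom, dict(protos))
    print("no PTR record, check by hand:", unresolved)
```

Feed it the text column of a Wireshark "Statistics > Endpoints" export, or the pasted table itself, and the unresolved list is the set of addresses to look up manually; the per-domain counts show at a glance how much of the first-boot traffic goes to a CDN versus anywhere else.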
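The snapshot comparison described at the end (export before, export after, keep only the difference) as an added Python example; this is not the author's Registry WorkShop workflow and not the 414-line file from the post. It parses two Registry Editor 5.00 exports, reports added, removed and changed values per key, and renders the difference as an importable .reg file, handling the multi-line hex values that trip up a plain text diff. BEFORE and AFTER are constructed samples; the value names used for the advertising ID, language opt-out and telemetry settings are assumptions made for the example, not taken from the post.

```python
# Added example: diff two .reg snapshots and emit the difference as a .reg file.
# BEFORE/AFTER are constructed samples; key and value names are assumed.
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International\User Profile]
"HttpAcceptLanguageOptOut"=dword:00000000
"Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00,\
  00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International\User Profile]
"HttpAcceptLanguageOptOut"=dword:00000001
"Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00,\
  00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
"AllowTelemetry"=dword:00000000
"""


def parse_reg(text):
    """Return {key: {value_name: data}}; a key exported as [-KEY] maps to None.
    Hex values continued with a trailing backslash are joined into one string."""
    result, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if pending is None:
                result[current][name] = data
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if key.startswith("-"):              # key scheduled for deletion
                result[key[1:]], current = None, None
            else:
                current = key
                result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") == "@" else m.group("name")[1:-1]
            data = m.group("data")
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                result[current][name] = data
    return result


def diff_reg(before, after):
    """Compare two parsed snapshots; entries are (key, value_name, old, new)."""
    report = {"added": [], "removed": [], "changed": [], "deleted_keys": []}
    for key in sorted(set(before) | set(after)):
        if key in after and after[key] is None:
            report["deleted_keys"].append(key)
            continue
        b, a = before.get(key) or {}, after.get(key) or {}
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["added"].append((key, name, None, a[name]))
            elif name not in a:
                report["removed"].append((key, name, b[name], None))
            elif a[name] != b[name]:
                report["changed"].append((key, name, b[name], a[name]))
    return report


def diff_to_reg(report):
    """Render the difference as an importable .reg: added/changed values are
    written out, removed values as NAME=-, deleted keys as [-KEY]."""
    by_key = {}
    for key, name, _old, new in report["added"] + report["changed"]:
        by_key.setdefault(key, []).append((name, new))
    for key, name, _old, _new in report["removed"]:
        by_key.setdefault(key, []).append((name, "-"))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        for name, data in by_key[key]:
            lhs = "@" if name == "@" else '"%s"' % name
            lines.append(f"{lhs}={data}")
        lines.append("")
    for key in report["deleted_keys"]:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)


def example_report():
    """Diff the two constructed snapshots."""
    return diff_reg(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    print(diff_to_reg(example_report()))
```

Export the two snapshots with `reg export HKCU before.reg` and `reg export HKCU after.reg` (and the same for HKLM), read the files with `encoding="utf-16"` since Regedit writes UTF-16, and the output of `diff_to_reg` is the same kind of minimal .reg file the post offers for download: only the values the tool touched, nothing else.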