
SiSyPHuS Win10: Telemetry in Windows 10

The objective of this work package is the analysis of the functionalities and properties of the Telemetry component of Windows 10. A dedicated document describes how to effectively disable telemetry activity.

Because of the long duration of this project, a differential analysis between the originally examined version, Windows 10 Build 1607, and Windows 10 Enterprise LTSC 2019 (Build 1809) was carried out for this work package. The latter version will be supported by Microsoft until 2029.

Some aspects of Telemetry have changed significantly. Although the high-level architecture of Telemetry at the process and data-source level has not changed substantially, the capability of Telemetry to execute executables or library functions in order to gather telemetry data has increased considerably.

Furthermore, instructions for disabling telemetry in Windows 10 Build 21H2 are provided (German only), including a list of URLs of telemetry endpoints.

Table of contents of the analysis document

1 Introduction
1.1 Executive Summary (German)
1.2 Executive Summary (English)
1.3 Event Tracing for Windows
1.3.1 Concepts and Terms
1.3.2 Initialization
2 Technical Analysis of Functionalities
2.1 Telemetry: Architecture
2.2 Telemetry Data: Sources
2.2.1 Telemetry Data: Collection and Processing
2.3 Telemetry: Network Interface
2.4 Telemetry: Monitoring Activities
3 Configuration and Logging Capabilities
3.1 Configuration Capabilities
3.2 Logging Capabilities
Appendix
Reference Documentation
Keywords and Abbreviations

Summary:

The objective of this work package is the analysis of the functionalities and properties of the Telemetry component of Windows 10. As required by the German Federal Office for Information Security, the exact release of the Windows 10 system in focus is build 1607, 64-bit, long-term servicing branch (LTSB), German language. The Telemetry component of this system collects system crash and usage data (referred to as telemetry data) and uploads this data to remote servers operated by Microsoft.

A dedicated document describes how to effectively disable telemetry activity. The core contributions of this work are:

  • An overview of system logging functionalities for collecting telemetry data.
  • An analysis of the collection and processing of telemetry data.
  • An analysis of relevant network interfaces.
  • An approach for monitoring Telemetry activities.

Windows 10 leverages "Event Tracing for Windows" (ETW) for the generation of telemetry data. The specific entities that deliver this data (ETW providers) are defined indirectly through the active telemetry level. The number of ETW providers connected to the ETW session of the telemetry service (DiagTrack) at any given time is highly dynamic and depends on the specific version of Windows 10 and on the system state (running processes, installed software, configuration, etc.) at that time.

Telemetry level   ETW providers
Security            4
Basic             410
Enhanced          418
Full              422

Telemetry levels and number of ETW providers associated with Autologger-Diagtrack-Listener

The analysis did not reveal any dependency between the number of ETW providers and the amount or quality of the telemetry data. The document gives a proposal for the detection, observation and analysis of the collected telemetry data as well as of the behavior of the telemetry component.

The definition of the telemetry levels (the selection of ETW providers tied to each telemetry level) is controlled by Microsoft. The necessary metadata (the GUID of each ETW provider) is contained in %ProgramData%\Microsoft\Diagnosis\DownloadedSettings\utc.app.json. This file is controlled by Microsoft and updated frequently. Therefore, the telemetry configuration can be modified at any time, without notification to the user, while the system is running.
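As an added example (not part of the BSI analysis or its tooling), the following PowerShell snapshot correlates the ETW providers currently attached to the Autologger-Diagtrack-Listener session with the configured telemetry level and with the provider GUIDs referenced in utc.app.json, so an administrator can watch both counts change over time. The AllowTelemetry registry values (0 Security, 1 Basic, 2 Enhanced, 3 Full) and the use of logman output are assumptions based on Microsoft's documentation, not on this page.

```powershell
# Added example: snapshot of the DiagTrack autologger session versus the
# telemetry level and the Microsoft-controlled utc.app.json. Run elevated.
$SessionName  = 'Autologger-Diagtrack-Listener'
$SettingsFile = Join-Path $env:ProgramData 'Microsoft\Diagnosis\DownloadedSettings\utc.app.json'
$LevelNames   = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
# Brace-optional GUID pattern; braces are stripped before comparison.
$GuidRe = '\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?'

function Get-TelemetryLevel {
    # Assumption: the Group Policy key takes precedence over the Settings-app key.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        if ($null -ne $v) { return [int]$v }
    }
    return $null   # not configured: the edition's default level applies
}

function Get-GuidsFromText {
    param([string[]]$Text)
    # Heuristic: every GUID token in the text is taken as a provider GUID.
    @(($Text | Select-String -Pattern $GuidRe -AllMatches).Matches.Value |
        ForEach-Object { $_.Trim('{', '}').ToUpperInvariant() } | Sort-Object -Unique)
}

function Get-SessionProviderGuids {
    param([string]$Name)
    # logman lists each provider of a running ETW session with its GUID.
    $out = & logman.exe query $Name -ets 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Session '$Name' not found or access denied: $out" }
    Get-GuidsFromText -Text ([string[]]$out)
}

function Get-SettingsFileGuids {
    param([string]$Path)
    # The file's structure is not parsed; only GUID tokens are extracted.
    if (-not (Test-Path $Path)) { return @() }
    Get-GuidsFromText -Text @(Get-Content -Raw -Path $Path)
}

$level = Get-TelemetryLevel
$live  = Get-SessionProviderGuids -Name $SessionName
$known = Get-SettingsFileGuids -Path $SettingsFile
$unlisted = @($live | Where-Object { $known -notcontains $_ })

$levelText = if ($null -eq $level) { 'not configured' } else { "$level ($($LevelNames[$level]))" }
"Telemetry level (AllowTelemetry): $levelText"
"Providers attached to ${SessionName}: $($live.Count)"
"GUIDs referenced in utc.app.json: $($known.Count)"
"Attached providers not referenced in utc.app.json: $($unlisted.Count)"
$unlisted
```

Comparing the attached-provider count with the table above, and re-running after utc.app.json changes, shows how the level definition can be altered by Microsoft without any local configuration change.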

Another feature of the Windows 10 telemetry component is the remote execution of additional tools and library functions to retrieve further information from the local system. This includes full memory dumps. However, it was not possible to trigger the execution of arbitrary code via this functionality in the observed version of Windows 10. The tools and functions that can be executed by the telemetry component are described in the appendix of the document.