09 September 2016

Rather quiet traffic on Windows 10 RS1

Finally replacing Windows 8.1 with Windows 10! Within my first three days I needed to make sure that my internet connection wasn't abused by Windows and was under my control. Having experienced Windows 8.1 before, where explorer, rundll32 and svchost acted as ping bots or downloaders, this time there is even more coming in Windows 10, even though during installation I opted to turn off the "sharing my stuff with MS" features.

Note: the following tips completely favor "bandwidth saving" over "security".

Let's start with services.msc
In XP I just needed to disable Windows Update and BITS; now we get telemetry too (note: every app compiled with VS 2015, it seems, inherits this ability, intended or not, managed or unmanaged).

- Background Intelligent Transfer Service (BITS)
"Supposedly" the main downloader, and it used to be, but no longer.

- Windows Update (wuauserv)
This needs to be turned on when installing offline update files.

- Connected User Experiences and Telemetry (DiagTrack)
Why do I still need to disable this? Well, it still pops up sometimes.

- Program Compatibility Assistant Service
This one is unrelated, but I need to mention it here as this thing keeps getting in the way, choking up, and eventually dying and bringing down system resources, especially when I run three parallel sessions of a MinGW compilation script for 24 hours. Additionally, in this case, using a Defender exclusion will help too.
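The service changes above, as an added example (this is not the post's own script): it reports the state of the four services, stops and disables them, shows how to bring wuauserv back briefly for an offline update install, and adds the Defender exclusion the post mentions. Service short names (BITS, wuauserv, DiagTrack, PcaSvc) are the standard ones; the rule names, the function names and the build directory path are assumptions. Run it from an elevated prompt.

```powershell
# Added example, not the post's own script. Query, stop and disable the
# services listed above, then add the Defender exclusion for the compile tree.
# $BuildDir is an assumed path; change it to the real build directory.
#Requires -RunAsAdministrator

$Services = @(
    'BITS',       # Background Intelligent Transfer Service
    'wuauserv',   # Windows Update
    'DiagTrack',  # Connected User Experiences and Telemetry
    'PcaSvc'      # Program Compatibility Assistant Service
)

function Get-ServiceState {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "service '$n' not found"; continue }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            StartType   = $svc.StartType
        }
    }
}

function Disable-NoisyService {
    param([string[]]$Name)
    foreach ($n in $Name) {
        if (-not (Get-Service -Name $n -ErrorAction SilentlyContinue)) { continue }
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $n -StartupType Disabled
    }
}

# wuauserv has to be running while wusa.exe installs an offline .msu;
# start it for the install and put it back to Disabled afterwards.
function Enable-UpdateServiceTemporarily {
    param([scriptblock]$Install)
    Set-Service   -Name wuauserv -StartupType Manual
    Start-Service -Name wuauserv
    try     { & $Install }
    finally {
        Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
        Set-Service  -Name wuauserv -StartupType Disabled
    }
}

Write-Host 'Before:'; Get-ServiceState $Services | Format-Table -AutoSize
Disable-NoisyService $Services
Write-Host 'After:';  Get-ServiceState $Services | Format-Table -AutoSize

# Defender exclusion for the long-running MinGW build tree (assumed path).
$BuildDir = 'C:\mingw-build'
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath $BuildDir
    (Get-MpPreference).ExclusionPath
}
```

To install an offline update later without leaving Windows Update enabled, wrap the install in the helper, e.g. `Enable-UpdateServiceTemporarily { wusa.exe 'C:\updates\PLACEHOLDER.msu' /quiet /norestart }` (placeholder path). Disabling BITS and wuauserv also stops normal patching, which is the trade-off the post's note at the top is about.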

Move on to gpedit.msc
Contrary to the usual mantra of dumbed-down Windows, "We (SYSTEM) will manage it for you", gpedit.msc gives us tons of rules that SYSTEM will, ahem, *supposedly* obey. But I don't know why they sometimes get telepathy from Redmond and do something else.

Disabled:
Allow definition updates from Microsoft Update
Allow real-time definition updates based on reports to Microsoft MAPS
Allow search and Cortana to use location
Allow Telemetry
Check for the latest virus and spyware definitions on startup
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates (err, this is claimed not to apply to W10, but just in case)
Initiate definition update on startup

Enabled:
Define the order of sources for downloading definition updates
Disable all apps from Windows Store *Enterprise/Education only
Do not allow web search
Don't search the web or display web results in Search
Turn off access to the Store
Turn off Application Telemetry
Turn off Automatic Download and Update of Map Data
Turn off game updates
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Search Companion content file updates
Turn off the offer to update to the latest version of Windows
Turn off Windows Update device driver search prompt

Windows Update advanced options:
Defer feature updates (like LTSB?)

On to Windows Firewall rules:
Programs, Inbound/Outbound:

%SystemRoot%\explorer.exe

Others:
- Service (Background Tasks Infrastructure Service, I think) that spawns BackgroundTransferHost.exe

  Within a logon session, it is activated the first time the internet is connected. I can't find any reference to it in the registry. The firewall is impotent to block it. I think this is the modern-app version of BITS. I need to kill BackgroundTransferHost manually.
- A spawned rundll32 that spawns svchost (uh oh, or something like that); there is ping activity but it is not bandwidth intensive. I need to kill rundll32 manually.

At the moment that's all I can do, and it's considerably quieter for a dial-up user like me.
I recommend ProcessHacker to monitor process and network activity.

Update:
There are several copies of BackgroundTransferHost.exe, in System32 (or SysWOW64) and deep inside subdirectories of WinSxS (or winsxs\wow64), so including them all in the firewall might work; if not, put it in AppLocker?
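The firewall section and this update together, as an added example (not the post's own script): Windows Firewall program rules match on an exact executable path, so a rule for the System32 copy of BackgroundTransferHost.exe does nothing for the WinSxS copies, which is one plausible reason the earlier rule seemed impotent. The script below enumerates every copy under the Windows directory, creates inbound and outbound block rules for each one and for %SystemRoot%\explorer.exe, and lists which of the watched processes currently hold TCP connections, as a cheap check alongside ProcessHacker. The rule prefix and function names are assumptions; it deliberately does not block svchost.exe, since that hosts far more than the ping activity the post describes. Run it elevated.

```powershell
# Added example, not the post's own script. Block rules for explorer.exe and
# every BackgroundTransferHost.exe copy, plus a view of live connections.
# $RulePrefix and the function names are assumed.
#Requires -RunAsAdministrator

$RulePrefix = 'QuietW10'

function Find-BackgroundTransferHost {
    # System32, SysWOW64 and the WinSxS component store all hold copies.
    Get-ChildItem -Path $env:SystemRoot -Filter 'BackgroundTransferHost.exe' `
        -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Add-ProgramBlockRule {
    param([string]$Program, [string]$Tag)
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$RulePrefix $Tag $dir"
        # Idempotent: skip rules that already exist.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction $dir -Program $Program `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Remove-QuietRules {
    # Undo everything this script created.
    Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Get-WatchedConnection {
    # Non-listening TCP connections owned by the processes the post complains about.
    param([string[]]$ProcessName = @('BackgroundTransferHost', 'rundll32', 'svchost'))
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Where-Object State -ne 'Listen' |
            Select-Object @{n = 'Process'; e = { $p.ProcessName }},
                          @{n = 'Path';    e = { $p.Path }},
                          RemoteAddress, RemotePort, State
    }
}

Add-ProgramBlockRule -Program "$env:SystemRoot\explorer.exe" -Tag 'explorer'
$i = 0
foreach ($exe in Find-BackgroundTransferHost) {
    Add-ProgramBlockRule -Program $exe -Tag ('BTH{0:D2}' -f $i)
    $i++
}

Get-NetFirewallRule -DisplayName "$RulePrefix *" |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
Get-WatchedConnection | Format-Table -AutoSize
```

Re-run the script after a cumulative update: servicing drops new copies into WinSxS, and the enumeration step picks them up while existing rules are left alone. `Remove-QuietRules` takes everything out again if explorer or the Store break in ways you did not expect.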