Microsoft previews telemetry push with new Win7/8.1 patches KB 3192403, 3192404

Microsoft plans to roll out major extensions to its Diagnostic and Telemetry service in November

Yesterday Microsoft released seven new patches through Windows Update. Three of them -- KB 3192403 for Windows 7, KB 3192404 for Windows 8.1, and KB 3192406 for Windows Server 2012 -- confirm a trend we've long expected: Microsoft is adding new telemetry/snooping capabilities to Win7, 8.1, and Server 2012 by growing out its Diagnostic and Telemetry service subsystem, DiagTrack. The big push will come in November.

Much to Microsoft's credit, we have many details about the new subsystem. We also have tools to help you avoid installing this enhancement to DiagTrack. But in order to use those tools effectively, you must start installing Windows 7 and 8.1 updates manually -- using Windows Update will ensure that your PC starts sending more info to the mothership.

What kind of info? We don't know -- and don't have any way of knowing. While there are voluminous lists of privacy-related settings, Microsoft hasn't said what data it's collecting. There is no "Security" level option for Win 7 or 8.1 (or Win10 Pro or Home, for that matter). Data sent to the mothership is encrypted and inaccessible -- as it should be -- so we simply don't know if this new, improved DiagTrack will lead to Google-class snooping.

Before you get worried, be sure you understand the situation. These three patches have been released as a test. They're called "October 2016 Preview of Monthly Quality Rollup" for a reason. If you run Windows Update in Win7 or 8.1, they'll appear as unchecked, optional updates. If you don't check them, they won't be installed. And unless you're testing something specific, you'd be foolish to check and install the updates.

These Third Tuesday patches are a preview of the non-security portion of the monthly rollup that's expected to arrive in November. It's complicated, but in short, you don't want to install them yet.

The KB articles have detailed descriptions of the changes coming in November, but they're quite esoteric -- telemetry receiving locations, proxy servers, and registry entries. The KB articles all point to Microsoft's description of the Customer Experience Improvement Program (CEIP). But the description, which is almost eight years old, doesn't mention DiagTrack.

You might draw the conclusion that you can turn off DiagTrack by turning off CEIP, but as best I can tell that isn't true. I first noticed that telemetry-with-no-off-switch behavior 18 months ago in KB 2952664. A new incarnation of the same patch appeared earlier this month.

Bottom line: Those users who install KB 3192403 or KB 3192404 should expect a greatly enhanced DiagTrack subsystem that provides unknown kinds of telemetry to Microsoft, with no easy way to switch it off.

The obvious way to avoid such a situation is to avoid installing the patches in the first place. I'll step you through that minefield next month, when the patches appear for real.

Tero Alhonen has noticed something uncanny about the patches: The KB 3192403 and KB 3192404 articles include wording that's basically identical to that found in KB 3192441, which is the Oct. 11 cumulative update for Windows 10 version 1511. They have the same telemetry upload points and registry entries. It sure looks like Windows 10-class snooping is coming to Windows 7 and 8.1.

If you have Windows 7 or 8.1, you likely already have a nascent version of DiagTrack running. To see it, go into Control Panel and choose System and Security, Administrative Tools. Double-click on Services and scroll down the list to see if Diagnostic Tracking Service has been started. If you want to disable it (I've seen no reports of adverse side effects in doing so), double-click on Diagnostic Tracking Service. Under General, set Startup type to Disabled and click the Stop button, then OK. After you reboot, DiagTrack will haunt your PC no more -- until the next DiagTrack patch gets applied.

If you want to kill DiagTrack and pour salt on the ground from which it springs, you can run these commands (each on one line) provided by abbodi86 on

sc config DiagTrack start= disabled

sc stop DiagTrack

reg delete HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener /f

reg delete HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Diagtrack-Listener /f

reg delete HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\SQMLogger /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /f

reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /f

takeown /f %ProgramData%\Microsoft\Diagnosis /A /r /d y

icacls %ProgramData%\Microsoft\Diagnosis /grant:r *S-1-5-32-544:F /T /C

del /f /q %ProgramData%\Microsoft\Diagnosis\*.rbs

del /f /q /s %ProgramData%\Microsoft\Diagnosis\ETLLogs\*

That's a scorched-earth removal of a "service" you're not likely to want.

Stay tuned. There will be lots of bumps ahead, in the aftermath of this month's patchocalypse. I continue to recommend that you NOT install any October updates just yet. Wait for the dust to settle. Later this week I'll have detailed (and easy) step-by-step instructions for safely installing the October updates.

Copyright © 2016 IDG Communications, Inc.

Shop Tech Products at Amazon