The German federal government posted an analysis of Windows 10 telemetry:
https://www.ghacks.net/2018/11/23/german-federal-office-bsi-publishes-telemetry-analysis/
It included a list of known telemetry servers, which I am including in alphabetical order here:
alpha.telemetry.microsft.com
asimov-win.settings.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
db5.settings-win.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
eu.vortex-win.data.microsft.com
geo.settings-win.data.microsoft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
oca.telemetry.microsft.com
settings-win.data.microsoft.com
us.vortex-win.data.microsft.com
v10-win.vortex.data.microsft.com.akadns.net
v10.vortex-win.data.microsft.com
vortex-win-sandbox.data.microsoft.com
This was an analysis of an older version of Windows 10 so this list is certainly not complete, nor up to date. (Some of these names no longer resolve.) The names seem to have been extracted from diagtrack.dll - perhaps someone with a more modern version of Windows 10 could compare.
Currently only one of these, settings-win.data.microsoft.com, is included in the blacklist.
Personally I think it's quite suspicious of Microsoft to use intentionally mis-spelled domain names, like "microsft". That's usually something that malware does.
Is there a canonical list of Windows 10 telemetry servers, and should it be included in the blacklist?
Hacker News discusses the German report here: https://news.ycombinator.com/item?id=18527997
Thanks @DavidCWGA. Interesting.
I'm inclined to summarily block all those microsft.com (misspelled) domains, right now, on principle.
I took diagtrack.dll from a current Windows 10 install and ran it through "strings", but could not find any hostnames at all. If they're in there, they're encoded somehow.
Microsoft has their list of endpoints documented here: https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints
found in C:\Windows\Temp
name: WERECDC.tmp.WERDataCollectionStatus.txt
Snapshot Dumper
MiniDumpWriteDump took:
Page faults (local) : 86.
Page faults (remote): 0.
MiniDumpWriteDump read memory failures: 0.
Write buffer:
MiniDumpWriteDump failed: 8007012B.
Process terminated unexpectedly. Exit code: 00000000
What is that? Connected to Watson telemetry?
It's Windows Error Reporting.
The Windows Error Reporting Service can be disabled.
Yes, FIREWALL is excluded from being monitored by Windows Error Reporting, see:
https://www.windows-security.org/8586e62112bb89e28a32ed1f535438e1/list-of-applications-to-be-excluded
There is a good and regularly updated list of Windows telemetry servers:
https://github.com/crazy-max/WindowsSpyBlocker/tree/master/data/hosts
Dumb question here.
Can you not just simplify the domains like:
akadns.net
data.microsft.com
telemetry.microsft.com
And what's the point of adding "www" to the front of the domain (in some of the hosts file entries)?
The reason to shorten the domains like this is to future-proof it a bit and catch new sub-sub-domains.
Look, I get it, maybe you want to go to microsoft.com and look at the ads, but I cannot imagine visiting telemetry.microsft.com.
Hmm, simplify? That cannot be.
Hosts file blocking is straightforward, as you might think.
Just a sample:
Blocking:
akadns.net
will not block:
asimov-win.settings.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
db5.settings-win.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
www.akadns.net
The hosts file does not "auto-wildcard" your entries.
What you put is what you block. And nothing else fancy.
And about telemetry.microsoft.com: it is being accessed by the Windows _back-end_.
Not literally being accessed by the user through web browsers and such.
Thanks, I did not know it worked that way.
I guess I will block domains on my router then, based on the URLs in the hosts file collection, and just simplify them a bit for future-proofing.
Then add some of these hosts files to my PC for when I'm roaming.
No worries. ;)
Also, you may want to at least ping them a bit before simplifying, as you may miss those "live" domains that are supposed to be blocked.
Hi @DonovanPhoenix, you might be interested in this thread https://github.com/StevenBlack/hosts/issues/1057 since what you are asking about works on DNS recursors like Unbound and PowerDNS Recursor.
But please read that thread first to collect some simple upfront knowledge. Then you shall be very welcome to ask any questions either here or in my Unbound project folder at GitLab.
If you are on a Linux platform, or have one available to be used as the DNS recursor, I would however recommend a combination of dnsdist and Recursor, both from www.powerdns.com, depending on your skills and needs.
Cheers
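The two points made above (a hosts file matches names exactly and never wildcards, while a recursor such as Unbound can block a whole zone and every name under it) are easy to check in code. The script below is an added example for this thread, not code from the StevenBlack/hosts project or from any of the commenters. The hosts file contents and the list of telemetry names are constructed samples taken from this thread; the `always_nxdomain` form is real Unbound `local-zone` syntax, but the helper names (`parse_hosts`, `zone_blocks`, `unbound_local_zones`) are this example's own.

```python
"""Hosts-file coverage versus zone-level blocking (added example)."""
from typing import Dict, Iterable, List, Set

# Constructed sample: telemetry names quoted from the BSI list in this thread.
TELEMETRY_HOSTS: List[str] = [
    "alpha.telemetry.microsft.com",
    "asimov-win.settings.data.microsoft.com.akadns.net",
    "db5-eap.settings-win.data.microsoft.com.akadns.net",
    "db5.settings-win.data.microsoft.com.akadns.net",
    "db5.vortex.data.microsoft.com.akadns.net",
    "eu.vortex-win.data.microsft.com",
    "settings-win.data.microsoft.com",
    "v10.vortex-win.data.microsft.com",
]

# Constructed sample hosts file: the "simplified" entries proposed in the
# question, one www. variant, and one exact telemetry name.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 akadns.net
0.0.0.0 data.microsft.com www.data.microsft.com
0.0.0.0 settings-win.data.microsoft.com   # trailing comment
"""

# Zones the question proposed as a shortcut.
PROPOSED_ZONES: Set[str] = {"akadns.net", "data.microsft.com", "telemetry.microsft.com"}


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot, as a resolver compares names."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text: str) -> Set[str]:
    """Return the set of names a hosts file defines (every name after the address)."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:               # one line may carry several names
            names.add(_canon(name))
    return names


def hosts_blocks(blocked: Set[str], name: str) -> bool:
    """Hosts-file semantics: an exact name match, nothing else."""
    return _canon(name) in blocked


def hosts_coverage(blocked: Set[str], names: Iterable[str]) -> Dict[str, bool]:
    """Which of the given names the hosts file actually catches."""
    return {n: hosts_blocks(blocked, n) for n in names}


def zone_blocks(zones: Set[str], name: str) -> bool:
    """Zone semantics (what a recursor local-zone does): the name itself or
    any parent label suffix matches a blocked zone."""
    labels = _canon(name).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def zone_coverage(zones: Set[str], names: Iterable[str]) -> Dict[str, bool]:
    return {n: zone_blocks(zones, n) for n in names}


def unbound_local_zones(zones: Iterable[str]) -> List[str]:
    """Emit Unbound local-zone lines; always_nxdomain blocks the zone and all
    names beneath it, which is the wildcard a hosts file cannot express."""
    return [f'local-zone: "{z}" always_nxdomain' for z in sorted(set(zones))]


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for name, hit in hosts_coverage(blocked, TELEMETRY_HOSTS).items():
        print(f"hosts  {'BLOCK' if hit else 'pass '}  {name}")
    for name, hit in zone_coverage(PROPOSED_ZONES, TELEMETRY_HOSTS).items():
        print(f"zone   {'BLOCK' if hit else 'pass '}  {name}")
    print("\n".join(unbound_local_zones(PROPOSED_ZONES)))
```

Running it shows the hosts file catching only `settings-win.data.microsoft.com`, because that is the one name listed verbatim; `akadns.net` and `data.microsft.com` match nothing in the telemetry list. The zone check catches seven of the eight, and misses `settings-win.data.microsoft.com` precisely because `microsoft.com` is not `microsft.com`, so a "simplified" list still needs the real spellings. It also explains the `www.` entries: to a hosts file `www.data.microsft.com` and `data.microsft.com` are unrelated names, so both have to be written out. One caveat before pasting the generated lines into Unbound: `akadns.net` is Akamai's DNS infrastructure and serves many customers besides Microsoft, so blocking that whole zone breaks far more than telemetry; block the specific Microsoft labels under it instead.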
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Closing.