Hiding from Windows 10: Testing Tools to Disable Tracking and Boost Privacy
It’s been over three years since Windows 10 was released, but the issue of user data being sent to Microsoft’s servers remains unresolved. In fact, it’s gotten worse with forced privacy resets and the reactivation of disabled update services. In this article, we compare several utilities designed to manage the “spy” components of Windows 10 and see how effective they are on modern builds.
Microsoft’s Data Collection: The Reality
Microsoft has never hidden the fact that it collects user data, though it used to use vague language about “improving user experience.” After the introduction of the European General Data Protection Regulation (GDPR) and other laws, the company had to disclose more details. You can read about what data is collected, where it’s sent, how it’s processed, and when it’s disclosed on Microsoft’s official resources.
Microsoft claims to give users control over the type and amount of data sent. To do this, you need to install an update package (for builds below 15063.0) and use the privacy settings screen—ideally during installation.
Privacy settings screen during Windows 10 installation
In theory, if you disable everything, your data shouldn’t leak. But this is an intentionally created illusion. Let’s run a network sniffer and see what’s really happening.
Testing Methodology
All tests were conducted in parallel on two Windows 10 Pro builds: 1709 and 1803. Each “anti-spy” program was deployed on cloned virtual machines to ensure identical conditions. Screenshots show results for 1709 first, then 1803 unless otherwise noted. Wireshark 2.6.3 64-bit, TCPView v3.05, and Regshot v2.1.0.17 were used as auxiliary tools.
All tested programs were set to maximum blocking. If any function or app wasn’t blocked, it would be unclear whether data leaks were due to an unblocked item or a program’s failure to disable a feature. The ideal result is a network traffic dump with no Microsoft IP addresses. Let’s see how each tool performs, but first, let’s check Windows’ built-in privacy controls.
Checking Privacy Settings
With default settings, you’ll immediately see a large stream of outgoing traffic to Microsoft addresses after booting the OS.
Network traffic monitoring with default privacy settings
Now, disable everything possible in the privacy screen. The result is clear.
Network traffic monitoring with telemetry transmission reduced
However, even after toggling all switches to “off,” some data is still sent to Microsoft Azure’s cloud platform, including servers in Singapore. Wireshark logs showed Microsoft network node IPs from around the world, likely due to load balancing. Connections are not constant—they connect, send data, and disconnect. The address pool is huge, and most belong to Microsoft or its partner networks.
Comparing Anti-Spy Programs
We tested the following anti-spy tools: Blackbird 1.0.28, Destroy Windows 10 Spying 1.0.1.0, DoNotSpy10 4.0, O&O ShutUp10 1.6.1399, Disable Win Tracking 3.2.1, and WPD 1.2.940. All aim to prevent Microsoft from collecting data via known methods. Many also offer features like blocking updates. Here’s what you should expect from such utilities:
- Disabling user activity logging
- Disabling keyboard input data transmission
- Disabling handwriting sample transmission
- Disabling diagnostic data (telemetry) collection
- Disabling location data collection
- Disabling and resetting Cortana’s personal settings
- Blocking Windows Media DRM’s internet access
- Blocking app access to account info, calendar, messages, camera, mic, and location
- (Optional) Disabling Windows Update for other products
This isn’t a complete list, but it’s a reasonable minimum. All these changes can be made manually, but these tools apply dozens of tweaks with just a few clicks.
How Do These Tools Work?
- Modify registry keys related to privacy settings
- Add known Microsoft data collection URLs to
%WINDIR%\System32\drivers\etc\hosts - Add firewall rules to block known Microsoft IPs
- Stop “tracking” services
- Delete “spy” scheduled tasks
- In extreme cases, delete system files and folders responsible for tracking
Blackbird 1.0.28
Blackbird runs in console mode and offers three main functions: scan the system for issues, launch the blocking manager, and back up settings. The backup feature is especially useful—if something goes wrong, you can restore your settings. The backup is stored in the program folder, and once created, the “Backup” option changes to “Restore from backup.”
After scanning, Blackbird lists many “issues” to fix. However, some are questionable, like blocking the W32Time service, which is needed for time sync in domains.
The blocking list must be configured manually—there are no ready-made profiles, and you have to select each item individually. Notably, Blackbird can’t disable Windows Update. On build 1709, it successfully disabled all tracking features, but on 1803, one function remained active, and the total number of items increased.
After using Blackbird, outgoing traffic dropped significantly. However, on build 1803, the test PC kept sending data to IP 104.25.219.21 (Cloudflare, which Microsoft uses for telemetry). No other suspicious activity was noted, except for updates.
However, both test builds became unusable: the Start menu wouldn’t open, Edge and IE wouldn’t launch, and the Store and Mail apps crashed immediately. Notification panel messages couldn’t be opened. Even restoring from backup didn’t help—activation was lost, and registry errors appeared. On 1803, Blackbird couldn’t even restore from backup due to a file system error.
Conclusion: Blackbird is not recommended due to severe system issues.
Destroy Windows 10 Spying 1.0.1.0
https://github.com/Nummer/Destroy-Windows-10-Spying
This tool is well-known among those wanting to block data transmission to Microsoft. Rumor has it that after version 1.0.1.0, a new developer added a trojan, so we used the last official release by Nummer (April 2018).
All changes are applied by clicking “Destroy Windows Spying NOW!” The process disables tracking services, adds known IPs to the firewall, and writes Microsoft telemetry URLs to the hosts file, followed by a reboot.
Results were disappointing: while outgoing traffic to “unwanted” addresses decreased, there was still active communication with Microsoft IPs. The tool is outdated and doesn’t work well on newer Windows builds, but at least it doesn’t break the OS like Blackbird. However, Windows Update blocking was unreliable, and the system found alternative ways to send data.
DoNotSpy10 4.0
https://pxc-coding.com/donotspy10
This popular tool has a user-friendly interface with descriptions for each option. It can create a system restore point before applying changes. However, it has too many features, and after applying all settings, the systems began rebooting themselves after a few hours. “Blocked” updates were silently installed, and Wireshark captured nearly 400,000 packets in an hour—most sent to addresses that should have been blocked. Both OS licenses were deactivated.
Conclusion: DoNotSpy10 may appeal to masochists but will disappoint most users.
O&O ShutUp10 1.6.1399
https://www.oo-software.com/en/shutup10
This German tool offers a convenient interface and several setting profiles. You can apply only recommended settings or all at once. It also supports importing/exporting registry parameters. The program warns if system restore is disabled—a nice touch.
On build 1709, it offers 97 settings; on 1803, 100 (the extra three block app access to documents, pictures, and videos). After applying “ultra” settings, the program warns that updates may still install and you’ll need to reapply settings. It can’t reboot the system automatically, so you’ll need to do it manually.
After reboot, some processes still communicated with Microsoft addresses, and Wireshark showed session establishment and data transfer, though fewer packets were sent. Updates were still downloaded despite being disabled. After several hours, internet access was lost and had to be restored by resetting the network adapter. Some settings reverted themselves after a day, especially on build 1803.
Conclusion: O&O ShutUp10 works well on build 1709, less so on 1803. It doesn’t break the OS, and performance may even improve.
Disable Win Tracking 3.2.1
https://github.com/10se1ucgo/DisableWinTracking
This simple utility offers two modes for services: delete or disable (we chose delete). It targets DiagTrack (diagnostic data collection) and dmwappushsvc (WAP Push Message routing). The tool warns that disabling some features may break apps.
After three days, updates were installed, and dmwappushsvc reappeared (disabled). Microsoft and Akamai addresses remained in network logs, but traffic was reduced. The tool didn’t affect OS stability, but Skype stopped working. Changes were minimal: firewall rules and a few registry tweaks.
Windows Privacy Dashboard (WPD) 1.2.940
WPD’s current release (as of October 2018) supports Windows 10 up to build 1809. It has three sections: privacy management, firewall rules, and app removal (“junk” as labeled by the developers). Privacy management disables scheduled tasks, some services, and makes registry changes. Firewall rules are based on privacy mode: Spy or Extra (the latter blocks OneDrive, Skype, Live, etc.).
After four days, both test OSes were stable. WPD left minimal connections to Microsoft and partner servers, with very small packets. Most changes were in the registry, and it created a single firewall rule with many IPs.
Conclusion: WPD performed very well.
Manual Tracking Disabling
You can manually perform many of the actions these tools automate. Proceed at your own risk! Always back up your registry before making changes.
- Disable user activity logging (Timeline): In
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System, create a 32-bit DWORD namedEnableActivityFeedwith value0. - Disable keylogger (dmwappushsvc): In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushsvc, set value to4(also disable DiagTrack here). - Disable telemetry: In
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection, create a 32-bit DWORD namedAllowTelemetrywith value1(minimum level). - Disable location data collection: In
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}, set value toAllow. - Disable Cortana: In
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search, setAllow Cortanato0. - Disable OneDrive: In
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive, create a 32-bit DWORD namedDisableFileSyncwith value1.
Disable Telemetry Tasks in Task Scheduler
Many default tasks collect telemetry for “user experience improvement” and SmartScreen cloud protection. Disable them with these commands:
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
Block Data Transmission to Microsoft Servers
Many websites regularly update lists of Microsoft “spy” server addresses (e.g., aeronet.cz). Add these to your hosts file and create firewall rules to block them.
Some security experts believe Windows system processes can bypass hosts and firewall restrictions, but in this test, no parasitic traffic was observed. After blocking, connection attempts continued, but outgoing packets were empty and no incoming packets were received.
Blocking Updates: StopUpdates10
As a bonus, here’s a small tool designed solely to block updates: StopUpdates10 2.0.32. The interface has a single button—click, reboot, and test. Over two days, the program prevented updates from downloading, though Windows kept trying. Error messages about component installation appeared, but no updates were installed after the tool was activated.
Conclusions
We reviewed six programs for disabling tracking and improving privacy in current Windows 10 builds. There are many such utilities, and their authors often copy each other’s work, aiming to expand the list of tweakable settings and blockable addresses. They rarely test thoroughly, and problems may not appear immediately—these are “time bombs.”
Most anti-spy tools for Windows 10 stopped development in 2016–2017 due to the constant “arms race.” Microsoft frequently changes server IPs, rents cloud space from Cloudflare, and routes traffic through Akamai. It owns a dynamic pool of IPs and several large networks, making it impossible to block everything. One URL may connect to multiple IPs or multifunctional servers needed for other Windows components.
You can manually add Microsoft data collection addresses by finding lists on GitHub and forums, merging, editing, and verifying them (the hardest part), then applying the final list. But Windows updates will add new addresses, making your list obsolete, and you’ll have to start over.
Of the tested programs, only O&O ShutUp10 and WPD performed reasonably well, though not perfectly. Some privacy settings can be changed via Windows 10’s interface, but not all are visible. If a utility can tweak additional or “deep” settings, it’s worth considering—just use it carefully, choose blocked parameters wisely, and always back up before applying changes.