Strange IE11 telemetry files - Win 10

Discussion in 'privacy problems' started by itman, Oct 13, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    After a cumulative Win 10 update a couple of months ago, I noticed telemetry files showing up in the %LocalAppData%\Temp directory. I know these are telemetry files since I opened them up in a hex editor and they have the wording "telemetry" toward the end of the file along with some metering parm data and the like.

    The files are always named URLxxxx.tmp where xxxx are random alpha and numeric characters. Using Eset HIPS for monitoring, I have traced file creators to be iexplore.exe - usually - and dllhost.exe DCOM - occasionally. What is strange is the files are never deleted by anything, so they are cluttering up the Temp directory.

    My take on this is MS is harvesting search history from IE11. The file sizes are not small, being around 145K or so, but sometimes the files contain zip, i.e. 0K in size.

    Anyone else using IE11 on Win 10 notice like file creation activity?
     
    Last edited: Oct 14, 2016
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,169
    itman, I have two screen shots. One is after cleaning with ccrapcleaner and the other is what is still left after using CC.
     


  3. boredog

  4. itman

    Thanks for replying, boredog.

    The TechNet article refers to files w/all random numbers. So, not applicable here.

    I did a bit more research and suspect these files might have something to do w/SmartScreen cache. In Win 10, MS states that the cache file is periodically updated w/web search history. I have "web caching and database" storage disabled in IE11. I suspect this is where SmartScreen would normally store web cache history. So it may be creating these URLxxxx.tmp files as a substitute.

    The bugger is that the URLxxx.tmp files are not being auto deleted on my PC. So for the time being, I have created a scheduled task to run a .bat script I created at system startup to delete the files.

    Another possibility is that I noticed Win Update snuck in an install of Vulkan runtime libraries in the Sept. cum. update. There might be a telemetry component to this. I would not be surprised if this were the case since the Win Update Nvidia drivers install telemetry crap. Check if you had the Vulkan runtime libraries installed in Sept. Although this might only apply to Win 10?
     
  5. boredog

    As you can see from my screen shots, I have those URL files also. What I don't understand is why CC doesn't delete them all. I am running a Win 10 Insider Preview build.
     
  6. boredog

  7. itman

    Depends how you have CCleaner set-up. By default, it will not delete any temp files that are less than 24 hours old.

    I am seriously considering uninstalling the Vulkan runtimes since their installation corresponds time-wise to when these temp files started to appear. Again, the Win Update delivered NVidia drivers have telemetry "up the wazoo." So it is fair to assume MS also snuck in the same with these Vulkan runtime libraries.
     
  8. boredog

    I think you are right. Those that were not deleted were created with my Win update yesterday, the way it looks.
    I don't think one needs the Vulkan runtimes unless you are a big gamer anyway.

    itman

    Where are you seeing them installed?
     
  9. itman

    OK. Believe I am getting close.

    Go to this directory, C:\Users\xxx\AppData\Local\Microsoft\Internet Explorer\UrlBlock, and open one of the recent .bin files using a hex editor. File details look almost identical to one of the URLxxxx.tmp files. My assumption is the .bin files in this directory are a blacklist SmartScreen uses.

    So the question is why are like URLxxxx.tmp files being created?
     
  10. boredog

    On my machine Adguard usually blocks web pages before SmartScreen.
     
  11. itman

    Win10 -> Control Panel -> Installed Programs
     
  12. boredog

    Wow, that is the long way to get there lol

    I just right-click Start, go to the top, and it reads Programs and Features. I don't see anything in there that says Vulkan.
     
  13. itman

    Click on "uninstall programs." If you don't see Vulkan Runtimes listed, then you don't have it installed. If same is not installed on your PC, then we can rule it out as the source of these URLxxxx.tmp files.

    BTW - I am almost 100% sure these .tmp files are really .bin files containing your browsing history. The problem is I can't find the source that is uploading them to MS.
     
  14. itman

    A bit more info.

    These URL****.tmp files are indeed IE URL Block directory .bin files. I verified this by doing a file compare against both files. See below screen shot:

    URL_Temp_File_10-19-2016.png

    Appears IE downloads the .tmp file to %LocalUserAppData%\Temp directory. Then initiates a DCOM process using dllhost.exe to load the file as a .bin in the URL Block directory. Appears this has been going on for some time; since Win 10 was installed. The "bug" appears to be that the DCOM process is not deleting the URL***.tmp file after it has been copied. I don't have a TechNet subscription but hope someone clues in MS on the problem.

    BTW - I searched high and wide for any ref. to what the telemetry files in URL Block directory are used for and could find nothing.

    Also this might have something to do with IE's "webcache and databases" storage which I have disabled. The file download might normally go there but when it is not available, IE just creates it in the %LocalUserAppData%\Temp directory.
     
  15. itman

    Hum....... Could have sworn it posted this. Anyway these URL****.tmp files are definitely updates to C:\Users\xxx\AppData\Local\Microsoft\Internet Explorer\UrlBlock .bin files. I ran a file compare between both and they are identical. Appears the most recent URL****.tmp replaces the most recent .bin file in the UrlBlock directory.

    If someone has a TechNet subscription, perhaps they can clue in Microsoft and get them to fix the copy procedure to delete the downloaded URL****.tmp file.
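
The file compare described in posts 14 and 15, extended to every URL*.tmp file at once, as an added example that is not part of the original thread. The function name `Compare-UrlTmpToUrlBlock` is hypothetical, and the default paths assume the Temp and UrlBlock locations named in the posts sit under `%LocalAppData%` for the current user.

```powershell
# Added example (not from the thread): match leftover URL*.tmp files in Temp
# against the UrlBlock .bin files by SHA-256, instead of a manual file compare.
function Compare-UrlTmpToUrlBlock {
    param(
        # Assumed defaults, built from the directories named in the posts.
        [string]$TempDir     = (Join-Path $env:LOCALAPPDATA 'Temp'),
        [string]$UrlBlockDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\UrlBlock')
    )

    # Index the .bin files by content hash so each .tmp needs only one lookup.
    $binByHash = @{}
    Get-ChildItem -LiteralPath $UrlBlockDir -Filter '*.bin' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h) { $binByHash[$h] = $_.Name }   # skip files that are locked or unreadable
        }

    Get-ChildItem -LiteralPath $TempDir -Filter 'URL*.tmp' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime |
        ForEach-Object {
            # 0-byte files (reported in the first post) have no content to compare.
            $hash = if ($_.Length -gt 0) {
                (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            } else { $null }

            [pscustomobject]@{
                TmpFile       = $_.Name
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                # Name of the identical .bin file, or empty if none matches.
                MatchingBin   = if ($hash -and $binByHash.ContainsKey($hash)) { $binByHash[$hash] } else { $null }
            }
        }
}

# Read-only report: nothing is deleted or modified.
Compare-UrlTmpToUrlBlock | Format-Table -AutoSize
```

A .tmp file with an empty `MatchingBin` column is either a 0-byte file or an older download whose .bin has since been replaced.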
     