Strange Win 10 Behavior

Discussion in 'other software & services' started by itman, Jul 30, 2016.

  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    In previous versions, it was perfectly clear why Windows called home.

    In Windows 10, it's a lot harder to determine why Windows calls home.

    And do you want it to?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    On that subject, I don't know if anyone noticed that explorer.exe dials out every 15 mins., making monitoring of its outbound connections next to impossible.
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    It's one thing when Windows is trying to download new updates through WU.

    When it's more than that, the line between legitimate connection with home servers and what people consider unwanted invasion of personal privacy becomes blurred.

    And it's an issue.
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    yes, it is?
    if someone reads the new EULA and has an MS Live account - too bad. but it is (still) possible to deactivate such "spying" whatever, it has nothing to do with the clb injection if you read the thread at answers.microsoft.

    and yes, it's injected in build 10240 and build 1511 - and no, not spying.
    if you care -> uninstall! you can't stop it nor deactivate it.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Apparently you can (probably by disabling some service), since it does not run on every computer; it never ran on mine.
     

    Attached Files:

  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I will say this about the .clb injection, it is being done by svchost.exe since Eset HIPS does detect the injection. The big question is which service is doing it? Perhaps RuntimeBroker.exe since it is running under DCOM? Problem is disabling any service from running can have major system impacts.
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    I wonder if WildByDesign disabled any services, since he does not have it either; we could compare our settings and find out.

    Well it had a major impact on my mom's slow laptop, browser starts in 2 secs compared to 15 sec before. :)
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you refer to his reply #6, he is getting the .clb injection. What he said is AppContainer is stopping it in his Chromium-defined processes. I could also stop it by just blocking svchost.exe process modification into select processes like the browser. I don't want to do that until I know for sure what the hell the .clb is doing.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Sorry guys, I should have clarified more. Both of my examples were x64 Anniversary Update - Pro. However, the finer details are as follows...

    1st example in which I did experience/confirm injection concern:
    • Upgraded throughout several Windows 10 builds
    • Part of Windows Insider program
    • Using Microsoft Account
    • No use of telemetry disabling programs
    2nd example, in this case no injections occurring and COM+ database files do not exist:
    • Clean install
    • No Windows Insider program
    • No Microsoft Account
    • Local Accounts only
    • Significantly hindered telemetry with OO Shutup10 (highly recommended, by the way)
    Hope this clarifies better. In the 2nd example, these COM+ databases don't even exist, nor are the injections occurring. I am hoping that we are able to figure out exactly what is happening with regard to the injections. I'm leaning more toward telemetry-related now.
     
  10. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Same here, except I do not use OO Shutup10, I apply my own tweaks. So maybe it is not service related, more like telemetry. I wonder, do you have Cortana disabled or even running? When I run OO Shutup10, I get this, so maybe some of those settings are responsible.
     

    Attached Files:

  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Please explain this? This seems to be the common thread between your and TairikuOkami's setups.

    I also believe this .clb usage has something to do with RuntimeBroker.exe. Seen postings that if it borks up, users end up with DCOM errors up the wazoo in their event logs. Also the process is only supposed to be running if you are using Windows Store apps, but it is constantly running on my Win 10 build, although using minimal CPU resources. Never have seen it in a suspended state like the other svchost.exe -DCOM processes are.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just referring to my typical setup of local user accounts; one Administrator account for admin-related work and also a Standard User Account that I've got locked down considerably more for daily computer use, web surfing, email, etc. Both are local accounts, no Microsoft Accounts in this setup at all. Windows is activated via a digital entitlement.

    I do have Runtime Broker running on my system as well but I am not very familiar with it nor have experienced any specific issues as of yet.

    I might set up a few different VMs if I get some time, with and without Microsoft Accounts, Insider program, etc., and do some logging with Process Monitor or similar to figure out where those .clb files are coming from and with which activities, etc.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Was just checking which processes/services the .clb file is not injected into, with some interesting details.

    It is injected into both of my AVs' service and GUI processes, but is not injected into the EMET service or GUI?

    It is not injected into nvsvc.exe, Nvidia's graphics driver. Nor Adobe ARM's update program? Nor is it injected into winlogon.exe or system.exe.

    It is injected into everything else that I am not locked out of viewing in Process Explorer.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Like WildByDesign, I don't have an M$ account, just local accounts for a standard user and for an admin user with admin rights.
    Windows was activated by digital entitlement, possibly because it's on a Win7 box and/or because I had to do something about gatherosstate.exe and copy something when I was doing a clean install of Win10.

    The only thing I found so far on the web are technet descriptions of the use of .clb on Server 2008. Go figure.

    itman, in the .clb file is a long paragraph naming things which might be functions. Might those items help figure out what it's all about?
    I, too, don't see Defender injected, but they did hit some anti-malware: Sphinx firewall, MBAM, ERP (I think I put a list in post #7).
    I don't use any of their Store apps, but curiously, explorer constantly wants to go out to something about the weather, and a bunch of other things - frequently. I have it and Cortana blocked from the internet.
    Might it be that those injections are quick, on-the-fly, dynamic registrations of the COM objects for checking if they behave according to some M$ rules?
     
    Last edited: Aug 6, 2016
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    go back to win 8 :)

    How a security minded person picks win10 I don't know :)
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    AFAIK there are some security improvements in Windows 10 but privacy aspect of this OS is just terrible. Also this cloud OS is IMO not appropriate for desktop usage (at least not for me).
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have been monitoring it w/Eset's firewall since I installed the upgrade.

    There are two persistent connections to *.search.msn.com and *.wns.windows.com. If you try to terminate the *.wns.windows.com connection, it will just auto-reconnect. Today I saw it permanently connected to a MS server in Hong Kong and that was it for me! So I am blocking these connections using the Eset network filter, which allows for wildcards. I also observed that when I shut down IE11, explorer.exe dials out to *.twimg.com, so I am blocking that also. Appears MS is harvesting Twitter usage telemetry. Presently, I am allowing the Akamai connections but might just block those also, since I believe they have no valid purpose either.

    -EDIT- Appears *.twimg.com is the Win 10 location identifier. So blocking that will affect the weather app, but the plus is that your location is no longer known.
     
    Last edited: Aug 7, 2016
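An added example for the monitoring problem raised in this thread (explorer.exe reconnecting every few minutes and the wildcard hostnames itman lists). It is not itman's code or Eset's, and it is not an Eset feature; it is a stand-alone PowerShell script using the built-in NetTCPIP and DnsClient cmdlets (Windows 8 / Server 2012 and later). It polls the established TCP connections owned by a process, reverse-resolves each new remote address once, and flags names matching a watch list. The default interval, iteration count and pattern list are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Polls a process's established TCP connections,
# reverse-resolves each new remote endpoint and flags hostnames matching wildcard
# patterns. Defaults (process, interval, patterns) are illustrative assumptions.
param(
    [string]$ProcessName = 'explorer',
    [int]$IntervalSeconds = 60,
    [int]$Iterations = 15,
    [string[]]$WatchPatterns = @('*.search.msn.com', '*.wns.windows.com', '*.twimg.com')
)

# Endpoints already reported, keyed "ip:port", so a reconnecting process is logged once per endpoint.
$seen = @{}

for ($i = 0; $i -lt $Iterations; $i++) {
    $procIds = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if ($procIds) {
        $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $procIds -contains $_.OwningProcess }
        foreach ($c in $conns) {
            $key = "$($c.RemoteAddress):$($c.RemotePort)"
            if ($seen.ContainsKey($key)) { continue }

            # PTR lookup. Many CDN addresses have no reverse record, so fall back to the raw IP.
            $ptr = Resolve-DnsName -Name $c.RemoteAddress -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' } |
                   Select-Object -First 1 -ExpandProperty NameHost
            if (-not $ptr) { $ptr = $c.RemoteAddress }
            $seen[$key] = $ptr

            $flag = ''
            foreach ($p in $WatchPatterns) {
                if ($ptr -like $p) { $flag = " <-- matches $p" }
            }
            '{0:u} pid={1} {2} ({3}){4}' -f (Get-Date), $c.OwningProcess, $key, $ptr, $flag
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Two caveats for anyone using this. A PTR record gives the name the address owner published (often an Akamai or Microsoft CDN name), not the hostname the process actually requested, so wildcard matches against it are approximate; a filter such as Eset's that matches on the resolved hostname at connection time sees the name the process asked for. And Windows Firewall rules match on addresses, ports and programs, not hostnames, which is why the thread's wildcard blocking needs a third-party filter.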
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Also a warning for those who use the Windows firewall: on my testing machine, whenever the build gets updated, all rules against Microsoft binaries get reset.
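An added example, not from chrcol's post, for the failure mode he describes: taking a snapshot of the local Windows Firewall rules before a build upgrade and diffing afterwards, so rules that were removed or flipped back to Allow/Enabled are listed rather than silently lost. It uses the built-in NetSecurity cmdlets plus `netsh advfirewall export` for a restorable full-policy copy; the snapshot path is an assumption, and it must run from an elevated prompt.

```powershell
# Added example, not from the thread. Run with -Mode Snapshot before a build upgrade
# and -Mode Compare afterwards. Requires an elevated prompt. Snapshot path is illustrative.
param(
    [ValidateSet('Snapshot', 'Compare')][string]$Mode = 'Snapshot',
    [string]$SnapshotPath = "$env:ProgramData\fw-rules-snapshot.xml"
)

function Get-RuleSnapshot {
    # PersistentStore holds the rules stored on this machine (built-in and admin-created),
    # as opposed to rules delivered by Group Policy. Program comes from the rule's
    # application filter, so per-binary Block rules can be identified in the diff.
    Get-NetFirewallRule -PolicyStore PersistentStore | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            Direction = [string]$_.Direction
            Action    = [string]$_.Action
            Enabled   = [string]$_.Enabled
            Program   = $app.Program
        }
    }
}

switch ($Mode) {
    'Snapshot' {
        $rules = Get-RuleSnapshot
        $rules | Export-Clixml -Path $SnapshotPath
        # Full policy export, restorable later with: netsh advfirewall import <file.wfw>
        $wfw = [IO.Path]::ChangeExtension($SnapshotPath, '.wfw')
        netsh advfirewall export "$wfw" | Out-Null
        "Saved $($rules.Count) rules to $SnapshotPath and full policy to $wfw"
    }
    'Compare' {
        $before = Import-Clixml -Path $SnapshotPath
        $after  = Get-RuleSnapshot
        $afterByName = @{}
        foreach ($r in $after) { $afterByName[$r.Name] = $r }

        foreach ($r in $before) {
            $now = $afterByName[$r.Name]
            if (-not $now) {
                "MISSING  $($r.Display) [$($r.Direction) $($r.Action)] $($r.Program)"
            } elseif ($now.Enabled -ne $r.Enabled -or $now.Action -ne $r.Action) {
                "CHANGED  $($r.Display): was $($r.Action)/$($r.Enabled), now $($now.Action)/$($now.Enabled)"
            }
        }
    }
}
```

The .wfw file restores the entire policy in one step (`netsh advfirewall import` replaces the current rule set rather than merging), which is the quick recovery path; the Compare output is for checking what actually changed before deciding whether to re-import wholesale or re-create individual rules.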
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From what I recall, just about everything was injected with the exception of AppContainer sandboxed processes. Although quite a number of apps on Windows 10 utilize AppContainer protection. But any typical win32 programs were all injected.
     