Block windows update

Saaglem

Active Member
After all what I have done, this morning on switch-on I got the Store access icon on my desktop.....meaning crap is still coming in. I have reached the end of my knowledge regarding blocking Windows Update and have reached out for a corruption trick. It's an old trick but it works. Even the anti-virus packages have hidden features to allow Windows background updates. Soooo. I have corrupted the wuaueng.dll file with its proxy stub file to not accept updates. Added a schedule to replace the dll at intervals in case it gets replaced, and blocked the crap out of Windows and almost all of the ports; of the firewall ports I now have only 80 and 8080. Nearly broke my foot off in Windows' ass. Now it is starting to purr like the V12 I know and remember. Will see what new curveball I'm gonna get after I throw the box of spanners at it. After that.....I'm using the cutting torch to loosen it up.
 

ahazuarus

Member
Only the Enterprise edition honors any request to simply turn off Windows Update. Even then, a handful of group policies have to be set. This is by design.
 

Clanger

Well-Known Member
I don't know if nuhi has a solution already; I don't use 10 at all. MS are making it very difficult to disable WU on the latest builds, if not impossible without 3rd-party tools. There is one I know of but it's not straightforward and could affect removals, and I will give nuhi the link if he wants it.
 

Saaglem

Active Member
I'll find something. Got a couple of tricks still in the toolbox....BIG spanners, very-very small hammer, GIGANTIC cutting torch and so forth....you know...the normal tools needed to break any job. hahahaha
 

Clanger

Well-Known Member
My workstation doesn't need to be online, and with 3 FM2+ systems' worth of gubbins I ain't gotta worry about W10 WU or telemetry. :cool::p
 

Saaglem

Active Member
I'm having a brainstorm to hook up a Linux sandbox for this WU. If I'm not going to be able to block it I will block the request with a hardware router. Then break my foot off in the router's behind so WU cannot do anything.
 

e_web

Member
I use the built-in Group Policy firewall set to "Outbound connections that do not match a rule are blocked." alongside "Apply local firewall rules: No", with only DHCP and DNS svchost rules normally enabled (by service name; just don't block them later). I also have ONE rule to allow svchost by path (e.g. "C:\Windows\System32\svchost.exe", not service names ~ trying that broke it when attempted) which sits disabled when not intentionally set to active and in use.

How does that work? I also have a .reg file (it is currently added during the NTLite .reg phase, but adding it at any time should work with a reboot) that gets applied with rules for just about every other svchost service on a virgin 1803 (the build I currently use). It then blocks those services by name, including some non-svchost ones I removed for good measure, under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System

Example
Code:
Windows Registry Editor Version 5.00

; Delete the default RestrictedServices rules, recreate the key, then add per-service outbound Block rules.
; Value name = rule id; value = "|"-separated rule: version, Action, Active, Dir, Svc (short service name), Name.
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
"{Application-Information-Out}"="v2.10|Action=Block|Active=TRUE|Dir=Out|Svc=Appinfo|Name=svchost-(Application-Information)-Out|"
"{Application-Management-Out}"="v2.10|Action=Block|Active=TRUE|Dir=Out|Svc=AppMgmt|Name=svchost-(Application-Management)-Out|"
"{App-Readiness-Out}"="v2.10|Action=Block|Active=TRUE|Dir=Out|Svc=AppReadiness|Name=svchost-(App-Readiness)-Out|"
There are existing ones there by default (thus my removal of them), so if you are testing on your real machine (PLEASE DON'T) I'd make a backup of that area first, though I'd highly recommend testing on a VM if you try it out yourself either way. Also keep in mind they will not take effect until the BFE rebuilds the rules, so a reboot would be recommended between tests, but there are other ways to force a refresh.

Sure, it's not for everyone, but I can say I've never had it even connect to Windows Update when I didn't enable those rules, or download an update without my input. It requires ME to explicitly add anything via Group Policy, and none of those rules added under RestrictedServices will show up in Windows Firewall, so it can be confusing trying to track down some failures. It may also take quite a bit of time to figure out what you need to allow or don't. It isn't the most user-friendly of cases, but my PC is fairly static at this point, so if I add software I want allowed to phone out I also add a rule via Group Policy. I certainly have never needed to take a blowtorch to WU or break my foot off in anything!

I did need to add some 'SC SIDTYPE "servicename" UNRESTRICTED' entries for my setup phase, as otherwise BFE would supposedly ignore services with NONE set, and there were about 9 left after the NTLite phase in my build, including things as simple as Appinfo, so there are likely more in a virgin install. Also keep in mind that none of this will block those 'random usernumber' svchost instances while the "Generic svchost path" one is enabled, as you can't pre-define rules for them since you never know which numbers they will be given upon any boot.

Why is all this required? I'm not exactly sure, but I learned early on in my tests coming from Windows 7 that rules which name svchost instances regarding stuff related to Windows Update, even only set as allowed, tended to (but not always right away) actually result in a block instead. So instead I came up with:
  1. Block everything (my default regardless)
  2. Allow svchost.exe generically by path (enabled by me only when I want to use MS Store/Update)
  3. Block other, potentially undesirable, svchost instances by name under RestrictedServices (as you can see, if it doesn't have a reason on my system it gets blocked, but this does not take into account things like wi-fi)
  4. Services that are not under RestrictedServices may then be toggled on and off at will via the generic svchost path rule, while still allowing you to keep other (non-update related) things like DNS and DHCP functioning all the time just by adding them under their own short service name rules as allowed!
Of course all of that is only really applicable if you want to use a default-deny approach (like me) and retain the ability to update over the internet. I tend to just use the catalog these days, so I suppose I could go back and simplify things a great deal if I also manually update AppX packages...hmm...maybe once my kids are over the roblox phase (for sure)!

I'm sure I've forgotten something important (like making sense?) but that's my drunken spiel on that.

Here we are with the (slightly edited) default 1803 .reg that I use on my system.
I warn you all again, it should NOT be used as is on ANY system without in-depth testing beforehand. I suspect many a person will find things wrong with it for use, e.g. wi-fi, local network stuff and MS accounts standing out as being among the most likely.
 


Clanger

Well-Known Member
When it comes to firewall blocking, networking and telemetry my brain walks off and leaves me flying solo because there is just so damn much of them my brain can't handle it all. :(
 

e_web

Member
When it comes to firewall blocking, networking and telemetry my brain walks off and leaves me flying solo because there is just so damn much of them my brain can't handle it all. :(
Liar ~ You simply choose not to bother but I don't blame you there!
 

Clanger

Well-Known Member
With telemetry tools coming out the wazoo there is too much choice and the nagging feeling you still ain't got it all. 1 definitive tool to rule them all, but there ain't. I did bother and I have tried so many times.
 

Saaglem

Active Member
Ok....here's what I did so far. Removed the following from the Task Scheduler: Windows Update, WaaS and Update Orchestrator. Removed ALL telemetry I could find with NTLite; there is more in the registry, removed with reg files. Removed ALL remote options I could find. Then removed the services from the registry. Left some services but disabled them, simply because if you remove the services you cannot activate Windows. Disabled the following services:

BITS
ThunderboltService
dmwappushservice
ibtsiva
SEMgrSvc
iphlpsvc
PhoneSvc
SCardSvr
ScDeviceEnum
SCPolicySvc
SmsRouter
SNMPTRAP
OneSyncSvc_91d81
WFDSConMgrSvc
icssvc
WinRM
OneSyncSvc_33cd1
DevicePickerUserSvc_33cd1
DevicesFlowUserSvc_33cd1
wlidsvc
ClipSVC
MpsSvc

If it is not listed here then it is removed. I completely removed Windows Firewall and only use the Eset firewall....thinking of using something else. Then I have dummy website addresses and DNS and DHCP in the Microsoft servers in the update side of Group Policy and adjusted the download limits and the timings in GP....a list of them. Then I run Win Update Stop and run a reg file to delete strings........ then.......I use the hosts file with a mega list of servers not to use, I use ShutUp10 and lastly I use Eset to interactively block ports through its firewall......AND IT STILL FINDS A WAY TO UPDATE. Going to remove some crap now in the live install and see what I can break......with the very small hammer and the BIG cutting torch.

I am waiting for Bios-mods.com to send me new BIOS firmware....seems there is an injector in the BIOS with its own telemetry and update feature....will f....cking remove that along with the rest.....it makes me so mad. Just go fishing while the fish is still original. lol

I think there is a heartbeat link between the 3 separate drive creations when Windows is installed.....gonna rip that one with it.......

The one Windows I could block perfectly was Windows 8.1, but I have a driver issue with my motherboard. Windows 10-1511 is an excellent candidate and I blocked that one as well, but cannot use it since my graphics card is not compatible. Will try you guys' ideas as well......

Uhh....Nuhi....if you want then I can use your help on this please. Thanx

Now.....let me play and see how I can screw this up ROYALLY.....and just to screw everything up even better....I will run your registry file on my live machine.....I mean......I can only screw it up; it won't explode......hahahahaha
 

Saaglem

Active Member
OK....... I think......NOTE, THINK, I've nicked the crap out of it. Will see in a week's time. After a live removal of Windows Update, BITS, Microsoft account, Client License Service and Windows optional features, and with the Eset firewall still blocking, and it still responding to blocking system response from the web, I have now also disabled IPv6 and disabled some layers in the network stack; it is not connecting to the update site anymore....but we will see. Will give an update on this later.

Last but not least I will use the reg file posted by e_web as a last resort....oh hell you've twisted my arm I will run it anyway just to see what it does. lol
 

e_web

Member
Last but not least I will use the reg file posted by e_web as a last resort....oh hell you've twisted my arm I will run it anyway just to see what it does. lol
That .reg file will cause you nothing but trouble if you don't understand what it does and does not block. It does block any service listed, quite a few others, but none that will help you in blocking Windows updates; that's where the Group Policy firewall set to "Outbound connections that do not match a rule are blocked." alongside "Apply local firewall rules: No" comes into play. None of that matters if you have removed the Windows Firewall, but as that .reg is applied at a higher level than the standard firewall (Domain/Private/Public) weights, and I assume ESET uses the BFE like most others, it should end up blocking those other services in the list, which will likely result in broken functionality unless you first remove services you do need. The rest of that complex setup (including the .reg) is to enable on-demand Windows Update over the internet while still maintaining control over most other svchost instances.

If you were to keep the Windows Firewall, and never want to update Windows online, you could easily set the Group Policy firewall to "Outbound connections that do not match a rule are blocked." alongside "Apply local firewall rules: No" and only create specific allow rules for those services you do want to be able to connect out, but you'd also need to do so for every other program you want to allow, so be prepared to spend time building your rules and testing them.
 
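A PowerShell sketch of the layout e_web describes here and in the longer post above: default outbound block, always-on DHCP/DNS allow rules by short service name, one by-path svchost rule kept disabled and toggled only for an update window, and a parser for the RestrictedServices rule strings that the firewall UI never shows. This is an added example, not e_web's .reg or anything posted in the thread. It writes to the local persistent firewall store, so the "Apply local firewall rules: No" half of his Group Policy setup is not reproduced (those settings live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and are an assumption here); the rule display names are assumptions too. Run it on a VM.

```powershell
#Requires -RunAsAdministrator
# Added example (not e_web's script). Local persistent store only; rule names assumed.

$svchost = "%SystemRoot%\System32\svchost.exe"

# 1. Block everything outbound that no rule explicitly allows, on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Always-on allow rules for DHCP and DNS, keyed by short service name so only
#    those svchost instances can talk out. These are the rules never to block later.
foreach ($svc in 'Dhcp', 'Dnscache') {
    New-NetFirewallRule -DisplayName "Allow-svchost-$svc-Out" -Direction Outbound `
        -Action Allow -Program $svchost -Service $svc -Profile Any `
        -ErrorAction SilentlyContinue | Out-Null
}

# 3. The generic svchost.exe rule by path only, created disabled. Enable it for the
#    minutes you want Windows Update / Store to reach out, then disable it again.
New-NetFirewallRule -DisplayName "Allow-svchost-Generic-Out" -Direction Outbound `
    -Action Allow -Program $svchost -Enabled False -ErrorAction SilentlyContinue | Out-Null

function Enable-UpdateWindow  { Enable-NetFirewallRule  -DisplayName "Allow-svchost-Generic-Out" }
function Disable-UpdateWindow { Disable-NetFirewallRule -DisplayName "Allow-svchost-Generic-Out" }

# 4. RestrictedServices\Static\System rules are invisible in the firewall UI, so read
#    the raw "v2.x|Key=Value|...|" strings and turn them into objects you can audit.
function Get-RestrictedServiceRule {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System'
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/... metadata
        $parts  = $p.Value -split '\|'
        $fields = @{}
        foreach ($part in $parts) {
            if ($part -match '^(?<k>[^=]+)=(?<v>.*)$') { $fields[$Matches.k] = $Matches.v }
        }
        [pscustomobject]@{
            RuleId  = $p.Name
            Version = $parts[0]
            Action  = $fields['Action']
            Active  = $fields['Active']
            Dir     = $fields['Dir']
            Service = $fields['Svc']
            Name    = $fields['Name']
        }
    }
}

# 5. e_web's caveat: BFE ignores service rules whose service SID type is NONE. List the
#    services named by the restricted rules that still report NONE, so you can fix them
#    with "sc sidtype <service> unrestricted" before trusting the block.
function Get-ServicesWithoutSid {
    Get-RestrictedServiceRule | Where-Object Service | ForEach-Object Service |
        Sort-Object -Unique | ForEach-Object {
            $out = & sc.exe qsidtype $_ 2>&1
            if ($out -match 'SERVICE_SID_TYPE:\s+NONE') { $_ }
        }
}

Get-RestrictedServiceRule | Format-Table RuleId, Action, Active, Dir, Service -AutoSize
Get-ServicesWithoutSid
```

Everything here lands in the persistent store, which is exactly what "Apply local firewall rules: No" discards, so if you move this into Group Policy the allow rules have to go there too, and the RestrictedServices key still only takes effect after BFE rebuilds its rules, which is why a reboot between tests is the safe habit.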

Clanger

Well-Known Member
Most people only have 1 PC. Screw up networking and you can't get online to find a solution; you're up crap creek without a paddle, it's not a nice place to be, so all you can do is reinstall or use a backed-up drive clone. If you ain't a networking god then it's best to leave alone.
 

Clanger

Well-Known Member
Saaglem, at what point do you get to use your PC for something other than the operating system itself? We seem to spend very little time in using a PC for the reasons we bought/made 'em in the 1st place.
 

Saaglem

Active Member
Howzit e_web. I gave up on Windows 10 for now........I'll work on it behind the scenes. Thanx for your help anyway. I jumped back to Windows 8.1 since I'm not getting anywhere at this stage with Win10. I did change the ports and rules in the reg file you supplied to the ones I wanted it to work with; I guess because I've removed the firewall it didn't do the job it was supposed to do. I will make work of it and let you know what I came up with to block it completely. One thing that I forgot....if I'm not mistaken then Windows has a backup hive that is stored on one of the boot partitions it creates. It will accept changes to the operating hive to an extent, after which it will refresh the operating hive. I will find it and report on that as well. Currently this hive is too big for any motherboard BIOS so it must be stored on one of the partitions. Cheers
 

Saaglem

Active Member
I don't want to sound fresh or Big.......but I have 7 of them. i9 for gaming, i7 for playing around and stuffing Windows up, Dell dual-Xeon Ark server, 2 i7's for the boys to play with, i7 for the wyffie and an i5 for a sandbox. I retired about 4 months ago and now make time for what I want to do and enjoy. In about 3 months we emigrate to Tasmania, so life is the way it is. I like gaming; it's since 1995 that I touched my first one....and ever since then I couldn't stay away. Built 3 big companies in South Africa out of IT and electronics and sold them when we moved to the UAE. When I get bored........I break Windows. lol....some plates as well apparently. Hahahaha
 