NTLite bug to write AutoLogger setting to the registry?

D

devilink

Member
This registry should be written to:
Code: 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

It actually writes to:
Code: 
HKEY_LOCAL_MACHINE\SOFTWARE\ControlSet001

微信截图_20221024100007.png

微信截图_20221024100406.png
 
I don't see a problem. Confirmed the AutoLogger setting was correctly updated in the image. Look in the registry hive's path.
 

Attachments

  • Capture.PNG
    Capture.PNG
    199.7 KB
  • Capture2.PNG
    Capture2.PNG
    195.2 KB
garlin said:
I don't see a problem. Confirmed the AutoLogger setting was correctly updated in the image. Look in the registry hive's path.
Click to expand...
Please save the image with Ntlite first and then observe. ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener will be generated under HKEY_LOCAL_MACHINE\SOFTWARE\
 
Just installed the same image. I don't see HKLM\SOFTWARE\ControlSet001.
 

Attachments

  • Windows 10 x64-2022-10-23-21-40-21.png
    Windows 10 x64-2022-10-23-21-40-21.png
    45.8 KB
  • Windows 10 x64-2022-10-23-21-41-29.png
    Windows 10 x64-2022-10-23-21-41-29.png
    73.9 KB
garlin said:
Just installed the same image. I don't see HKLM\SOFTWARE\ControlSet001.
Click to expand...

I found it, this will cause the registry to do that.

Code: 
    <Tweaks>
        <Settings>
            <TweakGroup name="Privacy">
                <Tweak name="DataCollection\AllowTelemetry">0</Tweak>
            </TweakGroup>
        </Settings>
        <Services></Services>
        <ExtraServices></ExtraServices>
        <ScheduledTasks></ScheduledTasks>
    </Tweaks>
 
Don't understand where this is going. Telemetry is data shared with MS. AutoLogger-Diagtrack-Listener is for logging boot events, like device driver loading. Whether it's shared with MS or not, doesn't impact the local system's log profile.

If you change the GPO policy, it's not going to update other ControlSet keys.

Further, why is only ONE KEY listed in your example when AutoLogger-Diagtrack-Listener owns multiple keys?

Why don't you test this by deleting the HKLM\SOFTWARE\Control001 key, and switch the GPO around. If you're right, then this key will be recreated or updated by itself.
 
garlin said:
Don't understand where this is going. Telemetry is data shared with MS. AutoLogger-Diagtrack-Listener is for logging boot events, like device driver loading. Whether it's shared with MS or not, doesn't impact the local system's log profile.

If you change the GPO policy, it's not going to update other ControlSet keys.

Further, why is only ONE KEY listed in your example when AutoLogger-Diagtrack-Listener owns multiple keys?

Why don't you test this by deleting the HKLM\SOFTWARE\Control001 key, and switch the GPO around. If you're right, then this key will be recreated or updated by itself.
Click to expand...

Code: 
<Tweak name="DataCollection\AllowTelemetry">4</Tweak>

Same problem, it's definitely wrong anyway.

I think, will it be an error generated by Ntlite when outputting regedit.
 
devilink said:
I found it, this will cause the registry to do that.

Code: 
    <Tweaks>
        <Settings>
            <TweakGroup name="Privacy">
                <Tweak name="DataCollection\AllowTelemetry">0</Tweak>
            </TweakGroup>
        </Settings>
        <Services></Services>
        <ExtraServices></ExtraServices>
        <ScheduledTasks></ScheduledTasks>
    </Tweaks>
Click to expand...
Aa yes, thanks! Corrected in the next version.
It was a just_in_case entry anyway, if telemetry comes back via an update or so, but still worth to correct it.

garlin, thanks for helping, it was a big confusing at moments, report could be summarized as:
"There is one entry for the autologger settings at the wrong reg key, AutoLogger-Diagtrack-Listener should be under System, not Software hive."
 
You must log in or register to reply here.
Back
Top