HyperAI

Windows 10 System Settings App Caught Sending Telemetry Data to Microsoft Servers

3 days ago

Nir Sofer, a well-known developer of Windows utilities, recently discovered that Windows 10 Home Edition, running service pack 20H2 and build 19042.1083, actively monitors user activity through the System Settings app. This investigation was prompted by the release of his new DNS logging program, DNSLookupView, which he used alongside his existing DNSQuerySniffer to compare results.

While testing, he noticed that simply viewing System Settings without making any changes generated DNS queries for www.bing.com and cxcs.microsoft.net. The DNS queries were initiated by SystemSettings.exe located at C:\Windows\ImmersiveControlPanel\SystemSettings.exe, and both were of the AAAA type, which is used to resolve IPv6 addresses. The DNS logs showed that www.bing.com resolved to ::ffff:13.107.21.200 and ::ffff:204.79.197.200, while cxcs.microsoft.net resolved to ::ffff:96.17.141.116.

Sofer further tested this using TcpLogView, a tool that logs every outbound TCP request. The results confirmed that SystemSettings.exe made outbound connections to both www.bing.com and cxcs.microsoft.net via HTTPS (port 443), which indicates encrypted data transmission. These connections were established and then closed within twenty seconds.

To explore the extent of Windows' telemetry, Sofer blocked cxcs.microsoft.net and conducted another test. Despite the block, the System Settings app still functioned, but additional DNS requests were made to ctldl.windowsupdate.com and ecn.dev.virtualearth.net. The latter request came from svchost.exe and was not directly related to the Settings app, though it did connect to an external server. Sofer noted that these findings suggest Windows wants to track every section visited within System Settings.

Further testing with the hosts file revealed that blocking www.bing.com on a network-wide basis (through router settings or Pi Hole) is more effective.
Modifying the hosts file to block www.bing.com led to mixed results, with nslookup still returning valid IP addresses, ping commands hitting the dummy IP addresses, and various web browsers unable to load the blocked sites. Interestingly, SearchApp.exe and Windows Defender Firewall services also attempted to resolve www.bing.com.

Sofer concludes that Microsoft's telemetry efforts are extensive and often overlooked. He suggests several defensive computing measures to stop Windows from spying:

- Modify Router or Use Pi Hole: Redirect DNS queries for specific domains to an invalid IP address (0.0.0.0) to block them.
- Use YogaDNS: Install YogaDNS and set up NextDNS to manage blocklists.
- Install Outbound Firewall: Use a firewall that allows granular outbound control, similar to Little Snitch on macOS.
- Block Specific Sub-Domains: Add the following domains to your blocklist:
  - browser.events.data.msn.com
  - browser.events.data.microsoft.com
  - config.edge.skype.com
  - cxcs.microsoft.net
  - evoke-windowsservices-tas.msedge.net
  - self.events.data.microsoft.com
  - settings-win.data.microsoft.com
  - settings.data.microsoft.com
  - umwatson.events.data.microsoft.com
  - watson.telemetry.microsoft.com

For those not using Microsoft services, blocking login.live.com and login.microsoftonline.com might also be advisable. Additionally, using secure DNS configurations in browsers and a VPN can circumvent some blocks, but these methods primarily affect non-OS communications.

Helge Klein’s comprehensive study in March 2021, which found that Windows communicates with 291 hosts and 2,764 unique IP addresses, underscores the pervasive nature of this issue. Industry insiders and security experts argue that while Windows 10's telemetry is often justified as necessary for improving user experience and system reliability, it also raises significant privacy concerns. Transparency about the data collected and how it is used remains a critical issue for users and developers alike.
Microsoft, a leading technology company, continues to face scrutiny over its data collection practices, especially in consumer-facing products like Windows 10. The company’s emphasis on telemetry and user data has become a double-edged sword, providing valuable insights for product development but also fuelling privacy debates. As tech users become more aware of these issues, the demand for more robust privacy controls and better communication from Microsoft grows stronger.
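
The following is an added example, not code from Sofer or from the article: a short Python audit that checks a DNS query log against the blocklist above, reports which process asked for which blocked name, and renders the 0.0.0.0 sinkhole entries. The log format (process,query type,name), the sample lines and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Domains named in the article: its blocklist plus www.bing.com,
# which the article blocks network-wide.
BLOCKLIST = {
    "browser.events.data.msn.com", "browser.events.data.microsoft.com",
    "config.edge.skype.com", "cxcs.microsoft.net",
    "evoke-windowsservices-tas.msedge.net", "self.events.data.microsoft.com",
    "settings-win.data.microsoft.com", "settings.data.microsoft.com",
    "umwatson.events.data.microsoft.com", "watson.telemetry.microsoft.com",
    "www.bing.com",
}

# Constructed sample log (assumed format: process,query type,name).
SAMPLE_LOG = """\
SystemSettings.exe,AAAA,www.bing.com
SystemSettings.exe,AAAA,cxcs.microsoft.net
svchost.exe,A,ecn.dev.virtualearth.net
SearchApp.exe,A,WWW.BING.COM.
svchost.exe,A,ctldl.windowsupdate.com
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def is_blocked(name, blocklist=BLOCKLIST):
    """Match the name or any parent domain by whole labels, so look-alikes
    such as notcxcs.microsoft.net are not flagged as endswith() would."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def audit(log_text):
    """Return {process: sorted blocklisted names it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        process, _qtype, name = (field.strip() for field in line.split(","))
        if is_blocked(name):
            hits[process].add(normalize(name))
    return {proc: sorted(names) for proc, names in hits.items()}

def hosts_entries(blocklist=BLOCKLIST):
    """Render sinkhole lines pointing each domain at 0.0.0.0."""
    return [f"0.0.0.0 {domain}" for domain in sorted(blocklist)]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Running the audit against a log captured after a block is in place shows whether a process is still asking for a listed name, which is what the article's follow-up tests were checking.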
