They disabled windows update because it is spyware? Are they providing their own filtered update channel??
Ok, so PSA: if you don't want "Spyware" don't use windows. In Forensics, you learn there are many many ways windows tracks what you do, some of which can be disabled but it is all architected into the OS. If you looked at a specific folder in explorer, that can be proven in court, executed a specific program? At least 4-5 ways come to mind. Take a peek at c:\windows\system32\winevt\logs\ (equivalent of /var/log/) and that's just one place.
I mean the spyware has measurable and valuable security benefits. If you wanna really test your malware dev skills, leave cloud submission turned on Defender and write any basic malware (harmful not just undesirable) and avoid detection for longer than a day. It was very hard when I tried it (for legit purposes).
I bash on Linux because of all its problems (only because I love it and want to see it improve) but if you want privacy, use Linux, the cliche holds true. You can always use windows in vbox+seamless mode for most things or on a separate device if you can afford it.
Some of us have windows just to play games, sometimes on our tv’s with a controller but that’s impossible when you have garbage popping up constantly. There’s definitely a demand for windows that can play games and do nothing else.
Proton is incredibly impressive nowadays, even when dealing with highly invasive anticheat services. I think there are only a small handful of games in my steam library where it doesn't work well. Within 5 years I think most of the remaining friction to gaming on linux will be gone.
It's what I'll probably end up doing when I have the energy but my wife is a bit techphobic and enjoys playing some games since setting up the PC on the TV but will abandon everything if linux starts getting in the way :D
Yes, but like always this is dependent on hardware and drivers. Which is a reason I'm excited about the Steam Deck and potential future devices. Hardware built by Valve has most likely the best compatibility.
I use the steamlink app on Apple TV and I haven't had any issues with garbage popping up and interrupting me, and I haven't made any tweaks to Windows. Just letting you know in case you'll find it useful.
Yeah, I can't say I've noticed any latency though, as long as I've got an ethernet connection set up. Also a good idea to turn on whatever your "game mode" is on the TV. I use one of those flat ethernet cables and run it under my living room rug to my TV.
I imagine using steam in big picture mode would be equivalent if you're not streaming though. Maybe it's something else, I just can't remember a Windows pop-up ever interrupting my gaming whether I'm playing on my TV or not.
My rudimentary Win10 setup is such a gaming-only system, only Apps installed are Steam, GoG, Epic and Origin. The Spam that comes from those apps aside (mostly sales popup banners/notifications), I still receive the occasional "Your windows is at risk because you don't use OneDrive", or "Windows Defender has not found anything" or "Hey, this is our new Edge browser we installed and placed a shortcut on your desktop, want to make it your default browser now?" spam.
Some of that can be disabled with "O&O ShutUp10" or with some of the debloating scripts various people have created over time also mentioned in this thread.
Yes you can always mod the system, but please re-read the thread. I answered to the question what spam windows generates. Saying there is no spam because you can run a script to minimize, is like saying you don't receive spam mails because you run a spamfilter.
I get what you mean. I fought a similar battle back in 2013 when a document was proposed to the IETF, never ratified but yet network engineers everywhere adopted it and the anti-spam industry exploded. I sometimes think these things are under-engineered on purpose so that friends of friends can create new business models.
Driver popups. I made the mistake of buying a razer keyboard and microsoft update itself is pushing to download their companion app each time it does an update. It's a thing, look it up. There are workarounds but they don't survive multiple rounds of updates.
Then I envy you. It’s not some big secret but it definitely happens with my keyboard. Maybe it’s loading it from the keyboard itself? Either way it only happens during windows updates.
I don't think there's a need to dramatize and exaggerate. Once you get setup on Windows and uninstall the stuff you want to uninstall that’s pretty much the end of it.
So you play games with Windows security updates turned off? Why don't you just post all of your passwords and bank accounts on the internet and save yourself the trouble of waiting to get hacked.
IDK about other folks, but very few of my passwords and nothing that'd get you direct access to any of my bank accounts touches my Windows gaming machine (which is also my only Windows machine).
Important account credentials are on macOS or iOS. Local copies of my important files are on a system running Linux, and the Windows machine doesn't have access to that (doesn't need to, all I do on it is play games, if I didn't PC game I wouldn't have Windows at all).
[EDIT] However, mine does have Windows Update turned on.
What bank accounts do you think are on that machine? Perhaps it's risking credentials to ex. Steam and such, but again, if all you run is games where are you getting malware from?
Edit: Actually, to steel man the argument: If you pirate a game and get a keylogger that way, and then type in your credit card to buy a game (ex. on Steam), then you'd have a problem. I maintain that it's perfectly possible to maintain a... "DMZ PC" for games, but there are ways for it to end badly.
Hope there's no microphone or webcam connected to your computer, because an attacker can listen or watch. Also, your firewall is worthless because attackers have a foothold inside your network. Also, hope you don't use the same user/password combination on any windows machines or SMB shares on your network, because those are now pwned too. Buy a game, credit card info stolen.
I run a wire to the unit next door and use my neighbor's internet and all the microphones have been covered with blue tapes and the webcams are pointing at my bird cage.
It's "impossible" to play games on Windows because "you have garbage popping up constantly"? Sorry what are you talking about? I, like millions of people, play games all the time on my Windows PC and don't encounter this problem. It's most certainly not "impossible".
> There’s definitely a demand for windows that can play games and do nothing else.
It's called a "games console". Microsoft makes one called XBox.
I say this as a console guy since the 1980s: There’s also a huge chunk of PC games that have not and will not find their way across to console. Classic games, indie titles, niche tastes, etc. If I want to play Stalker, CDDA, Cogmind, Caves of Qud, DCS World or even the (extremely popular) Escape from Tarkov, I can’t do any of that on Xbox.
PC gaming is a weird and wonderful ocean; console gaming more like a highly curated pond.
Good point on the Switch, I own both and would agree there. PC is definitely better than XBox (Account on PC is frequently required to purchase, but not to play).
XBox I actually called out specifically because when we got an XBox 1, we discovered there is no way to do anything - setup of the console, launching a game, etc - without having an XBox Live account per user of the machine.
Not defending this thing, but logging events and uploading them to the mothership are two very different things. To your own admission /var/log on linux.
Depends on your definition I suppose. The fact that it is sitting there to be accessed by any program is a problem for some but I agree, sending it over the network is what most people worry about. Most evtx logs are not sent to the "mothership" but other telemetry and security logs like defender logs might be by default. There is also cloud submission which sends MS random suspect files for analysis.
Also, closed source means it is hard for me to be sure which of those logs are sent to MS.
I'd have to check, but I'm pretty sure particular logs are NOT accessible by Builtin\Users. Particularly Security log.
But comparing logging to spyware is nuts.
Event logs are just one of the endpoints for event tracing mechanism and event viewer is just one crappy UI for that. You can turn on/off various logging to your heart's desire, including various diagnostic/tracing info. You can go all the way to capture stack traces, cpu context switches and whatnot. Windows is pretty configurable in this regard.
Defender doesn't hide option for cloud based scanning and it is up-front in settings. I dunno if it is enabled by default or not, but in our org, we had to explicitly rollout changes to enable it (we are pretty locked down by default)
First, I never said any of this was hidden or in secret. Second, event logs are just one of many places where activity is tracked. Most of them are harmless but many will keep a record of what is being done on the system in a way that isn't obvious to the user of the system. Lastly, installed programs don't need to be builtin\users they can run elevated or in any group, you are assuming only accidentally opened programs are risky?
The subject here is personal use, not corporate use. For example you might torrent a movie and then uninstall the torrent application, files and downloaded content. If you get sued and (I know it is rare) your windows install is submitted as evidence it can be proven that you executed the torrent program, the torrent program transferred so many bytes and that you opened the folder of the torrented content without looking at any file directly related to the torrent app or windows event logs. Or let's say you downloaded content from a site but then cleared your browsing history and uninstalled your browser. Thanks to motw the downloaded files on your pc show the sites from where you downloaded them and the referrer that led to you visiting the download link. These are only some examples.
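An added example, not part of the thread or of any poster's comment: the Mark-of-the-Web mentioned above is an NTFS alternate data stream named `Zone.Identifier`, and this sketch parses one the way a forensic or triage script would. The function names are my own, and the sample stream is constructed for illustration.

```python
"""Parse Mark-of-the-Web (Zone.Identifier) alternate data streams."""
import sys

# URL security zones referenced by the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes next to a downloaded file.
SAMPLE = (b"[ZoneTransfer]\r\n"
          b"ZoneId=3\r\n"
          b"ReferrerUrl=https://downloads.example/page?id=7\r\n"
          b"HostUrl=https://cdn.example/files/setup.zip\r\n")


def decode_stream(raw: bytes) -> str:
    """Decode stream bytes, tolerating a UTF-16 or UTF-8 byte-order mark."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_zone_identifier(raw: bytes) -> dict:
    """Return the [ZoneTransfer] fields of a Zone.Identifier stream.

    Keys are kept as written (ZoneId, ReferrerUrl, HostUrl, ...). A
    'ZoneName' entry is added when ZoneId is a known zone number.
    Returns {} when the stream has no [ZoneTransfer] section.
    """
    fields, in_section = {}, False
    for line in decode_stream(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)  # URLs may themselves contain '='
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId", "")
    if zone.isascii() and zone.isdigit() and int(zone) in ZONES:
        fields["ZoneName"] = ZONES[int(zone)]
    return fields


def read_motw(path: str):
    """Read the stream of a file on NTFS; None if absent or unsupported."""
    try:
        # On Windows/NTFS a named stream is opened as "<file>:<stream>".
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, read_motw(p))
    else:
        print(parse_zone_identifier(SAMPLE))
```

Deleting the browser or its history does not touch this stream; it travels with the file until the file is copied to a filesystem without alternate data streams or the stream is removed explicitly.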
Most operating systems log things — it’s a feature. Most consumer software collects telemetry — irrespective of platform.
Have a look at what a typical Android phone sends out! Including your GPS location! Apple isn’t immune either because the Facebook SDK that’s included with everything would make the NSA blush. TikTok even tracks your phone motion sensor.
IMHO raging about 30-year old diagnostic features is misplaced anger. Be angry about how every piece of software now goes through these stages:
1) Opt-out telemetry only collecting the important stuff, we promise!
2) Okay, collecting it synchronously was a mistake and it slowed down everything for everyone that’s not sitting in our head office. We fixed it though, don’t worry!
3) Umm.. apparently some people are behind corporate web proxies which makes the async code leak threads and melt CPUs. We fixed it though!
4) Some people have used the newly added proxy support to inspect the encrypted blob. We promise that it was an honest mistake collecting every single point of information we possibly could about your system including mouse movements and key presses. Don’t worry, we fixed it! We now “anonymise” the information. Don’t worry about why that’s in quotes.
5) Those socialist Europeans sued us when we said we deleted their data but it was still there when they reactivated their accounts. Oopsie! Our bad. We promise to “wipe” your data including telemetry when you request this form. Fill it out in triplicate and fax it to this Cayman Islands number please.
6) We can no longer sell our software in some jurisdictions. Don’t ask why or what that implies about how we treat our customers in other jurisdictions with weaker legal protections.
I was not raging. Doesn't matter what the reasons are (hard to prove either way), for the unassuming user there are serious and even fatal implications if removing specific files or clearing history or logs does not have the expected effect. I am aware (I hope everyone else is) that mobile operating systems are magnitudes of order worse.
Your list of complaints is whataboutism and is not directly related to OS privacy expectations and reality.
Linux is better at this because it gives you more control over what is logged and the code is open source.
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Spyware is not the same as local system logs. Spyware in this case is software that sends unnecessary or intrusive information to Microsoft. The goal of Windows Ameliorated is to remove spyware, not prove your innocence in court.
You used Windows Defender as an example of a security benefit. There are alternatives to Windows Defender, and IMO If you're a tech literate power user, an AV isn't useful in most cases.
If you have the time, consider reading this: https://wiki.ameliorated.info/doku.php?id=antivirus
Personally I believe antivirus software in general does more harm than good, as they are generally quite resource hungry and privacy intrusive.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
> Are they providing their own filtered update channel??
You can even update Windows offline if you want to.[0]
It's quite refreshing to be able to prep a USB stick containing all the updates for a clean install of a certain build of Windows and be able to deploy them without needing to connect to the internet.
Object access auditing has been around in NT since the mid-1990s, if not from the beginning. It's not some secret spyware, it is literally a feature that is widely used and is a requirement for high-security environments (e.g. government systems) when you need to be able to log or prove if someone did or did not access some sensitive information. E.g. insider threat scenario.
Others also seem to think I am pointing out some secret feature. None of this is a secret, just not obvious to people who didn't think to look for it. Defaults matter.
>> If you looked at a specific folder in explorer, that can be proven in court, executed a specific program?...
You'll find most if not all of these in `.bash_history`, wouldn't you?
Probably, it's possible to setup an install of Linux in such a way, that the user won't leave any traces in the system, but this is definitely not the default behavior. And the system setup in this way is likely a pain to use. But if you have a specific need, by all means, go for it. After all, with Linux you're in control.
But saying Windows is spyware because it logs your activity locally is stretching it.
The OP called it spyware, not I. I pointed those out as examples of what artifacts windows logs. Bash_history much like your browsing history you can clear it and be done with it. But due to the seemingly endless subsystems (new ones get discovered all the time, see my other replies) if you clear security.evtx and your browsing history there are still many reliable (as in court tested) artifacts that can prove you browsed specific sites and ran specific programs.
I don't know how much of this MS collects and anyone who says they do, I would challenge them for evidence because there are many plausibly deniable and benign reasons to extract this information from the host.
I would say at best windows is spyware-friendly.
If I worked for the CCP and was instructed to get a list of people that used Signal so they can be sent for re-education, I would not even look to see if Signal.exe is installed in windows, I would just check prefetch and srum.
It's not whataboutism. Windows has a ton of features spanning decades and privacy was never a priority given their paying customers' priority. Linux on the other hand was made by individuals and allows a lot more control and input from users. If privacy is your priority then Linux wins the race. If manageable corporate workstation is your priority then windows wins the race.
History clearly shows us about tenth of all updates from Microsoft are bogus, if not malicious. I only install those I downloaded and checked manually.
I don't agree that not keeping up with Windows Update is always a security risk, if one is behind NAT and only browses trusted websites (which rules out webmail, BTW.)
I do agree that trying to make a consensual OS out of Windows is an uphill battle. If you're stuck using it, however, for whatever reason, a patchkit like this is better than nothing.
This probably deserves the new top spot in the 'security theater' competition.
Cracked Windows, no security updates since 2018, iso distributed through some telegram channel. This is the software equivalent of trying to buy a homemade vaccine from craigslist because you're afraid that Bill Gates is going to microchip you.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts, and is legal if you use a license key before running the scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
It has all of the SSU and cumulative updates since 21H1. But anyway I doubt they put anything in there, should be easy enough to look at the scripts on the ISO or just patch it yourself. The ISO is just an 'easy' way to distribute it.
A WFP firewall like simplewall (by henry++, not the corporate one) can block everything by default, including services like Windows Update, and is IMO the most straightforward option.
Couple of issues with this, the first being a "rudimentarily activated using a Generic Key" ISO that's not from Microsoft. Can you really trust this source and technically at this point, it's piracy. Secondly, once the Microsoft lawyers get wind of this, expect it to be shut down rather quickly.
I'm okay with providing documentation, tools and scripts to remove the cruft and increase privacy within Windows 10, but the ISO linked from a Telegram channel is dubious at best.
I personally don’t use questionable software because I worry about having ransomware installed but had to laugh at your comment. My question would be who gives a shit if it is piracy especially against Microsoft. They have become so hostile I would argue they no longer have the right to say I’ve taken anything after taking my money for a product then using that product against me to steal my personal information. I’ve given them enough money so I won’t feel bad using this and removing the unwanted stuff they are raping me with. One day I will move to Linux instead of complaining but until then me and Microsoft are not friends. I change a setting and suddenly it comes back. They don’t take no for an answer. Rapist mentality
I looked over the second option and it's a pretty extensive patching process. The 2-3 hours they give for it is generous. Also it appears that they do do windows update manually, so it's still a fully up to date Windows 10 installation. I suspect you could get away with just running their script on a legit, fully updated, Windows 10 install, with presumably the UI modifications they want you to do (says the scripts need you to do that).
I never really looked too deep into Ameliorated Windows, just saw that they have their own ISOs. From memory, nLite came with a slick installer that you just supplied an ISO to and chose some options, and it did everything for you.
The ISO was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. Also, Microsoft already tried without success to shut it down in the past, after Linus made a video on Windows Ameliorated.
Yeah, my question was around legality too. The FAQ seems to imply that because it was educational or improves interoperability, that it's somehow legal. Not sure how that's supposed to work, but it would be interesting to learn about.
Sorry to beat a dead horse, but please use "copyright infringement" or "unauthorized copying" instead of "piracy". Actual pirates commit or threaten physical violence, so this meaning-slippage is just propaganda.
This is what happens when people don't understand group policy and are a little too paranoid. This is just a broken version of Windows 10 as far as I'm concerned. You will have far more problems with this than any "forced" Windows update people love to complain about.
It’s an educational release, and one that raises awareness about the issues of Microsoft collecting PII and other telemetry. Even if it’s provably broken in the ways you say, it still serves the stated goals of the creators in these ways.
That's not at all what they say. It's advertised as "a stable, non-intrusive yet fully functional build of Windows 10 to anyone that requires [it]" in which "great effort has been invested in maintaining the subsequent system’s stability, bug-free operation and user experience".
The entire site screams "download this and use it in production". They have big friendly ISO download buttons front and center, with absolutely no disclaimer anywhere that it might be a terrible idea. If it truly is merely "educational", then this is highly irresponsible.
It [being an education release of Win10] is exactly what they say.
> AME is developed for educational purposes only, which emphasizes an effort to reverse engineer, disable or replace components of the Microsoft Windows 10 operating system. The goal is an endeavour to better understand and mitigate the collection of Personally identifiable information (PII), as has been clearly outlined by numerous outlets covering the topic, including comments by famed whistle-blower Edward Snowden. Another goal is to replace included proprietary Windows software, such as the Edge web-browser, with ethically verifiable alternatives using open-source licenses.
There is literally a link titled "ISO Download" at the top of the web site.
Claiming that "oh, that web site isn't actually offering the download, it's actually a torrent file hosted on a Telegram channel" is not the defense you think it is.
> Your legal argument is clearly false, or else torrent sites themselves wouldn’t exist. The Pirate Bay is legal!
Yes, so legal that Gottfrid, Fredrik and three more guys who founded the site got a fine of roughly 3 million USD and one year in jail for helping people commit copyright infringement. So very legal. Wtf dude?
If you think the existence of a site is proof of legality then I don't know what to tell you. Do you believe child porn is legal as well because such sites exist?
As for personal attacks, I'm sorry but this is not a debate. I'm sharing facts with you and you're sharing your ignorance.
Using group policy or registry edits does NOT fully remove Windows spyware or telemetry. Windows Ameliorated is different in this regard, as it actually gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
Also, as a personal testimony, my whole family and I have been running AME as a daily driver for awhile now, and haven't run into any significant issues (funnily enough, I've had less issues with Windows Ameliorated than I have with Windows). From my experience it really is stable, and IMO even more stable than stock Windows.
I ask that you actually try out a project before making claims about it.
It'll probably still work better than some of the insane and dubious things my Citrix customers manage to do to windows in the name of stability and privacy...
Do you understand why people might get confused? They don't qualify what they mean by "more secure," and it seems reasonable to criticize the project if their idiosyncratic definition of "secure" actually excludes one of the biggest advances in consumer software security in the last 20 years...
The biggest advance I can think of is using security as an excuse to gather and monetize data.
Different people have different attacker models. I can imagine something like this would be perfect for keeping a mostly airgapped machine to access archives of documents created by Windows. (Or to use legitimately licensed, pre-everything as a service software in perpetuity)
In any case, if you wanted security in the way you describe, how would you justify running Windows 10 at all? The onus isn’t on this project to secure Windows when they had no part in making it insecure to begin with. If Windows were open source, these measures wouldn’t be necessary, and wouldn’t result in less security. This is the current best effort that the devs can do to accomplish their goals. It’s fair to criticize the goal or the results, but issues you’re describing are present in stock Windows 10 to begin with.
I’m sure that some kind of auto build script could be created, so that whenever new Windows Updates are released, a new build is created.
What configuration is there? You're either NATing or you're not. There's no "good". It's on or off. What situations have you been in where you weren't NATing between LAN and WAN?
Does VPN subnet translation count as NAT? Because I've definitely seen some footguns come from that.... I've also seen instances where poorly configured NATs ended up allowing victims to be used as proxies. So I'd say there are definite security questions to take into account.
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
The ISO has been used by hundreds of people, with no sign of malicious intent, so personally I'm willing to trust that as well.
-In order to secure the system properly, it is strongly advised to revoke administrator privileges from the default user.
-By using any of these images you agree that you have obtained a genuine product key or are able to activate by an other authorized method.
-Can AME be activated with a legit key, like normal Windows? No.
1. ~70% of the Windows attack surface as of 2020 is caused by using an administrator user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). This does not mean you cannot do administrator actions, it only requires the admin password on each UAC prompt.
2. This is for legal reasons. You're not going to get in trouble if you don't follow it, and many people don't. (Unless you're a business)
3. Windows activation has telemetry, and there's no real reason to have it in the first place.
If you still wish to activate with a license key, you can activate Windows before performing a manual amelioration (Guide here: https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
I was today years old when I learned about "generic keys", "ltsb" and "ltsc". So this post was useful after all.
For everyone else: Chris Titus Tech's debloat script is what you want especially if you thought for a millisecond installing Windows from this ISO is a good idea.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, and it's all open-source. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
The script you mentioned does NOT fully disable or remove the spyware within Windows. Windows Ameliorated gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
These types of "optimized" images are notorious for having viruses and other changes that compromise the entire system. Just disabling updates is a huge red flag. If this stuff bothers people, there are viable alternatives. Even if this effort means well, it's a terrible solution to a problem that's only fixable by eliminating any and all dependencies on Microsoft.
It’s been 4 days since the last remote-exploitable, no-auth-needed RCE hole in Windows. If you were running this version of Windows, you would not get the patch automatically delivered to your device.
Bonus thought experiment: this same criticism applies to most Chromium and Firefox forks. (Especially the ones that describe "no automatic updates" as a feature.)
I wouldn't call it criticism. Software at this scale and complexity will have vulnerabilities. I'd be a lot more concerned about someone who claims that their code is fully secure and doesn't need any patching ever.
> Software at this scale and complexity will have vulnerabilities.
Certainly. The question is what provisions the software has made to mitigate those potential vulnerabilities by notifying users that a patch is available and allowing them to automatically apply that patch.
Deliberately removing these mitigations from a piece of software which is highly exposed to exploits, like a web browser or an operating system, is nothing short of irresponsible.
Windows Ameliorated ships with a non-administrator user, thereby requiring a password for temporary admin privileges.
Most no-auth exploits take advantage of the user already being an administrator, and then bypassing UAC for example. The configuration mentioned above would likely mitigate this issue, although I'm not educated enough on this subject to say for sure.
Tron is very different from Windows Ameliorated, and doesn't remove all the spyware on an executable level like Ameliorated does.
Windows can be ameliorated completely legally by doing the amelioration process manually and entering the key before running the scripts. (Guide on the ameliorated.info site)
This thing is not on the list, because it's obviously extremely sketchy (in addition to it being illegal / piracy / etc. the actual "functionality" of removing Windows Update and Windows Defender is bonkers).
It's not illegal if you enter a Windows key before a manual amelioration, and even if you use the pre-made ISO, it's extremely unlikely anyone is going to go after you for it, unless you're a business.
I disagree that it is "bonkers" to remove those. Both are a threat to privacy.
As far as Windows Defender goes, I believe antivirus software in general does more harm than good. They are generally quite resource hungry, and won't prevent most zero-days or unknown malware. If you're a tech literate power user, I don't think an AV is useful to you.
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...).
Of course you can still do admin actions, it just requires the admin password.
All these complaints about security and stuff that's "for our own good", I'm just happy to have a well documented source for my mostly offline windows VMs which is
- < v11
- easy to find (versus looking on torrent sites for ...)
- debloated
- will not update and restart itself if granted internet access temporarily!
The last one has really screwed me when setting up fiddly product demos on win environments the night before an early morning meeting.
Not at all, please do research into projects before making unfounded claims. Windows can be ameliorated completely legally by doing the amelioration process manually and entering the key before running the scripts. (Guide on the ameliorated.info site)
At this point I think we better accept that each operating system has its flaws. Instead of forcing the OS to change, imo it’s better to choose the OS according to the job. I don’t see why anyone would install this and not even consider Linux..
Some people require Windows, or prefer to use it over Linux. And some of those don't want the included spyware that comes with it. Windows Ameliorated is for those people.
It's not always as simple as "want privacy? Switch to Linux!". Some people want Windows as well as privacy.
Pretty much what we've been doing to Windows since... always?
At least I did it to win7 (last winblows I used), it was totally legit, but I love the idea of a working totally offline machine.
Way simpler solution is go grab yourself a copy of WPD - https://wpd.app/
I've found that to be a very simple, well documented antidote to Windows' constant desire to violate my privacy
I run it every time you see a new windows update roll through and it has constantly kept up with their most egregious attempts - feels like a good middle ground
Cool project, and a good middle ground. Keep in mind its goals are different compared to Windows Ameliorated, and I highly doubt it truly gets rid of all the spyware.
For some it is necessary to use Windows. Windows Ameliorated is for those who both need (or desire) Windows, but don't want the intrusive spyware that comes with it.
It's funny, on a fresh W10 install there's a toggle for weather telemetry for "Location", which the description describes as being used for weather data.
Even if it's un-toggled the weather feature in the taskbar works fine. At this point I've given up, need Edge unfortunately so can't use LTSC.
Give Windows Ameliorated a shot man, it truly does get rid of the BS. Not just with some registry edits and cosmetic settings options, but it actually gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
My whole family and I have been running AME as a daily driver for awhile now, and haven't run into any significant issues (funnily enough, I've had less issues with Windows Ameliorated than I have with Windows). From my experience it really is stable, and IMO even more stable than stock Windows.
I like AME especially as a statement, but after a few months of running it on my desktop I found it wasn't worth the trouble. Weird things kept not working and most of the time I couldn't figure out why.
It's been quite a while so my memory's a bit hazy, but as I recall the biggest issue was the Start menu behaving oddly. On my typical computers I run OpenShell, but certain things don't show up in the search result list so I have to open the Windows Start and search from there. AME's start menu is very stripped-down and very little shows up with it, though that could've changed since I used it. Now I'm certain there are two or three different ways to do all the things I wanted to do but breaking the habit of "push button, type, hit enter" was tough. If I were going to try it now my concern would be a lack of control over updating. Sure, AME strips WU out so you have perfect negative control, but running LTSC with Windows Update Manager makes it very easy to install the updates I actually want.
I see, thank you for the detailed reply. One solution could have been uninstalling open-shell, that way the start menu would be normal again. Some of open-shells search behavior can be changed, although it can be a pain.
As far as WU goes, personally I think it is overrated. The only real use for them is security, however I've found that even that is really not necessary at all. Just from my own experience I've never seen anyone run into issues/get infected purely because they didn't update, and I think that if you're tech literate it really is unnecessary, to a certain point that is.
It is still a tradeoff, but I personally find the benefits and peace of mind more valuable than missing out on security updates.
Microsoft will have to maintain Win10 perpetually, unless it gets the ability to ungroup the taskbar again. Keeping me and thousands of others from updating to Win11.
But I don't see how this version is more secure? Yes, no telemetry and lots of services disabled. But will lack updates, right?
I mean, I stuck on Vista for forever even while Microsoft incentivized my university to install 7 on student laptops for free, just because 7's taskbar forced windows to be grouped (*), but that didn't stop Vista from dying.
(*): To be precise since "grouped" means different things: In 7's taskbar, multiple windows of the same application would be forced to be adjacent. I preferred my windows to be ordered by context, not by which application they belonged to, eg VS-terminal-explorer-browser for project 1, then VS-terminal-explorer-browser for project 2, and so on. Eventually 7 Taskbar Tweaker became a thing that allowed this, so I switched.
Technically using AME from the pre-built ISO is illegal, however realistically no one will ever go after you for it, unless you're a business.
You can however legally do it by self-ameliorating and entering a key before the amelioration process.
It does lack Windows Update yes, as WU is a threat to privacy. Windows Ameliorated helps mitigate this by shipping a non-administrator user account by default. Of course you can still do admin actions, it just requires the admin password. ~70% of Windows vulnerabilities are caused by using an admin user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...)
P.S. Personally I think security updates are a bit overrated, as in all practicality, there's extremely little chance of getting attacked unless you download FreeFortniteVbucks.exe
FUD is what you’re doing right now. Review the changes or claim your spot in the peanut gallery. HN isn’t for whatever you want to call what you’re doing.
It's hard. I got mine because MS gave me a free Visual Studio Enterprise subscription, which seems like one of the only ways to get it. But I think that thing runs to $3000/year if you're paying for it.
Are there any companies that deploy this internally? I would expect that some law firms adverse to Microsoft, and Microsoft competitors, might want to do so.
> Are there any companies that deploy this internally?
I should hope not. This is a cracked copy of Windows. The FAQ explains that it can't even be activated properly, as some of the components required for that process have been removed.
Fuck no. You'd be nuts to run this in production. Normal people in an enterprise world use group policy and scripting, they don't rip Windows apart breaking God knows what.
NTLite (www.ntlite.com) should be mentioned itt - it's a nice tool for stripping functionality from the Windows installation media and can be used to produce a stripped down ISO like this.
How is it impossible to access? Telegram is a pretty popular messaging app, and if you don't already have an account it's easy to make one. You can use a google voice number or similar to sign up if you prefer not to give your real one.
Forcing people to create or sign in with an account is bad, particularly when one considers that the ISO is of questionable legality.
What would be infinitely more useful would be a program which directly modifies an ISO image that the end user can download herself directly from Microsoft.
Windows Ameliorated does much more than what O&O ShutUp does. It completely removes spyware on an executable level, not by just using registry or policy edits.
Hundreds if not thousands of people have installed it, with no sign of malicious intent.
If you still don't trust it, you can manually ameliorate using the open source scripts. (Located on the ameliorated.info site)
> Windows 7 is becoming very outdated, both in usability and security.
Usability? What's wrong with its usability? There have been a lot of BS claims in this topic but this one looks the most egregious. Anyways, the topic was hidden from the main page and can only be found by a direct link.
Usability and security are really important topics. Here I describe what I've done about them and, in particular, why I'm considering depending on Windows 7 Professional for a lot more.
Recently I've spent many hours using Windows 7 on one computer and Windows 10 on another.
So far, I prefer Windows 7. For the difference in "usability", maybe you mean the changes and/or additions since Windows 7.
To me it seems that there are some people at Microsoft who have a vision of user interface, user experience, usability they want and want Windows to move to that. The early, seed example of their vision is the GUI, graphical user interface, but I am guessing they want to move to hand gestures, eyeball tracking, special 3D goggles, lots of inferencing to guess, anticipate what a user wants, etc.
Some people can really like that vision, especially if it is done well, but that seems difficult.
For some parts of computing, versions of such a vision might be the right things to pursue.
For me, for a computer I would use, I don't want the vision. The changes I saw from Windows 7 to Windows 10 seem to be part of the vision, and, whatever they are, I don't like them. One big issue is, I don't know what all the changes are: Apparently I'm supposed just to discover the changes. Well, maybe I've discovered less than half of the changes.
Some of the changes I really hate: E.g., with Windows 10 too often suddenly all the open windows disappear! And too often I'm trying to work quickly, by accident hit some strange key combinations, and suddenly big, goofy things happen.
For me, personally, my main uses of a computer are just (a) typing text, (b) Web browsing, (c) watching movies on DVDs, (d) occasionally printing some letters or addressing envelopes.
So, my most heavily used program is the one I use for nearly all my typing, my favorite text editor, Kedit -- right, trying Emacs is on my TODO list.
Otherwise, I use Firefox and Chrome for Web browsing and VLC or PowerDVD for movies (or music CDs).
Otherwise my favorite part of Windows is the hierarchical file system NTFS (new technology file system), and to help me use that I use the scripting language Rexx, have written a lot of macros, and have written a simple shell (runs in console windows and gets my typing and does the right things with it).
Windows 10, 7 and maybe even still XP and 2000 are all plenty good at all of that.
So, point: For me, personally, for the parts of Windows 7 I use, usability is fine; I don't want to be bothered with changes; in Windows 10 I'd welcome a big OFF switch so that I could get rid of the results of the vision.
For me, my car is not my destination and is just a tool I use to get to some destinations. For my personal usage, my computer is not my destination but just a tool. For me, the goals of the vision make bad tools.
I should insert: For me, often GUIs are inefficient because it is tough to script such programs, that is, run one of them 200,000 times to automate some work.
For the rest of my interest in "usability":
I'm trying to do an Internet startup, that is, a Web site. For that I've done some programming, appear to have the code working as intended, but no doubt will need to do more. And I will need to handle some dozens of terabytes of data.
I settled on Visual Basic .NET for the programming language, ASP.NET for the Web pages, ADO.NET and SQL Server for the data base.
For .NET, it looks quite capable. Also, Microsoft seems to be taking it very seriously, and a lot of important work is being done with it. So, it seems like a good choice for my startup.
Visual Basic .NET (VB)? It appears to be a perfectly good way to get to the .NET framework and the CLR (common language runtime). C# seems to have borrowed some of the C syntax that, as I recall from Kernighan and Ritchie, was deliberately idiosyncratic. To me, the VB syntax is more traditional, more like Basic, Fortran, Algol, PL/I, Pascal, etc. and is easier to teach, learn, read, and write and less error prone. My understanding is that the semantics of VB and C# are (or long were) essentially the same, and that there is a program to translate from either one to the other. So, the difference is syntactic sugar.
For .NET? I welcome the work on managed code, garbage collection (management of dynamic memory allocation and freeing), etc. If managed code is a little slower than C, C++, or assembler, fine with me: Current processors with 8, 10, 16, etc. cores and clock speeds 4+ GHz seem plenty up to running managed code for the Web site of my startup. And for servers processors with, what, 256 cores are coming?
For the last time I checked ad rates, a day my Web site with a 4.0 GHz 8 core processor gets busy should be a good day for my bank account.
For Visual Studio, once I tried it for about an hour, could make no sense out of it, and never tried it again. I type my code into Kedit. So far, it's worked fine. Then I wrote a few little macros that make Kedit work even better. Happy camper time. I know; likely Emacs could be still better.
For my business, writing and running .NET code as above is the "usability" I want.
If Microsoft wants some improvements, then okay:
(1) Copying files for backup: Robocopy seems to work, and it is what I use. Getting all the options set took a while. The log file it writes is ugly, and I can't make any sense out of a lot of it.
To me, XCOPY has some serious problems with how it handles dates and times.
For Microsoft's "Windows 7 backup", for Acronis, etc., I can make little or no sense out of them.
So, for a step forward, I'd like a better backup program. Right, no vision thing. No GUI. Command line only. Excellent design. Good documentation.
(2) List of the names in a file system directory tree.
Commands DIR and ATTRIB are ways to get a good list. I have a command SUBDIR from Rexx that is my favorite. But a better program would be welcome. Right, no vision thing. No GUI. Command line only. Excellent design. Good documentation.
(3) Check two files for equality.
I just want to see if two files are equal or not. Don't assume anything about the contents of the files -- don't assume that they are lines of text, from Office Word, etc. Don't try to find all the places the two files are different or the same.
So, COMP is the wrong tool. And FC can't handle legal file tree names.
So need a program that will compare two files for being equal, yes or no, and with the output only the first byte where they are not equal. Right, no vision thing. No GUI. Command line only. Excellent design. Good documentation.
I wrote my own using Rexx and its function Charin.
Now for the important topic of security:
Some months ago I did download that last update for Windows 7 Professional. Then I noticed that apparently that update also is for the corresponding edition of Windows Server, apparently 2008.
Uh, I should interject here: In my startup, I will need some simple, routine, lightly used file sharing among a few computers. From my information gathering, I conclude that such file sharing will be a lot easier with Windows 7 Professional than with any version of Windows Server. So, at least for the early months of my startup going live, it appears that it will be easier to use Windows 7 Professional than Windows Server.
So, I begin to conclude that with that last update Windows 7 Professional is as secure as Windows Server 2008.
Then I have to assume that for some years many of the most important companies in the world ran fine on Windows Server 2008.
Gathering information for my planning for the first months of going live with my Web site, I learned
(1) For updates, e.g., for security, Microsoft seems to be cooperating with customers who are still using versions of Windows Server that go way back, to 2008 and before.
(2) Microsoft has announced that they will continue to have security updates for Windows Professional into 2023.
So, from my need to make decisions based on limited information, I'm concluding that:
(a) Basically Windows, just the (apparently at most slowly changing) operating system itself is and has for 10+ years been quite, maybe rock solidly, secure. Maybe the US NSA (National Security Agency, the main US organization for communications security) knows better, but as just a startup entrepreneur I'm f'getting about such things. Sure, some hacker in North Korea might send goofy UDP packets at my IP address, but Microsoft needed to have Windows Server 2008 protect against those packets already 10+ years ago. So, let the goofy packets come; Windows should throw them into the trash bit bucket. If there really is a DoS (denial of service) attack or some such, maybe I should call CloudFlare.
(b) The security problems Windows 10, 11, etc. struggle with are caused not by Windows itself but by some of the common applications, maybe Web browsers, browser add ons, various programs distributed as EXE files, and some actions of careless users.
Point: Using Windows 7 Professional for my personal computing, startup software development, and startup Web servers seems fine with no worries about usability or security.
The only way to use Windows 10 truly securely is by running it in a QEMU virtual machine as a guest with local-only networking for QEMU native Samba file sharing between host and guest. Zero internet connectivity. Booted off what QEMU calls a temporary snapshot after setting everything up on the base QCOW2 image. This way any changes to the virtual drive after boot are trashed after shutdown. This solution is robust and reliable.
Can you actually do an airgapped Windows install these days? I used to work in the defence sector in the days of Windows 2000 and that was easy but I have no idea how it works since. Our corporate stuff is all remotely managed with InTune and all sorts of horrible shit that hammers the network all day.
The Windows 10 installation ISO downloaded directly from microsoft.com does not need the internet to install correctly under any circumstances.
You also don't need to do anything special to get it working. However, I opted for the inclusion of a completely optional disk driver during install time to improve performance and sustainability.
You can provide a QEMU virtual CDROM with drivers during installation if necessary, and do the rest of your setup with QEMU native Samba file transfers followed by software installation.
I use the QEMU virtual CDROM to provide VirtIO drivers during Windows installation for super fast virtual drive I/O and DISCARD support.
discard=unmap is absolutely essential to keep your QEMU QCOW2 file on your host from growing excessively as you delete stuff in your Windows guest. This is the main reason I use VirtIO.
To learn more about QEMU I recommend the Arch Wiki page on it
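The setup described in the comments above (temporary snapshot, local-only networking with QEMU's built-in Samba share, VirtIO disk with discard=unmap), as an added example that is not part of the thread: a function that emits such an argument list and a check that flags a command line missing any of those properties. The paths, memory size and function names are placeholders, and that `restrict=on` still leaves the `smb=` share reachable from the guest is an assumption to verify on your QEMU version.

```shell
# Added example, not from the thread. Image and share paths are placeholders.

# Emit the argument list for the throw-away, offline Windows guest, one per line.
qemu_isolated_args() {
    local image="$1" share="$2"
    printf '%s\n' \
        -enable-kvm -m 8G \
        -snapshot \
        -drive "file=${image},format=qcow2,if=virtio,discard=unmap" \
        -nic "user,restrict=on,smb=${share}"
}

# True if the comma-separated option string $1 contains the exact option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Audit a QEMU argument list. Prints one finding per line and returns 0
# only when nothing is missing. Covers -drive and -nic/-netdev only.
audit_qemu_args() {
    local prev="" arg findings=0 snapshot=0 nic_seen=0
    for arg in "$@"; do
        [ "$arg" = "-snapshot" ] && snapshot=1
        case "$prev" in
            -drive)
                # CD-ROM images (e.g. a driver ISO) do not need discard.
                if ! has_opt "$arg" "media=cdrom" && ! has_opt "$arg" "discard=unmap"; then
                    echo "disk without discard=unmap: $arg"
                    findings=$((findings + 1))
                fi ;;
            -nic|-netdev)
                nic_seen=1
                if has_opt "$arg" "none"; then
                    :   # no network at all
                elif has_opt "$arg" "user"; then
                    if ! has_opt "$arg" "restrict=on"; then
                        echo "user network without restrict=on can reach the internet: $arg"
                        findings=$((findings + 1))
                    fi
                else
                    echo "network backend is not local-only user mode: $arg"
                    findings=$((findings + 1))
                fi ;;
        esac
        prev="$arg"
    done
    if [ "$snapshot" -eq 0 ]; then
        echo "no -snapshot: guest writes persist in the base image"
        findings=$((findings + 1))
    fi
    if [ "$nic_seen" -eq 0 ]; then
        echo "no -nic/-netdev: QEMU adds a default user-mode NIC with outbound access"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Run the base-image setup without `-snapshot`, then pass the emitted arguments to `qemu-system-x86_64` for day-to-day boots.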
If you are really that paranoid just get a LTSC license or use a different OS. The whole „cleaning up and shutting up“ windows craze kickstarted a whole new industry of snake oil and malware.
Using LTSC or using policy changes never truly gets rid of the telemetry/spyware.
The main goal of Windows Ameliorated is to restore privacy, and it does this by removing said spyware on an executable level, not by just simply using registry edits or what have you.
Some people desire or require Windows, but they don't want the included spyware. Windows Ameliorated is for those people.
I can imagine the script they've created removes certain DLLs/EXEs (and disables Windows Updates - which is a red bloody flag) but there are numerous ways in which this can break Windows down, so the whole topic is a load of poo and nothing else.
Do not use, do not download, do not touch.
It's based on the premise that Windows is spying on you which has never been proven/shown in the first place. Yes, Windows 10/11 send a ton of DNS queries - it's _not_ spying. Yes, Windows 10/11 send mini crash dumps and EXE files hash sums to Microsoft - that's _not_ spying.