The Windows Insight repository now hosts the Windows Telemetry ETW Monitor framework. The framework monitors and reports on Windows Telemetry ETW (Event Tracing for Windows) activities – ETW activities for providing data to Windows Telemetry. It consists of two components:
- the Windbg Framework: a set of scripts for monitoring Windows Telemetry ETW activities. The scripts are fed to a running windbg instance, connected to the Windows instance whose Windows Telemetry ETW activities are monitored.
- the Telemetry Information Visualization (TIV) framework for visualization of information and statistics. The TIV framework is a set of Python scripts that visualize information and statistics based on the data produced by the Windbg Framework. The output of the TIV framework is a report in the form of a web page.
The Windows Telemetry ETW Monitor has been tested on Windows 10, version 1909.
While on the subject of Windows Telemetry, there are two relevant related documents that we, the Windows team at ERNW, have produced:
- An Analysis of Windows 10 Telemetry – this document provides a detailed overview of the Windows 10 logging functionalities for collecting telemetry data, an in-depth analysis of the collection and procession of telemetry data, and discussions on the network interfaces of Windows Telemetry;
- An Analysis of Windows 10 Telemetry: Configuration and logging guidelines (in German) – this document provides detailed guidelines for configuring Windows Telemetry, with a focus on disabling or reducing Windows Telemetry activities.
The above documents have been created in the course of the SiSyPHus project, contracted by the German Federal Office for Information Security (ger., Bundesamt für Sicherheit in der Informationstechnik – BSI). They are relevant not only for configuring and grasping the details of Windows Telemetry, but also to better understand how the Windows Telemetry ETW Monitor works.
By sharing knowledge on Windows Telemetry, we aim to enable the Windows user community to assess potential privacy implications of Windows Telemetry in an informed and technically correct manner.
Best regards
– Aleksandar Milenkoski