231 comments

[ 3.2 ms ] story [ 261 ms ] thread
How to perform actual download ??
Usually a pinned message with a torrent in the Telegram group or channel
Ah yes, because running a patched OS from a torrent someone posted on Telegram is clearly the epitome of security.
FUD is what you’re doing right now. Review the changes or claim your spot in the peanut gallery. HN isn’t for whatever you want to call what you’re doing.
Just click "preview channel" on the telegram page they link to and download the .torrent file with a bittorrent cient.
It’s been 4 days since the last remote-exploitable, no-auth-needed RCE hole in Windows. If you were running this version of Windows, you would not get the patch automatically delivered to your device.
Bonus thought experiment: this same criticism applies to most Chromium and Firefox forks. (Especially the ones that describe "no automatic updates" as a feature.)
I wouldn't call it criticism. Software at this scale and complexity will have vulnerabilities. I'd be a lot more concerned about someone who claims that their code is fully secure and doesn't need any patching ever.
> Software at this scale and complexity will have vulnerabilities.

Certainly. The question is what provisions the software has made to mitigate those potential vulnerabilities by notifying users that a patch is available and allowing them to automatically apply that patch.

Deliberately removing these mitigations from a piece of software which is highly exposed to exploits, like a web browser or an operating system, is nothing short of irresponsible.

What was the vulnerability? Was it in a component that is stripped in this project?
Windows Ameliorated ships with a non-administrator user, thereby requiring a password for temporary admin privilages.

Most no-auth exploits take advantage of the user already being an administrator, and then bypassing UAC for example. The configuration mentioned above would likely mitigate this issue, although I'm not educated enough on this subject to say for sure

The hole is in SMB (Windows remote file&printing services), which run as SYSTEM, not the currently logged-in user.
I see, thank you for the information.
"With added security", but from the FAQ, no security updates, and no way to add them.

I can't imagine this is more secure than standard Windows 10.

Secure from PII telemetry phoning home: perhaps, likely better than stock Win10 or even LTSB/LTSC in that regard

Secure in literally any other way: outside the scope of the project

Telemetry is a non issue if your network has a good nat in front… software updates on the other hand…
>"has a good NAT"

What is a good NAT as opposed to a bad one?

"Dude the DHCP on this network is AWESOME" lol

the configuration? what the fuck is this comment.
What configuration is there? You're either NATing or you're not. There's no "good". It's on or off. What situations have you been in where you weren't NATing between LAN and WAN?
Does VPN subnet translation count as NAT? Because I've definitely seen some footguns come from that.... I've also seen instances where poorly configured NATs ended up allowing victims to be used as proxies. So I'd say there are definite security questions to take into account.
Do you understand why people might get confused? They don't qualify what they mean by "more secure," and it seems reasonable to criticize the project if their idiosyncratic definition of "secure" actually excludes one of the biggest advances in consumer software security in the last 20 years...
I’m not a dev on the project, fwiw.

In any case, if you wanted security in the way you describe, how would you justify running Windows 10 at all? The onus isn’t on this project to secure Windows when they had no part in making it insecure to begin with. If Windows were open source, these measures wouldn’t be necessary, and wouldn’t result in less security. This is the current best effort that the devs can do to accomplish their goals. It’s fair to criticize the goal or the results, but issues you’re describing are present in stock Windows 10 to begin with.

I’m sure that some kind of auto build script could be created, so that whenever new Windows Updates are released, a new build is created.

The biggest advance I can think of is using security as an excuse to gather and monetize data.

Different people have different attacker models. I can imagine something like this would be perfect for keeping a mostly airgapped machine to access archives of documents created by Windows. (Or to use legitimately licensed, pre-everything as a service software in perpetuity)

This is what happens when people don't understand group policy and are a little too paranoid. This is just a broken version of Windows 10 as far as I'm concerned. You will have far more problems with this than any "forced" Windows update people love to complain about.
It’s an educational release, and one that raises awareness about the issues of Microsoft collecting PII and other telemetry. Even if it’s provably broken in the ways you say, it still serves the stated goals of the creators in these ways.
That's not at all what they say. It's advertised as "a stable, non-intrusive yet fully functional build of Windows 10 to anyone that requires [it]" in which "great effort has been invested in maintaining the subsequent system’s stability, bug-free operation and user experience".

The entire site screams "download this and use it in production". They have big friendly ISO download buttons front and center, with absolutely no disclaimer anywhere that it might be a terrible idea. If it truly is merely "educational", then this is highly irresponsible.

It [being an education release of Win10] is exactly what they say.

> AME is developed for educational purposes only, which emphasizes an effort to reverse engineer, disable or replace components of the Microsoft Windows 10 operating system. The goal is an endeavour to better understand and mitigate the collection of Personally identifiable information (PII), as has been clearly outlined by numerous outlets covering the topic, including comments by famed whistle-blower Edward Snowden. Another goal is to replace included proprietary Windows software, such as the Edge web-browser, with ethically verifiable alternatives using open-source licenses.

https://wiki.ameliorated.info/doku.php?id=faq#legal_consider...

Yeah my cracked version of Logic is an educational release too, lmao
DMCA literally has an exemption for reverse engineering for educational and interoperability purposes.

This isn’t the pwn you think it is, lol

Releasing a cracked version of an application is not covered under that exemption. I'm honestly flabbergasted to hear you suggest it might be.
There is literally a link titled "ISO Download" at the top of the web site.

Claiming that "oh, that web site isn't actually offering the download, it's actually a torrent file hosted on a Telegram channel" is not the defense you think it is.

You literally can’t download any content from that site: neither ISOs nor torrents. You’re reaching.
> Your legal argument is clearly false, or else torrent sites themselves wouldn’t exist. The Pirate Bay is legal!

Yes, so legal that Gottfrid, Fredrik and three more guys who founded the site got a fine of roughly 3 million USD and one year in jail for helping people commit copyright infringement. So very legal. Wtf dude?

If you think the existence of a site is proof of legality then I don't know what to tell you. Do you believe child porn is legal as well because such sites exists?

As for personal attacks, I'm sorry but this is not a debate. I'm sharing facts with you and you're sharing your ignorance.

It's a cracked version of Windows with updates disabled, there's nothing "educational" about it.
It'll probably still work better than some of the insane and dubious things my Citrix customers manage to do to windows in the name of stability and privacy...
Using group policy or registry edits does NOT fully remove Windows spyware or telemetry. Windows Ameliorated is different in this regard, as it actually gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.

Also, as a personal testimony, my whole family and I have been running AME as a daily driver for awhile now, and haven't run into any significant issues (funnily enough, I've had less issues with Windows Ameliorated than I have with Windows). From my experience it really is stable, and IMO even more stable than stock Windows.

I ask that you actually try out a project before making claims about it.

I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.

Also, AME does greatly help to mitigate the attack surface of Windows:

Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.

It’s called LTSB!
It’s not quite the same thing, but as a fellow LTSB/LTSC user I agree that’s the better solution! (And the best way to run Windows, when you have to.)
I wish I could legally get a copy of it...
It's hard. I got mine because MS gave me a free Visual Studio Enterprise subscription, which seems like one of the only ways to get it. But I think that thing runs to $3000/year if you're paying for it.
Curios, what makes you prefer LTSC over Windows Ameliorated?
There's still spyware on LTSC. Windows Ameliorated removes said spyware on an executable level, not just by using policy or registry edits.
What's Microsoft's take on this?

Are there any companies that deploy this internally? I would expect that some law firms adverse to Microsoft, and Microsoft competitors, might want to do so.

Fuck no. You'd be nuts to run this in production. Normal people in an enterprise world use group policy and scripting, they don't rip Windows apart breaking God knows what.
Couple of issues with this, the first being a "rudimentarily activated using a Generic Key" ISO that's not from Microsoft. Can you really trust this source and technically at this point, it's piracy. Secondly, once the Microsoft lawyer's get wind of this, expect it to be shut down rather quickly.

I'm okay with providing documentation, tools and scripts to remove the cruft and increase privacy within Windows 10, but the ISO linked from a Telegram channel is dubious at best.

I think you are right, it's piracy;

However i had to chuckle at "is dubious at best", since all the spyware shipped with Windows nowadays... is perhaps equally dubious.

Yeah, my question was around legality too. The FAQ seems to imply that because it was educational or improves interoperability, that it's somehow legal. Not sure how that's supposed to work, but it would be interesting to learn about.
I personally don’t use questionable software because I worry about having ransomware installed but had to laugh at your comment. My question would be who gives a shit if it it piracy especially against Microsoft. They have become so hostile I would argue they no longer have the right to say I’ve taken anything after taking my money for a product then using that product against me to steal my personal information. I’ve given them enough money so I won’t feel bad using this and removing the unwanted stuff they are raping me with. One day I will move to Linux instead of complaining but until then me and Microsoft are not friends. I change a setting and suddenly it comes back. They don’t take no for an answer. Rapist mentality
Consider finding some interests other than having a strong opinion on 1 of 3 OSs. Life's too short man.
I prefer the old nLite approach of instead letting the user supply their own ISO to patch.
Isn't that what the second option does?
I looked over the second option and it's a pretty extensive patching process. The 2-3 hours they give for it is generous. Also it appears that they do do windows update manually, so it's still a fully up to date Windows 10 installation. I suspect you could get away with just running their script on a legit, fully updated, Windows 10 install, with presumably the UI modifications they want you to do (says the scripts need you to do that).
I never really looked too deep into Ameliorated Windows, just saw that they have their own ISOs. From memory, nLite came with a slick installer that you just supplied an ISO to and chose some options, and it did everything for you.
This. In light of the holiday weekend I'd say this will be gone by Tuesday the 19th at the latest.
This project has been around for years now lol
OK, I was wrong about today.
Sorry to beat a dead horse, but please use "copyright infringement" or "unauthorized copying" instead of "piracy". Actual pirates commit or threaten physical violence, so this meaning-slippage is just propaganda.
Language evolves. Trying to fight that is a losing battle.
The ISO was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. Also, Microsoft already tried without success to shut it down in the past, after Linus made a video on Windows Ameliorated.

There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)

If you are really that paranoid just get a LTSC license or use a different OS. The whole „cleaning up and shutting up“ windows craze kickstarted a whole new industry of snake oil and malware.
Yeah, take a serious look at desktop Linux instead of this thing.
Using LTSC or using policy changes never truly gets rid of the telemetry/spyware.

The main goal of Windows Ameliorated is to restore privacy, and it does this by removing said spyware on an executable level, not by just simply using registry edits or what have you.

Some people desire or require Windows, but they don't want the included spyware. Windows Ameliorated is for those people.

Spyware on an executable level? Are you sure you know what you are talking about?
I can imagine the script they've created removes certain DLLs/EXEs (and disables Windows Updates - which is a red bloody flag) but there are numerous ways in which this can break Windows down, so the whole topic is a load of poo and nothing else.

Do not use, do not download, do not touch.

It's based on the premise that Windows is spying on you which has never been proven/shown in the first place. Yes, Windows 10/11 send a ton of DNS queries - it's _not_ spying. Yes, Windows 10/11 send mini crash dumps and EXE files hash sums to Microsoft - that's _not_ spying.

It removes certain executables, instead of just changing some settings or registry values.
AME is about as extreme as you can go. Almost anybody would be better off running LTSB, or even Ninjutsu OS.
There's still spyware on LTSC. Windows Ameliorated removes said spyware on an executable level, not just by using policy or registry edits.

What makes you think most people would be better off running LTSC? For privacy, Windows Ameliorated is by far the best option.

I like AME especially as a statement, but after a few months of running it on my desktop I found it wasn't worth the trouble. Weird things kept not working and most of the time I couldn't figure out why.
If you ever try it out again and run into issues, consider asking for help in the group chat: https://t.me/+QQO5yu0wJxwyOGVh

If you have the time, I am curios about what stopped working. Thanks for your input nonetheless

It's been quite a while so my memory's a bit hazy, but as I recall the biggest issue was the Start menu behaving oddly. On my typical computers I run OpenShell, but certain things don't show up in the search result list so I have to open the Windows Start and search from there. AME's start menu is very stripped-down and very little shows up with it, though that could've changed since I used it. Now I'm certain there are two or three different ways to do all the things I wanted to do but breaking the habit of "push button, type, hit enter" was tough. If I were going to try it now my concern would be a lack of control over updating. Sure, AME strips WU out so you have perfect negative control, but running LTSC with Windows Update Manager makes it very easy to install the updates I actually want.
I see, thank you for the detailed reply. One solution could have been uninstalling open-shell, that way the start menu would be normal again. Some of open-shells search behavior can be changed, although it can be a pain.

As far as WU goes, personally I think it is overrated. The only real use for them is security, however I've found that even that is really not necessary at all. Just from my own experience I've never seen anyone run into issues/get infected purely because they didn't update, and I think that if you're tech literate it really is unnecessary, to a certain point that is.

It is still a tradeoff, but I personally find the benefits and peace of mind more valuable than missing out on security updates.

(comment deleted)
Doesn't Tron solve this the legal way? https://old.reddit.com/r/TronScript/
Tron is very different from Windows Ameliorated, and doesn't remove all the spyware on an executable level like Ameliorated does.

Windows can be ameliorated completely legally by doing the amelioration process manually and entering the key before running the scripts. (Guide on the ameliorated.info site)

I was today years old when I learned about "generic keys", "ltsb" and "ltsc". So this post was useful after all.

For everyone else: Chris Titus Tech's debloat script is what you want especially if you thought for a millisecond installing Windows from this ISO is a good idea.

Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, and it's all open-source. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)

The script you mentioned does NOT fully disable or remove the spyware within Windows. Windows Ameliorated gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.

Microsoft is evil and tracks your actions. So you should totally trust a patched version of Windows published by ameliorated.info.

I'll take my chances with Microsoft-sanctioned telemetry over whatever this is.

I've no idea what this crap is doing here.

It's also warez and no one but microsoft can distribute Windows ISO images.

Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts.(https://wiki.ameliorated.info/doku.php?id=documentation_21h1)

The ISO has been used by hundreds of people, with no sign of malicious intent, so personally I'm willing to trust that as well.

At this point I think we better accept that each operating system has its flaws. Instead of forcing the OS to change, imo it’s better to choose the OS according to the job. I don’t see why anyone would install this and not even consider Linux..
Especially considering how trivially easy it is to run Windows programs in Wine these days.
Some people require Windows, or prefer to use it over Linux. And some of those don't want the included spyware that comes with it. Windows Ameliorated is for those people.

It's not always as simple as "want privacy? Switch to Linux!". Some people want Windows as well as privacy.

Does anyone know how this differs from the LTSC version?
There's still spyware on LTSC. Windows Ameliorated removes said spyware on an executable level, not just by using policy or registry edits.
From the FAQ:

  -In order to secure the system properly, it is strongly advised to revoke administrator privileges from the default user. 

  -By using any of these images you agree that you have obtained a genuine product key or are able to activate by an other authorized method.

  -Can AME be activated with a legit key, like normal Windows? No.
This is ludicrous.
There is good reason for all of those.

1. ~70% of the Windows attack surface as of 2020 is caused by using an administrator user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). This does not mean you cannot do administrator actions, it only requires the admin password on each UAC prompt.

2. This is for legal reasons. You're not going to get in trouble if you don't follow it, and many people don't. (Unless you're a business)

3. Windows activation has telemetry, and there's no real reason to have it in the first place. If you still wish to activate with a license key, you can activate Windows before performing a manual amelioration (Guide here: https://wiki.ameliorated.info/doku.php?id=documentation_21h1)

They disabled windows update because it is spyware? Are they providing their own filtered update channel??

Ok, so PSA: if you don't want "Spyware" don't use windows. In Forensics, you learn there are many many ways windows tracks what you do, some of which can be disabled but it is all architectures into the OS. If you looked at a specific folder in explorer, that can be proven in court, executed a specific program? At least 4-5 ways come to mind . Take a peek at c:\windows\system32\winevt\logs\ (equivalent of /var/log/) and that's just one place.

I mean the spyware has measurable and valuable security benefits. If you wanna really test your malware dev skills, leave cloud submission turned on Defender and write any basic malware (harmful not just undesirable) and avoid detection for longer than a day. It was very hard when I tried it (for legit purposes).

I bash on Linux because of all its problems (only because I love it and want to see it improve) but if you want privacy, use Linux, the cliche holds true. You can always use windows in vbox+seamless mode for most things or on a separate device if you can afford it.

Not defending this thing, but logging events and uploading them to the mothership are two very different things. To your own admission /var/log on linux.
Depends on your definition I suppose. The fact that it is sitting there to be accessed by any program is a problem for some but I agree, sending it over the network is what most people worry about. Most evtx logs are not sent to the "mothership" but other telmetry and security logs like defender logs might be by default. There is also cloud submission which sends MS random suspect files for analysis.

Also, closed source means it is hard for me to be sure which of those logs are sent to MS.

I'd have to check, but I'm pretty sure particular logs are NOT accessible by Builtin\Users. Particularly Security log.

But comparing logging to spyware is nuts.

Event logs are just one of endpoints for event tracing mechanism and event viewer is just one crappy UI for that. You can turn on/off various logging to your hearts desire, including various diagnostic/tracing info. You can go all the way to capture stack traces, cpu context switches and whatnot. Windows is pretty configurable in this regard.

Also telemetry is well documented and configurable: https://docs.microsoft.com/en-us/windows/privacy/configure-w...

Defender doesn't hide option for cloud based scanning and it is up-front in settings. I dunno if it is enabled by default or not, but in our org, we had to explicitly rollout changes to enable it (we are pretty locked down by default)

First, I never said any of this was hidden or in secret. Second, event logs are just one of many places where activity is tracked. Most of them are harmless but many will keep a record of what is being done on the system in a way that isn't obvious to the user of the system. Lastly, installed programs don't need to be builtin\users they can run elevated or in any group, you are assuming only accidentally opened programs are risky?

The subject here is personal use, not corporate use. For example you might torrent a movie and then uninstall the torrent application, files and downloaded content. If you get sued and (i know it is rare) your windows install is submitted as evidence it can be proven that you executed the torrent program, the torrent program transferred so many bytes and that you opened the folder of the torrented content without looking at any file directly related to the torrent app or windows event logs. Or let's say you downloaded content from a site but then cleared your browing history and uninstalled your browser. Thanks to motw the downloaded files on your pc show the sites frol where you downloaded them and the referrer that lead to you visiting the download link. These are only some examples.

Most operating systems log things —- it’s a feature. Most consumer software collects telemetry —- irrespective of platform.

Have a look at what a typical Android phone sends out! Including your GPS location! Apple isn’t immune either because the Facebook SDK that’s included with everything would make the NSA blush. TikTok even tracks your phone motion sensor.

IMHO raging about 30-year old diagnostic features is misplaced anger. Be angry about how every piece of software now goes through these stages:

1) Opt-out telemetry only collecting the important stuff, we promise!

2) Okay, collecting it synchronously was a mistake and it slowed down everything for everyone that’s not sitting in our head office. We fixed it though, don’t worry!

3) Umm.. apparently some people are behind corporate web proxies which makes the async code leak threads and melt CPUs. We fixed it though!

4) Some people have used the newly added proxy support to inspect the encrypted blob. We promise that it was an honest mistake collecting every single point of information we possibly could about your system including mouse movements and key presses. Don’t worry, we fixed it! We now “anonymise” the information. Don’t worry about why that’s in quotes.

5) Those socialist Europeans sued us when we said we deleted their data but it was still there when they reactivated their accounts. Oopsie! Our bad. We promise to “wipe” your data including telemetry when you request this form. Fill it out in triplicate and fax it to this Cayman Islands number please.

6) We can no longer sell our software in some jurisdictions. Don’t ask why or what that implies about how we treat our customers in other jurisdictions with weaker legal protections.

I was not raging. Doesn't matter what the reasons are (hard to prove either way), foe the unassuming user there are serious and even fatal implications if removing specific files or clearing history or logs does not have the expected effect. I am aware (I hope everyone else is) that mobile operating systems are magnitudes of order worse.

Your list of complaints is whataboutism and is not directly related to OS privacy expectations and reality.

Linux is better at this because it gives you more control over what is logged and the code is open source.

Some of us have windows just to play games, sometimes on our tv’s with a controller but that’s impossible when you have garbage popping up constantly. There’s definitely a demand for windows that can play games and do nothing else.
Proton is incredibly impressive nowadays, even when dealing with highly invasive anticheat services. I think there are only a small handful of games in my steam library where it doesn't work well. Within 5 years I think most of the remaining friction to gaming on linux will be gone.
It's what I'll probably end up doing when I have the energy but my wife is a bit techphobic and enjoys playing some games since setting up the PC on the TV but will abandon everything if linux starts getting in the way :D
Will she abandon everything if Windows starts getting in the way?
Yes, but like always this is dependent on hardware and drivers. Which is a reason I'm excited about the Steam Deck and potential future devices. Hardware built by Valve has most likely the best compatibility.
It's "impossible" to play games on Windows because "you have garbage popping up constantly"? Sorry what are you talking about? I, like millions of people, play games all the time on my Windows PC and don't encounter this problem. It's most certainly not "impossible".

> There’s definitely a demand for windows that can play games and do nothing else.

It's called a "games console". Microsoft makes one called XBox.

I like being able to play without needing a cloud account. Can XBox do that?

I like being able to use emulators. Can XBox do that?

I like being able to use mod's for any given game. Can XBox do that?

I use Linux for my gaming these days because I just don't like Windows, but even Windows is much more powerful for gaming than a console.

There's a place for console's, but they don't replace everything.

> I like being able to play without needing a cloud account. Can XBox do that?

I suspect XBox isn't good for this, but the Nintendo Switch is actually probably better than a PC for this particular usecase.

The general-purpose stuff (emulators, mods) I agree with, though.

Good point on the Switch, I own both and would agree there. PC is defintely better than XBox (Account on PC is frequently required to purchase, but not to play).

XBox I actually called out specifically because when we got an XBox 1, we discovered there is no way to do anything - setup of the console, launching a game, etc - without having an XBox Live account per user of the machine.

I say this as a console guy since the 1980s: There’s also a huge chunk of PC games that have not and will not find their way across to console. Classic games, indie titles, niche tastes, etc. If I want to play Stalker, CDDA, Cogmind, Caves of Qud, DCS World or even the (extremely popular) Escape from Tarkov, I can’t do any of that on Xbox.

PC gaming is a weird and wonderful ocean; console gaming more like a highly curated pond.

I only have ps5 and a switch. I never knew microsoft got into gaming recently. Cool thanks. /s
I was the steamlink app on Apple TV and I haven't had any issues with garbage popping up and interrupting me, and I haven't made any tweaks to Windows. Just letting you know in case you'll find it useful.
Isn't that a streaming solution?
Yeah, I can't say I've noticed any latency though, as long as I've got an ethernet connection set up. Also a good idea to turn on whatever your "game mode" is on the TV. I use one of those flat ethernet cables and run it under my living room rug to my TV.

I imagine using steam in big picture mode would be equivalent if you're not streaming though. Maybe it's something else, I just can't remember a Windows pop-up ever interrupting my gaming whether I'm playing on my TV or not.

Garbage popping up constantly? No idea what you're talking about.
Probably push notification spam enabled by some laptop makers by default.
My rudimentary Win10 setup is such a gaming-only system, only Apps installed are Steam, GoG, Epic and Origin. The Spam that comes from those apps aside (mostly sales popup banners/notifications), I still receive the occasional "Your windows is at risk because you don't use OneDrive", or "Windows Defender has not found anything" or "Hey, this is our new Edge browser we installed and placed a shortcut on your desktop, want to make it your default browser now?" spam.
Some of that can be disabled with "O&O ShutUp10" or with some of the debloating scripts various people have created over time also mentioned in this thread.
Yes you can alaways mod the system, but please re-read the thread. I answered to the question what spam windows generates. Saying there is no spam because you can run a script to minimize, is like saying you don't receive spam mails because you run a spamfilter.
I get what you mean. I fought a similar battle back in 2013 when a document was proposed to the IETF, never ratified but yet network engineers everywhere adopted it and the anti-spam industry exploded. I somethings think these things are under-engineered on purpose so that friends of friends can create new business models.
Driver popups. I made the mistake of buying a razer keyboard and microsoft update itself is pushing to download their companion app each time it does an update. It's a thing, look it up. There are workarounds but they don't survive multiple rounds of updates.
I roughly followed the steps comment "NuttyX" mentioned about disabling autorun years ago and I haven't seen a Razer nag since.

Bonus: disabling autorun is better security!

I’ll try it. I followed the advice of a razer employee who messaged me on Reddit and it worked for a while.
I have a razor mouse and this has never happened to me.
Then I envy you. It’s not some big secret but it definitely happens with my keyboard. Maybe it’s loading it from the keyboard itself? Either way it only happens during windows updates
So you play games with Windows security updates turned off? Why don't you just post all of your passwords and bank accounts on the internet and save yourself the trouble of waiting to get hacked.
Hope there's no microphone or webcam connected to your computer, because an attacker can listen or watch. Also, your firewall is worthless because attackers have a foothold inside your network. Also, hope you don't use the same user/password combination on any windows machines or SMB shares on your network, because those are now pwned too. Buy a game, credit card info stolen.

This is just such a preposterous way to operate.

I run a wire to the unit next door and use my neighbor's internet and all the microphones have been covered with blue tapes and the webcams are pointing at my bird cage.

I can't wait to install this.

IDK about other folks, but very few of my passwords and nothing that'd get you direct access to any of my bank accounts touches my Window gaming machine (which is also my only Windows machine)

Important account credentials are on macOS or iOS. Local copies of my important files are on a system running Linux, and the Windows machine doesn't have access to that (doesn't need to, all I do on it is play games, if I didn't PC game I wouldn't have Windows at all).

[EDIT] However, mine does have Windows Update turned on.

They specifically said

>> Some of us have windows just to play games

What bank accounts do you think are on that machine? Perhaps it's risking credentials to ex. Steam and such, but again, if all you run is games where are you getting malware from?

Edit: Actually, to steel man the argument: If you pirate a game and get a keylogger that way, and then type in your credit card to buy a game (ex. on Steam), then you'd have a problem. I maintain that it's perfectly possible to maintain a... "DMZ PC" for games, but there are ways for it to end badly.

(comment deleted)
I think you severely overestimate how important security updates are.
> garbage popping up constantly

I don't think there's a need to dramatize and exaggerate. Once you get setup on Windows and uninstall the stuff you want to uninstall that’s pretty much the end of it.

Can you give some more examples of the file browsing tracking ? I have timeline off
Object access auditing has been around in NT since the mid-1990s, if not from the beginning. It's not some secret spyware, it is literally a feature that is widely used and is a requirement for high-security environments (e.g. government systems) when you need to be able to log or prove if someone did or did not access some sensitive information. E.g. insider threat scenario.

https://docs.microsoft.com/en-us/windows/security/threat-pro...

Others also seem to think I am pointing out some secret feature. None of this is a secret, just not obvious to people who didn't think to look for it. Defaults matter.
It’s off by default! (Only the domain controllers enable a subset of it.)

You can make it log everything, but the performance hit is noticeable.

Next thing you’re going to start complaining about dtrace spying on you.

(comment deleted)
Your comment is Interesting to me

Im a Dev. But outside of reversing games for hacks and cheats I havent done anything with Windows specifically.

Any links, books, articles, etc.. you can provide to learn more about this?

How would looking at a specific folder in explorer be proven in court?
History clearly shows us about tenth of all updates from Microsoft are bogus, if not malicious. I only install those I downloaded and checked manually.
Maybe automatic update, but entirely?
I don't agree that not keeping up with Windows Update is always a security risk, if one is behind NAT and only browses trusted websites (which rules out webmail, BTW.)

I do agree that trying to make a consensual OS out of Windows is an uphill battle. If you're stuck using it, however, for whatever reason, a patchkit like this is better than nothing.

Good luck if there is any single malicious device on your network.

Good luck if explorer previewed wrong file.

Good luck if trusted website has been hacked and serves malicious content.

Good luck if you do npm install.

You can disable auto update and manually check/approve. Standard enterprise practice too.
"Just don't use windows" is not a solution. Ameliorated works, whether you believe in security whataboutism or not.
It's not whataboutism. Windows has a ton features spanning decades and privacy was never a priority given their paying customers' priority. Linux on the other hand was made by individuals and allows a lot more control and input from users. If privacy is your priority then Linux wind the race. If managable corporate workstation is your priority then windows wins the race.
And these scripts allow me to mold Windows into something more usable, no need to jump ship.
>> If you looked at a specific folder in explorer, that can be proven in court, executed a specific program?...

You'll find most if not all of these in `.bash_history`, wouldn't you?

Probably, it's possible to setup an install of Linux in such a way, that the user won't leave any traces in the system, but this is definitely not the default behavior. And the system setup in this way is likely a pain to use. But if you have a specific need, by all means, go for it. After all, with Linux you're in control.

But saying Windows is spyware because it logs your activity locally is stretching it.

The OP called it spyware, not I. I pointed those out as examples of what artifacts windows logs. Bash_history much like your browing history you can clear it and be done with it. But due to the seemingly endless subsystems (new ones get discovered all the time, see my other replies) if you clear security.evtx and your browsing history there are still many reliable (as in court tested) artifacts that can prove you browsed specific sites and ran specific programs.

I don't know how much of this MS collects and anyone who says they do, I would challenge them for evidence because there are many plausibly deniable and benign reasons to extract this information from the host.

I would say at best windows is spyware-friendly.

If I workes for the CCP and was instructed to get a list of people that used Signal so they can be sent for re-education, I would not even look to see if Signal.exe is installed in windows, I would just check prefetch and srum.

I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.

Spyware is not the same as local system logs. Spyware in this case is software that sends unnecessary or intrusive information to Microsoft. The goal of Windows Ameliorated is to remove spyware, not prove your innocence in court.

You used Windows Defender as an example of a security benefit. There are alternatives to Windows Defender, and IMO If you're a tech literate power user, an AV isn't useful in most cases. If you have the time, consider reading this: https://wiki.ameliorated.info/doku.php?id=antivirus Personally I believe antivirus software in general does more harm than good, as they are generally quite resource hungry and privacy intrusive.

Also, AME does greatly help to mitigate the attack surface of Windows:

Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.

> Are they providing their own filtered update channel??

You can even update Windows offline if you want to.[0]

It's quite refreshing to be able to prep a USB stick containing all the updates for a clean install of a certain build of Windows and be able to deploy them without needing to connect to the internet.

[0] https://download.wsusoffline.net/

Because they're using telegram as their website it is impossible to even access the .torrent file. That kind of defeats the point of having a torrent.
How is it impossible to access? Telegram is a pretty popular messaging app, and if you don't already have an account it's easy to make one. You can use a google voice number or similar to sign up if you prefer not to give your real one.
No. This sounds like a sales pitch for Telegram.

Forcing people to create or sign in with an account is bad, particularly when one considers that the ISO is of questionable legality.

What would be infinitely more useful would be a program which directly modifies an ISO image that the end user can download herself directly from Microsoft.

It's not that deep. I agree it is definitely not ideal, and in future this will no longer be required.
This probably deserves the new top spot in the 'security theater' competition.

Cracked Windows, no security updates since 2018, iso distributed through some telegram channel. This is the software equivalent of trying to buy a homemade vaccine from craigslist because you're afraid that Bill Gates is going to microchip you.

If this is the most viable alternative, what does it say about the official version?
It isn't, so nothing.
What more viable option achieves the goals of this project?
A WFP firewall like simplewall (by henry++, not the corporate one) can block everything by default, including services like Windows Update, and is IMO the most straightforward option.
(comment deleted)
The irony is that Windows is literally all about Bill Gates trying to microchip you.
There are adults old enough to drink in the USA who were born after Bill Gates stopped being CEO of Microsoft.
It has all of the SSU and cumulative updates since 21H1. But anyway I doubt they put anything in there, should be easy enough to look at the scripts on the ISO or just patch it yourself. The ISO is just an 'easy' way to distribute it.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts, and is legal if you use a license key before running the scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)

I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.

Also, AME does greatly help to mitigate the attack surface of Windows:

Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.

What about license issues? If I download this, do I get to use Windows for free, because if so, wouldn't running this be illegal?

Also since it disables updates, doesn't this mean I run a vulnerable system 'frozen in time', as it were, impervious to the latest patches?

Technically using AME from the pre-built ISO is illegal, however realistically no one will ever go after you for it, unless you're a business. You can however legally do it by self-ameliorating and entering a key before the amelioration process.

It does lack Windows Update yes, as WU is a threat to privacy. Windows Ameliorated helps mitigate this by shipping a non-administrator user account by default. Of course you can still do admin actions, it just requires the admin password. ~70% of Windows vulnerabilities are caused by using an admin user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...)

P.S. Personally I think security updates are a bit overrated, as in all practicality, there's extremely little chance of getting attacked unless you download FreeFortniteVbucks.exe

When you feel you have to do this to a product you have to ask yourself if you should be using it in the first place.
For some it is necessary to use Windows. Windows Ameliorated is for those who both need (or desire) Windows, but don't want the intrusive spyware that comes with it.
Why would someone use this rather than just doing a clean install and running O&O ShutUp?!
Windows Ameliorated does much more than what O&O ShutUp does. It completely removes spyware on an executable level, not by just using registry or policy edits.
The only way to use Windows 10 truly securely is by running it in a QEMU virtual machine as a guest with local-only networking for QEMU native Samba file sharing between host and guest. Zero internet connectivity. Booted off what QEMU calls a temporary snapshot after setting everything up on the base QCOW2 image. This way any changes to the virtual drive after boot are trashed after shutdown. This solution is robust and reliable.
Can you actually do an airgapped Windows install these days? I used to work in the defence sector in the days of Windows 2000 and that was easy but I have no idea how it works since. Our corporate stuff is all remotely managed with InTune and all sorts of horrible shit that hammers the network all day.
The Windows 10 installation ISO downloaded directly from microsoft.com does not need the internet to install correctly under any circumstances.

You also don't need to do anything special to get it working. However, I opted for the inclusion of a completely optional disk driver during install time to improve performance and sustainability.

You can provide a QEMU virtual CDROM with drivers during installation if necessary, and do the rest of your setup with QEMU native Samba file transfers followed by software installation.

I use the QEMU virtual CDROM to provide VirtIO drivers during Windows installation for super fast virtual drive I/O and DISCARD support.

-drive file=windows.qcow2,index=0,media=disk,if=virtio,discard=unmap

discard=unmap is absolutely essential to keep your QEMU QCOW2 file on your host from growing excessively as you delete stuff in your Windows guest. This is the main reason I use VirtIO.

To learn more about QEMU I recommend the Arch Wiki page on it

Microsoft will have to maintain Win10 perpetually, unless it gets the ability to ungroup the taskbar again. Keeping me and thousands of others from updating to Win11.

But I don't see how this version is more secure? Yes, no telemetry and lots of services disabled. But will lack updates, right?

I mean, I stuck on Vista for forever even while Microsoft incentivized my university to install 7 on student laptops for free, just because 7's taskbar forced windows to be grouped (*), but that didn't stop Vista from dying.

(*): To be precise since "grouped" means different things: In 7's taskbar, multiple windows of the same application would be forced to be adjacent. I preferred my windows to be ordered by context, not by which application they belonged to, eg VS-terminal-explorer-browser for project 1, then VS-terminal-explorer-browser for project 2, and so on. Eventually 7 Taskbar Tweaker became a thing that allowed this, so I switched.