
Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry


Batu69


If you have the Microsoft Windows Malicious Software Removal Tool installed on your machine, either by having installed it manually or because it shipped with Windows, you may have noticed already that it is sending out so-called Heartbeat Reports after certain scans.

These reports are not linked to any of the major telemetry services or tasks that you may or may not have disabled on your machine.

On Windows 10, the Heartbeat report gets sent out to Microsoft even if you have disabled the Customer Experience Program and the majority of other telemetry related services or tasks, and made sure to set all privacy related settings to maximum privacy.

How to disable Heartbeat Telemetry

First thing you may want to do is check whether the installed copy of the Windows Malicious Software Removal Tool (MRT) sends Heartbeat telemetry reports.

The easiest way to check that is to load the MRT log. Open File Explorer or Windows Explorer on your Windows machine, and load the following by pasting it in the address bar and hitting the Enter-key: C:\Windows\debug\mrt.log

This opens the MRT log. Scroll down to the last entries and check for Heartbeat Telemetry there. You may also hit F3 to open the search to jump to the first Heartbeat entry in the log.

Heartbeat Telemetry data is not sent out each day according to the log, but only every five or six days. You can verify that in the log as you will find "Heartbeat Will be Sent in x Days" entries there.

Microsoft notes in its privacy statement that the Malicious Software Removal Tool will send a report to Microsoft with "specific data about malware detected, errors, and other data about your device" but fails to go into details.

We don't know what is sent to Microsoft as part of Heartbeat other than the information that Microsoft revealed in its privacy statement.

Option 1: Registry Key


The Knowledgebase support article KB891716, Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment, lists a Registry key to block the sending of reports of the MRT to Microsoft.

An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

Entry name: \DontReportInfectionInformation
Type: REG_DWORD
Value data: 1

Note: Since Heartbeat is only triggered when automatic scans are run, it is too early to say if setting the key disables the sending of reports completely. I will monitor the situation and will update the article with my findings later.

  1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
  2. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
  3. Right-click on MRT and select New > Dword (32-bit) Value from the context menu.
  4. Name the Dword DontReportInfectionInformation.
  5. Double-click the newly created Dword and set its value to 1.

Option 2: Disable the MRT Task, or Disable Heartbeat Telemetry

Since MRT is run automatically, it must be triggered somewhere. If you check the Task Scheduler for MRT related tasks, you will eventually find the one task that Windows uses for that.

Note: Disabling the task disables automatic MRT scans on the system. Make sure you have proper antivirus software installed on the device.

  1. Tap on the Windows-key, type Task Scheduler, and hit the Enter-key.
  2. Use the sidebar folder structure and go to Task Scheduler Library > Microsoft > Windows > RemovalTools.
  3. Right-click on MRT_HB and select disable from the context menu.

If you compare the last run time with the Malicious Software Removal Tool log, you will notice that they match. Also, the _HB part is a strong indicator that this is what is triggering the Heartbeat reports.

If you check the command switches used, you will notice the undocumented switch /EHB. You could remove the switch from the command to keep automatic scans without Heartbeat report generation enabled.

I verified that /EHB is indeed the trigger for Heartbeat Telemetry. If you remove it, no Heartbeat reports are created when the scan runs.

You may need to check back regularly though as Windows Updates may replace the custom task with the default one.

Article source

Link to comment
Share on other sites
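The checks and both options from the post above, collected into one re-runnable PowerShell script. This is an added example, not part of the original post or of any Microsoft tooling; it uses only the log path, registry value, task name and /EHB switch quoted in the post, and the `-Apply` switch is a name made up here. Saved as a .ps1 file and run elevated, it only reports unless `-Apply` is given, which makes it usable for re-checking after Windows Updates.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# The paths, value name, task name and /EHB switch are the ones quoted in the post;
# the -Apply switch is a name made up for this script.
param([switch]$Apply)   # without -Apply the script only reports

$logPath  = 'C:\Windows\debug\mrt.log'
$regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$regName  = 'DontReportInfectionInformation'
$taskPath = '\Microsoft\Windows\RemovalTools\'
$taskName = 'MRT_HB'

# 1. Last few Heartbeat lines from the MRT log.
if (Test-Path $logPath) {
    Select-String -Path $logPath -Pattern 'Heartbeat' -SimpleMatch |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
} else {
    Write-Output "No log found at $logPath"
}

# 2. Option 1: the policy value from KB891716.
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
Write-Output "$regName = $(if ($null -eq $current) { '<not set>' } else { $current })"
if ($Apply -and $current -ne 1) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$regName set to 1"
}

# 3. Option 2: the MRT_HB task and its /EHB switch.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) {
    Write-Output "Task $taskPath$taskName not found"
    return
}
Write-Output "Task state: $($task.State)"
$changed = $false
foreach ($action in $task.Actions) {
    Write-Output "Action: $($action.Execute) $($action.Arguments)"
    if ($action.Arguments -match '(^|\s)/EHB(\s|$)') {
        Write-Output 'Heartbeat switch /EHB is present'
        if ($Apply) {
            # Drop only the /EHB token and keep every other switch as it was.
            $action.Arguments = ($action.Arguments -replace '(^|\s)/EHB(?=\s|$)', '').Trim()
            $changed = $true
        }
    }
}
if ($changed) { $task | Set-ScheduledTask | Out-Null; Write-Output '/EHB removed from the task' }
```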


Lol, here is where Martin posted about it in 2007. I've been blocking it in my firewall for many years.

http://www.ghacks.net/2007/12/16/prevent-malicious-software-removal-tool-from-phoning-home/

Why do you need to edit the registry when you have it blocked?

Link to comment
Share on other sites


57 minutes ago, Pete 12 said:

This key was already 1, on my machine............:rolleyes:

It runs a scan and calls home every time you update it; it's been like that for years. When I apply registry hacks for some stuff, I already block everything with a firewall. All Microsoft has to do is send out an update that reverses it, so tweaking the registry won't get you but so far, and if you don't monitor your internet 24/7 you never know till a site or person posts about it. Registry hacking can't take the place of a good interactive firewall.

For years people install anti-virus programs and they collect info about your computer and your programs; they even delete your cracks. Many have false positives for many years and never fix them. The more an app calls home, the more data it collects. Many people trust these programs with their life, but when Microsoft does it they have a duck? Either you block it or you don't; it's got to do with whether you trust a company with your data or not. They could be selling it for profit or use it to kill software and cracks they don't like. :)

Link to comment
Share on other sites


Make sure you read the comments on the source pages, there is some interesting information in them also.

Link to comment
Share on other sites


Martin just reads posts somewhere else and writes a story about it; he read here and posted about it again

https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/

Just like the other day when those sites made a big deal about KB 3199209, about Microsoft not posting a changelog. It was nothing but a Servicing Stack update; they posted the changelog 10 hours later. All these sites looked like morons, because if you want to be able to get updates you need that update.

RS1 is buggy; we need all the bug fixes we can get. Bugs are still in RS1 that have existed in Windows 10 since July 2015, like drives appearing twice in the navigation pane of Windows 10 Explorer. You apply the registry hack, it fixes it till you update, then you have to apply it again. That's how dependable these hacks are :P

Another bug is every time you change programs it changes it to default. These bugs have always existed in Windows 10 and affect most everyone, but news sites want to write articles about bugs that don't affect but a small group of users. These sites lurk other sites, and when someone posts something they all post the same story, no original content.

And why would I find anything interesting about what people say in those blogs' comments about something I have been blocking in a firewall since I was on XP? Most of those sites' comments are full of FUD. It's like some say stay on Windows 10 TH2; it's still full of bugs that will never get fixed. If you want to stay on an O/S without any bug fixes, use Windows 7 or Windows 8.1. Windows 7 is nice and stable, but it has bugs in it still too.

One bug a lot had with Windows 7 was their USB ports stopped working. Another thing is many things work in Windows 10 and Windows 8 without installing 3rd party drivers. When you install drivers there's a chance of botching something up. My nephew installed Windows 10 because he could no longer get Minecraft to work in Windows 7, and updating to Windows 10 fixed it lol. To reinstall Windows 7 from auto updates takes a day or 2. Maybe a week if you have slow internet.

Link to comment
Share on other sites


2 hours ago, steven36 said:

Martin just reads posts somewhere else and writes a story about it; he read here and posted about it again

That's true about the majority of sites. One site releases the information and then ALL the tech sites have to write their own article putting their own spin on it. Some of the most useful information actually comes from the comments made by the site's readers that have additional information or even links to other relevant posts on the subject. Generally people have their favorite sites they visit for information every day and just stick with those, so the uptake may be different based upon the bias of the writer. I used to say I preferred getting my information from the 'horse's mouth' but with Microsoft being what it is today it is more like getting it from the 'horse's ass'. They aren't very forthcoming and based upon what they are saying depends on which department is doing the reporting.

For example, when Windows 2000 came out it had a recommended system qualification for installing. One of our departments had an old system that met the recommendations published by Microsoft but I refused to install it because it was just too old. So they installed it themselves and then submitted a help desk ticket because it took 26 minutes to load. I could find nothing wrong, so using our help desk account I contacted Microsoft, at which point I was informed that the minimum system recommendations were produced by marketing and not the system developers. The tech I was talking to said that the ACTUAL minimum requirements were twice that which marketing had decided on stating.

New versions of Windows have nothing to do with the security of the system, which is obviously a true statement based on the number of updates released for Windows 10. It is all money driven. The old adage of 'if it isn't broke don't fix it' applies to software to a very great extent. How many times has an 'updated' version taken away what you liked best about a program or introduced things you don't even need or use? It is even said about Microsoft Office that 99% of the users don't use over 5% of the capabilities/functions of the software. Somewhere, in storage, I still have a Zenith 8086 with Windows 1.03 installed on it. I always keep an old system for posterity. And if there was something I needed that only ran on that machine then it is still relevant and useful today. Like Harvard Graphics 3 for Windows 3. I still have disks with slides made in HG3 from the early 90s and an old Windows system that has the software installed on it so I can access the data in those slides if it is needed. Old yes, but not obsolete, which is a marketing term to separate a person from their money.

Link to comment
Share on other sites


11 minutes ago, straycat19 said:

That's true about the majority of sites. One site releases the information and then ALL the tech sites have to write their own article putting their own spin on it. Some of the most useful information actually comes from the comments made by the site's readers that have additional information or even links to other relevant posts on the subject. Generally people have their favorite sites they visit for information every day and just stick with those, so the uptake may be different based upon the bias of the writer. I used to say I preferred getting my information from the 'horse's mouth' but with Microsoft being what it is today it is more like getting it from the 'horse's ass'. They aren't very forthcoming and based upon what they are saying depends on which department is doing the reporting.

LOL, I don't even think I started reading the PC-centric news till around 2014. I find it interesting at times, but I find it boring more times than not. A lot of the news, if it was not posted on here I would not read it at all. I'm bored of it; most of it is repetitious, just saying the same stuff over and over, and people in comments put me to sleep. I read a lot of comments at Reddit but not about Windows; I be falling off to sleep by the time I'm done.

On Windows blogs it's the sos: the haters say Windows 10 sucks and the fanboys say it don't. It's a waste of time, nothing but FUD. If I need to know something I just do a web search and find the answer if it exists :P

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.
