Windows 8 tells Microsoft about everything you install

Known computer security researcher Nadim Kobeissi has posted up some interesting information on the behavior of Windows 8 whenever you install an application. According to some quick researching he did, the Windows SmartScreen feature reports every application a user installs to Microsoft, and does so in a way that could be intercepted by malicious hackers.

The Windows SmartScreen feature is enabled by default and is designed to tell end users whether the application they have downloaded from the internet is safe to install on their machine. It does this by gathering some info upon opening the installer, sending it to Microsoft and then waiting for a response to see if said installer has a valid certificate. As Kobeissi mentions, this means information about every single application downloaded and installed is sent to Microsoft.

He dug further to discover the information sent could potentially be intercepted by a malicious hacker, as Microsoft uses an "outdated and insecure" method of HTTPS encrypted communications. If a hacker did manage to steal all the information on a user's application installation habits, they could make a profile of the user and use that to find other exploitable weaknesses.

The issue with SmartScreen is currently only prevalent in Windows 8 as it's the first time Microsoft has integrated SmartScreen at an OS level (Windows 7 only features SmartScreen in applications like Internet Explorer). You can disable SmartScreen so you are no longer reporting your installation habits to Microsoft, but this is apparently not easy to do and results in periodic nags to re-enable it.

Chances are Microsoft will not do anything about their implementation of SmartScreen, so as it stands now it could be a privacy and security risk.

Source: Nadim Kobeissi's Blog
"Security concept: Lock on"  image via Shutterstock

Report a problem with article
Previous Story

Infographic: You are not safe online

Next Story

Windows 95 released 17 years ago today

73 Comments

Commenting is disabled on this article.

Let me state that I'm trying (again) the Windows 8 evaluation copy, and whenever I attempt to open a .zip or self-extracting archive, the nagging SmartScreen comes up to try and block it. This is, of course, annoying to me but to the average user who might be trying to install a game or an application that uses a self-extracting package it'll be a nightmare. Just as the nagging UAC in Vista was, this will be just as self-defeating and eventually users will simply turn it off (once they can find where to turn it off.)

Gotta admit this doesn't seem like a big deal to me and
combine that with the fact that the feature can be disabled
then i don't see what the big deal is.
I know MS has a lot of avenues to collect info
and they do it everywhere.. for example i have seen a bunch of requests
on MS sites asking if i want to do surveys. Also stuff like Security Esentials
and Office and Visual Studio collect info while running or during setup
and i have seen disable options for those too

bah big fuss over nothing..
And i will admit if this was a valid reason to hate on Win 8 i would lol
But fair is fair

Tim Shiesser said,
You can disable SmartScreen so you are no longer reporting your installation habits to Microsoft, but this is apparently not easy to do and results in periodic nags to re-enable it.

Go to Action Center, click "Change Windows SmartScreen settings", select "Don't do anything (Turn off Windows SmartScreen)", click OK. In the Action Center warning message click "Disable messages about Windows SmartScreen".

Disabled, and no "nags". Is that really difficult?

Edited by thomastmc, Aug 24 2012, 11:30pm :

Heh, you people get up in arms over just about anything these days. Apple this, Microsoft that.

You know you can just toggle the switch that says "Turn on Windows SmartScreen filter to check files and apps with Microsoft" that literally appears in front of your face during Windows 8 setup, right? It's really not that hard.

See: http://i.imgur.com/TXr7f.png

I don't know why this hoopla over the fact that Smart Screen is gonna phone home about every software I am going to install on my PC. As long as that information is kept secret and not used in any way against me, I am ok with this. What I am more worried about is the possibility of a hacker to intercept the information in transmission. Now I wont want that to happen at all...

Please stop reporting this as news or some type of violent scary thing. The security researcher has something against Microsoft. All they did was take the Smart Screen technology they have in IE and put it across the OS because of their app store. They have integrity and now they know if anything has been messed with or if there is any form of malware. It's all to help the end user; and you can disable it at install time. All that's sent off to Microsoft is an md5 hash of the application, along with some generic information. They are NOT spying on you. Stop it, you look bad.

TBH, a couple of times SmartScreen & UAC would pop up for the application, & lemee tell ya, it's been annoying. I was okay with that, but having to deal with this also, goodbye SmartScreen!

MASTER260 said,
TBH, a couple of times SmartScreen & UAC would pop up for the application, & lemee tell ya, it's been annoying. I was okay with that, but having to deal with this also, goodbye SmartScreen!

*for the same application.

New feature just in...Windows 8 can turn on your camera and babysit your child while you're away. Data is sent back to Microsoft for processing.

absolutely another reason to stay away from this PoS..it also illustrates the inherent surrendering of control with cloud based OSes ..which is win8 is the first step towards.. we need to reject the idea that big brother knows best..

HAHAHA. Another nail in the coffin and counting. Yet another reason to stay with windows 7. Not only the stupid interface but this??. This is too much. How about the companies/goverments/etc? They agree with this?, they agree to be traced by m$ in the name of security??. Benjamin Franklin, WHERE ARE YOU?

ThePitt said,
Benjamin Franklin, WHERE ARE YOU?

It's much easier to just turn the thing off (it does give you the option during installation) than contacting the spirit of a dead president.

Microsoft have antivirus to protec your computer for been infect with virus and spyware but Microsoft hide spyware on your computer . so what kinda protection Microsoft is giving me ,

Gaara sama said,
Microsoft have antivirus to protec your computer for been infect with virus and spyware but Microsoft hide spyware on your computer . so what kinda protection Microsoft is giving me ,

If they ask you if you want to enable it or not during the OS installation then it's not hidden from you now is it?

Great just what i need to Microsoft spying on me. .. well its a big issues nobody need to know what im doing in my computer ,

Gaara sama said,
Great just what i need to Microsoft spying on me. .. well its a big issues nobody need to know what im doing in my computer ,

That's pretty ironic considering you're seemingly a Google fan..

I prefer Google knowing what i do all the time on the web, that way they know exactly what and how to advertise to me.

im positive none of you even tried using the OS before commenting,because if you did, you would know that when you're setting up the PC for the first time, it specifically lets you either enable or disable the feature. it tells you exactly what it is(send information to Microsoft of the applications I install so they can be verified) or something like that,and you have the option of turning it on or off.

Aethec said,
A good read: http://www.withinwindows.com/2...-windows-smartscreen-scare/
It's a hash, not a file name.

In fact if you read well, it's a hash AND a name. Even if the name is encoded and not in clear. In fact it make sense as the hash will tell exactly what version of the executable name is. If the hash does not check with any version of this exe, then SmartScreen will tell you it's not safe. It will be a problem with new software, as it takes few days to Microsoft to add new version hash to its database.

"Chances are Microsoft will not do anything about their implementation of SmartScreen, so as it stands now it could be a privacy and security risk."

WTF is this based on. If there is a security hole in the system, of course they will upgrade it. This isn't some backyard Linux OS. This is the latest version of the biggest and most used piece of software in the world.

I can only assume this will somehow work in with installation of "apps" on tablets and things. And if it makes it safer for my parents and non computer savvy friends, so I don't have to fix their **** ups when they install every bit of malware known to man on their PC, I love this thing.

Nashy said,
If there is a security hole in the system, of course they will upgrade it. This isn't some backyard Linux OS. This is the latest version of the biggest and most used piece of software in the world.
This also isn't Windows XP which is the same as a Linux distro with no active development. Since XP isn't supported by MS anymore. Again, remind me here, how many companies and people use XP still? A lot from what I see.

I understand what you're saying. MS is fairly good at patching most issues however, only if they deem them as something that needs to be patched. This may be something that they don't feel needs to be patched (until something bad happens). Unlike an actively developed Linux distribution which can be patched by anyone at anytime. No need to wait for the company to decide if it needs to be patched or not.

If SmartScreen reports to MSFT only when I install the software from Windows Store, I am okay with it because it need to store the list of software I have installed (and paid for it, in case the software is not freeware). But for software downloaded outside Windows Store...? I don't know the others, but I'm okay with it as long as the information sent is encrypted (apparently MSFT is not doing good enough here according to the article).

Oh noo, Microsoft are going to know that I personally have installed Pornpro 98.

In fact if I put it on a tablet they'll probably be able to use GPS data to track me down and judge me in person.

JamesWeb said,
Oh noo, Microsoft are going to know that I personally have installed Pornpro 98.

In fact if I put it on a tablet they'll probably be able to use GPS data to track me down and judge me in person.

Think of the millions of underage tablet and smatrphone users with Pornpro on their devices; not to mention the thousands of senior level executives with in on their company-issued tablets.

So what is this for? Will this screen for known bad / malicious applications and warn you? Or is it purely reporting this stuff back to Microsoft?

Chicane-UK said,
So what is this for? Will this screen for known bad / malicious applications and warn you? Or is it purely reporting this stuff back to Microsoft?

When you run an exe file, it will instead display a warning message that you shouldn't run the file, prevents it from ever running and hides the "Run Anyway" button if it's not a well known exe / reported malicious. You still have the option of ignoring the warning anyway and launching the exe if you click "more information" to learn why it might not be safe and then click "Run Anyway" - but it's designed to stop people downloading random exe's from the internet and thinking it's safe to run them. The data that decides on the reputability of the file comes from how many other people have used the exe and haven't had any problems caused by it - data which is collected by Smartscreen itself (probably amongst other sources too).

It also blocks known malicious sites entirely in Internet Explorer too. Frankly, I imagine this same sort of data is collected by a large number of Firewall & Anti-Virus vendors too to provide similar security services.

Edited by ~Johnny, Aug 24 2012, 10:57am :

Chicane-UK said,
So what is this for? Will this screen for known bad / malicious applications and warn you? Or is it purely reporting this stuff back to Microsoft?

It's similar with a feature in IE wich scan all your downloads and tell you if it's trusted or not based on similar downloads made by other users and acording to a microsoft list. It also call home. Now MSFT has extended this to the software installation. However, even if you disable Smart Screen, Windows will continue to transmit data about your system and your habits to Microsoft. This has started with XP. Theoretically based on telemetry, MSFT can improve the OS, but let's remember that the telemetry was the excuse for Classic Menu and Start Button Removal.

eiffel_g said,

It's similar with a feature in IE wich scan all your downloads and tell you if it's trusted or not based on similar downloads made by other users and acording to a microsoft list. It also call home. Now MSFT has extended this to the software installation. However, even if you disable Smart Screen, Windows will continue to transmit data about your system and your habits to Microsoft. This has started with XP. Theoretically based on telemetry, MSFT can improve the OS, but let's remember that the telemetry was the excuse for Classic Menu and Start Button Removal.

Hasn't Windows done this for a while now? When you go to install a program from an untrusted (no certificate) source it pops up asking if you really want to install it. Even after install it continually asks if you really want to run the program. Of course you can't tell it to 'always run' and not ask also. Something about data execution prevention. The only difference is that in W8 it tells MS about it by default which is what I have a problem with. It should be off by default (not the data execution prevention aspect).

You can disable SmartScreen so you are no longer reporting your installation habits to Microsoft, but this is apparently not easy to do and results in periodic nags to re-enable it.

It's quite easy to disable SmartScreen; simply search for Smartscreen, disable it and choose to 'Turn off messages about Windows SmartScreen' to prevent the nagging. It would be difficult to make this any more easy.

Jazirian said,

It's quite easy to disable SmartScreen; simply search for Smartscreen, disable it and choose to 'Turn off messages about Windows SmartScreen' to prevent the nagging. It would be difficult to make this any more easy.

Yep, its in the security section of the action center. Very well hidden, MS are so evil! /s

Jazirian said,

It's quite easy to disable SmartScreen; simply search for Smartscreen, disable it and choose to 'Turn off messages about Windows SmartScreen' to prevent the nagging. It would be difficult to make this any more easy.

Beat me to it. If you don't want it, your probably a bit more capable- meaning you can turn off a Windows feature. As for the nagging, there is clear underlined text asking you if you want to disable messages for it!

The actual feature isn't bad at all - It does explain what it does when you look at it on your Windows 8 Install. You can also turn this on or off during the installation of Windows 8 If I remember correctly.

MattGarner said,
The actual feature isn't bad at all - It does explain what it does when you look at it on your Windows 8 Install. You can also turn this on or off during the installation of Windows 8 If I remember correctly.

Yup, go express setup and you can easily opt-out.
It even warns you what it does, why it does so, and why people should rather keep it.
I suggest people to keep these kind of things enabled to.

See often enough people use IE and get driveby downloads and cry for getting f'd in the A, while these sites are blacklisted if you have smartscreen enabled -.-

MattGarner said,
The actual feature isn't bad at all - It does explain what it does when you look at it on your Windows 8 Install. You can also turn this on or off during the installation of Windows 8 If I remember correctly.

Its the first thing I disable because it thinks all of my self made apps are malicious.

Toysoldier said,

You do realize that alot of software in Windows 7 phones home too right?


Win7 phones home some usage, not everything you install (unless problems ocure, it'll phone home a list of installed software if you decide to send a report)
And unlike Win7, Win8 offers the option to opt-out during initial setup

myxomatosis said,
One more reason to keep using Windows 7

Wow. It's not even a compulsory feature and it's designed for computer illiterate people like yourself because you are incompetent at selecting trustworthy sources for programs...

If you check the install image you will find a file call telemetry.xls - you can find inside what kind of information is collected and transmitted to Microsoft.

Leo (DerpDerp) said,
In before someone spins this as a good thing.

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD OM F*CKING GOD NO! BAD MS BAD MS! DOWN! BURN TO THE GROUND!!!!!!!!!!

And everything is as secure as thin air. Bunch of paranoid idiots.
Go DNS spoof or IP spoof and NOTHING is secure. Go online through an access point you do not control, and nothing is secure either.
Catch the handshake and no SSL connection will be sufficient enough

Edited by ~Johnny, Aug 24 2012, 10:45am :

Leo (DerpDerp) said,
In before someone spins this as a good thing.
In before "people don't know how to read post install setup correctly".
It's clearly announced to the user, nothing tricky ala Google here

Edited by ~Johnny, Aug 24 2012, 10:15am :

Leo (DerpDerp) said,
In before someone spins this as a good thing.

Do you have any valiid reasons why Smartscreen isn't a good thing? Or is trolling sufficient for you?

Seems to me that Smartscreen is a potentially useful feature, and of course it has to send details of what you install to Microsoft. How else would the service know if the application is known to be safe.

Edited by ~Johnny, Aug 24 2012, 10:27am :

Shadowzz said,

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD OM F*CKING GOD NO! BAD MS BAD MS! DOWN! BURN TO THE GROUND!!!!!!!!!!

And everything is as secure as thin air. Bunch of paranoid idiots.
Go DNS spoof or IP spoof and NOTHING is secure. Go online through an access point you do not control, and nothing is secure either.
Catch the handshake and no SSL connection will be sufficient enough

Exactly why I'd NEVER install anything of Googles or Apple. Besides, most programs that phone home, do so to the company where the software came from, not MS.

This should not be enabled by default! Just another service to disable immediately after installing Windows 8.

Shadowzz said,

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD OM F*CKING GOD NO! BAD MS BAD MS! DOWN! BURN TO THE GROUND!!!!!!!!!!

And everything is as secure as thin air. Bunch of paranoid idiots.
Go DNS spoof or IP spoof and NOTHING is secure. Go online through an access point you do not control, and nothing is secure either.
Catch the handshake and no SSL connection will be sufficient enough

Two wrongs don't make a right. (nor does three)

cork1958 said,

This should not be enabled by default! Just another service to disable immediately after installing Windows 8.

Frankly this should be enabled by default given the inherent added security it provides to a large number of people who don't realize the harm installing random programs can do. If you don't feel you need it you can by all means turn if off during Windows Setup (where it's explained what it does and that it sends information about what you install to Microsoft), or any other time.

Shadowzz said,

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD

I use MS software not Google or Apple ones so........... I am interested about what the former does not the others.
Personally I would prefer that these kind of services should not be enabled by default but offered as opt-in.

Edited by Fritzly, Aug 24 2012, 10:54am :

~Johnny said,

Frankly this should be enabled by default given the inherent added security it provides to a large number of people who don't realize the harm installing random programs can do. If you don't feel you need it you can by all means turn if off during Windows Setup (where it's explained what it does and that it sends information about what you install to Microsoft), or any other time.

Man you have edited so many comments here, why?

Anthonyd said,
Man you have edited so many comments here, why?

They all quoted the original post I had to edit, so I needed to edit the quote in all of those too

Shadowzz said,

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD OM F*CKING GOD NO! BAD MS BAD MS! DOWN! BURN TO THE GROUND!!!!!!!!!!

And everything is as secure as thin air. Bunch of paranoid idiots.
Go DNS spoof or IP spoof and NOTHING is secure. Go online through an access point you do not control, and nothing is secure either.
Catch the handshake and no SSL connection will be sufficient enough

Please explain how Google knows everything i install, and how apple knows what i install on a Windows machine.

Why are people b1tching about thing this, cause Windows is installed on more machines than Apple OS X and they have a new OS about to be released. Am i worried about this, YES What i do with my machine is up to me, MICROSOFT, APPLE AND GOOGLE (and anyone else) shouldn't have access to what i install or remove from my machine.

~Johnny said,

Frankly this should be enabled by default given the inherent added security it provides to a large number of people who don't realize the harm installing random programs can do. If you don't feel you need it you can by all means turn if off during Windows Setup (where it's explained what it does and that it sends information about what you install to Microsoft), or any other time.

Oh, so you're one of the nanny-state supporters then. Can't make an educated decision under any circumstance and must be told what to do, how to do it, and when. God forbid an ADULT takes responsibility for what they do.

If a persons computer gets f'd up beyond repair due to their own lack of care and understanding then they can just pay for a new one or stay the hell away from tech. Plain and simple.

Next thing you know you'll be ok with a camera in your bedroom so the government can make sure you're 'doing it correctly' or not doing anything illegal. How about sensors on your clothes to make sure you're washing them and wearing them correctly too?

I have no issue with this by the way, since the feature can be turned off. However, to say it should be enabled by default is asinine.

Shadowzz said,

I dont see the issue. Google keeps track of what users install.
Apple keeps even more track of what users install exactly.
Microsoft does it and NOW ITS BAD OM F*CKING GOD NO! BAD MS BAD MS! DOWN! BURN TO THE GROUND!!!!!!!!!!

And everything is as secure as thin air. Bunch of paranoid idiots.
Go DNS spoof or IP spoof and NOTHING is secure. Go online through an access point you do not control, and nothing is secure either.
Catch the handshake and no SSL connection will be sufficient enough

welcome to neowin

KCRic said,
Oh, so you're one of the nanny-state supporters then. Can't make an educated decision under any circumstance and must be told what to do, how to do it, and when. God forbid an ADULT takes responsibility for what they do.

If a persons computer gets f'd up beyond repair due to their own lack of care and understanding then they can just pay for a new one or stay the hell away from tech. Plain and simple.

Next thing you know you'll be ok with a camera in your bedroom so the government can make sure you're 'doing it correctly' or not doing anything illegal. How about sensors on your clothes to make sure you're washing them and wearing them correctly too?

I have no issue with this by the way, since the feature can be turned off. However, to say it should be enabled by default is asinine.

For the average user, which none of us here are, they just want to use a computer in a safe manner without learning to become system administrators. For mom, dad, and the grandparents, this feature is a great idea and should be enabled by default.

For the more tech-savvy users out there, like us, it's not as necessary. But then we're tech-savvy enough to know how to shut it off, or find out how if we don't know.

th3r3turn said,
Please explain how Google knows everything i install,
Are you using Google to search for software to installs? Are you using Chrome (which sends all your visited pages to Google) ? If so then yes, Google knows you more than you do.
And like MS, you can disable most of the tracking for Chrome. But you can't for the search engine AFAIK.

Shadowzz said,
Apple keeps even more track of what users install exactly.

What are you even talking about? How do they know ANYTHING about what users install as long as it doesn't come from the App Store (which is optional on OS X)?

Shadowzz said,

Google keeps track of what users install.

BULLSH*T. They only know what you download from the MARKET. Nothing more. And its COMPLETELY anther System.
On the other hand, you are right about apple.

th3r3turn said,

Please explain how Google knows everything i install, and how apple knows what i install on a Windows machine.

Why are people b1tching about thing this, cause Windows is installed on more machines than Apple OS X and they have a new OS about to be released. Am i worried about this, YES What i do with my machine is up to me, MICROSOFT, APPLE AND GOOGLE (and anyone else) shouldn't have access to what i install or remove from my machine.