Control Panel Windows 10 Logs


  1. Posts : 194
    Windows 10
       #1



    Silly question maybe, but does Windows 10 create logs of when you open any of the options in Windows 10's Control Panel? For example, if I were to go to Program Features or Internet Options, does Windows 10 create a log of a user entering either of those?


  2. Posts : 14,047
    Windows 11 Pro X64 22H2 22621.1848
       #2

    No.


  3. Posts : 1,785
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #3

    No, not a simple, easy-to-use log... but the information IS there. You just have to use a couple of tools (run elevated) to work out what's happening and when and by whom.

    Privazer's ShellBagAnalyzer + Cleaner - This will analyze all current stored ShellBags stored in the registry and show you when All Control Panel Items was opened. (The following entry identifies the account in use at the time.) This lets you narrow down the search period for use in the next utility. Here's a screenshot to show you the sort of output:

    Control Panel Windows 10 Logs-log_query01.png

    Sysinternals/Technet's Process Monitor (ProcMon) with filtering events set to Show File System Activity - This will show you the exact time that individual Control Panel items are opened and their names (so, for example, you can search for 'Internet Options' and 'Programs and Features') and which account was used to open them. Entries either side of the Control Panel item event further identify where per user jumplist data is stored. Here's a screenshot with only the relevant events left in to give you an idea:

    Control Panel Windows 10 Logs-log_query02.png

    Events a and c are the results of my searches for 'Internet Options' and 'Programs and Features' whilst event b is unrelated to Control Panel:

    Control Panel Windows 10 Logs-log_query04.png
    The proliferation of WriteFile events related to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms are all related to Control Panel. To confirm this I used another tool.

    This screenshot of a jumplist list confirms that the WriteFile events related to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms all refer to the Control Panel.

    Control Panel Windows 10 Logs-log_query03.png

    Unfortunately, even using a JumpList parser like JumpListEx for Windows 10, there's no useful additional data available:

    Control Panel Windows 10 Logs-log_query05.png

    That's about it and hopefully answers your question.

    Hope this helps...
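
Added example, not part of the original post: one way to turn the burst of jumplist WriteFile events described above into one entry per Control Panel use, working from a ProcMon CSV export. It assumes ProcMon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and a 12-hour time format; the sample rows, the `alice` profile and the 2-second grouping gap are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Jump-list file name quoted in the post (compared case-insensitively).
CPL_JUMPLIST = "7e4dca80246863e3.automaticdestinations-ms"
JL = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms"

# Constructed sample rows; ProcMon's default CSV export columns are assumed.
SAMPLE_CSV = rf'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.1000000 AM","explorer.exe","4321","WriteFile","{JL}","SUCCESS","Offset: 0, Length: 4,096"
"9:14:02.3500000 AM","explorer.exe","4321","WriteFile","{JL}","SUCCESS","Offset: 4,096, Length: 4,096"
"9:14:02.9000000 AM","explorer.exe","4321","WriteFile","{JL}","SUCCESS","Offset: 0, Length: 512"
"9:14:30.0000000 AM","explorer.exe","4321","WriteFile","C:\Users\alice\AppData\Local\Temp\example.tmp","SUCCESS","Offset: 0, Length: 64"
"9:20:45.2000000 AM","explorer.exe","4321","WriteFile","{JL}","SUCCESS","Offset: 0, Length: 4,096"
"9:20:45.6000000 AM","explorer.exe","4321","ReadFile","{JL}","SUCCESS","Offset: 0, Length: 4,096"
"9:20:46.0000000 AM","explorer.exe","4321","WriteFile","{JL}","SUCCESS","Offset: 0, Length: 512"
'''

def parse_time(text):
    # ProcMon prints 7 fractional digits; strptime's %f accepts at most 6.
    clock, _, ampm = text.partition(" ")
    hms, _, frac = clock.partition(".")
    return datetime.strptime(f"{hms}.{frac[:6] or '0'} {ampm}", "%I:%M:%S.%f %p")

def control_panel_sessions(csv_text, gap=timedelta(seconds=2)):
    """Group jump-list WriteFile bursts into one entry per Control Panel use."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "WriteFile":
            continue
        if not row["Path"].lower().endswith(CPL_JUMPLIST):
            continue  # unrelated file activity
        profile = row["Path"].split("\\")[2]  # C:\Users\<username>\...
        hits.append((parse_time(row["Time of Day"]), profile, row["Process Name"]))
    hits.sort()
    sessions = []
    for when, profile, proc in hits:
        last = sessions[-1] if sessions else None
        if last and last["profile"] == profile and when - last["end"] <= gap:
            last["end"], last["writes"] = when, last["writes"] + 1
        else:
            sessions.append({"start": when, "end": when, "profile": profile,
                             "process": proc, "writes": 1})
    return sessions

if __name__ == "__main__":
    for s in control_panel_sessions(SAMPLE_CSV):
        print(s["start"].time(), s["profile"], s["process"], s["writes"], "writes")
```

The profile name comes from the path itself, since the jumplist file lives under each user's own AppData folder.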


  4. Posts : 194
    Windows 10
    Thread Starter
       #4

    Wow, that's crazy! So there are logs for absolutely everything huh? Is there a way to turn off any and all logging and delete all present logs on the system?


  5. Posts : 1,785
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #5

    SightUp said:
    Wow, that's crazy! So there are logs for absolutely everything huh? Is there a way to turn off any and all logging and delete all present logs on the system?
    IMO the answer is a qualified 'No' (but I'm more than happy to be corrected). If there is then I haven't yet heard of it, only ways to reduce a fraction of built-in data collection. These artefacts are how forensic specialists can put together a report by collecting little nuggets of info from different parts of the Windows ecosystem to retrace activity.

    Take the collection of ShellBags info as an example. Whilst Privazer's ShellBagAnalyzer + Cleaner offers an easy way to view and delete the built-up collection of info about what folders (including Control Panel) have been visited to that point, there isn't a way AFAIK to turn off the actual collection itself.

    For another example, the use of every USB device is recorded (what, when, where and by whom). Windows' interaction with the USB bus hardware appears to be the most inquisitive sub-system by far... and the info is recorded in the registry and a plethora of logs.

    You can see all (most) of this happening in real-time using ProcMon but digging out previous info requires many tools (mostly third-party), many of them now automated (Try a Google search for forensic analysis tools). Bear in mind that much (most) of the info is protected (whilst the system is online), obfuscated (and requires privileges higher than being in the 'Administrators' group). Often we can use tools (many of them third-party) to view some of the info but a lot of the info is encrypted. As a result it's impossible to know the full extent of info collection.

    It's easy to delete most built-up logs gathered as part of the normal event diagnostics, i.e. the logs displayed in Event Manager. For example, open an elevated PowerShell window and use wevtutil el | Foreach-Object {wevtutil cl "$_"} but note that this will take some time to complete execution and won't delete all logs (even when using a local account with NO Microsoft Account login used for anything).

    Control Panel Windows 10 Logs-log_query06.png

    Control Panel Windows 10 Logs-log_query07.png

    Control Panel Windows 10 Logs-log_query08.png

    However, it's probably impossible to stop their collection in the first place, even if you disable the multiple services involved... because Microsoft actively deters you from making changes to many of them.... and if you DO disable them then that triggers further automated event collection (basic telemetry) that is shipped home for automated analysis. This in turn often eventually triggers a Microsoft response - in a subsequent update - to stop you fiddling. (Think 'Windows Update' for example, and the new services [e.g. 'Windows Update Medic Service'] that have appeared to prevent you fiddling with its operation or correct your fiddling automatically if you are successful.)

    Bear in mind that it's the cost of using Windows... accepting the EULA means you have in theory agreed to this data collection in the first place. (This has not yet been tested in the courts AFAIK but places like the European Union continue to pressure Microsoft into revealing its methods and content. Bear in mind also that - certainly since Edward Snowden's revelations in 2013 - Microsoft now claims it does not share user data... yet also reports the ever-increasing number of annual data access 'requests' from various government security agencies... like other OS giants.)

    Hope this helps...
    Last edited by RickC; 11 Sep 2020 at 09:27.


  6. Posts : 194
    Windows 10
    Thread Starter
       #6

    Wow. This is some good, in detail stuff here! Thanks for sharing!

    That Privazer's ShellBagAnalyzer + Cleaner, is it like CCleaner in the sense you just launch it and it won't create any extra files anywhere else on your PC? I hate it when programs do that crap. . . I am looking through some random user folder and see some program that has been uninstalled or supposed to be all within its .exe and clogging up my PC with its useless .cfg or .log file. . . Ugh!


  7. Posts : 1,785
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #7

    SightUp said:
    That Privazer's ShellBagAnalyzer + Cleaner (https://privazer.com/en/download-shellbag-analyzer-shellbag-cleaner.php), is it like CCleaner in the sense you just launch it and it won't create any extra files anywhere else on your PC?
    I have no idea... I haven't used tools like ProcMon to analyse whether it creates additional files because I have little or no interest. In these days of massive disk capacities for very little money, I'm more interested in systems contacting unknown external endpoints on the internet without their owner's knowledge or permission.

    CCleaner, IMO, has grown from being a very good single-purpose cleaner many years ago to a catch-all tool that I no longer use.

    Again IMO, Privazer's ShellBagAnalyzer + Cleaner has just three purposes... 1) to show and 2) to delete the history of folders that users (and the OS itself) have visited. Its 3rd purpose is to remind you of Microsoft's tracking of filesystem folder activity within the Windows OS.

    Before you ask... no, I have no idea whether that filesystem activity is subsequently uploaded to Microsoft.

    Hope this helps...


 
