
Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries

by Jeff Martin on Jun 08, 2016. Estimated reading time: 2 minutes

Recently, Reddit user "sammiesdog" posted claims that Visual Studio's C++ compiler was automatically adding function calls to Microsoft's telemetry services. The screenshot accompanying their post showed how a simple 5-line CPP file produced an assembly language file that included a function call titled “telemetry_main_invoke_trigger”.

The ensuing discussion revolved around how to disable this unannounced “feature”, along with speculation about its purpose. “sammiesdog” noted that this appears in release builds, while user “ssylvan” indicated that it appears in debug builds too. The telemetry function is intended to communicate with ETW (Event Tracing for Windows).

User “xon-xoff” explains their concerns in a posting to a related thread:

You are correct, ETW by itself just logs events. That in itself is not a problem. Here are the problems:

  • ETW can and is sometimes used as part of solutions for remote telemetry.
  • These events are coming from the program itself whenever the CRT is statically linked into the program.
  • It's called telemetry.

While conducting research for this article, this author was able to view the telemetry function calls reported by “sammiesdog” using the following CPP code when compiled under Visual Studio 2015 Update 2:

#include "stdafx.h"
#include <iostream>

int main()
{
    return 0;
}

telemetry_main_invoke_trigger was found in both Debug and Release builds when the project was compiled under both Windows 7 and Windows 10.

The ensuing controversy and conversation about the discovery of this function led to a response from Microsoft’s Steve Carroll, Development Manager for the Visual C++ team.  First and foremost in his response is the unequivocal statement that this functionality will be removed in Visual Studio 2015’s Update 3.  Carroll goes on to explain Microsoft’s thought process behind including this functionality:

…what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead.

In the meantime, users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add “notelemetry.obj” to their linker command line.  (This fix was confirmed by Carroll.)  
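As an added example (not code from the article or from Microsoft), the following Python check flags a build whose assembly listing or map text references the telemetry symbol while the linker command line lacks notelemetry.obj. The function names are hypothetical, and the sample listing, command lines and paths are constructed.

```python
import re

# Symbol name as reported in the article; matched as a substring so that
# decorated forms (e.g. with leading underscores) are caught as well.
TELEMETRY_SYMBOL = "telemetry_main_invoke_trigger"
# Object file the article says to add to the linker command line.
OPT_OUT_OBJ = "notelemetry.obj"

def find_symbol_refs(artifact_text):
    """Return (line_number, text) for every line mentioning the symbol."""
    return [(n, line.strip())
            for n, line in enumerate(artifact_text.splitlines(), 1)
            if TELEMETRY_SYMBOL in line]

def links_opt_out(link_cmdline):
    """True if some linker input's file name is notelemetry.obj."""
    # Tokens are either "quoted strings" (may contain spaces) or bare words.
    for token in re.findall(r'"[^"]*"|\S+', link_cmdline):
        basename = re.split(r"[\\/]", token.strip('"'))[-1]
        if basename.lower() == OPT_OUT_OBJ:   # Windows names: ignore case
            return True
    return False

def audit(artifact_text, link_cmdline):
    """Combine both checks; action is needed when the symbol is referenced
    but the opt-out object is not among the linker inputs."""
    refs = find_symbol_refs(artifact_text)
    opted_out = links_opt_out(link_cmdline)
    return {"refs": refs, "opted_out": opted_out,
            "needs_action": bool(refs) and not opted_out}

# Constructed sample inputs (not real compiler or linker output).
SAMPLE_LISTING = """\
; constructed listing fragment
    call  __telemetry_main_invoke_trigger
    call  main
    ret
"""
LINK_BEFORE = "link /OUT:app.exe main.obj"
LINK_AFTER = 'link /OUT:app.exe main.obj "C:\\build tools\\lib\\NoTelemetry.obj"'
LINK_DECOY = "link /OUT:app.exe main.obj mynotelemetry.obj.bak"

if __name__ == "__main__":
    for name, cmd in [("before", LINK_BEFORE), ("after", LINK_AFTER)]:
        print(name, audit(SAMPLE_LISTING, cmd))
```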

InfoQ reached out to Microsoft to confirm whether this default behavior exists in Visual Studio “15”. According to a Microsoft spokesperson, the behavior does currently exist in "15" but will be removed in a future preview release; a timetable for removal has not been provided. VS2012 and VS2013 do not include this telemetry behavior.


so it is a back door? by Cheung Peter

so it is a back door?

Why isn't this treated as a hoax? What telemetry services? by Panagiotis Kanavos

ETW = the *local* event log. So no telemetry, just instrumentation for module loading.
Of course, malware could read the event log just like *any* other log.

Re: so it is a back door? by Pei Lin

Seems like...:-)
