Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries

Recently, Reddit user "sammiesdog" posted claims that Visual Studio's C++ compiler was automatically adding function calls to Microsoft's telemetry services. The screenshot accompanying their post showed how a simple 5-line CPP file produced an assembly language file that included a call to a function named “telemetry_main_invoke_trigger”.

The ensuing discussion revolved around how to disable this unannounced “feature” and speculation about its purpose. “sammiesdog” noted that the call appears in release builds, and user “ssylvan” indicated that it appears in debug builds as well. The telemetry function is intended to communicate with ETW (Event Tracing for Windows).

User “xon-xoff” explains their concerns in a posting to a related thread:

You are correct, ETW by itself just logs events. That in itself is not a problem. Here are the problems:

  • ETW can and is sometimes used as part of solutions for remote telemetry.
  • These events are coming from the program itself whenever the CRT is statically linked into the program.
  • It's called telemetry.

While conducting research for this article, this author was able to view the telemetry function calls reported by “sammiesdog” using the following CPP code when compiled under Visual Studio 2015 Update 2:

#include "stdafx.h"
#include <iostream>

int main()
{
    return 0;
}

telemetry_main_invoke_trigger was found in both Debug and Release builds when the project was compiled under both Windows 7 and Windows 10.

The ensuing controversy and conversation about the discovery of this function led to a response from Microsoft’s Steve Carroll, Development Manager for the Visual C++ team.  First and foremost in his response is the unequivocal statement that this functionality will be removed in Visual Studio 2015’s Update 3.  Carroll goes on to explain Microsoft’s thought process behind including this functionality:

…what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead.

In the meantime, users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add “notelemetry.obj” to their linker command line.  (This fix was confirmed by Carroll.)  
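
A build-audit check for the two points above, added here as an example and not taken from the article, Microsoft or the Reddit thread: it scans a MASM-style assembly listing for calls whose target contains telemetry_main_invoke_trigger and reports the enclosing procedure, then checks whether a linker command line lists notelemetry.obj. The sample listing, the procedure name startup_stub and the command lines used with it are constructed for illustration.

```python
import re

SYMBOL = "telemetry_main_invoke_trigger"   # function name reported in the article
OPT_OUT = "notelemetry.obj"                # linker input named in the article

# Constructed MASM-style listing (hypothetical startup_stub); not real compiler output.
SAMPLE_LISTING = """\
_TEXT SEGMENT
startup_stub PROC
    sub  rsp, 40
    call __telemetry_main_invoke_trigger
    call main
    ret  0
startup_stub ENDP
main PROC
    xor  eax, eax
    ret  0
main ENDP
_TEXT ENDS
"""

PROC_RE = re.compile(r"^\s*(\S+)\s+PROC\b")
ENDP_RE = re.compile(r"^\s*(\S+)\s+ENDP\b")
CALL_RE = re.compile(r"^\s*call\s+(\S+)", re.IGNORECASE)


def find_telemetry_calls(listing, symbol=SYMBOL):
    """Return (line_number, enclosing_proc, call_target) for calls whose target contains symbol."""
    hits, current = [], None
    for lineno, line in enumerate(listing.splitlines(), 1):
        code = line.split(";", 1)[0]           # drop MASM comments
        if m := PROC_RE.match(code):
            current = m.group(1)               # entering a procedure
        elif ENDP_RE.match(code):
            current = None                     # leaving it
        elif (m := CALL_RE.match(code)) and symbol in m.group(1):
            hits.append((lineno, current, m.group(1)))
    return hits


def link_opts_out(link_cmdline):
    """True if notelemetry.obj is a linker input (any path, case-insensitive)."""
    for tok in link_cmdline.split():
        if tok.startswith(("/", "-")):         # linker option, not an input file
            continue
        name = tok.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == OPT_OUT:
            return True
    return False
```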

InfoQ reached out to Microsoft to confirm whether this default behavior exists in Visual Studio “15”. According to a Microsoft spokesperson, the behavior does currently exist in "15" but will be removed in a future preview release; a timetable for removal has not been provided. VS2012 and VS2013 do not include this telemetry behavior.

Community comments

  • so it is a back door?

    by Cheung Peter

    so it is a back door?

  • Why isn't this treated as a hoax? What telemetry services?

    by Panagiotis Kanavos

    ETW = the *local* event log. So no telemetry, just instrumentation for module loading.
    Of course, malware could read the event log just like *any* other log.

  • Re: so it is a back door?

    by Pei Lin

    Seems like...:-)
