Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries
Recently Reddit user "sammiesdog" posted claims that Visual Studio's C++ compiler was automatically adding function calls to Microsoft's telemetry services. The screenshot accompanying their post showed how a simple 5 line CPP file produced an assembly language file that included a function call titled “
The ensuing discussion then revolved around how to disable this unannounced “feature” while also speculating about its purpose. “sammiesdog” noted that this appears in release builds, while user “ssylvan” indicated that it appeared in debug builds too. The telemetry function is intended to communicate with ETW (Event Tracing for Windows).
User “xon-xoff” explains their concerns in a posting to a related thread:
You are correct, ETW by itself just logs events. That in itself is not a problem. Here are the problems:
- ETW can be, and sometimes is, used as part of solutions for remote telemetry.
- These events are coming from the program itself whenever the CRT is statically linked into the program.
- It's called telemetry.
While conducting research for this article, this author was able to view the telemetry function calls reported by “sammiesdog” using the following CPP code when compiled under Visual Studio 2015 Update 2:
telemetry_main_invoke_trigger was found in both Debug and Release builds when the project was compiled under both Windows 7 and Windows 10.
The ensuing controversy and conversation about the discovery of this function led to a response from Microsoft’s Steve Carroll, Development Manager for the Visual C++ team. First and foremost in his response is the unequivocal statement that this functionality will be removed in Visual Studio 2015’s Update 3. Carroll goes on to explain Microsoft’s thought process behind including this functionality:
…what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead.
In the meantime, users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add “notelemetry.obj” to their linker command line. (This fix was confirmed by Carroll.)
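A practitioner reading this will want two things: a quick way to confirm whether their own build still references the trigger, and a build step that applies the linker workaround. The following script is an added example written for this article; it is not Microsoft's or InfoQ's code. It assumes that the symbol name telemetry_main_invoke_trigger (as reported above) appears verbatim in the assembly listing produced by cl.exe's /FA option and in the symbol table of the resulting object file or binary, and the listing it scans is a constructed sample, not real compiler output.

```python
"""Check an MSVC build for the inserted telemetry trigger and build a
link command that includes the notelemetry.obj workaround.

Added example for this article; not Microsoft's or InfoQ's code.
Assumptions: the symbol telemetry_main_invoke_trigger appears in the
cl.exe /FA listing and in the object/binary symbol table; SAMPLE_LISTING
below is constructed for illustration.
"""
import re
from typing import List, Tuple

TELEMETRY_SYMBOL = "telemetry_main_invoke_trigger"

# Constructed fragment in the shape of an MSVC /FA listing (not real output).
SAMPLE_LISTING = """\
; Listing generated by cl.exe (constructed sample)
EXTRN	__telemetry_main_invoke_trigger:PROC
PUBLIC	_main
_TEXT	SEGMENT
_main	PROC
	push	ebp
	mov	ebp, esp
	call	__telemetry_main_invoke_trigger
	xor	eax, eax
	pop	ebp
	ret	0
_main	ENDP
_TEXT	ENDS
END
"""


def find_telemetry_refs(listing: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every listing line that
    mentions the trigger symbol: the EXTRN declaration and the call sites."""
    hits = []
    for lineno, line in enumerate(listing.splitlines(), start=1):
        if TELEMETRY_SYMBOL in line:
            hits.append((lineno, line.strip()))
    return hits


def call_sites(listing: str) -> List[int]:
    """Line numbers of 'call' instructions into the trigger (declarations
    alone do not prove the call was emitted; the call instruction does)."""
    pat = re.compile(r"^\s*call\s+\S*" + re.escape(TELEMETRY_SYMBOL))
    return [n for n, line in enumerate(listing.splitlines(), start=1)
            if pat.match(line)]


def binary_has_symbol(data: bytes) -> bool:
    """Symbol names survive in .obj symbol tables, so a raw byte search over
    the file is a cheap first check before running dumpbin /symbols."""
    return TELEMETRY_SYMBOL.encode("ascii") in data


def link_command_with_mitigation(objs: List[str], out: str) -> List[str]:
    """Build a link.exe argument list that appends notelemetry.obj, the
    workaround the article reports for VS2015 Update 2, unless the caller
    already supplied it."""
    args = ["link.exe", "/OUT:" + out] + list(objs)
    if "notelemetry.obj" not in [o.lower() for o in objs]:
        args.append("notelemetry.obj")
    return args


if __name__ == "__main__":
    for n, text in find_telemetry_refs(SAMPLE_LISTING):
        print(f"line {n}: {text}")
    print("call sites:", call_sites(SAMPLE_LISTING))
    print(" ".join(link_command_with_mitigation(["main.obj"], "app.exe")))
```

To use it against a real build, compile with `cl /FA main.cpp`, feed the generated `main.asm` to `find_telemetry_refs`, and pass the `.obj` bytes to `binary_has_symbol`; an empty result from both after relinking with the argument list from `link_command_with_mitigation` is the confirmation that the workaround took effect.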
InfoQ reached out to Microsoft to confirm whether or not this default behavior exists in Visual Studio “15”. According to a Microsoft spokesperson, while this behavior does currently exist in "15", it will be removed in a future preview release; however, a timetable for removal has not been provided. VS2012 and VS2013 do not include this telemetry behavior.
Why isn't this treated as a hoax? What telemetry services?
Of course, malware could read the event log just like *any* other log.
Yousef Awad May 16, 2016