KB 2952664 triggers daily telemetry run in Windows 7 -- and may be snooping on users

Microsoft bills the 'compatibility update' as a way to ease the upgrade process to Windows 10 -- but it's collecting data daily


If you think that KB 2952664 just tweaks your system a bit to improve the upgrade process, you may be in for a surprise. It could also be triggering a daily telemetry run and maybe even snooping on you.

KB 2952664 is billed as a "compatibility update for upgrading Windows 7… [that] helps Microsoft make improvements to the current operating system in order to ease the upgrade experience to the latest version of Windows." So I was surprised when reader Carl Anderson sent me an email, pointing out a Microsoft Answers forum thread that accuses the February 2015 Black Tuesday patches of installing a process that red-lines one core of the CPU every time Windows 7 is started.

Anderson pointed to three possible sources of the spiking process: KB 2952664, KB 2990214, or KB 3035583.

Taking them in reverse order, we already know that KB 3035583 lays the plumbing for Windows 10 nagware. We haven't seen the nagware yet, but with that KB installed, Microsoft will have the ability to run ads and promotions in Windows 7 and 8.1 PCs, urging customers to upgrade to Windows 10.

The KB 2990214 patch for Windows 7 (and KB 3044374 for Windows 8.1) is billed as an "update that enables you to upgrade to a later version of Windows." It was very poorly documented when it was released, but we have since been assured by Windows product manager Joseph Conway that it contains "improvements in the overall Windows Update client, which is why it was released as Important." His explanation left several "important" questions in its wake which have not been answered as yet.

Which leaves the "Important" KB 2952664 patch, which was rolled out the Automatic Update chute early this month, a week before this month's Black Tuesday. Billed as a "compatibility update for upgrading Windows 7," there is no further information about the patch, other than a list of files that it installs.

Following Anderson's hunch, I installed KB 2952664 on a fresh Windows 7 SP1 x64 PC. I was disturbed to find that it adds a program to the Windows Task Scheduler called DoScheduledTelemetryRun. That entry didn't exist before I installed KB 2952664.

You can see it on your PC by bringing up Task Scheduler (type task scheduler in the find box), then on the left move down to Task Scheduler Library/ Microsoft/ Windows/ Application Experience. There you'll find the Microsoft Compatibility Appraiser task, set to run at 3:00 a.m. every day.

The Microsoft Compatibility Appraiser task runs %windir%\system32\rundll32.exe appraiser.dll,DoScheduledTelemetryRun with the description "Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program."
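
The same check can be scripted across several machines. The following is an added example, not code from the article or from Microsoft: a read-only PowerShell audit that reports which of the three KBs named above are listed as installed and what the Microsoft Compatibility Appraiser task is configured to run. It assumes Windows 7 with PowerShell 2.0 (hence schtasks.exe rather than newer cmdlets), and the task path is assembled from the Task Scheduler folders listed above.

```powershell
# Added example: read-only audit for the updates and scheduled task the article names.
# Assumption: Windows 7 with PowerShell 2.0, so schtasks.exe is used to read the task.
$kbs = 'KB2952664', 'KB2990214', 'KB3035583'
# Task path assembled from the Task Scheduler folders listed in the article.
$taskPath = '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'

foreach ($kb in $kbs) {
    # Get-HotFix writes a non-terminating error when the ID is absent; suppress it.
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) { '{0}: installed' -f $kb }
    else      { '{0}: not listed by Get-HotFix' -f $kb }
}

# Export the task definition as XML; schtasks exits non-zero when the task is absent.
$lines = & schtasks.exe /Query /TN $taskPath /XML 2>$null
if ($LASTEXITCODE -ne 0 -or -not $lines) {
    "Task not found: $taskPath"
}
else {
    $def = [xml]($lines -join "`n")

    # The Enabled element is optional; a task without it is enabled by default.
    $enabled = $def.Task.Settings.Enabled
    if (-not $enabled) { $enabled = 'not set (enabled by default)' }
    "Task enabled: $enabled"

    # Each Exec action is a command line the task launches.
    foreach ($e in @($def.Task.Actions.Exec)) {
        if (-not $e) { continue }
        $cmd  = ('{0} {1}' -f $e.Command, $e.Arguments).Trim()
        $note = if ($cmd -match 'DoScheduledTelemetryRun') { '  <-- telemetry entry point' } else { '' }
        "Action: $cmd$note"
    }

    # Triggers show when the task fires (the article observed 3:00 a.m. daily).
    if ($def.Task.Triggers) {
        foreach ($t in $def.Task.Triggers.ChildNodes) {
            'Trigger: {0} start={1} enabled={2}' -f $t.LocalName, $t.StartBoundary, $t.Enabled
        }
    }
    else {
        'Trigger: none defined'
    }
}
```

Running it before and after installing an update shows whether that update added or changed the task, which is the comparison described in this article.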

I found that the program runs whether or not you've opted into the Microsoft Customer Experience Improvement Program (CEIP). And even if you opt out, the program still runs.

Can somebody tell me why Microsoft is performing a telemetry run on PCs that have opted out of the CEIP? This results from an "important" update in the Automatic Update chute, for heaven's sake.

There's an additional question, about the Scheduled task AitAgent, which seems to be related. AitAgent was already installed and working on my PCs before KB 2952664 was installed, so I couldn't run it down. If you can, please enlighten all of us in the comments.

The original thread on the Answers forum was primarily -- and rightfully -- concerned about the CPU overhead of running the Microsoft Compatibility Appraiser. But I can't help but wonder if there's some unauthorized snooping going on as well.