Creepy NVIDIA Telemetry, almost ghostly.

Discussion in 'Videocards - NVIDIA GeForce Drivers Section' started by Xtreme512, May 15, 2020.

  1. Xtreme512

    Xtreme512 Master Guru

    GPU:
    GTX1060 6GB
    I also posted this on Reddit.

    I've been using NextDNS and saw blocked Nvidia domains (activation|subscription)*.gfe.nvidia.com. I also use GlassWire and Binisoft WFC; there's no Nvidia exe file making any connection at all, plus all of them are blocked in WFC, so there shouldn't be any.

    Then how come (some)thing queries those domains out of nowhere?

    Note that I'm using a clean Nvidia driver install (extracting the setup file and deleting folders I don't need, configuring setup.cfg, bare minimum). No scheduler for telemetry, no GFE installed, only the display container, which is blocked already, and like I said it's a bare minimal installation. Yet I know that Nvidia integrated some telemetry tools into their core (NVTelemetry64.dll and DisplayDriverRAS.dll); if deleted, certain things will break, so I cannot tamper with them.

    You also have in C:\ProgramData\NVIDIA Corporation\DisplayDriverRAS\NvTelemetry a "telemetry_switch.ini" for GDPR consent and an "NvTelemetry.log" file, which shows exactly what domain it tried to connect to. I set my GDPR consent to 0 and it automatically reverts, as seen in the log file (invasive). (Right now I've set the file to read-only and will see how that goes.)

    My question is, how on earth is it still capable of trying to resolve the domain when there's no exe from Nvidia seen in GlassWire? Is it trying to do it via a bare .dll file? Even if it at least has to get help from svchost.exe (DnsClient), I should be able to see it in GlassWire like all the others.
     
  2. Vidik

    Vidik Master Guru

    GPU:
    MSI 1070 Gaming Z
    Pretty sure it only pings Nvidia about successful installation. Dunno about everything else.
     
  3. BetA

    BetA Ancient Guru

    GPU:
    G1-GTX980@1400Mhz
    Using a clean driver myself, a reg tweak and my own blocklist for HOSTS and DNSCrypt-Proxy (and router). I should also mention that I DISABLED the "DnsClient Service" since I'm using my DNSCrypt-Proxy as a service...

    FilterList:
    Some more informative stuff here:
    https://www.gameindustry.eu/hosts/hosts.php #informative site about telemetry in games etc.
    https://github.com/CHEF-KOCH/nVidia-modded-Inf/blob/master/Telemetry/HOSTS/HOSTS


    Don't block everything, just block what you don't need... Blocking ALL will also result in blocking Nvidia.com :p

    Since, looking at my logs, the only thing Nvidia does on my system is (had to restart my PC to make Nvidia do "IT") :p

    DNS request is made to DNSCrypt-Proxy on 127.0.0.1
    ->
    DNSCrypt-Proxy resolves the DNS
    ->
    Firewall blocks Nvidia
    ->
    That's all that's happening on my system.

    Looks pretty normal and not much going on; there is NO other outgoing connection from Nvidia. The "activation.gfe.nvidia.com" is the only thing and it only tries it at startup. Now I've also blocked it in my filter lists.

    EDIT:

    The REG tweak I'm using is:

    [HKEY_USERS\XXXXXXXX\Software\NVIDIA Corporation\NVControlPanel2\Client]
    "OptInOrOutPreference"=dword:00000000

    Also I have a question: in your "telemetry_switch.ini", is there something listed under User?
    Here's mine: {"GDPRUser":{},

    Edit.. I played around a bit with a debugger :p
    Strings/addresses hardcoded into "NvTelemetry64.dll", which is located at --> C:\Program Files\NVIDIA Corporation\Installer2\Display.Driver.{8167F5B8-4626-4C70-AA0C-84AE8AF24218}\NvTelemetry64.dll

    https://activation.gfe.nvidia.com
    https://events.gfestage.nvidia.com #wasn't in the list I think...
    https://events.gfe.nvidia.com
    https://telemetry.gfestage.nvidia.com #wasn't in the list I think...
    https://telemetry.gfe.nvidia.com

    Imma keep looking :p
     
    Last edited: May 17, 2020
  4. Xtreme512

    Xtreme512 Master Guru

    GPU:
    GTX1060 6GB
    No, not about installation, as it's ongoing. For installation, I can see the setup exe in GlassWire connecting; that's not the problem.
     

  5. Xtreme512

    Xtreme512 Master Guru

    GPU:
    GTX1060 6GB
    Don't know about that registry key, but in the .ini file I set consent to 0 and still... GDPRUser is empty for me as well, but it's the deviceid it takes into account; see your telemetry log file.

    DNS queries are all blocked, but still "nvdisplay.container.exe" doesn't make any connections on my PC; that's what's bugging me.
     
  6. Vidik

    Vidik Master Guru

    GPU:
    MSI 1070 Gaming Z
    I meant that for me the contents of that log file end with "Stopping logging." and a timestamp dating back to the day a driver was installed, and that file hasn't been modified since.
     
  7. Xtreme512

    Xtreme512 Master Guru

    GPU:
    GTX1060 6GB
    I think I found it. A few days ago I migrated to Simple DNSCrypt from the NextDNS Windows application for various reasons (I have posts about it), configured it to use NextDNS DoH with the DNS stamp calculator, and everything went fine.

    The pattern of traffic I saw was identical to Nvidia telemetry. As the dnscrypt DoH client doesn't have its own interface and works as a localhost proxy, it turns out GlassWire won't show internal 127.0.0.1 traffic in its graph. I caught it from WFC: Nvidia was (still don't know which exe) using svchost DnsClient as a proxy for DNS lookups and remained a ghost, rather than directly connecting to the advertised DNS server.

    I can say it's solved for now.

    BTW, Nvidia is not honoring the GDPR user consent parameter at all! Even though it's read-only now, it still tries to connect; when not read-only it reverts back to '1', which means "true, user has consent".
     
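To tie together Xtreme512's log and consent observations (posts 1 and 7) and BetA's hardcoded-hostname list and HOSTS blocklist (post 3), here is an added Python audit helper; it is not code from any poster or from NVIDIA. It reports which of the hostnames BetA found in NvTelemetry64.dll a HOSTS-style blocklist still leaves resolvable, and pulls the hostnames out of NvTelemetry.log lines; the blocklist and the log excerpt below are constructed samples, and the log line layout is an assumption, since the thread only says the log names the domains tried and ends with "Stopping logging."

```python
import re

# Hostnames BetA reported as hardcoded in NvTelemetry64.dll (listed in the thread).
TELEMETRY_HOSTS = [
    "activation.gfe.nvidia.com",
    "events.gfestage.nvidia.com",
    "events.gfe.nvidia.com",
    "telemetry.gfestage.nvidia.com",
    "telemetry.gfe.nvidia.com",
]
# Constructed HOSTS-style blocklist sample (not the CHEF-KOCH file); two hosts are missing.
SAMPLE_HOSTS = """\
0.0.0.0 activation.gfe.nvidia.com
0.0.0.0 telemetry.gfe.nvidia.com   # GFE telemetry
0.0.0.0 events.gfe.nvidia.com
"""
# Constructed NvTelemetry.log excerpt: the thread only says the log names the domains
# tried and ends with "Stopping logging.", so the line layout here is assumed.
SAMPLE_LOG = """\
[2020-05-15 10:02:11] connecting to https://telemetry.gfe.nvidia.com/...
[2020-05-15 10:02:12] connect failed: https://activation.gfe.nvidia.com
[2020-05-15 10:02:13] Stopping logging.
"""
# Any host under gfe.nvidia.com or gfestage.nvidia.com, wherever it sits in a line.
HOST_RE = re.compile(r"[\w.-]+\.gfe(?:stage)?\.nvidia\.com", re.I)


def parse_hosts(text):
    """Hostnames a HOSTS file sinkholes (mapped to 0.0.0.0 or 127.0.0.1), lower-cased."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()              # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in parts[1:])  # a line may list several hosts
    return blocked


def log_hostnames(text):
    """Hostnames the telemetry log shows it tried, in first-seen order, without duplicates."""
    seen = []
    for host in (m.lower() for m in HOST_RE.findall(text)):
        if host not in seen:
            seen.append(host)
    return seen


def coverage(blocked):
    """Map each known telemetry host to True (sinkholed) or False (still resolvable)."""
    return {h: h in blocked for h in TELEMETRY_HOSTS}
```

Feed parse_hosts the real HOSTS file and log_hostnames the real NvTelemetry.log to compare what the driver tried against what the blocklist actually covers.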
  8. WhiteLightning

    WhiteLightning Don Illuminati Staff Member

    GPU:
    GTX1070 iChillx4
    Thx for the list @BetA
     
  9. BetA

    BetA Ancient Guru

    GPU:
    G1-GTX980@1400Mhz
    Ahhh, I get it now, so GlassWire does not see what's going on @ localhost? Did I understand this right?
    If so, *puts GlassWire on the list of firewalls I'm not using..

    GlassWire does use WFP, doesn't it? It does not have its OWN firewall, it uses the Windows Firewall (WFP - Windows Filtering Platform). Thanks for the heads up... so I don't have to test this one....

    @WhiteLightning

    I cleaned up the FilterList a bit and added some more info.. just so it's better to read..

    Greetz
     
  10. Xtreme512

    Xtreme512 Master Guru

    GPU:
    GTX1060 6GB
    Yes, maybe they just wanted to ignore it because lots of things go on on 127.0.0.1 (local); even GlassWire itself does lots of things on localhost. I discovered it with Binisoft WFC (owned by Malwarebytes now). Don't get me wrong though, GlassWire is beautiful but lacks the most important things, like PID reporting (handy for svchost), port reporting (gives the port type name but not the number) and ignoring localhost. There are feature requests from years ago about PID, but it's still not available.
     

  11. WhiteLightning

    WhiteLightning Don Illuminati Staff Member

    GPU:
    GTX1070 iChillx4
    Nice! It is really hard to read if you use the dark theme now though, since you made the letters black and the background is dark grey.
     
  12. mbk1969

    mbk1969 Ancient Guru

    GPU:
    GF RTX 2070 Super
    If the device driver goes to the internet, the firewall will not show an exe file, I guess.
     
