Package & Telemetry Removal Guide v1.0

http://forums.mydigitallife.info/threads/70798-Package-amp-Telemetry-Removal-Guide-v1-0?p=1264782&viewfull=1#post1264782

Package & Telemetry Removal Guide v1.0

Hi All!

In this guide I’m going to try to help you & give the best tools for removal of unwanted Windows 10
Components, (Up-to-date with Anniversary edition 1607).

First, let me explain my philosophy, I don’t like to remove components from the system unless
It’s really necessary. Most things can be achieved by disabling instead.
Then you always have the option to roll-back if something unforeseen happens.
Also, making a “real” backup is also crucial, especially if you remove system apps.
With a real backup I mean making a diskimage. Acronis is a good program for this.
Before running any of the tools below, make sure you disable Windows Uppdate & System Restore.
(These can be re-enabled after at least 1 re-boot, when you are done with the tools).

Which app or package to remove is out of the scope of this article, there are plenty of lists around,
And opinions vary.what I want to do is give you the best way of doing it without screwing your system.
What app types are there?
Well, not to go to deep there are basically 2.
1.	Provisioned apps, these are the ones that get installed by default in any new user profile.
2.	System apps, these are globally installed for everyone.

To uninstall we use Powershell.
In order to uninstall a provisioned app for all users, you must uninstall the provisioned app package. Example:
Get-AppXProvisionedPackage -Online | where DisplayName -EQ Microsoft.WindowsCalculator | Remove-AppxProvisionedPackage –Online
To uninstall it from your local profile you use:
Get-AppxPackage -Name Microsoft.WindowsCalculator -AllUsers | Remove-AppxPackage

Now, removing system apps is another ballgame.
These can only be removed with Dism.exe and some trickery.
System apps & their reg keys can only be removed by the system account “Trustedinstaller”, as it's the owner, Administrators are locked out.
There are 2 approaches to achieve that:
1.	Impersonate Trustedinstaller with a special exe file that uses it’s token.
2.	Take ownership of the package registry keys

There is a tool called install_wim_tweak.exe for removing system apps, but I don’t like that one.
The reason is because it removes all Owner subkeys of apps under the branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\
even if you just use it to make a list of packages!
(There are almost 3000 of them)
That can potentially cause dependency issues, therefore I don’t recommend it.
Better is to use CBSEnum_x64.exe with it’s gui, or Powershell scripts that specifically target the package we are interested in, instead of “lawn mowing” like Wim Tweak does. Also, both these techniques uses Windows own Dism.exe in the removal process.

Ok, let’s get started:
First tool is CBSEnum_x64.exe which can be downloaded from here:

https://bitbucket.org/himselfv/cbsenum

This uses the “Trustedinstaller trick” so go and get the RunAsTI64.exe here:

https://github.com/jschicht/RunAsTI

https://bitbucket.org/himselfv/cbsenum/raw/tip/Docs/cbsenum-0.8-screen.png

To impersonate Trustedinstaller copy the RunAsTI64.exe & CBSEnum_x64.exe to the root of C:
(Add exclusion to RunAsTI64.exe in antivirus, as some don't like it)
Doubleclick RunAsTI64.exe, at command prompt type cd\ and enter, then type CBSEnum_x64 and enter again.(It opens)
First thing to do is create a list that you can search. Under File “Save package list” to some location.
Search for the full or partial package name.
Once found, go to CBSenum and choose viewing by “Flat list”.
Scroll down until you find the package and choose Visibility=>Make >Visible, Then Manage=>Decouple.
Now open Powershell as Admin (Not Windows PowerShell (x86).
Go back to CBSenum and rightclick package and choose Copy=>Uninstallation commands
Paste in Powershell, done!
Do not try to use the uninstall option in CBSEnum, it wont work.
Do NOT use any of the options under the EDIT meny.
If you want to remove several packages without restarting, add the /NoRestart switch to the end of the Uninstallation commands.

========================================================================

Now for the Powershell script solution,(That uses the Take ownership route).
Credit to W4RH4WK where you can also find more scripts here:

https://github.com/W4RH4WK/Debloat-Windows-10

This is also very good, as it only goes after the target package and leave everything else intact.
Especially when removing several packages, and it also accept wildcards, ok here we go:

1.	Create a folder named Debloat in the root of C: (C:\Debloat)
2.	Inside this folder create 2 more folders named lib and scripts
3.	Inside the lib folder drop the take-own.psm1 file (All files below in spoiler tags)
4.	Inside the scripts folder drop the systemappremove.ps1 & provisionappremove.ps1 files
5.	Open Powershell as Admin and type Set-ExecutionPolicy Unrestricted say “Yes to all”.
6.	Then type cd\ and enter , then type cd Debloat and enter, now inside the Debloat folder
Type ls -Recurse *.ps1 | Unblock-File and enter & ls -Recurse *.psm1 | Unblock-File and enter.
Now you can run the scripts!, to remove systemapps type scripts\systemappremove and enter, and so on.
Inside the scripts you see that there are many apps mentioned with a hashtag in front (#)
That hashtag tells Powershell not to run the line, so if you don’t want it removed, keep the hashtag in front of the app name.
In script below "ContentDeliveryManager" & "AllowTelemetry" Packages will be removed.

To get a list of all Provisioned apps, type in the following in Powershell:
Get-AppXPackage -AllUsers | Select Name > C:\packages.txt

Here are the files:

take-own.psm1 (Inside lib folder)

=======================================================================================================================================
function Takeown-Registry($key) {
# TODO does not work for all root keys yet
switch ($key.split('\')[0]) {
"HKEY_CLASSES_ROOT" {
$reg = [Microsoft.Win32.Registry]::ClassesRoot
$key = $key.substring(18)
}
"HKEY_CURRENT_USER" {
$reg = [Microsoft.Win32.Registry]::CurrentUser
$key = $key.substring(18)
}
"HKEY_LOCAL_MACHINE" {
$reg = [Microsoft.Win32.Registry]::LocalMachine
$key = $key.substring(19)
}
}

# get administraor group
$admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$admins = $admins.Translate([System.Security.Principal.NTAccount])

# set owner
$key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership")
$acl = $key.GetAccessControl()
$acl.SetOwner($admins)
$key.SetAccessControl($acl)

# set FullControl
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
}

function Takeown-File($path) {
takeown.exe /A /F $path
$acl = Get-Acl $path

# get administraor group
$admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$admins = $admins.Translate([System.Security.Principal.NTAccount])

# add NT Authority\SYSTEM
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, "FullControl", "None", "None", "Allow")
$acl.AddAccessRule($rule)

Set-Acl -Path $path -AclObject $acl
}

function Takeown-Folder($path) {
Takeown-File $path
foreach ($item in Get-ChildItem $path) {
if (Test-Path $item -PathType Container) {
Takeown-Folder $item.FullName
} else {
Takeown-File $item.FullName
}
}
}

function Elevate-Privileges {
param($Privilege)
$Definition = @"
using System;
using System.Runtime.InteropServices;

public class AdjPriv {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);

[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}

internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

public static bool EnablePrivilege(long processHandle, string privilege) {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
"@
$ProcessHandle = (Get-Process -id $pid).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege)
}
=======================================================================================================================================

systemappremove.ps1 (Inside scripts folder)

=======================================================================================================================================
Import-Module -DisableNameChecking $PSScriptRoot\..\lib\take-own.psm1

echo "Elevating priviledges for this process"
do {} until (Elevate-Privileges SeTakeOwnershipPrivilege)

echo "Force removing system apps"
$needles = @(
#"Anytime"
#"BioEnrollment"
#"Browser"
#"ContactSupport"
#"Cortana" # This will disable startmenu search.
#"Defender"
"ContentDeliveryManager"
"AllowTelemetry"
#"Gaming"
#"InternetExplorer"
#"Maps"
#"OneDrive"
#"Wallet"
#"Xbox"
)

foreach ($needle in $needles) {
echo "Trying to remove all packages containing $needle"

$pkgs = (ls "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" |
where Name -Like "*$needle*")

foreach ($pkg in $pkgs) {
$pkgname = $pkg.Name.split('\')[-1]

Takeown-Registry($pkg.Name)
Takeown-Registry($pkg.Name + "\Owners")

Set-ItemProperty -Path ("HKLM:" + $pkg.Name.Substring(18)) -Name Visibility -Value 1
New-ItemProperty -Path ("HKLM:" + $pkg.Name.Substring(18)) -Name DefVis -PropertyType DWord -Value 2
Remove-Item -Path ("HKLM:" + $pkg.Name.Substring(18) + "\Owners")

dism.exe /Online /Remove-Package /PackageName:$pkgname /NoRestart
}
}
=======================================================================================================================================

provisionappremove.ps1 (Inside scripts folder)

=======================================================================================================================================
# Description:
# This script removes unwanted Apps that come with Windows. If you do not want
# to remove certain Apps comment out the corresponding lines below.

Import-Module -DisableNameChecking $PSScriptRoot\..\lib\take-own.psm1

echo "Elevating priviledges for this process"
do {} until (Elevate-Privileges SeTakeOwnershipPrivilege)

echo "Uninstalling default apps"
$apps = @(
# default Windows 10 apps
"Microsoft.3DBuilder"
"Microsoft.Appconnector"
"Microsoft.BingFinance"
"Microsoft.BingNews"
"Microsoft.BingSports"
"Microsoft.BingWeather"
#"Microsoft.FreshPaint"
"Microsoft.Getstarted"
"Microsoft.MicrosoftOfficeHub"
#"Microsoft.MicrosoftSolitaireCollection"
#"Microsoft.MicrosoftStickyNotes"
"Microsoft.Office.OneNote"
#"Microsoft.OneConnect"
"Microsoft.People"
"Microsoft.SkypeApp"
#"Microsoft.Windows.Photos"
#"Microsoft.WindowsAlarms"
#"Microsoft.WindowsCalculator"
"Microsoft.WindowsCamera"
"Microsoft.WindowsMaps"
"Microsoft.WindowsPhone"
#"Microsoft.WindowsSoundRecorder"
#"Microsoft.WindowsStore"
"Microsoft.XboxApp"
"Microsoft.ZuneMusic"
"Microsoft.ZuneVideo"
"microsoft.windowscommunicationsapps"
"Microsoft.MinecraftUWP"

# Threshold 2 apps
"Microsoft.CommsPhone"
"Microsoft.ConnectivityStore"
"Microsoft.Messaging"
"Microsoft.Office.Sway"

# non-Microsoft
"9E2F88E3.Twitter"
"Flipboard.Flipboard"
"ShazamEntertainmentLtd.Shazam"
"king.com.CandyCrushSaga"
"king.com.CandyCrushSodaSaga"
"king.com.*"
"ClearChannelRadioDigital.iHeartRadio"
"TheNewYorkTimes.NYTCrossword"

# apps which cannot be removed using Remove-AppxPackage
#"Microsoft.BioEnrollment"
#"Microsoft.MicrosoftEdge"
#"Microsoft.Windows.Cortana"
#"Microsoft.WindowsFeedback"
#"Microsoft.XboxGameCallableUI"
#"Microsoft.XboxIdentityProvider"
#"Windows.ContactSupport"
)

foreach ($app in $apps) {
echo "Trying to remove $app"

Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage

Get-AppXProvisionedPackage -Online |
where DisplayName -EQ $app |
Remove-AppxProvisionedPackage -Online
}
=======================================================================================================================================

That's it folks !