[zerohp]

I had an interview last year with the Windows and Devices Group. On the day of the interview, I was told it would be with people that work on telemetry.

One interviewer told me that keystrokes were being measured by conhost.exe. Not just for internal testing. He clarified that it was done on customer machines. It wasn't clear if they collected individual key presses because we were discussing something you could infer by knowing keystroke timing.

Windows 10 is the most prolific malware in the world.

[DHowett]

Speaking as the engineering lead owning conhost.exe: I can't find anything in our code that would trace user input, or data effectively derived from user input, to even a local event stream.

There are a couple instances where we trace API call timings, but only that of API calls initiated by an attached console application.

[cjones26]

When are we going to see unlimited command line buffers :)?

[zadjii]

Hey, I work on the commandline team too - We can't give out exact timelines for anything we work on, but I can tell you that it's pretty high up on the backlog. It's closer now than it's ever been, that's for sure.

[elken]

Open the code up then..

[earenndil]

I highly doubt he is the one who has the power to make that happen.

[crumbshot]

That is such an outrageous claim I had to check for myself.

From looking at conhost.exe in IDA Pro, there are some references to telemetry in a function HandleKeyEvent: https://i.imgur.com/MwaBLcW.jpg

But looking more closely it's just used to increase some counters when Ctrl+C or Ctrl+V are used: https://i.imgur.com/29e2qLD.png

There is another one for Ctrl+A elsewhere in the function as well.

Seems these are for when clipboard operations happen, there is other telemetry nearby for when key activity causes a paste: https://i.imgur.com/xONKrGJ.png

So Microsoft are indeed collecting keystroke telemetry in conhost.exe, but it's just some boring old counters to measure clipboard usage.

[russh]

But how can that be when "... the engineering lead owning conhost.exe: I can't find anything in our code that would trace user input, or data effectively derived from user input, to even a local event stream."

[DHowett]

I mean, I suppose that the key sequences around copy/paste are technically user input. Those events get processed into telemetry as to whether they were done in processed or raw input mode, and whether Quick Edit was engaged at the time.

Additional telemetry points include whether the "Find" dialog is being used (explicitly, whether "find next" has been clicked, and how long the search string is -- no other user-generated search content is included in event logs), when a process detaches from the console, and when the window is resized.

[jessaustin]

How about this one?

https://news.ycombinator.com/item?id=19323560

[DHowett]

Sorry. This is a subthread on the Console and conhost.exe, and I don’t consider myself qualified to talk about Calculator’s telemetry points.

[crumbshot]

I think this disassembly supports their assertion. The number of times a user copies and pastes isn't in itself input to the console, just a metric of some out of band events.

[reaperducer]

it's just some boring old counters to measure clipboard usage.

Today. After the next (forced?) upgrade...?