Stop Windows From Spying on You β Every Tool + Manual Method That Exists 
Windows ships with a keylogger. On purpose. It records your keystrokes, tracks every app you open, logs your location, and phones home to Microsoft β all turned on by default. Most people have no idea. Hereβs every tool that exists to shut it down, ranked from βgrandma could do thisβ to βI audit my own firewall rules.β
What Windows Is Doing Behind Your Back β Right Now
Not conspiracy. Itβs in Microsoftβs own documentation. Your PC is reporting on you.
| What It Tracks | How | Service |
|---|---|---|
| Keystrokes & typing patterns | Input personalization + inking diagnostics | TabletInputService |
| App usage & launch history | Activity History synced to Microsoft cloud | DiagTrack |
| Location data | Background tracking even when βoffβ | lfsvc |
| Voice data | Cortana + online speech recognition | wisvc |
| Diagnostic data | System telemetry sent to Microsoft servers | Connected User Experiences and Telemetry |
| Wi-Fi credentials | Wi-Fi Sense shared with contacts | Network settings |
| Browsing data | Edge telemetry, Bing search history | Edge sync services |
| AI features (24H2+) | Copilot, Recall (screenshot history), Click to Do | Multiple new services |
The core pipeline is DiagTrack β Connected User Experiences and Telemetry. Everything flows through it. Kill that, and you cut the main artery. But Windows 11 24H2 added new AI-powered tracking (Recall screenshots your screen every few seconds, Copilot phones home constantly) β so you need tools that handle the new stuff too.
Tier 0 β Zero-Skill Fix (Pick ONE, Run It, Done)
You donβt need to understand anything below. Just pick one of these two, run it, reboot. Privacy fixed.
π‘οΈ O&O ShutUp10++ β Toggle Everything Off in a GUI
| Detail | Info |
|---|---|
| Tool | O&O ShutUp10++ |
| Cost | Free forever |
| Install? | No β portable .exe, runs instantly |
| What it does | Every privacy setting on one page. Toggle on/off. |
| Reversible? | Yes β built-in undo + auto restore point |
| Updated | Feb 2026, supports Win 11 24H2 |
Steps:
- Download from oo-software.com/en/shutup10
- Right-click β Run as Administrator
- Actions β Apply all recommended settings
- Reboot. Thatβs it.
Disables telemetry, keylogging, location tracking, Cortana, ad targeting, diagnostic uploads, and activity history β one screen.
π§ Chris Titus WinUtil β One Command, Full Control
irm christitus.com/win | iex
Run in PowerShell as Admin. Opens a full GUI.
| Tab | What You Can Do |
|---|---|
| Tweaks | Kill telemetry, location, Wi-Fi Sense, activity history, diagnostics β one click |
| Install | Batch-install apps via winget |
| Config | DNS, Ultimate Performance mode, legacy control panels |
| Updates | Security-only updates, defer feature updates, or kill updates entirely |
| MicroWin | Create a minimal Windows ISO with bloat pre-removed |
Open source: github.com/ChrisTitusTech/winutil β #2 most popular PowerShell utility on GitHub. Auto restore point. Full undo button.
Tier 1 β Hidden Gems Most People Donβt Know Exist
These arenβt on page 1 of Google. They handle the newest threats β Copilot, Recall, Click to Do β that the popular tools havenβt caught up with yet.
π§ AI & Copilot Killers β Remove What Microsoft Won't Let You Uninstall
| Tool | What It Does | 24H2 | Copilot | Recall | Stars | Link |
|---|---|---|---|---|---|---|
| RemoveWindowsAI | Force-removes Copilot, Recall, Click to Do, AI in Paint/Notepad/Edge. Blocks CBS reinstallation. GUI + CLI + full revert. |  |
|
|
895 | GitHub |
| win-ai-tools | Python/PyQt6 GUI. Dark theme. Detects 11 AI services. Portable EXE. Backup/restore. Multi-language. | |
|
|
12 | GitHub |
| TurnOffWindowsCopilot | Single .reg file. One double-click. Copilot gone. | β | |
β | Low | GitHub |
If youβre on Windows 11 24H2 and Recall/Copilot creep you out β RemoveWindowsAI is the nuclear option. It prevents Windows from silently reinstalling them after updates.
π Enterprise-Grade Privacy (Overkill for Most β Perfect for Paranoids)
| Tool | What It Does | Link |
|---|---|---|
| noid-privacy | 630+ settings. 32 Copilot policies. 19 ASR rules. DNS-over-HTTPS. MS Security Baseline 25H2 (425 settings). Zero external binaries. | GitHub |
| Security-ADMX | Enterprise ADMX templates. Explicit Copilot disable policy. Sudo config for 24H2. BlackLotus mitigation. VBS Mandatory mode. | GitHub |
| barely-windows | Web-based config generator (live tool). Follows DoD/NSA hardening. Outputs a config file β no scripts on your machine. | GitHub |
| Harden-Windows-Security | Microsoft Security Compliance Toolkit implementation. LGPO automation. GPO backups. Policy Analyzer. | GitHub |
These are for the βI want my PC locked down to government standardsβ crowd. noid-privacy alone covers more settings than most corporate IT departments configure.
π οΈ Fresh 2025-2026 Tools (Recently Built, Actively Updated)
| Tool | What It Does | Link |
|---|---|---|
| Winslop | New 2026. C# WinForms. Plugin system. ~170KB portable. Explicit Click to Do registry support. From the CrapFixer author. | GitHub |
| devside/windows-telemetry | WPF GUI. Per-item undo. Snapshot/restore. Covers Windows + Office + Edge + VS telemetry. One-liner: irm "https://devside.nl/win" | iex |
GitHub |
| WindowsTelemetryBlocker | Modular (4 modules: telemetry/services/apps/misc). Dry-run preview before changes. Rollback scripts. Markdown reports. | GitHub |
Tier 2 β The Full Arsenal (Ranked by Use Case)
π Scripts You Can Audit Line-by-Line
| Tool | What It Does | Link |
|---|---|---|
| Win11Debloat | Lightweight PS script β removes bloat, kills telemetry, Copilot, Recall, restores classic context menu | GitHub |
| privacy.sexy | Web/Electron script generator. YAML-driven. 53+ Edge scripts. Added Recall/Copilot/eye-tracking disable. 13k+ stars. | GitHub β Live Tool |
| Sophia-Script | Most comprehensive PS module. 150+ tweaks. SophiApp GUI. LTSC 2024. Winget/scoop install. 8.8k stars. | GitHub |
| Win11-Debloat-And-Privacy | Apply/Verify modes. Restore point. Content Delivery Manager bloatware prevention. Tested on 25H2. | GitHub |
| HushWin | Single .bat β disables every telemetry service. No GUI. No dependencies. Run and forget. | GitHub |
| NX1X Privacy Toolkit | Lightweight PS. Audit scripts. One-liner install. Office + PowerShell telemetry covered. | GitHub |
| Telemetry-Blocker | Single compact self-elevating script. DiagTrack, dmwappushservice, CompatTelRunner, firewall rules. Minimal footprint. | GitHub |
| disable-telemetry-windows | One-liner. Specifically sets EnableRecallOnDevice=0. Disables Recall via Optional Features. |
GitHub |
π₯ Firewall-Level Blocking (Network Layer β Windows Can't Bypass)
| Tool | What It Does | Link |
|---|---|---|
| Portmaster | Go/Rust app firewall. WFP kernel driver. Per-app policies. Built-in tracker lists. DoT/DoH. SPN multi-hop. 11.1k stars. | GitHub |
| simplewall | C Win32 WFP firewall. ~2MB. Whitelist-first. 619+ built-in telemetry rules. WSL/IPv6/UWP. 7.7k stars. | GitHub |
| WindowsSpyBlocker | Blocks telemetry IPs via firewall + hosts file. Maintains lists of known Microsoft tracking endpoints. | GitHub |
| TinyWall | C#, ~20KB memory. Enhances Windows Firewall. Whitelist approach. No popups. UWP support. | tinywall.pados.hu |
| MinimalFirewall | .NET 8 portable. Uses native Windows Firewall (no WFP). Prompts on new connections. Audits rule changes. | GitHub |
| block_ms_telemetry | Custom firewall outbound rules prefixed telemetry_. Bilingual EN/ES. No reboot. Easy reversal. |
GitHub |
Hosts file alone isnβt enough β Microsoft hardcodes some telemetry IPs that bypass DNS. Firewall-level tools catch what hosts files miss.
π DNS & Network Blocklists (Block at the Router Level)
| Tool | What It Does | Link |
|---|---|---|
| Microsoft-Blocker | Codeberg DNS blocklist. βProperβ vs βNo Microsoftβ modes. AdGuard Home/Pi-hole/hosts compatible. | Codeberg |
| pihole-bl-msft-telemetry-bsi | Pi-Hole blocklist sourced from BSI (German Federal Security Agency) documentation. ~100 curated lists. Cron auto-updates. | GitHub |
| BadBlock | Modular ABP-syntax blocklists for Microsoft/Adobe/Amazon. uBlock/AdGuard/Pi-hole compatible. | Codeberg |
| tblock | Python system-wide hosts blocker. Built-in filter converter. Cross-platform. GUI available. | Codeberg |
These protect every device on your network β not just one PC.
π’ GUI Tools β Click Buttons, Get Privacy
| Tool | What It Does | Link |
|---|---|---|
| WPD.app | ~335KB portable GUI. Group Policy + firewall + hosts + Store app uninstaller. CLI automation support. | wpd.app |
| Privatezilla | Privacy check + fix. GUI. Uses WindowsSpyBlockerβs rules + firewall blocking. | GitHub |
| Optimizer | C# GUI. 24 languages. Windows/Office/Cortana/Copilot telemetry. Hosts editor. DNS changer. 17.7k stars. | GitHub |
𧱠Hardening & Compliance (Corporate/Government Grade)
| Tool | What It Does | Link |
|---|---|---|
| Windows-Optimize-Harden-Debloat | DoD STIG/SRG compliance. Follows NSA + PrivacyTools.io recommendations. | GitHub |
| private-secure-windows | Two levels (Basic/HighSecurity). LGPO deployment. VBS. BitLocker enforcement. | GitHub |
| windows-hardening-scripts | 920+ lines of hardening commands. MS Office macro hardening. Audit policies. Restore point. | GitHub |
| HardeningKitty | Audits against CIS/MS baselines. HailMary mode for non-GPE systems. Detailed reports. | GitHub |
| fix-windows-privacy | By security firm modzero. XML-based extensible rules. One-click restore. | modzero |
| ET-All-in-One-Optimizer | GitLab-exclusive. 470 commits. Batch/PS for Win10/11 debloat/privacy. GPL v2. | GitLab |
| Windows-Telemetry (BSI) | Based on BSI (German Federal Security Agency) recommendations. Government-sourced telemetry endpoints. | GitHub |
| Windows-Telemetry-Disabler | Runs as TrustedInstaller. ARM64/x64/x86. Disables Reserved Storage, DiagTrack logs, CompatTelRunner. | GitHub |
| VS Telemetry Disable Tool | Targets Visual Studio 2015-2022, VS Code, .NET CLI, NuGet telemetry. Smart detection β only modifies existing paths. | GitHub |
Donβt Know What to Pick? Start Here.
| Your Situation | Use This | Why |
|---|---|---|
| βI just want it off. No terminal.β | O&O ShutUp10++ | Toggle switches. Undo button. Zero learning curve. |
| βI want one command and full control.β | Chris Titus WinUtil | One PowerShell line. GUI opens. Everything in tabs. |
| βKill Copilot and Recall specifically.β | RemoveWindowsAI | Nuclear option β force-removes AI features + blocks reinstall. |
| βI want a script I can read first.β | privacy.sexy | Pick what you want disabled. Generates the script. You audit it. |
| βBlock telemetry at the network level.β | Portmaster | Per-app firewall. Kernel driver. 11k stars. |
| βI run a company / want government hardening.β | noid-privacy | 630+ settings. Enterprise baselines. Zero external binaries. |
| βI want everything β maximum paranoia.β | Stack: ShutUp10++ β Portmaster β privacy.sexy β RemoveWindowsAI | Layer them. Registry + firewall + network + AI removal. |
Quick Reference β What Handles What
| Handles ALL vectors (firewall + hosts + services + tasks + registry) |
|---|
| noid-privacy, privacy.sexy, WPD.app, Portmaster |
| Specifically kills 24H2 + Recall + Copilot + Click to Do |
|---|
| RemoveWindowsAI , noid-privacy , Winslop , privacy.sexy |
| Single portable EXE β no install, no trace |
|---|
| WPD.app, simplewall, Winslop, MinimalFirewall, Optimizer |
π The Manual Way β Hosts File (Original Method)
Still works for basics. Open Notepad as Admin β C:\Windows\System32\drivers\etc\hosts β add Microsoft telemetry domains with 0.0.0.0.
But hereβs the honest truth: the hosts file alone only blocks DNS-level calls. Microsoft hardcodes some telemetry IPs that bypass DNS entirely. Every tool above does hosts file blocking AND registry tweaks + service disabling + scheduled task removal + firewall rules. The hosts-only approach is like locking your front door but leaving every window open.
Use it as one layer in a stack β not as your only defense.
After major Windows updates (feature updates, not security patches), some settings get silently re-enabled by Microsoft. Re-run your tool after every big update. O&O ShutUp10++ shows what changed. Chris Titus WinUtil lets you re-apply your config. RemoveWindowsAI blocks CBS reinstallation β the only tool that prevents the βit came back after updateβ problem.
!