5 ways Windows secretly tracks your activities

The secret UserAssist database records details on every program you launch

Your PC is watching you - and carefully taking notes. Launch an application, open a file, tweak a setting, visit a website, just about everything you do gets recorded by Windows and your applications, and saved in a list somewhere for later use.

In some cases, of course, this is very obvious. You probably know that your web browser holds all kinds of details about recent internet sessions, for instance, and if you're unhappy about this then you can generally clear most of them in a click or two.

But other tracking technologies are far more obscure. For example, did you know that Windows maintains a detailed record of the programs you launch, how often you run each one, when a program was run last, and how it was used?

There is no way to view this list from the Windows interface, to turn off the tracking, or even to know it's going on - but with one small, portable program, any snooper with access to your system can learn a great deal about how you use your PC.

And it's not alone: there are plenty of other obscure ways in which Windows and your applications track your PC activities.

It is possible to fight back, though, and many of these technologies can be disabled, if you'd prefer it that way. Of course you have to know they exist, first, so let's take a closer look at some of the many hidden ways in which Windows tracks your every move.

1. UserAssist

Every time you run a program, Windows records details of that particular session under a Registry key called UserAssist.

This list can go back for a very long time: it doesn't just record the "last 10 apps"; you may have 1,000 or more listed. There's a "Last used" date here, and also the number of times a program has been run, so at a glance a snooper could see which applications you use most often.

You can't view this information easily, though, as Windows encrypts it. So it's wise to get a little help from a tool like UserAssist (grab the XP/Vista version or the Windows 7 version). No need to install the program, just run it and you'll see a table listing all the software you've been running recently: easy.
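What such a viewer does under the hood, as an added example that is not part of the original article or the UserAssist tool: the value names under the key are obfuscated with ROT13, and on Windows 7 and later each value holds a 72-byte record with the run count and the "last used" time. The sample name and record below are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if ft == 0:
        return None  # timestamp not set
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_value(encoded_name, data):
    """Decode one UserAssist value in the 72-byte Windows 7+ layout."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte record, got %d bytes" % len(data))
    # Offsets 4, 8, 12: run count, focus count, focus time in milliseconds.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    # Offset 60: FILETIME of the most recent launch.
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(encoded_name, "rot_13"),  # digits, \ and . are unchanged
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run),
    }

# Constructed sample: a value name and record as they would appear in the Registry.
_when = datetime(2012, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_NAME = r"P:\Gbbyf\rknzcyr.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 14, 20, 90000)  # session, runs, focus count, focus ms
    + bytes(44)                             # fields not decoded in this example
    + struct.pack("<QI", ((_when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10, 0)
)

if __name__ == "__main__":
    print(parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA))
```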

This can have some useful applications of its own. Are you wondering what your kids are running on their PC, for instance? Or how an employee is really using a company computer? UserAssist makes it easy to find out.

If you just want to protect your privacy on your own system, though, there are a couple of options.

The first is to delete the current UserAssist database. You can do this with the UserAssist program (click Commands > Clear All), or via a cleanup tool like CCleaner (click Cleaner, choose the Windows tab, select Advanced, and ensure "User Assist History" is checked).

Or to turn off this tracking altogether, click Commands > Logging Disabled within the UserAssist tool, reboot, and these details won't be recorded any more.

2. Prefetch files

Whenever you launch a program on your PC, Windows notes the associated files and areas of your drive that are accessed, and then in future it preloads these so your apps start more quickly. Which works for us.

Of course, there is a small privacy issue here as the names of all the programs you've launched recently are easily visible to anyone who can browse the \Windows\Prefetch folder.

What should you do, then? For most people we'd recommend you leave Prefetch alone: it's a good idea which improves your system performance.

If you value privacy above all else, though, you can simply delete the contents of the \Windows\Prefetch folder occasionally (you'll need to have permission to view protected operating system files, see Tools > Options > View in Windows 7).

Or, alternatively, you can apply a simple Registry tweak.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, and double-click the EnablePrefetcher value. Then set it to 2 if you want to enable only boot prefetching (applications won't be tracked), or 0 to disable prefetching altogether.


3. Jump Lists

Windows 7 introduced a new idea, Jump Lists, convenient shortcuts which appear when you right-click a taskbar button.

Just like Prefetch files, these are generally a good thing. If you want to reopen a recent document in Word, say, there's no need to go via the application menu: just right-click its taskbar button and choose your file from the list.

But of course this means that snoopers can now also find out more about what you've been doing with a few right-clicks.


And there are other complications. You might delete the record that you opened a particular document from within the original application, for instance, but this won't necessarily be removed from the Jump List. And even if it is, it may be possible to detect that deletion, and perhaps even recover the original entry.

For us, jump lists offer more than enough convenience to outweigh these privacy risks, and so we're happy to leave them working as they are.

But if you disagree then you might want to take action.

One option is just to manually delete particular (or all) Jump Lists. You'll find them at %APPDATA%\Microsoft\Windows\Recent\CustomDestinations and %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations (the folders are hidden, even if you've told Explorer to display system folders, so you'll need to paste these paths directly into Explorer or the Start menu search box).

Or you can prevent Windows recording details about recently-opened documents at all by right-clicking the Start button, selecting Properties > Start Menu, then clearing both the Privacy checkboxes.

4. Storage devices and networks

Windows is particularly good at tracking hardware use. And this can have its advantages.

If you run a business, say, and someone plugs in a USB flash drive to a company PC, then copies some confidential files across, they might think their crime has left no trace: but that would be a mistake. The reality is that Windows maintains details on every USB device which connects to your PC, and when the last connection was made.

To view this for yourself, install a copy of OSForensics, launch the program, and click Recent Activity > Scan. Select "Date" in the "Sort by" box, choose "USB" in the "Show Only" list and the program will show you every USB storage device which has ever been connected to your system.


And that's just the start. Windows also records every wireless network your system has connected to, which could be interesting for laptops: select "WLAN" in the "Show Only" list for a closer look.

In theory, at least, this data could be removed by deleting the relevant Registry keys (see HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt for a list of USB drives, for instance).

In practice, though, it's not so straightforward. Search the Registry for the name of a drive and you'll find it mentioned everywhere; this information is very widespread and it can't all be deleted safely. So if you do try to clean your system of particular references, be very careful - we wouldn't recommend you do anything until you've protected yourself with a system restore point and a full system backup, just to be safe.

5. Registry tricks

View your Registry via REGEDIT and it appears to be just a bunch of settings, but in reality Registry keys have a little more to them. And perhaps the most interesting additional property is a "last written" time, which shows you when a particular key (though not a value) was written.

To see how this works, just download a copy of Aezy Registry Commander, and start browsing. Look to the right of any Registry key (the yellow folders) and you'll see a "write time" which shows you when this was last changed.

This has all kinds of applications. If any of your programs write to the Registry when you use them, for instance, then those write times will reveal which applications you were using, when, and maybe even offer some clues as to how you were using them (depending on which area of the Registry had been changed).
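Where that write time lives, as an added example that is not from the original article or from Registry Commander: in a hive file every key is an "nk" cell whose header carries a FILETIME, while values have no such field. The sketch parses the cell body (the bytes after the 4-byte cell size) and sorts keys into a timeline; the key names and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # flag: key name stored as single bytes, not UTF-16LE

def parse_nk(cell):
    """Return (key name, last-written time) from one 'nk' key-node cell body."""
    if len(cell) < 0x4C or cell[:2] != b"nk":
        raise ValueError("not a key node")
    flags, filetime = struct.unpack_from("<HQ", cell, 2)   # flags @2, FILETIME @4
    (name_len,) = struct.unpack_from("<H", cell, 0x48)     # key name length
    raw = cell[0x4C:0x4C + name_len]                       # key name bytes
    name = raw.decode("latin-1" if flags & KEY_COMP_NAME else "utf-16-le")
    return name, FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def build_nk(name, when):
    """Build a minimal constructed nk cell body (sample data, not a full hive)."""
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<HQ", body, 2, KEY_COMP_NAME, ticks)
    struct.pack_into("<H", body, 0x48, len(name))
    return bytes(body) + name.encode("latin-1")

def timeline(cells):
    """Order keys by last-written time, oldest first."""
    return sorted((parse_nk(c) for c in cells), key=lambda item: item[1])

# Constructed sample: three application keys written at different times.
SAMPLE_CELLS = [
    build_nk("ExampleEditor", datetime(2012, 10, 3, 9, 30, tzinfo=timezone.utc)),
    build_nk("ExampleVPN", datetime(2012, 10, 1, 22, 15, tzinfo=timezone.utc)),
    build_nk("ExampleGame", datetime(2012, 10, 2, 18, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for key, written in timeline(SAMPLE_CELLS):
        print(written.isoformat(), key)
```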


What's more, you can't turn this behaviour off. The Registry will always update its timestamps when keys are rewritten.

So you can disable some of the more comprehensive tracking technologies, then, like jump lists and UserAssist, and that can make a great deal of sense on shared PCs: you'll greatly improve your privacy.

But there will always be other methods, like Registry write times, file last access times and so on, which will provide a way in which others can find out what you're doing.

So our advice would be not to get too paranoid, and don't take actions which will adversely affect your PC (like turning off prefetching): the privacy gains will be minimal, and if anyone wants to discover more about your activities then there are plenty of other ways to do so, anyway.



Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.