CBS log Questions


Infinite358

I have for quite some time been the target of some rather comprehensive electronic harassment. The nature of this and the context from which it began is beyond words; in any case there is some litigation approaching and thus the uptick.

I have repeatedly attempted to the best of my ability to fortify my security, having had multiple PCs/hard drives compromised -- genuinely I have a decent pile, and I suppose that speaks on some level to my reason for asking for assistance. On a PC that I'm hoping is solid, I've gone through the normal steps in safeguarding: setting firewall, DNS, all security defender lockdowns, limited program features, limited services etc. - ZTDNS is likely my final option...

In any case I have noticed that within my CBS log from my Windows update/installation there are a LOT of entries that I wouldn't have expected -- many pertaining to remote provisioning, various RSAT tools (DHCP/DNS, remote management, RIP Listener etc.), Azure, Client-terminal services, SNMP, SMBDirect etc. I think you get the idea. I checked my "program features" selections, and none of these are enabled.

I'm wondering if anyone with a bit more knowledge might be able to tell me if these shown below are typical for a standard installation/upgrade. Or, if anyone might happen to have an example CBS log of a typical installation, this would be a huge help! I must say these look very suspicious... Thanks all the same!
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo
    CPU
    AMD Ryzen 7000
    Memory
    16Gb
These are the optional Feature on Demand packages being enumerated from "C:\Windows\servicing\FodMetadata\FoDMetadata_Client.cab".

Look at the timestamps: it takes zero time to "add" everything, which wouldn't be the case if something was actually installed.

The metadata represents what Features can be added to your live Windows image, using the Optional Features control panel or "DISM /Add-Capability" command. Without the metadata, Windows wouldn't know which Features to offer you, since some of the install packages are only provided online or from a downloadable FOD ISO, and not included in the base Windows install image.

You can prove this to yourself. Media.DolbyFeaturePack is included in the CAB file.

For a listing of which FOD packages are expected to be part of the metadata, check here:
Available features on demand
 

My Computer

System One

  • OS
    Windows 7
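
Added example, not part of the reply above: a PowerShell check (run elevated) that compares what the FoD metadata offers with what is actually installed. The name patterns are assumptions built from the feature families named in the first post; Get-WindowsCapability and Get-WindowsOptionalFeature are the standard DISM cmdlets.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Patterns are assumptions based on the feature families named in the first post.
$patterns = 'Rsat.*', 'SNMP.*', 'RIP.Listener*'

# Every capability the image knows about, i.e. what the FoD metadata offers.
$all = Get-WindowsCapability -Online

# Overall picture: count of capabilities per state (Installed, NotPresent, ...).
$all | Group-Object State | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize | Out-Host

# Capabilities from the families of interest, with their real state.
$matched = foreach ($cap in $all) {
    foreach ($p in $patterns) {
        if ($cap.Name -like $p) { $cap; break }
    }
}
$matched | Sort-Object State, Name | Format-Table Name, State -AutoSize | Out-Host

# Anything listed here is really on the system, not just offered by the metadata.
$installed = @($matched | Where-Object { $_.State -eq 'Installed' })
if ($installed.Count -eq 0) {
    Write-Output 'None of the matched capabilities are installed.'
} else {
    Write-Output 'Installed capabilities that deserve a closer look:'
    $installed | ForEach-Object { Write-Output "  $($_.Name)" }
}

# SMB Direct is a Windows optional feature rather than a capability,
# so it is queried through the optional-feature cmdlet instead.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like '*SmbDirect*' } |
    Format-Table FeatureName, State -AutoSize | Out-Host
```

A capability in the NotPresent state is only offered by the metadata; its payload is not on the system.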

I'm happy to hear that it seems these entries are seemingly an artifact of the potential features, not reflective of installed packages. Very helpful! At this point it is hard for me to discriminate at times, I'm only scrutinizing as a result of the ongoing issues...but at least in this case this seems normal.
 

While I know this doesn't pertain to the thread's topic... in running the DM log collector utility, I happened to realize that I have both of these in my system info. I would assume these indicate that my PC is provisioned, correct? Once again, this is on a personally purchased laptop where I recently reinstalled Windows 11 with a fresh ISO image.

App Control for Business policy: Enforced
App Control for Business user mode policy: Enforced

Log/debug files attached, just if it is of any interest. I realize I'm asking a bit, so thanks again for the help!
 

App Control for Business policy: Enforced
App Control for Business user mode policy: Enforced
This is normal. Windows provides a SiPolicy.p7b file on every release, and it's now updated by the W11 Monthly Update.

SiPolicy.p7b is a binary-encoded policy definition which sets the baseline App Control rules for which executables may be run on this system.

Enterprises and organizations may define their own policy files (using a special MS tool) to replace the system default. You can restrict certain types of apps (Win32, UWP), and check how they're signed (unsigned, signed by specific Certificate Authorities).

As a consumer, you get the standard policy that everyone else gets. sysinfo is informing you that rule enforcement is in effect. What would be bad is if you disabled App Policy enforcement or updated the rules to allow unsigned code to run without restrictions.
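
Added example, not part of the reply above: a PowerShell check of the enforcement state described there, read from the Win32_DeviceGuard CIM class. That these two properties are the values behind the two System Information lines is an assumption; the 0/1/2 meanings are the documented ones for this class.

```powershell
# Added example (not from the thread).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Documented status values for both properties.
$label = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

$report = [pscustomobject]@{
    KernelModePolicy = $label[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModePolicy   = $label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
}
$report | Format-List | Out-Host

# The condition worth flagging is a policy that is no longer enforced.
foreach ($p in $report.PSObject.Properties) {
    if ($p.Value -ne 'Enforced') {
        Write-Warning "$($p.Name) is '$($p.Value)', not Enforced"
    }
}
```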
 

Awesome -- thanks!!
 
