Is TuneBit Safe?

Four guarantees, every release. TuneBit is always code-signed by Paige Julianne Sullivan; always asks Windows for permission before doing anything; never collects personal data, telemetry, or analytics; and always takes a System Restore point plus a registry .reg backup before changing anything that could need to be undone.

Promise 1

Always signed

Every TuneBit.exe is code-signed by Paige Julianne Sullivan via Azure Trusted Signing — the same code-signing service Microsoft uses for first-party tooling. You can verify on every launch.

Read the detail
Promise 2

Always asks first

TuneBit only changes Windows after you click a fix. Every launch triggers Windows' own User Account Control prompt, and individual destructive actions ask again before touching anything.

Read the detail
Promise 3

Doesn't spy on you

No analytics, no crash reports, no usage tracking, no scan results sent home. The only outbound network call is a periodic license-validity check. Customer-machine data stays on the customer machine.

Read the detail
Promise 4

Always makes a backup

Every tool that edits the registry exports the affected keys to a .reg file first, and creates a System Restore point. If something goes sideways, you can put it back exactly the way it was.

Read the detail
Promise 1

Always signed by Paige Julianne Sullivan

Every build of TuneBit — Release and Debug, plus the obfuscated variants — passes through Azure Trusted Signing as the final step of the build script. Azure Trusted Signing is Microsoft's own code-signing service, which means the certificate chain ultimately roots in the Microsoft Identity Verification Root that Windows already trusts. SmartScreen and most enterprise allowlists treat the binary as a trusted publisher.

You can verify the signature in three places, any time:

  • On every launch — Windows shows a UAC prompt that reads “Verified publisher: Paige Julianne Sullivan” in the blue band at the top. If you ever see a yellow band, or the publisher line is missing, click No: something has tampered with the binary.
  • Right-click → Properties → Digital Signatures — select the row for Paige Julianne Sullivan, click Details, and you'll see “This digital signature is OK”. From there, View Certificate → Certification Path walks all the way up to the Microsoft Identity Verification Root.
  • Scriptable verification — for fleet allowlisting, PowerShell's Get-AuthenticodeSignature returns the same data. Anything other than Status: Valid with the correct subject means the file has been altered after signing.
PS> Get-AuthenticodeSignature .\TuneBit.exe | Format-List Status, SignerCertificate

Status            : Valid
SignerCertificate : [Subject]
                      CN=Paige Julianne Sullivan, O=Paige Julianne Sullivan, ...

The publisher and product strings are stable across releases on purpose — so if your environment uses publisher-pinned WDAC or AppLocker rules, they don't break on update.

For a screenshot walk-through of all three verification methods, see the Download page.

Promise 2

Always asks permission before making changes

TuneBit is one app that needs full administrator rights to do its job (you can't repair Windows from a sandbox), so it leans into Windows' own permission machinery rather than working around it.

  • Every launch triggers UAC. TuneBit checks its own elevation on startup and re-launches itself via Windows User Account Control if it isn't already running elevated. That's the blue dialog asking “Do you want to allow this app to make changes to your device?” It runs every time you start TuneBit — not because we ask Windows to, but because Windows always asks you.
  • No silent system changes during a scan. The initial health scan, the dashboard, and the per-module “analyze” flows are all read-only. TuneBit can tell you that your startup folder is heavy, your registry has dangling references, or your privacy posture is wide open — but it doesn't change any of those until you click a fix.
  • Destructive actions ask again. Bulk debloater removals, registry cleans, and shadow-copy operations show a confirm dialog with the list of things they're about to touch. You can deselect anything you don't want changed.
  • Headless modes are explicit. The command-line modes (/maintenance, /cleanup, /affinity-watcher) are designed for scheduled-task and RMM use. They have to be deliberately invoked — nothing in TuneBit auto-installs itself as a service or a scheduled task without you asking.
Bottom line: if you don't click a button, nothing changes. The only thing TuneBit does on its own is the once-on-launch read-only triage scan — and that data never leaves your machine.
Promise 3

Doesn't spy on you or send personal data

TuneBit was built specifically because most of the “PC fixer” market is a graveyard of bundleware and telemetry. We don't ship analytics. We don't ship crash reports. We don't ship usage tracking. We don't ship hashed-machine-fingerprint inventory uploads. We don't ship a partner-recommendation pixel.

The complete list of network operations any TuneBit install ever performs:

  • License validation. On launch, the desktop posts your license code to https://tunebit.app/api/validate-license.php over HTTPS and reads back { valid: true|false, status: "..." }. If we can't be reached, the license stays valid offline for 3 days before re-prompting. No system data is included in that request.
  • Trial fetch on first launch. On a fresh install with no existing license, the desktop posts your hardware ID to https://tunebit.app/register.php to receive a 7-day trial code. The hardware ID is a SHA-256 fingerprint — not a serial number, not your MAC address, not anything identifying.
  • Update check. The auto-updater GETs https://dist.tunebit.app/VERSION on launch and, if a newer version exists, asks you whether to download https://dist.tunebit.app/TuneBit.exe. Nothing about your system is sent — not even a User-Agent header beyond the .NET default.
  • VirusTotal hash lookups (opt-in). If you explicitly run the VirusTotal scanner module on a specific file, TuneBit sends that file's SHA-256 hash to VirusTotal's public API. Nothing else, only when you click that button, only the hash — never the file contents.

That's it. The other 33 modules — junk cleaner, registry scanner, BSOD analyzer, hardware inventory, performance tweaks, privacy controls, the lot — run entirely on your local machine. The scan results never leave the box.

Want to verify it yourself? Block tunebit.app and dist.tunebit.app in your firewall. TuneBit will fall back to the 3-day offline grace window for licensing and otherwise behave identically. There is no other outbound endpoint.

See the privacy policy and the EULA for the legal restatement of the same.

Promise 4

Always makes a backup before changing anything reversible

If TuneBit is about to touch the registry, the file system, or system services in a way that could need to be undone, it takes two backups first — not one, both:

  • A System Restore point is created via the Windows Management Instrumentation SystemRestore class, the same API the OS itself uses. The description is set so you can find it later in Control Panel → Recovery → Open System Restore: e.g. “TuneBit — Registry Clean”, “TuneBit — App Uninstall”, “TuneBit — Pre-repair”.
  • A registry export is written to %LOCALAPPDATA%\TuneBit\backups\reg-yyyy-MM-dd-HHmmss\ as one .reg file per affected key. These are plain text files you can open in Notepad or double-click to merge back into the registry if you ever need to undo TuneBit's work after the System Restore window has passed.

Specifically, the following modules take both backups before they run:

  • Registry Scanner / Cleaner — exports every key it's about to remove, then creates a restore point labeled “TuneBit — Registry Clean”
  • App Uninstaller — exports the uninstalled program's registry keys plus its file-association entries, restore point labeled per-app
  • Repair Tools (SFC / DISM / shell / network / Windows Update repair) — restore point labeled “TuneBit — Pre-repair”; the underlying repair tools (SFC, DISM, etc.) carry the same rollback semantics Microsoft built into them
  • Performance Tweaks — exports every tweak's HKLM/HKCU key before flipping the value
  • Privacy / Telemetry Lockdown — exports every key it's about to disable
How to restore manually: open File Explorer → %LOCALAPPDATA%\TuneBit\backups\, find the reg-<timestamp> folder for the action you want to undo, and double-click any of the .reg files in it. Confirm the merge prompt. The original registry values come back exactly as they were.
Caveat: System Restore must be enabled on the system drive for the restore-point side of the backup to land. On Windows 10/11 it's enabled by default but a small percentage of OEM images disable it; if you want belt-and-suspenders on a specific machine, check Control Panel → System → System Protection first. The .reg exports happen unconditionally either way.

Still have questions?

The FAQ covers code-signing, licensing, EDR allowlisting, and how TuneBit handles edge cases. The Download page shows screenshots of what SmartScreen and the every-launch UAC prompt look like, so you know exactly what's normal. For anything else, support@sullivantechnology.us is a human, not a queue.

Download TuneBit Read the FAQ