Your HP device might have a keylogger installed
Fresh from Switzerland comes a report from security firm modzero AG about a keylogger in audio drivers of certain HP devices.
The keylogger is built into the driver, records all keystrokes made by users of the system, and saves them to the log file MicTray.log in the C:\Users\Public\ folder of the computer. Note that the log file is written to the Public folder, not to a user-specific folder.
The report raises several questions. First, why is a keylogger in the audio driver, and second, how do you make sure it is not running on your HP devices?
The second question is more pressing than the first, so let's start with it and address the first question afterwards.
The first thing you need to know is that only HP devices appear to be affected. The company lists HP EliteBook, HP ProBook, HP Elite, and HP ZBook models on its website, and the operating systems Windows 7 and Windows 10. You can consult the full list of affected devices here.
Modzero suggests that users check whether the files C:\Windows\System32\MicTray64.exe and C:\Windows\System32\MicTray.exe exist, and if they do, delete or rename the executable files to stop the keylogger.
Additionally, users need to check for the existence of the C:\Users\Public\MicTray.log file, and if it exists, delete it. Since all keystrokes are logged to the text file, it may contain sensitive information such as authentication data, credit card numbers, and personal chat messages or emails. Note, however, that the file is overwritten on each login.
While that is better than the file never being overwritten, backups, File History, or other services that create copies of files may have saved previous versions of it. If you run any of these, make sure you delete the information from them as well to avoid potential leaks.
- Check if C:\Windows\System32\MicTray64.exe exists. If it does, delete the file, or rename it.
- Check if C:\Windows\System32\MicTray.exe exists. If it does, delete the file, or rename it.
- Check if C:\Users\Public\MicTray.log exists. If it does, delete the file.
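The checklist above as an audit script: this is an added example, not code from the article or from modzero. It reports the three paths, and with the -Remediate switch stops any running MicTray process, renames the executables (keeping a copy for analysis) and deletes the log. It also assumes, per the background section below, that MicTray is launched by a Task Scheduler task at login, and lists any task whose action points at it.

```powershell
# Added example (not from the article or modzero). Run from an elevated PowerShell prompt.
# Without -Remediate the script only reports what it finds.
param([switch]$Remediate)

$executables = @('C:\Windows\System32\MicTray64.exe', 'C:\Windows\System32\MicTray.exe')
$logFile     = 'C:\Users\Public\MicTray.log'

# A running instance keeps the keyboard hook installed, so stop it before touching files.
Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "Running process: $($_.ProcessName) (PID $($_.Id))"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

foreach ($exe in $executables) {
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Warning "Found $exe (signer: $($sig.SignerCertificate.Subject), status: $($sig.Status))"
        if ($Remediate) {
            # Renaming rather than deleting preserves the binary for analysis and allows
            # rollback; the scheduled launcher cannot start a file that no longer exists by name.
            Rename-Item -LiteralPath $exe -NewName ("$(Split-Path $exe -Leaf).disabled") -Force
            Write-Host "Renamed $exe"
        }
    } else {
        Write-Host "Not present: $exe"
    }
}

if (Test-Path -LiteralPath $logFile) {
    $info = Get-Item -LiteralPath $logFile
    Write-Warning "Keystroke log present: $logFile ($($info.Length) bytes, modified $($info.LastWriteTime))"
    if ($Remediate) {
        Remove-Item -LiteralPath $logFile -Force
        Write-Host "Deleted $logFile"
    }
} else {
    Write-Host "Not present: $logFile"
}

# Assumption: MicTray is registered as a scheduled task that runs at logon (the article says
# it is "scheduled to run right after user login"). Report and optionally disable such tasks.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'MicTray' }
} | ForEach-Object {
    Write-Warning "Scheduled task launches MicTray: $($_.TaskPath)$($_.TaskName) (state: $($_.State))"
    if ($Remediate) { $_ | Disable-ScheduledTask | Out-Null }
}
```

Because a driver update reinstalls the executables, the report-only run is worth repeating after any HP or Conexant audio update; it will show whether the files and task are back.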
Some background information
The executable file MicTray (in its 64-bit and/or 32-bit variant) is installed with the Conexant audio driver. The program is scheduled to run right after user login, and starts to capture keystrokes as soon as it runs.
Its main function is to link key presses on the device to certain audio driver features, such as muting the microphone.
Modzero reveals the following about the keylogging component:
Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
You probably wonder why the keylogger was added to the driver in the first place. Modzero has an answer for that as well.
Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.
Users who operate affected devices need to make sure that the software is not updated. If it is updated, new versions of the keylogging program will be installed on the system, and the logging begins anew.
It is difficult to justify the integration of a keylogger in software, and even harder to understand why the driver passed Microsoft's quality controls as Woody points out over on InfoWorld.
As if the keylogger that comes with Windows 10 was not enough (; But that’s what you get for buying Horrible Products – malware on top of malware.
Can you please elucidate what you are talking about? No offense intended at all, I just would like to know since I have no clue about this issue. Thanks.
Which part? I guess you’re talking about the Windows 10 one? There’s a “feature” which sends keystrokes to Microsoft to help them improve.. something. It makes no sense and the wording is vague at best, but it’s there. Go to Settings > Privacy and you should find it. Whether the switch does something or not comes down to whether or not you trust Microsoft.
This is malicious activity, hence why I consider it malware. If you’re on W10, I suggest you to disable everything in the Privacy section (it has 10 or more subsections shown in the left pane of the application, disable everything in each subsection). None of those settings affect the functionality of regular Win32 programs (such as Firefox, Chrome, VLC, Thunderbird, Office, etc) in any detrimental way. All they do is data collection then sending it to Microsoft.
To fully disable Telemetry and the keylogger in Win 10, …
Open up the Command Prompt by launching cmd as an administrator, and enter the following:
sc delete DiagTrack
sc delete dmwappushservice
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
Open up the Registry Editor by launching regedit as an administrator. Go through HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection, select AllowTelemetry, change its value to 0, then apply.
When they mentioned “devices” I thought printers and other peripherals also. I have an HP Envy printer but no laptop or other PC’s from HP. Relieved for the moment.
EDIT: This brings up another issue. Are other keyboard combos being recorded to include all keystrokes? For instance if I press FN + F6 are all my keystrokes being recorded in a file somewhere?
Since I didn’t have time to edit fully, as a followup, the FN+F6 increases volume. Upon activating that, it could start recording everything typed in a hidden file also.
No MicTray…. for me (PC with win 8.1 which seems not concerned anyway).
Thanks for info.
OMG. I planned to buy new HP laptop.
Time to change my mind.
Check System76 Laptops.
To the best of my knowledge, unless you have the enterprise version of windows 10, there is no way to completely turn off telemetry, you can however set it to basic with the pro version. If you have the home version, I think you cannot change the telemetry settings, I could be wrong.