Your HP device might have a keylogger installed

Martin Brinkmann
May 11, 2017
Updated • May 22, 2018
Security
|
10

Fresh from Switzerland comes a report from security firm modzero AG about a keylogger in audio drivers of certain HP devices.

The keylogger is built-into the driver, records all keystrokes made by users of the system, and saves them all to a logfile MicTray.log in the C:\Users\Public\ of the computer system. Note that the log file is written to the Public folder, and not the user specific folder.

The report raises several questions. First, why a keylogger is in the audio driver, and second, how to make sure it is not running on your HP devices.

The second question is more pressing than the first. So, lets start with it and address the first question afterwards.

Detection

First thing you need to know is that only HP devices appear to be affected by this. The company lists HP EliteBook, HP ProBook, HP Elite, and HP ZBook models on its website, and the operating systems Windows 7 and Windows 10. You can consult the full list of affected devices here.

Modzero suggests that users check whether the files C:\Windows\System32\MicTray64.exe and C:\Windows\System32\MicTray.exe exist, and if they do, delete or rename the executable files to stop the keylogger.

Additionally, users need to check for the existence of the C:\Users\Public\MicTray.log file, and if it exists, delete it. Since all keystrokes are logged to the text file, it may contain sensitive information such as authentication data, credit card numbers, and personal chat messages or emails. Please note however that the file is overwritten after each login.

While that is better than if it would not be overwritten, backups, file history, or other services that create copies of the file may have saved previous versions of it. If you run these, make sure you delete the information from those as well to avoid potential leaks.

In short:

  1. Check if C:\Windows\System32\MicTray64.exe exists. If it does, delete the file, or rename it.
  2. Check if C:\Windows\System32\MicTray.exe exists. If it does, delete the file, or rename it.
  3. Check if C:\Users\Public\MicTray.log exists. If it does, delete the file.

Some background information

The executable file MicTray (in its 64-bit and/or 32-bit variant) is installed with the Conexant audio driver. The program is scheduled to run right after user login, and starts to capture keystrokes as soon as it runs.

Its main function is to provide functionality between key presses on the device, and certain audio driver features such as muting the microphone.

Modzero reveals the following about the keylogging component:

Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetwindowsHookEx().

You probably wonder why the keylogger was added to the driver in first place. Modzero has an answer for that as well.

Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.

Users who operate affected devices need to make sure that the software is not updated. If it is updated, new versions of the keylogging program will be installed on the system, and the logging begins anew.

Closing Words

It is difficult to justify the integration of a keylogger in software, and even harder to understand why the driver passed Microsoft's quality controls as Woody points out over on InfoWorld.

Summary
Your HP device might have a keylogger installed
Article Name
Your HP device might have a keylogger installed
Description
Fresh from Switzerland comes a report from security firm modzero AG about a keylogger in audio drivers of certain HP devices.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Mr. Jim Business said on May 12, 2017 at 10:49 am
    Reply

    To the best of my knowledge, unless you have the enterprise version of windows 10, there is no way to completely turn off telemetry, you can however set it to basic with the pro version. If you have the home version, I think you cannot change the telemetry settings, I could be wrong.

  2. Devastator said on May 11, 2017 at 8:47 pm
    Reply

    OMG. I planned to buy new HP laptop.
    Time to change my mind.

    1. dark said on May 12, 2017 at 4:36 am
      Reply

      Check System76 Laptops.

  3. Belga said on May 11, 2017 at 7:10 pm
    Reply

    No MicTray…. for me (PC with win 8.1 which seems not concerned anyway).
    Thanks for info.

  4. ddk said on May 11, 2017 at 6:55 pm
    Reply

    When they mentioned “devices” I thought printers and other peripherals also. I have an HP Envy printer but no laptop or other PC’s from HP. Relieved for the moment.

    EDIT: This brings up another issue. Are other keyboard combos being recorded to include all keystrokes? For instance if I press FN + F6 are all my keystrokes being recorded in a file somewhere?

    1. ddk said on May 11, 2017 at 7:07 pm
      Reply

      Since I didn’t have time to edit fully, as a followup, the FN+F6 increases volume. Upon activating that, it could start recording everything typed in a hidden file also.

  5. Yuliya said on May 11, 2017 at 6:25 pm
    Reply

    As if the keylogger that comes with Windows 10 was not enough (; But that’s what you get for buying Horrible Products – malware on top of malware.

    1. Weezcatle said on May 11, 2017 at 10:00 pm
      Reply

      Can you please elucidate what you are talking about ? No offense intended at all, I just would like to know since I have no clou about this issue. Thanks.

      1. AnorKnee Merce said on May 12, 2017 at 5:54 am
        Reply

        To fully disable Telemetry and the keylogger in Win 10, …

        Open up the Command Prompt by launching cmd as an administrator, and enter the following:

        sc delete DiagTrack

        sc delete dmwappushservice

        echo “” > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

        Open up the Registry Editor by launching regedit as an administrator. Go through HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection, select AllowTelemetry, change its value to 0, then apply.
        .
        .

        http(semi colon)//theinfounderground(dot)com/smf/index.php?topic=19515.0

        https(semi colon)//fix10.isleaked(dot)com/

      2. Yuliya said on May 11, 2017 at 10:49 pm
        Reply

        Weezcatle,
        Which part? I guess you’re talking about the Windows 10 one? There’s a “feature” which sends keystrokes to Microsoft to help them improve.. something. It makes no sense and the wording is vague at best, but it’s there. Go to Settings > Privacy and you should find it. Whether the switch does something or not comes down to whether or not you trust Microsoft.
        This is malicious activity, hence why I consider it malware. If you’re on W10, I suggest you to disable everything in the Privacy section (it has 10 or more subsections shown in the left pane of the application, disable everything in each subsection). None of those settings affect the functionality of regular Win32 programs (such as Firefox, Chrome, VLC, Thunderbird, Office, etc) in any detrimental way. All they do is data collection then sending it to Microsoft.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.