
IDEA: Possible Malware Debug - HW laptop back-light detector


Asudem:
Keyboard can. And if the external drives came with driver and/or back-up software, those could trigger Windows to become active again.
-Shades (January 01, 2019, 01:58 PM)
--- End quote ---
If my keyboard is phantom stroking itself off at 2 or 4 in the morning when I am trying to sleep I will be pissed. Also, note, I said it does not happen in other OSes.

No backup software or drivers to my knowledge outside whatever MS provides with Win10.

Wireless headset uses BlueTooth?
--- End quote ---
RF receiver, which blinks when deactivated and stays lit when activated. It has never stayed lit when the monitor has powered back on, or if it has, the headset itself would be plugged into a power outlet and is just broadcasting silence. The random on/off of my screen has been observed in both states.

Not just the devices that you think is logical.
--- End quote ---
Turning the machine off to avoid the issue is a logical fix. This disconnects all power. I am not looking for logic. I am looking to find the answer.

Logic would imply I would be staring at my screenless laptop while all items are disconnected through countless nights of waiting for the issue to happen, and then it happens, then I have nothing other than a confirmation some process in Windows is causing this. As I have stated before, no other OSes do this.

Logic would also imply these devices cannot turn the screen back off at a non-designated Windows time (5 min), and yet, the light can turn off in anywhere from 5 sec after turning on to 2 min after turning on.

Logic does not explain that any of these devices could also cause the screen to power down.

EDIT: One minor note, I am experiencing what appear to be unrelated power fluctuations on the circuit in my house with lights flashing as well. This behavior as observed on my laptop is as follows:
The laptop detects a power drop and momentarily enters battery mode, in which it has a different set of rules to follow for powering the monitor off, and the event is logged as a "power unplugged" event. When power is restored to the laptop, usually within a few moments, the backlight will kick into full brightness under the "plugged in" profile, and will recognize (somehow) that the monitor should be in the powered-off state, as its state was never cleared properly when it was plugged in, and will turn off my monitor once again. This is observed and consistent behavior.

EDIT2: I feel that this is the closest answer I can find to monitor power on/off behaviors.

4wd:
You could try setting the screensaver timeout the same as display off timeout and then watch for Event ID 4802 and 4803 in the Security Eventlog.

It may give info about the calling process, it may not - most likely not but it's something to try.

See here:
https://superuser.com/questions/538146/run-a-batch-cmd-upon-screensaver

The other obvious question is:
When did you first notice it happening, (and does it coincide with anything else, eg. software install, power fluctuations)?

eg. Until I recently decided to uninstall ~20 programs I no longer use, my computer would not go into Sleep mode, something I had become used to.
Now it does again.

Another experiment, instead of just getting it to turn the display off, have it also Lock the computer.
This will require physical interaction with the mouse or keyboard to have the display turn on.

Asudem:
I like the idea of creating a log entry when the screensaver times out, that's very clever. I don't have gpedit as I don't have pro but you may be onto something.

EDIT: Oh, what? Event IDs 4802 and 4803 do not appear in my event logs even when manually activated...  :o

When did you first notice it happening, (and does it coincide with anything else, eg. software install, power fluctuations)?
-4wd (January 01, 2019, 05:14 PM)
--- End quote ---
It first started doing this on my machine sometime at the beginning of last year, so about a year ago now. The house power fluctuations are more recent, the beginning of Winter 2018. I can only monitor what I am awake for and it only happens in the dark, all lights off, and when I am in bed. It is quite possible the process knows this through some sort of malware hijacking my cam, as the monitor never shuts off by itself while being used. However, no such exe was found using my webcam when I had Avast Pro's webcam anti-spy thing, there was no activity logged but I was still suspicious.
eg. Until I recently decided to uninstall ~20 programs I no longer use, my computer would not go into Sleep mode, something I had become used to.
Now it does again.

--- End quote ---
It did this the night of the fresh Win10 install on a new hard drive about a month ago. So it survived an entire Hard Drive and OS clean install. Again, left overnight, no forms of Linux seem affected.

Another experiment, instead of just getting it to turn the display off, have it also Lock the computer.
This will require physical interaction with the mouse or keyboard to have the display turn on.

--- End quote ---
It's worth a shot, but I highly doubt this will affect it in any manner.

EDIT: I can't seem to find a "require login on wake" setting, but I do find an "allow wake timers" setting which might not have been modified on my old machine and was set to "important only"; I have now set it to "disabled". I have also set the "Screen Saver" to "none" and require login after the same amount of time as the power management takes to turn off my monitor.

However: None of this can explain what turns my monitor back off after turning it on.

EDIT2: Found this in my security audit. Should I be concerned? Why would chrome.exe be in there while I'm using it to read this reply?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/1/2019 4:38:40 PM
Event ID:      4798
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DESKTOP-GHRIIHN
Description:
A user's local group membership was enumerated.

Subject:
   Security ID:      DESKTOP-GHRIIHN\bigge
   Account Name:      bigge
   Account Domain:      DESKTOP-GHRIIHN
   Logon ID:      0x1E8E43D2

User:
   Security ID:      DESKTOP-GHRIIHN\bigge
   Account Name:      bigge
   Account Domain:      DESKTOP-GHRIIHN

Process Information:
   Process ID:      0x24e4
   Process Name:      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2019-01-02T00:38:40.791620000Z" />
    <EventRecordID>16146</EventRecordID>
    <Correlation ActivityID="{4e25fc43-9d83-0005-52fc-254e839dd401}" />
    <Execution ProcessID="868" ThreadID="15548" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-GHRIIHN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">bigge</Data>
    <Data Name="TargetDomainName">DESKTOP-GHRIIHN</Data>
    <Data Name="TargetSid">S-1-5-21-1929593028-2655745888-1613840321-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1929593028-2655745888-1613840321-1001</Data>
    <Data Name="SubjectUserName">bigge</Data>
    <Data Name="SubjectDomainName">DESKTOP-GHRIIHN</Data>
    <Data Name="SubjectLogonId">0x1e8e43d2</Data>
    <Data Name="CallerProcessId">0x24e4</Data>
    <Data Name="CallerProcessName">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
  </EventData>
</Event>

4wd:
Again, left overnight, no forms of Linux seem affected.-Asudem (January 01, 2019, 05:52 PM)
--- End quote ---

Saying that Linux is unaffected is pretty close to pointless as Linux won't be affected unless it is a physical hardware issue, (eg. intermittent contact in the keyboard), as that is the only common ground between Linux and Windows.

It would have relevance if Linux used the same drivers and ran the same processes ... but then it would be Windows.  So it still doesn't exclude peripherals from the equation.

It did this the night of the fresh Win10 install on a new hard drive about a month ago. So it survived an entire Hard Drive and OS clean install.
--- End quote ---

In the absence of information, can we assume that most, if not all, of the Windows telemetry has not been disabled?

Considering this has been occurring since OS installation and the amount of crap that Windows collects and sends back to Microsoft at who knows what times, it might be related to that.

EDIT2: Found this in my security audit. Should I be concerned? Why would chrome.exe be in there while I'm using it to read this reply?
--- End quote ---

It's Google, they along with Microsoft want to collect everything about you, this is common knowledge - since you've knowingly installed Chrome I would have thought you'd expect to see its grubby little feet trampling through your machine  :)

Event ID 4798

But if it makes you feel easier, I'm not seeing anything like that for Vivaldi, Iridium, or Slimjet - all based on the same source code.  I don't use any type of browser account for syncing, bookmarks, passwords, etc - so who knows, it may be related to that.

However: None of this can explain what turns my monitor back off after turning it on.
--- End quote ---

Find what's turning it on since the second event can't happen without the first event.
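An added example, not from anyone in the thread, that pulls together the two Security-log checks discussed above: the 4802/4803 screen-saver events 4wd suggested (which only get written once the "Other Logon/Logoff Events" audit subcategory is enabled, the likely reason they were missing earlier) and the 4798 group-membership enumerations, grouped by calling process; `powercfg /requests` is also shown because it lists processes that currently hold a request to keep the display on. Assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from the thread). Run elevated; auditpol and the Security
# log both need administrator rights.

# 1. 4802/4803 are only logged when this subcategory is audited (off by default
#    on Windows 10 clients). Show the current state, then enable success auditing.
auditpol /get /subcategory:"Other Logon/Logoff Events"
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable

$since = (Get-Date).AddHours(-24)

# 2. Screen saver invoked (4802) / dismissed (4803) in the last 24 hours.
#    With the screen-saver timeout set equal to the display-off timeout, these
#    bracket each "display off" window, so a 4803 with nobody at the keyboard
#    is the moment to correlate against other logs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4802, 4803; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Sort-Object TimeCreated | Format-Table -AutoSize

# 3. 4798 (local group membership enumerated), grouped by the calling process.
#    Pull the fields from the event XML, since the message text varies by locale.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4798; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = $d['SubjectUserName']
            Target  = $d['TargetUserName']
            Caller  = $d['CallerProcessName']
        }
    } |
    Group-Object Caller |
    Select-Object Count, Name, @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# 4. Processes currently holding power requests; the DISPLAY section lists
#    anything asking Windows to keep (or turn) the display on right now.
powercfg /requests
```

A browser enumerating group membership once while it is running is unremarkable; an unfamiliar caller in the 4798 table, or a display request from an unexpected process in step 4 at the time the backlight comes on, is what to chase.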

Asudem:
It would have relevance if Linux used the same drivers and ran the same processes ... but then it would be Windows.  So it still doesn't exclude peripherals from the equation.
-4wd (January 01, 2019, 10:26 PM)
--- End quote ---
Interesting. So you're saying it would be at the driver level anyway if any tampering would be had, and not by faulty hardware. Alright, I can buy that. I thought people were trying to argue that the hardware itself was doing it, not the drivers. This makes more sense.

In the absence of information, can we assume that most, if not all, of the Windows telemetry has not been disabled?

--- End quote ---
Initially, yes. I have since run Blackbird and disabled (seemingly) all telemetry. It has done the on/off thing since this.


It's Google, they along with Microsoft want to collect everything about you, this is common knowledge - since you've knowingly installed Chrome I would have thought you'd expect to see its grubby little feet trampling through your machine  :)
--- End quote ---

Google has a big enough footprint on me that I've become rather comfy knowing if I'm suddenly wanted for murder or something, their activity could just prove I was on the toilet while the crime was committed or whatever. Microsoft, meh, but to see chrome itself as an executable accessing what is essentially the area of Windows in which users are authenticated is a little shocking. I'm not fully alarmed by it, but it is quite the unexpected appearance.

Find what's turning it on since the second event can't happen without the first event.

--- End quote ---

That's why I created this thread and hoped some sort of ProcMon like software existed or could exist, to diagnose this issue. The program Shades mentioned might be able to help out there, but if only I can figure out how to utilize it. Hmm....

Going to unplug everything but power and wifi tonight, see if it happens again.
