Topic: IDEA: Possible Malware Debug - HW laptop back-light detector

BGM

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #25 on: February 17, 2019, 11:06 AM »
I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.


Maybe look to see if you have your network NIC set to wake up?
https://www.howtogee...ing-your-windows-pc/

Other than that, I believe this is probably some software issue or system setting.

Asudem

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #26 on: July 11, 2019, 04:56 PM »
Maybe look to see if you have your network NIC set to wake up?
https://www.howtogee...ing-your-windows-pc/
All those settings have been disabled.

Sorry to bump an old thread but I updated to Win10 1903 and the problem has come back. Last night, the monitor powered on, so I got up and turned the machine onto airplane mode just to be sure, went back to bed, and after a few hours, it did turn on again. I am at my wit's end here. I need to trace the root of this problem!
If I do it more than 2 times I want to automate it in C#!

Shades

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #27 on: July 11, 2019, 08:53 PM »
Are you sure there is not a scheduled task configured in your system that triggers the monitor/Windows to activate again?

Even if you did not configure one or never even have created such a task on your system, that doesn't mean such a task won't exist. And yes, although the name implies that these tasks are executed based on any kind of time interval, you can also create tasks that are triggered by changes in software or settings that happen in your system. A Microsoft update could have added such a task.
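
One way to check for the kind of task described above, as an added example that is not part of the original post: it lists every enabled scheduled task that is allowed to wake the computer, with its trigger types and the program it runs, then the wake timers currently armed. It only reads settings; the variable names are illustrative.

```powershell
# Read-only audit; run from an elevated PowerShell prompt so that tasks
# registered for SYSTEM and other accounts are listed too.
$wakeTasks = Get-ScheduledTask |
    Where-Object { $_.Settings.WakeToRun -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue

        # Trigger class names look like MSFT_TaskDailyTrigger or
        # MSFT_TaskEventTrigger; strip the prefix for readability.
        $triggers = $task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task', ''
        }

        # Exec actions carry a program path; COM-handler actions carry
        # only a ClassId, so show whichever is present.
        $actions = $task.Actions | ForEach-Object {
            if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() }
            else            { "COM handler $($_.ClassId)" }
        }

        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            Author   = $task.Author
            Triggers = $triggers -join ', '
            Actions  = $actions -join '; '
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
        }
    }

$wakeTasks | Sort-Object Task | Format-List

# Timers that are armed right now, with the owning process or service.
# A task only appears here once its next run has been scheduled.
powercfg /waketimers
```

A task whose LastRun lines up with the time the screen came on is the first candidate to disable and retest.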

Asudem

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #28 on: July 13, 2019, 10:43 PM »
Are you sure there is not a scheduled task configured in your system that triggers the monitor/Windows to activate again?

Even if you did not configure one or never even have created such a task on your system, that doesn't mean such a task won't exist. And yes, although the name implies that these tasks are executed based on any kind of time interval, you can also create tasks that are triggered by changes in software or settings that happen in your system. A Microsoft update could have added such a task.

I will check, but just moments ago my screen turned itself off by itself for the first time during use. All previous instances in which it has turned on/off were not during use.

Asudem

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #29 on: July 16, 2019, 07:59 AM »
Using procmon and nircmd, I began banging away at various programs that were performing tasks while the computer's monitor was off to no avail. Last night the screen turned on unprovoked several times.

We had also once wondered if it still happened "when the lid is closed". I got fed up and closed my lid and my computer entered full sleep mode rather than the monitor powering off after a timeout. Several minutes later, yes, my computer woke up while the lid was still closed.

I am literally losing sleep over this.

ConstanceJill

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #30 on: July 16, 2019, 09:45 AM »
Which laptop model is it?

Are the BIOS and Intel Management Engine Firmware (if applicable) up to date?

Asudem

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #31 on: July 16, 2019, 10:25 AM »
Which laptop model is it?

Are the BIOS and Intel Management Engine Firmware (if applicable) up to date?
-ConstanceJill (July 16, 2019, 09:45 AM)
Model: ASUS ROG GL752VW
Bios was up to date, but I see just a month ago they released a 3.03, which I will be updating to after this reply.
Intel Management Engine appears to be version 11.0.0.1166. Will try to see if I can update it.

EDIT1: Bios updated from 3.00 to 3.03 and after finding this link here my Intel Management Engine reports version 11.7.0.1040. Of the previous 3 Intel vulnerability tools I ran, 2 are still vulnerable after the update. MDS Tool also reports many vulnerabilities still. Though I will have to wait until tonight to see if my computer magically wakes up some more from its monitor-powered-down state.

EDIT2: There was a microcode update for my CPU provided by Windows in KB44650655, however, the update is for 1809 and not 1903. So I cannot update my microcode just yet.

EDIT3: Went to lay down and turned the screen off. Relaxing after 20 min, the screen popped back on by itself. *sigh*
« Last Edit: July 16, 2019, 03:16 PM by Asudem »

mouser

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #32 on: July 16, 2019, 05:10 PM »
Have you tried booting it with a different distribution, like a Linux distro, to see if it's a hardware issue?
What about reinstalling Windows?

Asudem

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #33 on: July 16, 2019, 11:07 PM »
Have you tried booting it with a different distribution, like a Linux distro, to see if it's a hardware issue?
What about reinstalling Windows?
In prior posts, I have run Ubuntu and OpenSUSE Tumbleweed with no problems regarding "screen power time outs", and the monitor has never turned on by itself when left on the distro all night.

This was occurring on my old Win10 drive, I bought a new drive and did a multi-boot install with a fresh install of Win10 and it was doing it the same night I installed the fresh copy. It stopped happening in March but resurfaced immediately after the 1903 update.

app103

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #34 on: July 17, 2019, 04:18 AM »
My guess is that it is some background process or service that is activating it, perhaps some installed software checking for updates, phoning home, or syncing data.

Maybe Chrome, your antivirus, Windows itself, some browser add-on (if you leave your browser open when you go to sleep), e-mail app checking for new mail, a utility from your laptop manufacturer, other software, etc. It could even be your printer, especially if it's a Canon and you accidentally authorized it to phone home with usage statistics, when you installed the software on your laptop. It could even be one of those Start Menu apps that comes with Windows 10 that displays data in your Start menu, such as weather, news, etc.

Deozaan

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #35 on: July 17, 2019, 10:32 AM »
I don't know exactly what causes it, but sometimes my screens reactivate or the screensaver is interrupted whenever a notification pops up from any program. If I get a text, or email, or IM, or any app shows any notification, it can cause the screen to wake up.

It doesn't always happen, but it happens often enough to be a semi-regular thing on my PC. Maybe your laptop is doing something similar.

Asudem

My guess is that it is some background process or service that is activating it, perhaps some installed software checking for updates, phoning home, or syncing data.

Maybe Chrome, your antivirus, Windows itself, some browser add-on (if you leave your browser open when you go to sleep), e-mail app checking for new mail, a utility from your laptop manufacturer, other software, etc. It could even be your printer, especially if it's a Canon and you accidentally authorized it to phone home with usage statistics, when you installed the software on your laptop. It could even be one of those Start Menu apps that comes with Windows 10 that displays data in your Start menu, such as weather, news, etc.

I don't know exactly what causes it, but sometimes my screens reactivate or the screensaver is interrupted whenever a notification pops up from any program. If I get a text, or email, or IM, or any app shows any notification, it can cause the screen to wake up.

It doesn't always happen, but it happens often enough to be a semi-regular thing on my PC. Maybe your laptop is doing something similar.

I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.

I would like some kind of recursive diagnostic logger to help identify the cause of this issue down to the executable, daemon, rootkit, malware, or virus this may be.

Note: Only on my Win10 partition do I exhibit random "screen turn on experiences" with nothing in my log files. OpenSUSE Tumbleweed and Ubuntu 14.04.5 Desktop 64bit.

In my very first post in this thread, I assumed all of this. I just wanted a tool to tell me which thing was doing it!

In somewhat better news, I ran a 40 min ProcMon scan and the screen turned itself on during the logging process. Several hours combing through the scan led to some interesting findings (and a 3GB log file).

  • An entry by svchost.exe frequently used the path "HKLM\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys" with the RESULT as "REPARSE". Jumping to the key led me to the registry entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance", which I found to be a bit odd. Looking through the entries I saw that "fAllowFullControl" and "fEnableChatControl" were enabled as "1", even though in my "System Properties" under the "Remote" tab, "Remote Assistance" was disabled. I changed these entries to "0" to disable them, just in case.
  • I noticed that Tablet Input was being called a lot in the log file. To my surprise, the service was running with no way to stop it, as all the options were greyed out. I could change the service to "Disabled" instead of "Automatic" but I needed to identify the process ID from svchost.exe and terminate it. Though an easier method in retrospect would have been typing "sc queryex TabletInputService" in an elevated command prompt.
  • I can't seem to find too much information on "LockApp.exe" or how it works. But it seems to be at the beginning of all the system calls which were used to turn my screen on. The process appears to be started under my user account and the command line that started the process looks like this:
    Code:
    "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mca
    I can't seem to find any information regarding what the ServerName switch does.
  • In the "Event Properties" for LockApp.exe's listed modules is a "umpdc.dll" located in "C:\Windows\System32\" directory. I sent it to hybrid-analysis for a review. Some of the more suspicious data from the analysis come from the file exports: "PdcSleep", "PdcSleepstudyHelperBlockerActiveDereference", "PdcSleepstudyHelperBlockerActiveReference", "PdcSleepstudyHelperBuildBlocker", and so on.... this is because when I analyzed the SleepStudy log file taken at the exact moment my monitor turned on, all "Process" return "Unknown". It might be something, it might be nothing. I don't know.

After taking the steps above, such as disabling the Remote Assistance registry entries and disabling tablet input, the computer still wakes on its own.
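
For the wake from full sleep with the lid closed and the request for a tool that names the culprit, the following is an added example, not part of the original thread. It pulls the wake source Windows recorded for each recent resume, lists what else the System log recorded around that moment, and shows which devices are armed to wake the machine. It assumes an English-language Windows install (the "Wake Source" text is localized) and changes no settings.

```powershell
# Run from an elevated PowerShell prompt.

# Power-Troubleshooter event 1 is written each time the system leaves a
# sleep state; its message includes the wake source when one is reported.
$wakes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    Id           = 1
} -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($w in $wakes) {
    $source = ($w.Message -split "`r?`n" |
        Where-Object { $_ -match '^Wake Source' }) -join ' '
    "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f $w.TimeCreated, $source

    # Everything else logged from 30 s before to 90 s after the resume:
    # service starts, driver messages, update activity and so on.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        StartTime = $w.TimeCreated.AddSeconds(-30)
        EndTime   = $w.TimeCreated.AddSeconds(90)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -ne 'Microsoft-Windows-Power-Troubleshooter' } |
        Sort-Object TimeCreated |
        ForEach-Object {
            "    {0:HH:mm:ss}  {1}  (event {2})" -f $_.TimeCreated, $_.ProviderName, $_.Id
        }
}

# What woke the machine most recently, according to the power manager.
powercfg /lastwake

# Devices currently allowed to wake the system (network adapters, USB
# input devices); compare with the adapter settings checked earlier.
powercfg /devicequery wake_armed

# Processes, services and drivers holding a display or system power
# request at this moment.
powercfg /requests
```

These events cover resumes from sleep only; a display that comes back on while the system never slept leaves no Power-Troubleshooter entry, so for that case the `powercfg /requests` output taken right after the screen lights up is the part to read.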