Last post Author Topic: IDEA: Possible Malware Debug - HW laptop back-light detector  (Read 4900 times)

BGM

Re: IDEA: Possible Malware Debug - HW laptop back-light detector
« Reply #25 on: February 17, 2019, 11:06 AM »
I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.


Maybe look to see if you have your network NIC set to wake up?
https://www.howtogee...ing-your-windows-pc/

Other than that, I believe this is probably some software issue or system setting.

Asudem

« Reply #26 on: July 11, 2019, 04:56 PM »
Maybe look to see if you have your network NIC set to wake up?
https://www.howtogee...ing-your-windows-pc/
All those settings have been disabled.

Sorry to bump an old thread but I updated to Win10 1903 and the problem has come back. Last night, the monitor powered on, so I got up and turned the machine onto airplane mode just to be sure, went back to bed, and after a few hours, it did turn on again. I am at my wits' end here. I need to trace the root of this problem!
If I do it more than 2 times I want to automate it in C#!

Shades

« Reply #27 on: July 11, 2019, 08:53 PM »
Are you sure there is not a scheduled task configured in your system that triggers the monitor/Windows to activate again?

Even if you did not configure one or never even have created such a task on your system, that doesn't mean such a task won't exist. And yes, although the name implies that these tasks are executed based on any kind of time interval, you can also create tasks that are triggered by changes in software or settings that happen in your system. A Microsoft update could have added such a task.

Asudem

« Reply #28 on: July 13, 2019, 10:43 PM »
Are you sure there is not a scheduled task configured in your system that triggers the monitor/Windows to activate again?

Even if you did not configure one or never even have created such a task on your system, that doesn't mean such a task won't exist. And yes, although the name implies that these tasks are executed based on any kind of time interval, you can also create tasks that are triggered by changes in software or settings that happen in your system. A Microsoft update could have added such a task.

I will check, but just moments ago my screen turned itself off by itself for the first time during use. All previous instances in which it has turned on/off were not during use.

Asudem

« Reply #29 on: July 16, 2019, 07:59 AM »
Using procmon and nircmd, I began banging away at various programs that were performing tasks while the computer's monitor was off to no avail. Last night the screen turned on unprovoked several times.

We had also once wondered if it still happened "when the lid is closed". I got fed up and closed my lid and my computer entered full sleep mode rather than the monitor powering off after a timeout. Several minutes later, yes, my computer woke up while the lid was still closed.

I am literally losing sleep over this.

ConstanceJill

« Reply #30 on: July 16, 2019, 09:45 AM »
Which laptop model is it?

Are the BIOS and Intel Management Engine Firmware (if applicable) up to date?

Asudem

« Reply #31 on: July 16, 2019, 10:25 AM »
Which laptop model is it?

Are the BIOS and Intel Management Engine Firmware (if applicable) up to date?
-ConstanceJill (July 16, 2019, 09:45 AM)
Model: ASUS ROG GL752VW
Bios was up to date, but I see just a month ago they released a 3.03, which I will be updating to after this reply.
Intel Management Engine appears to be version 11.0.0.1166. Will try to see if I can update it.

EDIT1: Bios updated from 3.00 to 3.03 and after finding this link here my Intel Management Engine reports version 11.7.0.1040. Of the previous 3 Intel vulnerability tools I ran, 2 are still vulnerable after the update. MDS Tool also reports many vulnerabilities still. Though I will have to wait until tonight to see if my computer magically wakes up some more from its monitor-powered-down state.

EDIT2: There was a microcode update for my CPU provided by windows in KB44650655, however, the update is for 1809 and not 1903. So I cannot update my microcode just yet.

EDIT3: Went to lay down and turned the screen off. Relaxing after 20 min, the screen popped back on by itself. *sigh*
« Last Edit: July 16, 2019, 03:16 PM by Asudem »

mouser

« Reply #32 on: July 16, 2019, 05:10 PM »
Have you tried booting it with a different distribution, like a Linux distro, to see if it's a hardware issue?
What about reinstalling windows?

Asudem

« Reply #33 on: July 16, 2019, 11:07 PM »
Have you tried booting it with a different distribution, like a Linux distro, to see if it's a hardware issue?
What about reinstalling windows?
In prior posts, I have run Ubuntu and OpenSUSE Tumbleweed with no problems regarding "screen power time outs", and the monitor has never turned on by itself when left on the distro all night.

This was occurring on my old Win10 drive, I bought a new drive and did a multi-boot install with a fresh install of Win10 and it was doing it the same night I installed the fresh copy. It stopped happening in March but resurfaced immediately after the 1903 update.

app103

« Reply #34 on: July 17, 2019, 04:18 AM »
My guess is that it is some background process or service that is activating it, perhaps some installed software checking for updates, phoning home, or syncing data.

Maybe Chrome, your antivirus, Windows itself, some browser add-on (if you leave your browser open when you go to sleep), e-mail app checking for new mail, a utility from your laptop manufacturer, other software, etc. It could even be your printer, especially if it's a Canon and you accidentally authorized it to phone home with usage statistics, when you installed the software on your laptop. It could even be one of those Start Menu apps that comes with Windows 10 that displays data in your Start menu, such as weather, news, etc.

Deozaan

« Reply #35 on: July 17, 2019, 10:32 AM »
I don't know exactly what causes it, but sometimes my screens reactivate or the screensaver is interrupted whenever a notification pops up from any program. If I get a text, or email, or IM, or any app shows any notification, it can cause the screen to wake up.

It doesn't always happen, but it happens often enough to be a semi-regular thing on my PC. Maybe your laptop is doing something similar.

Asudem

« Reply #36 on: July 18, 2019, 05:11 PM »
My guess is that it is some background process or service that is activating it, perhaps some installed software checking for updates, phoning home, or syncing data.

Maybe Chrome, your antivirus, Windows itself, some browser add-on (if you leave your browser open when you go to sleep), e-mail app checking for new mail, a utility from your laptop manufacturer, other software, etc. It could even be your printer, especially if it's a Canon and you accidentally authorized it to phone home with usage statistics, when you installed the software on your laptop. It could even be one of those Start Menu apps that comes with Windows 10 that displays data in your Start menu, such as weather, news, etc.

I don't know exactly what causes it, but sometimes my screens reactivate or the screensaver is interrupted whenever a notification pops up from any program. If I get a text, or email, or IM, or any app shows any notification, it can cause the screen to wake up.

It doesn't always happen, but it happens often enough to be a semi-regular thing on my PC. Maybe your laptop is doing something similar.

I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.

I would like some kind of recursive diagnostic logger to help identify the cause of this issue down to the executable, daemon, rootkit, malware, or virus this may be.

Note: Only on my Win10 partition do I exhibit random "screen turn on experiences" with nothing in my log files. OpenSUSE Tumbleweed and Ubuntu 14.04.5 Desktop 64bit.

In my very first post in this thread, I assumed all of this. I just wanted a tool to tell me which thing was doing it!

In somewhat better news, I ran a 40 min ProcMon scan and the screen turned itself on during the logging process. Several hours combing through the scan led to some interesting findings (and a 3GB log file).

  • An entry by svchost.exe frequently used the path "HKLM\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys" with the RESULT as "REPARSE". Jumping to the key led me to the registry entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance", which I found to be a bit odd. Looking through the entries I saw that "fAllowFullControl" and "fEnableChatControl" were enabled as "1", even though in my "System Properties" under the "Remote" tab, "Remote Assistance" was disabled. I changed these entries to "0" to disable them, just in case.
  • I noticed that Tablet Input was being called a lot in the log file. To my surprise, the service was running with no way to stop it, as all the options were greyed out. I could change the service to "Disabled" instead of "Automatic" but I needed to identify the process ID from svchost.exe and terminate it. Though an easier method in retrospect would have been typing "sc queryex TabletInputService" in an elevated command prompt.
  • I can't seem to find too much information on "LockApp.exe" or how it works. But it seems to be at the beginning of all the system calls which were used to turn my screen on. The process appears to be started under my user account and the command line that started the process looks like this ["C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mca] I can't seem to find any information regarding what the ServerName switch does.
  • In the "Event Properties" for LockApp.exe's listed modules is a "umpdc.dll" located in "C:\Windows\System32\" directory. I sent it to hybrid-analysis for a review. Some of the more suspicious data from the analysis come from the file exports: "PdcSleep", "PdcSleepstudyHelperBlockerActiveDereference", "PdcSleepstudyHelperBlockerActiveReference", "PdcSleepstudyHelperBuildBlocker", and so on.... this is because when I analyzed the SleepStudy log file taken at the exact moment my monitor turned on, all "Process" return "Unknown". It might be something, it might be nothing. I don't know.

After taking the steps above, such as disabling the Remote Assistance registry entries and disabling tablet input, the computer still wakes on its own.
« Last Edit: July 18, 2019, 08:45 PM by Asudem »

Deozaan

« Reply #37 on: July 18, 2019, 07:47 PM »
In my very first post in this thread, I assumed all of this. I just wanted a tool to tell me which thing was doing it!

My apologies. Nothing I read in your OP indicates that you assumed it was a notification (which could be from any/every application running on your PC!) that kept waking your monitor.

I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.

I would like some kind of recursive diagnostic logger to help identify the cause of this issue down to the executable, daemon, rootkit, malware, or virus this may be.

Note: Only on my Win10 partition do I exhibit random "screen turn on experiences" with nothing in my log files. OpenSUSE Tumbleweed and Ubuntu 14.04.5 Desktop 64bit.

Asudem

« Reply #38 on: July 18, 2019, 07:54 PM »
My apologies. Nothing I read in your OP indicates that you assumed it was a notification (which could be from any/every application running on your PC!) that kept waking your monitor.
Well, some executable/application/program has to send a notification? Right? The "Focus Assist" notifications have never affected my screen-time outs or screen savers. If you can think of any other ways "notifications" appear and can be traced, please enlighten me.

EDIT: Looking at those notifications, each one is very descriptive of what is sending the notification: Microsoft Store, Google Chrome, Windows Security, etc... if it were that easy, I don't think I would have created this thread.

EDIT2: Disabled notifications completely and will see if that yields any results.

EDIT3: If that were the case, however, I have never disabled notifications, and for months this problem has not been happening, just after I updated...

EDIT4: I seem to recall sitting down at my monitor-off computer, jiggling the mouse, seeing the lock screen, then notifications will appear, yes, but it has never woken the screen before.

EDIT5: It seems "ShellExperienceHost.exe" is the executable for Notification/Action Center and I can verify it was running in my process tree for the duration of my 40 min 3GB log file, but it had 0 events associated with it.
« Last Edit: July 18, 2019, 08:38 PM by Asudem »

ewemoa

FWIW, according to the following article which discusses LockApp.exe, it can be disabled:

https://www.howtogee...p.exe-on-windows-10/

Asudem

« Reply #40 on: July 18, 2019, 08:45 PM »
FWIW, according to the following article which discusses LockApp.exe, it can be disabled:

https://www.howtogee...p.exe-on-windows-10/

Interesting, thank you! I've made the change in the registry and will see if this combined with no notifications has any effect tonight.

3am EDIT: *SLAMS HEAD MULTIPLE TIMES ON DESK* Nothing.... nothing can stop this...
« Last Edit: July 19, 2019, 04:52 AM by Asudem »

ewemoa

Sorry it's still around.

On the off-chance you haven't seen the following, this thread sounded awfully similar:

https://www.tenforum...tiple-computers.html

It appears there was some success for the original poster described on the second page of the thread, with the original suggestion (plus link to article) on the first page.

Asudem

« Reply #42 on: July 19, 2019, 07:59 PM »
Sorry it's still around.

On the off-chance you haven't seen the following, this thread sounded awfully similar:

https://www.tenforum...tiple-computers.html

It appears there was some success for the original poster described on the second page of the thread, with the original suggestion (plus link to article) on the first page.
Thank you! I tried quite a bit from that thread. I also find the following commands from ghacks VERY useful, and might make a snack to make this a little easier:

Command line Fu

Here is a list of useful commands that can help you find out more about your PC's sleep mode and wake up configuration:

powercfg -a displays a list of available sleep states of the computer.
powercfg -devicequery wake_armed lists all devices that can wake the computer
powercfg -devicequery wake_programmable lists all devices that can be programmed to wake up the PC.
powercfg -devicedisablewake "exact device name" disables the wake functionality of the selected device.
powercfg -deviceenablewake "exact device name" will enable that device again.
powercfg -lastwake displays the last device that woke up the PC.
powercfg -waketimers lists all active wake timers.
« Last Edit: July 19, 2019, 08:41 PM by Asudem »
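
The powercfg queries listed in the post above, together with two checks raised earlier in the thread (scheduled tasks that may wake the machine, and the wake sources Windows itself records), collected into one report. This is an added example, not code from the thread: the report path, the `powercfg -requests` query and the Power-Troubleshooter event lookup are additions, and the `Wake Source:` match assumes an English-language Windows install.

```powershell
#Requires -RunAsAdministrator
# Added example: snapshot of everything that is currently allowed to wake this PC.
# Run from an elevated PowerShell prompt. The report path is an assumption.

$report = Join-Path $env:TEMP ("wake-triage-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

function Add-Section {
    param([string]$Title, [object]$Body)
    "`r`n=== $Title ===" | Out-File -FilePath $report -Append
    ([string]($Body | Out-String)).TrimEnd() | Out-File -FilePath $report -Append
}

# 1. The powercfg queries from the list above.
Add-Section 'Devices armed to wake' (powercfg -devicequery wake_armed)
Add-Section 'Active wake timers'    (powercfg -waketimers)
Add-Section 'Last wake source'      (powercfg -lastwake)

# Not in the list above: processes, drivers and services that currently hold
# DISPLAY / SYSTEM power requests (these keep or turn the screen on).
Add-Section 'Outstanding power requests' (powercfg -requests)

# 2. Scheduled tasks that are permitted to wake the computer, including ones
#    the user never created (see the scheduled-task suggestion in the thread).
$wakeTasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.Settings.WakeToRun } |
    Select-Object TaskPath, TaskName, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }
Add-Section 'Scheduled tasks with WakeToRun' ($wakeTasks | Format-Table -AutoSize)

# 3. Wake sources Windows recorded each time it resumed from a low-power state
#    (System log, Power-Troubleshooter, event ID 1) over the last 7 days.
$wakes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # English message text assumed; other locales fall through to 'n/a'.
        $source = if ($_.Message -match 'Wake Source:\s*(.+)') { $Matches[1].Trim() } else { 'n/a' }
        [pscustomobject]@{ Time = $_.TimeCreated; WakeSource = $source }
    }
Add-Section 'Resume events, last 7 days' ($wakes | Sort-Object Time | Format-Table -AutoSize)

Write-Output "Report written to $report"
```

Running it once before bed and once after an unexplained wake gives two reports that can be diffed for a new wake timer, task or power request.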

Asudem

« Reply #43 on: July 20, 2019, 03:08 AM »
It turned on again... I'm fairly close to igniting this computer in gasoline. I'm just going to say it's cursed at this point.

No more laptops for me. I'll build a nice desktop with a Linux distro that can run my favorite games. None of this NVIDIA Optimus tripe.

mouser

« Reply #44 on: July 20, 2019, 04:53 AM »
Have you checked in the bios and made sure you have all wake-on-lan and any other fishy options disabled?

If you turn off your network adapter (e.g. disconnect ethernet, disconnect from wireless), does the problem still happen?
Have you tried turning off automatic update checking?

Have you any 3rd party (like laptop manufacturer, or intel) app that might be trying to check regularly for updates?

Asudem

« Reply #45 on: July 20, 2019, 05:43 AM »
Have you checked in the bios and made sure you have all wake-on-lan and any other fishy options disabled?

If you turn off your network adapter (e.g. disconnect ethernet, disconnect from wireless), does the problem still happen?
Have you tried turning off automatic update checking?

Have you any 3rd party (like laptop manufacturer, or intel) app that might be trying to check regularly for updates?

I don't believe my BIOS has that option. I will check again soon.

I have been in airplane mode and it still wakes up.

My Blizzard agent checks for updates regularly, but in the months it ran before my 1903 update it ran and updated fine without waking up my screen.

I'm not sure how much farther I want to go down this rabbit hole. I could be messing with power configs, notification settings, network stuff, and registry entries forever. It's insane to see this problem I'm having be so difficult to diagnose for what seems like a simplistic function of the operating system.

mouser

« Reply #46 on: July 20, 2019, 07:02 AM »
I hear ya.. This kind of thing makes me feel like I'm losing my mind. My neighbors hear my screams and think I am going insane.

Asudem

« Reply #47 on: July 22, 2019, 08:02 AM »
TAKING THE SLEDGEHAMMER APPROACH

Alright, so... I've decided something: If I don't move my mouse, I don't want the screen to turn on!

After failing to figure out how to use RegisterPowerSettingNotification to figure out if my display was on or off, I found that Windows API Code Pack can also do this. So, I whipped up a small little C# program for myself:

Code: C#
```csharp
using System;
using System.Drawing;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using Microsoft.WindowsAPICodePack.ApplicationServices;

namespace ReSleeper
{
    public partial class Form1 : Form
    {
        // Cursor position captured when the display was switched off on purpose.
        Point point = new Point();
        const int HWND_BROADCAST = 0xffff, WM_SYSCOMMAND = 0x0112, SC_MONITORPOWER = 0xF170;

        public Form1()
        {
            InitializeComponent();
        }

        public class Display
        {
            // PostMessage returns a Win32 BOOL, so marshal it as bool.
            [DllImport(@"User32", CharSet = CharSet.Auto)]
            [return: MarshalAs(UnmanagedType.Bool)]
            private static extern bool PostMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);

            public static void PowerOff()
            {
                PostMessage(
                   (IntPtr)HWND_BROADCAST,  // all top-level windows
                   WM_SYSCOMMAND,
                   (IntPtr)SC_MONITORPOWER,
                   (IntPtr)0x0002           // lParam 2 = display power off
                );
            }
        }

        private void button1_Click(object sender, EventArgs e)
        {
            point = Cursor.Position;
            Display.PowerOff();
            // Detach first so repeated clicks do not stack duplicate handlers.
            PowerManager.IsMonitorOnChanged -= PowerManager_IsMonitorOnChanged;
            PowerManager.IsMonitorOnChanged += PowerManager_IsMonitorOnChanged;
        }

        private void PowerManager_IsMonitorOnChanged(object sender, EventArgs e)
        {
            // Display came back on but the cursor has not moved: switch it off again.
            Point point2 = Cursor.Position;
            if (PowerManager.IsMonitorOn && point == point2)
                Display.PowerOff();
        }
    }
}
```

Basically, if the monitor powers on for whatever reason, and the mouse cursor has not moved, it will turn off again! Hurrah! No more getting out of bed walking to the computer! It's almost instantaneous when I try to use my keyboard to wake my machine up! I can add logging to this to get an idea of when the mouseless events occur and try to compare them to event logs.

But for now... it's time to enjoy some monitor-off sleep  :Thmbsup:
« Last Edit: July 22, 2019, 08:19 AM by Asudem »
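
One way to do the comparison with event logs that the post above mentions, as an added example that is not part of the original post. It assumes ReSleeper has been extended to append one timestamp per line to a text file each time the display comes on without mouse movement; the file path, the parameter names and the 60-second window are hypothetical.

```powershell
# Added example: list what Windows logged around each unexplained display wake.
# Assumption: $WakeLog holds one timestamp per line, e.g. 2019-07-22T03:14:07,
# written by a logging addition to the program above (hypothetical file).
param(
    [string]$WakeLog       = "$env:TEMP\resleeper-wakes.log",
    [int]   $WindowSeconds = 60
)

# The Task Scheduler operational log is disabled on many systems; if it is,
# the query below simply returns nothing for it.
$logs = 'System', 'Application', 'Microsoft-Windows-TaskScheduler/Operational'

$hits = foreach ($line in Get-Content -Path $WakeLog) {
    $t = [datetime]::MinValue
    if (-not [datetime]::TryParse($line.Trim(), [ref]$t)) { continue }   # skip junk lines

    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            StartTime = $t.AddSeconds(-$WindowSeconds)
            EndTime   = $t.AddSeconds($WindowSeconds)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Wake      = $t
                OffsetSec = [int](($_.TimeCreated - $t).TotalSeconds)
                Log       = $log
                Provider  = $_.ProviderName
                Id        = $_.Id
                Message   = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
    }
}

# Per-wake detail, ordered by how close each event was to the wake.
$hits | Sort-Object Wake, OffsetSec | Format-Table -AutoSize -Wrap

# Provider / event-ID pairs that show up near more than one wake are the
# strongest leads; one-off events are more likely coincidence.
$hits | Group-Object Provider, Id | ForEach-Object {
    [pscustomobject]@{
        Provider = $_.Group[0].Provider
        Id       = $_.Group[0].Id
        Wakes    = ($_.Group.Wake | Sort-Object -Unique).Count
        Events   = $_.Count
    }
} | Where-Object Wakes -gt 1 | Sort-Object Wakes -Descending | Format-Table -AutoSize
```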