IDEA: Possible Malware Debug - HW laptop back-light detector

[Asudem]

I have a problem with my computer, even after a new hard drive "Reach" install of Windows 10, so a fresh Windows 10 install is being used. The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.

I would like some kind of recursive diagnostic logger to help identify the cause of this issue down to the executable, daemon, rootkit, malware, or virus this may be.

Note: Only on my Win10 partition do I exhibit random "screen turn on experiences" with nothing in my log files. OpenSUSE Tumbleweed and Ubuntu 14.04.5 Desktop 64bit.

[Shades]

Are you sure it isn't your mouse sliding, because it is on a surface that isn't level?

Do you know the state of the hardware in the mouse? I have seen older (el cheapo) mouses move the cursor all by themselves when they were connected.Perhaps you don't notice during the day, but at night the hardware in your mouse can "misfire" for a long enough period to activate Windows.

Same is true for wireless mouse/keyboard devices. Some of them start to act weirdly when the batteries have become poor.

In short, a simple process of elimination is likely to produce a much quicker cause for the problem that you experience. Only when your computer is still acting up when you have disconnected all peripherals. It can even be something like your USB mouse/keyboard is supplying too much information than Windows is set to handle. Any operation system can start acting weird with something like that.

[4wd]

Since you say it's doing it after the computer is powered down the obvious thing to do is also switch off the computer PSU.

If the screen is still doing it then it seems likely that it may be caused by random power fluctuations or something in the monitor itself - obvious solution is to turn it off.

If it stops doing it then it's possibly getting random signals over the monitor lead from the gfx card that cause it to wake up. Try a different lead, (shielding maybe a factor), rerouting it away from power leads, etc.

Or the simple solution, turn the monitor off.

The Event Log on the computer will show if it's the computer powering on at random times which causes the monitor to wake up.
If the monitor is lighting up without the computer being on then it's a hardware issue.

[magician62]

Is the machine set to shut down or hybrid hibernate which is the default on W10. If the latter it's not something like  a Wake on LAN or Wake on USB?

[mouser]

It might also be some service like the update service, causing your pc to power on at certain times to check for updates.

[Asudem]

In short, a simple process of elimination is likely to produce a much quicker cause for the problem that you experience. Only when your computer is still acting up when you have disconnected all peripherals. It can even be something like your USB mouse/keyboard is supplying too much information than Windows is set to handle. Any operation system can start acting weird with something like that.

-Shades (December 24, 2018, 10:56 PM)

Hmm, yes. This starts after the monitor has entered it's power-down state while my laptop remains powered on. I can try turning off the wireless mouse at night. I haven't thought of that one.

Or the simple solution, turn the monitor off.

-4wd (December 25, 2018, 05:19 AM)

Well, you'd think that. This is a laptop setup, in which the PSU and monitor are all wedged into one chassis (so to speak), and even using a softswitch (the FN keys) to turn off the monitor, it does power itself back on at random times when I am trying to sleep.

Is the machine set to shut down or hybrid hibernate which is the default on W10. If the latter it's not something like  a Wake on LAN or Wake on USB?

-magician62 (December 25, 2018, 06:52 AM)

I'm really hoping it's not a wake up on either of those! Nothing should ping awake my hardware when I'm not at it! lol

It might also be some service like the update service, causing your pc to power on at certain times to check for updates.

-mouser (December 25, 2018, 09:04 AM)

I've also considered this, but the event logs from checking for updates (at least Window logs) do not match the times of the random powerons.

For the easiest pebuak solution, I will try turning off my wireless mouse.

[4wd]

It does it even when the lid is closed?

[Asudem]

It does it even when the lid is closed?

-4wd (December 25, 2018, 05:37 PM)

My laptop has a hard switch for detecting if it is closed or open, but it is currently set at the Windows software level to hibernate if that happens (apparently, I never close my lid). I have not powered off my mouse yet and I do believe it did light up on its own again, but I have to wonder if it really is the mouse. Although they are different OSes, the OpenSUSE partition, if left on all night, it doesn't seemingly power my screen on if it turns off.

This may just be a mystery left unsolved, but I would still like to theorize at what level could something like this be detected? For example, what is it that Windows constantly looks at to know that it should or should not have the screen in a powered state and what programs can have access to this outside of the API level, such as being used through a .NET call programmed specifically for that rather than the near assembly level instruction that actually takes care of the power on/offs. Surely Function Key suites for laptop need access to this level of hardware for the soft switches of turning off/on the screen. I'm very curious.

[Asudem]

Bumping with new info: With mouse disabled, the backlight is turning on and back off at times not designated by Windows.

[Shades]

Perhaps with a tool like this you are able to find out what instance of software is making your monitor light up.

[4wd]

Going back to the OP:

The problem is that my computer will, at seemingly random points in time during the night, reactivate my screen, after it has powered down.

-Asudem (December 24, 2018, 09:19 PM)

If this is correct then it's a hardware issue - reactivating the screen is not the same as powering up and booting into an OS.
What do you mean by "reactivate" the screen?
Turn the backlight on or something more?
How old is this laptop?

Unplug the charger if it's plugged in - this will remove any transient mains power event from affecting the laptop circuits.
Close the lid - besides sending a signal to Windows this sometimes disconnects the backlight via hardware, (depends on the design).

To clarify, what do you mean by powered down?

[Asudem]

Perhaps with a tool like this you are able to find out what instance of software is making your monitor light up.

-Shades (December 29, 2018, 02:51 PM)

I will investigate this software to see if it can't help trace the problem down, thanks!

Going back to the OP:
...
To clarify, what do you mean by powered down?

-4wd (December 29, 2018, 09:57 PM)

Good question, I should have been more specific: In Power Management, you are given a power option for when you would like your screen turned off at what I assume is the hardware level:
IDEA: Possible Malware Debug - HW laptop back-light detector

Once my afk has been detected for 5 minutes, I expect my screen to soft-power-down, meaning the lcd pixels and backlighting are turned off on my laptop monitor. I also do not expect the screen to resume until such input behavior is received from only my mouse or keyboard. My linux distros follow these rules similarly without power restoring to my monitor unexpectedly.

[4wd]

Good question, I should have been more specific: In Power Management, you are given a power option for when you would like your screen turned off at what I assume is the hardware level:
[ Invalid Attachment ]

Once my afk has been detected for 5 minutes, I expect my screen to soft-power-down, meaning the lcd pixels and backlighting are turned off on my laptop monitor. I also do not expect the screen to resume until such input behavior is received from only my mouse or keyboard. My linux distros follow these rules similarly without power restoring to my monitor unexpectedly.

-Asudem (December 30, 2018, 03:06 PM)

Much better - so just the normal Windows Display off function and not "powered down".

BTW, "reactivate" the screen = turn the backlight on (with no signal, eg. no Desktop) or completely wake the screen, ie. normal backlight/Desktop ?

Asking because my computer has two monitors connected, when Windows turns the display off one monitor will go into standby, the other monitor display will go black but the backlight is still on.

Are you running the latest chipset/graphics drivers?
Besides a mouse, what other peripherals do you have connected and have you tried disconnecting them all (if you have any)?

Something else to try, turn the display off manually using NirCmd (nircmd.exe monitor off) and see if it wakes up.

[Asudem]

BTW, "reactivate" the screen = turn the backlight on (with no signal, eg. no Desktop) or completely wake the screen, ie. normal backlight/Desktop ?
...
Something else to try, turn the display off manually using NirCmd (nircmd.exe monitor off) and see if it wakes up.

-4wd (December 30, 2018, 07:55 PM)

Reactivate = normal backlight/desktop

Latest graphics and chipset drivers.

After nircmd was used to power down the monitor, it was powered up unexpectedly again.

All I have left is my external audio card (wireless headset), my keyboard, 2 external drives, and an external BD drive. I could unplug those too but I doubt those units could also be powering the monitor off as well as back on.

[Shades]

Keyboard can. And if the external drives came with driver and/or back-up software, those could trigger Windows to become active again.

Wireless headset uses BlueTooth? That sure can re-activate the audio system from Windows again when battery level from the wireless headset goes below a certain level. Same can be true with a wireless keyboard that uses Bluetooth.

The external BD device is the least suspect. The process of elimination to find the suspect device really requires you to disconnect everything from your laptop. Not just the devices that you think is logical.

Because this problem is playing long enough to make a thread for it on this forum, I think it is safe to assume that we are (long) past the stage of applying the logic that already has been applied and didn't solve your problem.

So, disconnect everything external, cut power to any of them, keeping all of them out of Bluetooth range, etc. If your laptop still activates at random, you can be sure that it something in your Windows installation or the hardware of your laptop and not something external. Right now it is unclear (to me) what is connected and what not. So better start from the most essential setup to get a good bearing of where to look for your problem.

[Asudem]

Keyboard can. And if the external drives came with driver and/or back-up software, those could trigger Windows to become active again.

-Shades (January 01, 2019, 01:58 PM)

If my keyboard is phantom stroking itself off at 2 or 4 in the morning when I am trying to sleep I will be pissed. Also, note, I said it does not happen in other OSes.

No backup software or drivers to my knowledge outside whatever MS provides with Win10.

Wireless headset uses BlueTooth?

RF receiver, which blinks when deactivated and stays lit when activated. It has never stayed lit when the monitor has powered back on, or if it has, the headset itself would be plugged into a power outlet and is just broadcasting silence. The random on/off of my screen has been observed in both states.

Not just the devices that you think is logical.

Turning the machine off to avoid the issue is a logical fix. This disconnects all power. I am not looking for logic. I am looking to find the answer.

Logic would imply I would be staring at my screenless laptop while all items are disconnected through countless nights of waiting for the issue to happen, and then it happens, then I have nothing other than a confirmation some process in Windows is causing this. As I have stated before, no other OSes do this.

Logic would also imply these devices cannot turn the screen back off at a non-designated Windows time (5 min), and yet, the light can turn off in anywhere from 5 sec after turning on to 2 min after turning on.

Logic does not explain that any of these devices could also cause the screen to power down.

EDIT: One minor note, I am experiencing what appear to be unrelated power fluctuations on the circuit in my house with lights flashing as well. This behavior as observed on my laptop is as follows:
The laptop detects a power drop and momentarily enters battery mode, in which it has a different set of rules to follow for powering the monitor off and the event is logged as a "power unplugged" event. When power is restored to the laptop, usually within a few moments, the backlight will kick into full brightness under the "plugged in" profile, and will recognize (somehow) the monitor should be in the powered off state, as its states was never cleared properly when it was plugged in, and will turn off my monitor once again. This is observed and consistent behavior.

EDIT2: I feel that this is the closest answer I can find to monitor power on/off behaviors.

[4wd]

You could try setting the screensaver timeout the same as display off timeout and then watch for Event ID 4802 and 4803 in the Security Eventlog.

It may give info about the calling process, it may not - most likely not but it's something to try.

See here:
https://superuser.co...cmd-upon-screensaver

The other obvious question is:
When did you first notice it happening, (and does it coincide with anything else, eg. software install, power fluctuations)?

eg. Until I recently decided to uninstall ~20 programs I no longer use, my computer would not go into Sleep mode, something I had become used to.
Now it does again.

Another experiment, instead of just getting it to turn the display off, have it also Lock the computer.
This will require physical interaction with the mouse or keyboard to have the display turn on.

[Asudem]

I like the idea of creating a log entry when the screensaver times out, that's very clever. I don't have gpedit as I don't have pro but you may be onto something.

EDIT: Oh, what? Event IDs 4802 and 4803 do not appear in my event logs even when manually activated... 

When did you first notice it happening, (and does it coincide with anything else, eg. software install, power fluctuations)?

-4wd (January 01, 2019, 05:14 PM)

It first started doing this on my machine sometime at the beginning of last year, so about a year ago now. The house power fluctuations are more recent, the beginning of Winter 2018. I can only monitor what I am awake for and it only happens in the dark, all lights off, and when I am in bed. It is quite possible the process knows this through some sort of malware hijacking my cam, as the monitor never shuts off by itself while being used. However, no such exe was found using my webcam when I had Avast Pro's webcam anti-spy thing, there was no activity logged but I was still suspicious.

eg. Until I recently decided to uninstall ~20 programs I no longer use, my computer would not go into Sleep mode, something I had become used to.
Now it does again.

It did this the night of the fresh Win10 install on a new hard drive about a month ago. So it survived an entire Hard Drive and OS clean install. Again, left overnight, no forms of Linux seem affected.

Another experiment, instead of just getting it to turn the display off, have it also Lock the computer.
This will require physical interaction with the mouse or keyboard to have the display turn on.

It's worth a shot, but I highly doubt this will affect it in any manner.

EDIT: I can't seem to find a "require login on wake" setting, but I do find a "allow wake timers" which might not have been modified on my old machine and was set to "important only", and I have now set it to "disabled". I have also set the "Screen Saver" to "none" and require login after the same amount of time as the power management to turn off my monitor.

However: None of this can explain what turns my monitor back off after turning it on.

EDIT2: Found this in my security audit. Should I be concerned? Why would chome.exe be in there while I'm using it to read this reply?

Spoiler

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/1/2019 4:38:40 PM
Event ID:      4798
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DESKTOP-GHRIIHN
Description:
A user's local group membership was enumerated.

Subject:
   Security ID:      DESKTOP-GHRIIHN\bigge
   Account Name:      bigge
   Account Domain:      DESKTOP-GHRIIHN
   Logon ID:      0x1E8E43D2

User:
   Security ID:      DESKTOP-GHRIIHN\bigge
   Account Name:      bigge
   Account Domain:      DESKTOP-GHRIIHN

Process Information:
   Process ID:      0x24e4
   Process Name:      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Event Xml:
<Event xmlns="http://schemas.micro...2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2019-01-02T00:38:40.791620000Z" />
    <EventRecordID>16146</EventRecordID>
    <Correlation ActivityID="{4e25fc43-9d83-0005-52fc-254e839dd401}" />
    <Execution ProcessID="868" ThreadID="15548" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-GHRIIHN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">bigge</Data>
    <Data Name="TargetDomainName">DESKTOP-GHRIIHN</Data>
    <Data Name="TargetSid">S-1-5-21-1929593028-2655745888-1613840321-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1929593028-2655745888-1613840321-1001</Data>
    <Data Name="SubjectUserName">bigge</Data>
    <Data Name="SubjectDomainName">DESKTOP-GHRIIHN</Data>
    <Data Name="SubjectLogonId">0x1e8e43d2</Data>
    <Data Name="CallerProcessId">0x24e4</Data>
    <Data Name="CallerProcessName">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
  </EventData>
</Event>

[4wd]

Again, left overnight, no forms of Linux seem affected.

-Asudem (January 01, 2019, 05:52 PM)

Saying that Linux is unaffected is pretty close to pointless as Linux won't be affected unless it is a physical hardware issue, (eg. intermittent contact in the keyboard), as that is the only common ground between Linux and Windows.

It would have relevance if Linux used the same drivers and ran the same processes ... but then it would be Windows.  So it still doesn't exclude peripherals from the equation.

It did this the night of the fresh Win10 install on a new hard drive about a month ago. So it survived an entire Hard Drive and OS clean install.

In the absence of information, can we assume that most, if not all, of the Windows telemetry has not been disabled?

Considering this has been occurring since OS installation and the amount of crap that Windows collects and sends back to Microsoft at who knows what times, it might be related to that.

EDIT2: Found this in my security audit. Should I be concerned? Why would chome.exe be in there while I'm using it to read this reply?

It's Google, they along with Microsoft want to collect everything about you, this is common knowledge - since you've knowingly installed Chrome I would have thought you'd expect to see it's grubby little feet trampling through your machine 

Event ID 4798

But if it makes you feel easier, I'm not seeing anything like that for Vivaldi, Iridium, or Slimjet - all based on the same source code.  I don't use any type of browser account for syncing, bookmarks, passwords, etc - so who knows, it may be related to that.

However: None of this can explain what turns my monitor back off after turning it on.

Find what's turning it on since the second event can't happen without the first event.

[Asudem]

It would have relevance if Linux used the same drivers and ran the same processes ... but then it would be Windows.  So it still doesn't exclude peripherals from the equation.

-4wd (January 01, 2019, 10:26 PM)

Interesting. So you're saying it would be at the driver level anyway if any tampering would be had, and not by faulty hardware. Alright, I can buy that. I thought people were trying to argue that the hardware itself was doing it, not the drivers. This makes more sense.

In the absence of information, can we assume that most, if not all, of the Windows telemetry has not been disabled?

Initially, yes. I have since run Blackbird and disabled (seemingly all telemetry. It has done the on/off thing since this.

It's Google, they along with Microsoft want to collect everything about you, this is common knowledge - since you've knowingly installed Chrome I would have thought you'd expect to see it's grubby little feet trampling through your machine 

Google has a big enough footprint on me that I've become rather comfy knowing if I'm suddenly wanted for murder or something, their activity could just prove I was on the toilet while the crime was committed or whatever. Microsoft, meh, but to see chrome itself as an executable accessing what is essentially the area of Windows in which users are authenticated is a little shocking. I'm not fully alarmed by it, but it is quite the unexpected appearance.

Find what's turning it on since the second event can't happen without the first event.

That's why I created this thread and hoped some sort of ProcMon like software existed or could exist, to diagnose this issue. The program Shades mentioned might be able to help out there, but if only I can figure out how to utilize it. Hmm....

Going to unplug everything but power and wifi tonight, see if it happens again.

[4wd]

I thought people were trying to argue that the hardware itself was doing it, not the drivers.

-Asudem (January 01, 2019, 11:49 PM)

Due to the "murkiness" of the original post, eg. "powered down" as opposed to Windows turning the display off. 

First step should still be remove all peripherals, mice, RF transceivers, external HDDs, etc, etc - so we'll see what happens.

That's why I created this thread and hoped some sort of ProcMon like software existed or could exist, to diagnose this issue.

There's also Sysmon which will log to the Event Log.

[Asudem]

I thought people were trying to argue that the hardware itself was doing it, not the drivers.

-Asudem (January 01, 2019, 11:49 PM)

Due to the "murkiness" of the original post, eg. "powered down" as opposed to Windows turning the display off. 

First step should still be remove all peripherals, mice, RF transceivers, external HDDs, etc, etc - so we'll see what happens.

That's why I created this thread and hoped some sort of ProcMon like software existed or could exist, to diagnose this issue.

There's also Sysmon which will log to the Event Log.

-4wd (January 02, 2019, 12:33 AM)

I will be doing this, and also using a NANY 2019 app from Mouser! Gonna let it run all night!

[4wd]

How to check monitor state

Possible take the code, loop it every minute with the result being output to a text file with a timestamp - this might enable you to narrow down any possible culprit in Eventlog, etc.

[Asudem]

Ooooh, fancy that! Nice find, thanks much! 

EDIT: It's nearly 3am and I just want this batch processing to finish so I can disconnect everything. The Laptop Buyers Remorse is really real tonight folks...

EDIT2: I didn't sleep, and no, it never turned on. I guess I'll try again before I actually fall asleep.

[Asudem]

It just turned itself on again by itself this morning. I don't think there's a possible way to diagnose this according to you guys other than blaming drivers or peripherals.