Some HP machines have a keylogger installed with the Audio Driver, here’s how to disable it
HP is quite well-known for its pre-installed software on its laptops and PCs, as with most OEMs, however, while we’ve become accustomed to dealing with pre-installed software (and the process of removing it on a freshly-purchased computer), HP appears to be overstepping its mark by installing a keylogger with the audio driver on some of its laptops (via Bleeping Computer).
The keylogger, packaged with the Conexant HD Audio Driver Package in version 18.104.22.168 and earlier, has been discovered by researchers. With this audio driver comes a file, MicTray64.exe (or MicTray.exe for non-64-bit users), which has a Scheduled Task to run each time the user logs-on to their machine. Essentially, each time a key on the keyboard is pressed, it records it. The keystrokes are then stored in a plaintext file – definitely not a secure way of storing every key pressed on a machine.
The keystroke log is stored at C:\users\public\MicTray.log.
This file can be accessed by other users of the machien or, potentially more worrisome, by any program installed on the computer. Additionally, should the file not exist, it will instead pass the keystrokes to an API named OutputDebugString. This API can then be used by programs, with or without malicious intent, to view the keystrokes directly, in real-time.
So far, 28 models released by HP are known to be affected. Investigators looking into the security issue have not ruled out the potential for other models, and other manufacturers, to also be affected. The following are the known models affected:
- HP EliteBook 820 G3 Notebook PC
- HP EliteBook 828 G3 Notebook PC
- HP EliteBook 840 G3 Notebook PC
- HP EliteBook 848 G3 Notebook PC
- HP EliteBook 850 G3 Notebook PC
- HP ProBook 640 G2 Notebook PC
- HP ProBook 650 G2 Notebook PC
- HP ProBook 645 G2 Notebook PC
- HP ProBook 655 G2 Notebook PC
- HP ProBook 450 G3 Notebook PC
- HP ProBook 430 G3 Notebook PC
- HP ProBook 440 G3 Notebook PC
- HP ProBook 446 G3 Notebook PC
- HP ProBook 470 G3 Notebook PC
- HP ProBook 455 G3 Notebook PC
- HP EliteBook 725 G3 Notebook PC
- HP EliteBook 745 G3 Notebook PC
- HP EliteBook 755 G3 Notebook PC
- HP EliteBook 1030 G1 Notebook PC
- HP ZBook 15u G3 Mobile Workstation
- HP Elite x2 1012 G1 Tablet
- HP Elite x2 1012 G1 with Travel Keyboard
- HP Elite x2 1012 G1 Advanced Keyboard
- HP EliteBook Folio 1040 G3 Notebook PC
- HP ZBook 17 G3 Mobile Workstation
- HP ZBook 15 G3 Mobile Workstation
- HP ZBook Studio G3 Mobile Workstation
- HP EliteBook Folio G1 Notebook PC
To prevent keystrokes being recorded, a registry change is needed. Reddit user _My_Angry_Account_ explained the process:
- Start the Registry Editor (regedit).
- In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.
- Right click on image file execution options > New > Key
- Name the new key MicTray.exe
- Right click new MicTray.exe key > New > String value
- Name the new value debugger
- Set new “debugger” string value data to: devenv /debugexe
If on a 64-bit machine, replace the above file name with MicTray64.exe.
HP are yet to comment on the reports.Further reading: HP, Keylogger, Security