The Conexant audio driver logs all keystrokes on certain HP machines and publishes them to a file in the Public folder

Today, while Microsoft extols the virtues of Windows 10 S and HoloLens at the Build keynote, many who have an HP machine will be dealing with a new, unexpected tech problem. Swiss security firm modzero AG released a white paper (PDF) that contains details about a keylogger in certain HP audio drivers. The keylogger stores a record of every keystroke in a file located in the public folder C:\Users\Public\MicTray.log. Fortunately, there's an easy way to check whether the MicTray keylogger is on your machine and, if so, to get rid of it.

According to modzero, the keylogger is part of the driver set for Conexant audio chips. In its Security Advisory, modzero says:

Software packages known to be affected:
Recent and previous (Q2/2017) HP Audiodriver Packages / Conexant High-Definition (HD) Audio Driver Version 10.0.931.89 REV: Q PASS: 5 (ftp://whp-aus1.cold.extweb.hp.com/pub/softpaq/sp79001-79500/sp79420.html)
Probably other hardware vendors, shipping Conexant hardware and drivers

The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, including EliteBook, ProBook, ZBook, and Elite x2 models running both Windows 10 and Win7. It's an impressive lineup, including many current models. Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It's still there today with driver version 1.0.0.46.

The mechanism is simple enough. In modzero's words:

Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user's keystrokes.

I have no idea how the driver passed Microsoft certification, but apparently it has.

Here is the fix proposed by modzero:

All users of HP computers should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore. However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.

I'd go one step further. If you have a Conexant audio chip—Speccy will tell you—go through those steps, make sure that MicTray64.exe gets renamed, and delete current and backed-up copies of MicTray.log. Note that the log sits in a folder every local account can read, so it is not only the logged-in user's secrets that are exposed; anything typed while the file existed is there for any other user of the machine, or any backup or sync tool that picked it up.

Modzero isn't happy with the runaround it's getting from HP. The group says it discovered the keylogger in MicTray 1.0.0.31 back on April 28. Modzero contacted Conexant the same day, and when the keylogger was found in the latest audio drivers, it contacted HP Enterprise on May 1. Then on May 5, modzero got a response from HP Enterprise, which "tried to reach for security folks at HP Inc. to gain attention." Looks like HP Enterprise and HP Inc. aren't talking to each other—I bet they start talking now.

Discussion continues on the AskWoody Lounge.
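The check-and-remove procedure above, as a PowerShell script. This is an added example, not code from modzero or HP; the executable paths, the log path and the logon scheduled task are the ones the advisory names, while the .disabled rename suffix, the Conexant device check via Win32_SoundDevice (what the article uses Speccy for) and the search for log copies under C:\Users are this example's own choices. It assumes Windows PowerShell 3.0 or later and an elevated prompt; renaming files in System32 can additionally require taking ownership from TrustedInstaller, which the script does not do.

```powershell
# Added example: detect and remediate the MicTray keystroke logger described by modzero.
# Run from an elevated Windows PowerShell (3.0+) prompt.

$MicTrayExes = 'C:\Windows\System32\MicTray64.exe', 'C:\Windows\System32\MicTray.exe'

function Test-MicTray {
    # Report every MicTray artefact without changing anything.
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is there a Conexant audio device at all? (Assumed check; the article uses Speccy.)
    Get-CimInstance Win32_SoundDevice |
        Where-Object { $_.Name -like '*Conexant*' -or $_.Manufacturer -like '*Conexant*' } |
        ForEach-Object { $findings.Add("Conexant audio device: $($_.Name)") }

    # 2. The executables the advisory tells HP users to look for.
    foreach ($exe in $MicTrayExes) {
        if (Test-Path $exe) {
            $ver = (Get-Item $exe).VersionInfo.FileVersion
            $findings.Add("Executable present: $exe (file version $ver)")
        }
    }

    # 3. The scheduled task that re-launches MicTray at every logon.
    #    schtasks is used instead of Get-ScheduledTask so this also works on Win7.
    #    'Task To Run' is the English-locale column name.
    schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -like '*MicTray*' } |
        ForEach-Object { $findings.Add("Scheduled task: $($_.TaskName) -> $($_.'Task To Run')") }

    # 4. The world-readable keystroke log, plus any copies under C:\Users (e.g. in profiles or backups).
    Get-ChildItem -Path C:\Users -Filter MicTray.log -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Keystroke log: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))") }

    return $findings
}

function Remove-MicTray {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Stop the hook process first so the log stops growing while we clean up.
    Get-Process -Name MicTray64, MicTray -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Stop-Process')) { $_ | Stop-Process -Force }
    }

    # Rename rather than delete, as modzero suggests, so the change is reversible
    # if the mute/unmute hotkeys turn out to be needed.
    foreach ($exe in $MicTrayExes) {
        if ((Test-Path $exe) -and $PSCmdlet.ShouldProcess($exe, 'Rename to .disabled')) {
            Rename-Item -Path $exe -NewName ((Split-Path $exe -Leaf) + '.disabled')
        }
    }

    # Delete the log and every copy found: it holds everything typed since it was created.
    Get-ChildItem -Path C:\Users -Filter MicTray.log -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) { Remove-Item -Path $_.FullName -Force }
        }
}

# Usage:
#   Test-MicTray            # list what was found, change nothing
#   Remove-MicTray -WhatIf  # dry run of the remediation
#   Remove-MicTray          # stop the process, rename the executables, delete the logs
Test-MicTray
```

Run Test-MicTray first and keep its output: the log's size and last-modified time tell you how long keystrokes were being recorded, which matters when deciding which passwords typed on that machine to rotate. Remove-MicTray leaves the scheduled task in place on purpose; once the executable is renamed the task simply fails at logon, and leaving it makes it obvious later why the hotkeys stopped working.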