The short answer is to use Mark Russinovich's "sysinternals.com" tools. He's Windows internals guru at Microsoft and has been maintaining a suite of tools that are critical for Windows system maintenance and security. Copy all the tools from "https://live.sysinternals.com". Also, you can copy with Microsoft Windows Networking (SMB).
Of these tools, what we want is something that looks at "processes". There are several tools that do this, but focus on processes that are currently running. What we want is something that monitors process creation.
The tool for that is "sysmon.exe". It can monitor not only process creation, but a large number of other system events that a techy can use to see what the system has been doing, and if you are infected with a virus.
Sysmon has a fairly complicated configuration file, and if you enabled everything, you'd soon be overwhelmed with events. @SwiftOnSecurity has published a configuration file they use in the real world in real environment that cuts down on the noise, and focuses on events that are really important. It enables monitoring of "process creation", but filters out know good processes that might fill up your logs. You grab the file here. Save it to the same directory to where you saved Sysmon:
https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xmlOnce you've done it, run the following command to activate the Sysmon monitoring service using this configuration file by running the following command as Administrator. (Right click on the Command Prompt icon and select More/Run as Administrator).
sysmon.exe -accepteula -i sysmonconfig-export.xml
Now sit back and relax until that popup happens again. Right after it does, go into the "Event Viewer" application (click on Windows menu and type "Event Viewer", or run 'eventvwr.exe'. Now you have to find where the sysmon events are located, since there are so many things that log events.
The Sysmon events are under the path:
Applications and Services Logs\Microsoft\Windows\Sysmon\operationalWhen you open that up, you should see the top event is the one we are looking for. Actually, the very top event is launching the process "eventvwr.exe", but the next one down is our event. It looks like this:
Drilling down into the details, we find the the offending thing causing those annoying popups is "officebackgroundtask.exe" in Office.
We can see it's started by the "Schedule" service. This means we can go look at it with "autoruns.exe", another Sysinternals tool that looks at all the things configured to automatically start when you start/login to your computer.
They are pink, which [update] is how autoruns shows they are "unsigned" programs (Microsoft's programs should, normally, always be signed, so this should be suspicious). I'm assuming the suspicious thing is that they run in the user's context, rather than system context, creating popup screens.
Autoruns allows you to do a bunch of things. You can click on the [X] box and disable it from running in the future. You can [right-click] in order to upload to Virus Total and check if it's a known virus.
You can also double-click, to open the Task Scheduler, and see the specific configuration. You can see here that this thing is scheduled to run every hour:
Conclusion
So the conclusions are this.
To solve this particular problem of identifying what's causing a process to flash a screen occasionally, use sysmon.
To solve generation problems like this, use Sysinternals suite of applications.
I haven't been, but I am now, using @SwiftOnSecurity's sysmon configuration just to monitor the security of my computers. I should probably install something to move a copy of the logs off the system.
Some Notes
Some URLs:
- https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf
- https://technet.microsoft.com/en-us/sysinternals
- https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/
- https://github.com/SwiftOnSecurity/sysmon-config
Some tweets:
Sysmon— Mark Russinovich (@markrussinovich) June 2, 2017
To disable it, open Task Scheduler, go to Task Scheduler Library > Microsoft > Office, disable "OfficeBackgroundTaskHandlerRegistration" https://t.co/mROwfzUMBT— MalwareTech (@MalwareTechBlog) May 28, 2017
Nice writeup. Pink means unsigned.— Mark Russinovich (@markrussinovich) June 3, 2017
Nice! I just stumbled on this site and ran across this. I was about to wipe my main desktop. Super bothersome.
ReplyDeleteNice post,thank you for this blog.
ReplyDeletegclub online
goldenslot
gclub casino