Many HP laptops released in 2015 and 2016 have a major problem. The audio driver provided by Conexant has debugging code enabled, and it either logs all your keystrokes to a file or prints them to the system debug log, where malware could snoop on them without looking too suspicious. Here’s how to check if your PC is affected.
HP says it has no access to this data, and the keylogger in question does not appear to be malicious. There’s no evidence that the keylogger actually does anything with the keystrokes it captures beyond saving them to your PC. However, this could be dangerous, as that sensitive log of keystrokes would be available to malware and may be stored in backups. In other words, it’s not malice—just incompetence.
This appears to be debugging code in the Conexant audio driver, code which should have been removed by Conexant before the driver shipped on PCs. The part of the driver which listens for media shortcut keys automatically logs the keys it sees you press. It was discovered by researchers from Modzero.
There appears to be different behavior on different HP laptops, depending on the version of the audio driver they include. On many laptops, the keylogger writes keystrokes to the C:\Users\Public\MicTray.log file. This file is wiped at each boot, but it may be captured and stored in system backups.
Navigate to C:\Users\Public\ and see if you have a MicTray.log file. Double-click it to view the contents. If you see information about your keystrokes, you have the problem driver installed.
If you do see data in this file, you’ll want to delete the MicTray.log file from any system backups it may be a part of to ensure the records of your keystrokes are erased. You should also delete the MicTray.log file from here to erase the record of your keystrokes.
Even if you don’t see the MicTray.log file, your HP laptop may have previously been recording keystrokes to this file before it downloaded an automatic update that stopped it. You should examine any backups created of your PC and remove the MicTray.log file, if you see it.
On our HP Spectre x360, we saw the MicTray.log file but it was 0 KB in size. However, even if no data is being printed to this file, every single keystroke you type may be printed via the Windows OutputDebugString API. Any application running in the current user account can view this debugging information and capture every keystroke you type, without doing anything that would appear suspicious to antivirus programs.
To check whether this is happening, download and run Microsoft’s DebugView application. Look at the DebugView application and press some keys on your keyboard.
If the Conexant audio driver is capturing keystrokes and printing them as debug messages, you’ll see many “Mic target” lines, each with a scancode. The information on each line identifies the key you pressed, so this information could be decoded to capture each key you press in the order you press them, if an application was listening in to the debug log on your PC.
If you don’t see a MicTray.log file with keystrokes in it and you don’t have any “Mic target” output visible in DebugView, congratulations. Your system does not have the buggy audio driver software installed and running.
If you do see the MicTray.log file filled with data or you can see the “Mic target” debug output visible in DebugView, you have the dangerous keylogging audio driver installed and you should disable or remove it.
Fixes to this problem will arrive via Windows Update on the affected laptops. A fix for laptops released in 2016 was added to Windows Update on May 11, while a fix for laptops released in 2015 is set to arrive on May 12. Head to Settings > Update & security > Windows Update to ensure you have the latest updates.
If the fix hasn’t been released yet, or you can’t run Windows Update for some reason, you can remove the software that causes the problem. You will need to delete the MicTray.exe or MicTray64.exe file. This will prevent some media function keys on your keyboard from functioning, but that’s a temporary small price to pay for security.
First, open the Task Manager by right-clicking your taskbar and selecting “Task Manager”. Click “More details”, click the “Details” tab, locate either MicTray64.exe or MicTray.exe in the list, right-click it, and select “End Task”.
Next, locate the MicTray executable file on your system and delete it. The researchers indicate that this file is often found at either C:\Windows\system32\MicTray64.exe. However, on our system, we found it at C:\Program Files\CONEXANT\MicTray\MicTray64.exe.
When Windows Update installs an updated driver in the future, it should install a new MicTray executable that will fix the problem and re-enable your keyboard’s function keys.
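The file, process and executable checks described above can be collected into one read-only PowerShell audit. This is an added example, not code from HP, Conexant or the researchers; the paths and process names are the ones given in this article, and the -BackupRoot parameter is a hypothetical name for a folder or mounted backup you want searched. It does not cover the OutputDebugString path, which still has to be checked with DebugView.

```powershell
# Added example: read-only audit for the MicTray keylogging issue described in this article.
# Paths and process names are taken from the article; $BackupRoot is a hypothetical parameter.
param(
    [string]$BackupRoot   # optional: folder or mounted backup to search for old copies of the log
)

$logPath  = 'C:\Users\Public\MicTray.log'
$exePaths = @(
    'C:\Windows\system32\MicTray64.exe',
    'C:\Program Files\CONEXANT\MicTray\MicTray64.exe'
)

function Test-MicTrayLog {
    param([string]$Path)
    # An empty (0 KB) log only means nothing is written to disk. Keystrokes may
    # still be emitted as debug messages, so 'empty' is not a clean result.
    if (-not (Test-Path -LiteralPath $Path)) { return 'absent' }
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.Length -gt 0) { return 'contains data' }
    return 'empty'
}

# 1. The live log file.
[pscustomobject]@{ Check = 'Log file'; Target = $logPath; Result = Test-MicTrayLog $logPath }

# 2. Is the MicTray process running right now?
$procs = @(Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    [pscustomobject]@{ Check = 'Process'; Target = "$($p.Name) (PID $($p.Id))"; Result = 'running' }
}
if ($procs.Count -eq 0) {
    [pscustomobject]@{ Check = 'Process'; Target = 'MicTray / MicTray64'; Result = 'not running' }
}

# 3. Executable at the locations named in the article.
foreach ($exe in $exePaths) {
    $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'absent' }
    [pscustomobject]@{ Check = 'Executable'; Target = $exe; Result = $state }
}

# 4. Old copies of the log inside a backup, if a backup root was supplied.
if ($BackupRoot) {
    Get-ChildItem -LiteralPath $BackupRoot -Filter 'MicTray.log' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Backup copy'; Target = $_.FullName; Result = "$($_.Length) bytes" }
        }
}
```

The script only reports what it finds; deleting the log, its backup copies or the executable remains a manual step as described above.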
Photo Credit: Amanz Network/Flickr