You may have heard that some HP laptops have been found to be shipping with what is in effect a keylogger! The affected models have a Conexant audio chip whose driver includes hotkey functionality for microphone muting. Unfortunately this was left in debugging mode and, as a result, logged all keypresses to a local file! HP’s official security bulletin is here.
Some of our laptops were affected and our antivirus started detecting it as “Conexant MicTray Keylogger”. Just the thing to scare our users with after the recent news over the WannaCry v2 ransomware…
Rather than push a 200MB driver update to them all, I shut them up remotely with the following little batch file I pushed out over SCCM.
@echo off
rem Stop the MicTray hotkey process (32-bit and 64-bit builds) if it is running
taskkill.exe /im:MicTray.exe /f >nul 2>&1
taskkill.exe /im:MicTray64.exe /f >nul 2>&1
rem Delete the binaries from System32 and the Conexant install folder
del /F c:\Windows\System32\MicTray.exe >nul 2>&1
del /F c:\Windows\System32\MicTray64.exe >nul 2>&1
del /F "c:\Program Files\Conexant\Install\Audio\MicTray\MicTray\MicTray.exe" >nul 2>&1
del /F "c:\Program Files\Conexant\Install\Audio\MicTray\MicTray\MicTray64.exe" >nul 2>&1
rem Delete the keypress log
del /F c:\Users\Public\MicTray.log >nul 2>&1
exit
In retrospect, I’m glad that’s the solution I took, as the first update HP released to fix the issue apparently didn’t even remove the functionality, it just turned it off – but it could then be re-enabled with a registry value change! Since our users don’t use the mics on their laptops, I’m leaving the thing deleted as above.
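Because every command in the batch file sends its output and errors to nul, a failed delete goes unnoticed. The following check is an added example, not part of the original post: it looks for the same files and processes the batch file targets and returns a non-zero exit code if any remain. The function name `Test-MicTrayRemnant` and the output shape are assumptions made for this example.

```powershell
# Added example: post-clean-up check for the MicTray artefacts named in the batch file.
# Paths and process names come from that batch file; everything else is hypothetical.
# Run from a 64-bit PowerShell host: a 32-bit host sees System32 redirected to SysWOW64.

function Test-MicTrayRemnant {
    [CmdletBinding()]
    param(
        # Files the batch file deletes (binaries plus the keypress log).
        [string[]]$Path = @(
            'C:\Windows\System32\MicTray.exe',
            'C:\Windows\System32\MicTray64.exe',
            'C:\Program Files\Conexant\Install\Audio\MicTray\MicTray\MicTray.exe',
            'C:\Program Files\Conexant\Install\Audio\MicTray\MicTray\MicTray64.exe',
            'C:\Users\Public\MicTray.log'
        ),
        # Processes the batch file kills (Get-Process takes names without .exe).
        [string[]]$ProcessName = @('MicTray', 'MicTray64')
    )

    $findings = @()

    foreach ($p in $Path) {
        # -LiteralPath avoids wildcard expansion; -Force also finds hidden files.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type   = 'File'
                Name   = $item.FullName
                Detail = '{0} bytes, last written {1:u}' -f $item.Length, $item.LastWriteTimeUtc
            }
        }
    }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Name = $proc.ProcessName; Detail = "PID $($proc.Id)"
        }
    }

    return $findings
}

$remnants = @(Test-MicTrayRemnant)
$remnants | Format-Table -AutoSize
# A non-zero exit code lets a deployment tool flag the machine as still affected.
if ($remnants.Count -gt 0) { exit 1 } else { exit 0 }
```

A leftover `MicTray.log` with a recent write time means the logging component is still running on that machine.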