Windows 10's keylogger


  • This topic is locked
37 replies to this topic

#1 Allen

Posted 04 October 2014 - 12:38 PM

As noted by Quietman7:

FYI: Just received an email from Derek Knight, MVP with this link...Windows 10 Technical Preview Has A Keylogger to Watch Your Every Move

PERMISSION TO KEYLOG
If you are unaware of Microsoft's privacy policy, so now you should pay attention to what the policy says. Microsoft is watching your every move on the latest Windows 10 Technical Preview, thanks to portions of Microsoft's privacy policy, which indicates that the technology giant is using a keylogger to collect and use users' data in a variety of astounding ways without the user being aware.

There is a keylogger built into the tech preview which was stated in the Terms and agreement when installing the tech preview.

rockysosua managed to find a folder that contained logged keystrokes from IE in

c/users/user's name/appdata/local/microsoft/windows/inetcache/low/ie/ZPBXU1LL.

I don't know which process is doing it, but everything I write in Internet Explorer is logged in a folder called ZPBXU1LL.

c/users/user's name/appdata/local/microsoft/windows/inetcache/low/ie/ZPBXU1LL.

Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#2 rockysosua

Posted 04 October 2014 - 12:54 PM

I don't know how invisible the process might be, but I'm in the process of setting up a new Win 8 laptop to compare the processes to those that run in 10.

Just glancing through the Services, the most suspicious looking one is called "Diagnostics Tracking Service".

It states that it enables data collection about functional issues in Windows components.


All is well in Paradise.

#3 Condobloke

Posted 04 October 2014 - 12:55 PM

well,...just as your dad told you....caveat emptor my boy !!...or....read the fine print boofhead !!
I am following this post with great enthusiasm from 37000 feet above the earth's surface..on a flight from Manila to Sydney, Australia...
Perhaps it is heartening to know that Microsoft are determined to get it right...!!!???

(interesting to note the wireless signal up here is better than Telstra's in NSW Australia )

Keep the comments coming.....I am intensely interested in Windows 10

Edited by Condobloke, 04 October 2014 - 01:08 PM.

Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#4 rockysosua

Posted 04 October 2014 - 01:05 PM

These are the services that I found running in Win 10, that don't exist in Win 8.

coremessaging
Diagnostics Tracking Service
dmwappushsvc (can't be turned off in Services)
appx deployment service
Intel Integrated clock controller
geolocation service
network connection broker

All the others can be turned off without any visible negative effects.


Edited by rockysosua, 04 October 2014 - 04:51 PM.


#5 Allen

Posted 04 October 2014 - 01:09 PM

Did some more looking in the temp file after browsing the web using IE to test it. I've found data split into 4 folders, mostly just cache; some contain information on what I did, and the username I used to log in to wolframalpha.

Also, I wonder if this keylogger happens to be a driver; if it is then it may be hard to remove it or stop it from running, especially if Microsoft has it protected.


Edited by Allen, 04 October 2014 - 01:12 PM.


#6 rockysosua

Posted 04 October 2014 - 01:22 PM

If we can find the process and kill it, that might be the end of it, except if Windows Updates keeps putting it back in.

We need some of the BC brainiacs. It could take me a year to find it.



#7 Allen

Posted 04 October 2014 - 01:23 PM

If we can find the process and kill it, that might be the end of it, except if Windows Updates keeps putting it back in.

We need some of the BC brainiacs. It could take me a year to find it.

As far as I can tell it's running under svchost.

Anyway, I'm gonna keep looking for anything I can find about it.



#8 Allen

Posted 04 October 2014 - 01:48 PM

Quick note

Took a look at the Task Scheduler and found some interesting stuff under

\Microsoft\Windows\Customer Experience Improvement Program

I'm still looking and I'll edit this post if I find any more interesting stuff.

Note: one of the tasks under there was called Uploader

Edit

Found some data folders

at C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE

Looks like it contains some search info + skype info + other stuff. On my system there were 4 hidden files


Edited by Allen, 04 October 2014 - 02:18 PM.


#9 rockysosua

Posted 04 October 2014 - 02:27 PM

As a habit, I turn off all those "open door to MSC" processes in the task scheduler.
There can be as many as 5 doors, just in Customer Experience and 3 more in Application Experience.
For all I know, I may have already closed all of MSC's doors for their keylogger, but I won't rest 'til I know for sure, but if I can't find out, I'll spit on it as I say bye bye and go back to 8.1.

Edited by Queen-Evie, 04 October 2014 - 09:05 PM.
language edit

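Added example (not part of any post in this thread): a read-only PowerShell inventory of what posts #2, #4, #8 and #9 check by hand, diffing the service list between two machines and listing the scheduled tasks under the Customer Experience Improvement Program and Application Experience folders. The function names and CSV file names are hypothetical, and the full task path for Application Experience is assumed from the folder name given in post #9.

```powershell
# Added example, read-only: nothing here stops a service or disables a task.
# Function names and file names are hypothetical.

function Export-ServiceInventory {
    param([Parameter(Mandatory)][string]$Path)
    # PathName shows the hosting command line, which helps with services
    # that run inside a shared svchost.exe.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceInventory {
    param(
        [Parameter(Mandatory)][string]$BaselineCsv,   # export from the Windows 8 machine
        [Parameter(Mandatory)][string]$CandidateCsv   # export from the Windows 10 preview
    )
    $base = Import-Csv -Path $BaselineCsv
    $cand = Import-Csv -Path $CandidateCsv
    # '=>' marks services that exist only in the candidate export.
    Compare-Object -ReferenceObject $base -DifferenceObject $cand -Property Name -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-TaskFolderReport {
    param([string[]]$TaskPath = @(
        '\Microsoft\Windows\Customer Experience Improvement Program\',
        '\Microsoft\Windows\Application Experience\'))   # second path is assumed
    foreach ($folder in $TaskPath) {
        Get-ScheduledTask -TaskPath $folder -ErrorAction SilentlyContinue | ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $_.TaskPath
                TaskName    = $_.TaskName
                State       = $_.State
                LastRunTime = $info.LastRunTime
                # COM-handler actions have no Execute value and show up empty here.
                Action      = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }
}

# Usage: run Export-ServiceInventory on each machine, then on either one:
#   Compare-ServiceInventory -BaselineCsv .\win8.csv -CandidateCsv .\win10.csv
#   Get-TaskFolderReport | Format-Table -AutoSize
```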

#10 Tenis

Posted 04 October 2014 - 02:46 PM

I try to delete those cache folders and open IE again; it is just caching the browser data, maybe it's not spying.

But some folders are common which I doubt: the INetCache and CryptnetURLCache folders. These folders are located in my folders.

And I also doubt he is also tracing event logs.

Edit

I also found the BackgroundTransferApi folder, which can have a role in it.


Edited by tenisverma, 04 October 2014 - 03:12 PM.


#11 Tenis

Posted 04 October 2014 - 02:57 PM

Found some data folders

at C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE

Looks like it contains some search info + skype info + other stuff. On my system there were 4 hidden files

The 4 hidden files you found are in many places. Search INetCache.

Every IE or INetCache folder contains 4 hidden folders with a container.dat file.



#12 old rocker

Posted 04 October 2014 - 03:08 PM

Followed the path: c/users/user's name/appdata/local/microsoft/windows/inetcache/low/ie/ZPBXU1LL.

Actually there are 4 folders with random alpha-numeric characters, none of which match ZPBXU1LL....

None of them contain anything other than cache data that I can see (javascript files, gifs, jpegs, html documents)

Also if you have set up any tracking protection lists or have created your own personalized list, those items appear.

You can tweak IE so that when closed, the only remaining item is a file named container.dat

The next time you open IE, 4 new folders appear with different random alpha-numeric characters and the process starts over again.

As far as a keylogger I am not that concerned. It'll make it easy for them to read all the comments about their operating system.



#13 rockysosua

Posted 04 October 2014 - 04:28 PM

I think it's a conspiracy.

How can I find a keylogger when there's a bunch of hotly contested College football games on TV, and as if that weren't enough that half a dozen channels are tempting me away with great games, Nascar is showing its nose too, with a race in Kansas.

I feel my resolve weakening....What's a poor boy to do?



#14 TsVk!

Posted 04 October 2014 - 05:59 PM

I think the reason for a keylogger is obvious. It will more than likely be paired up with the syslog and be used to identify bugs and problems.

You didn't think MS would just give the thing away because they are nice, right?

It is a technical preview, so people are supposed to be testing stuff on it...



#15 rockysosua

Posted 04 October 2014 - 06:07 PM

MSC never gives Previews because they are nice.

They do it for the feedback.

If you think that putting a keylogger into a Preview this time is justified, then you are alone with that thought.

Their agreement/TOS authorizes them to do as they please with any and all the user's info.

