1

After startup my machine has a lot of IO activity and if I open the start menu right after logging in, random sequences of s and . seem to be (emulated) key strokes sent to stdout showing up in the search field like in this screenshot:

enter image description here

How can I identify the source process?

  • I already ran a virus check on my drive from a safe boot media but nothing was found.

  • I'm only able to reproduce this after a cold boot, not a reboot.

  • I'm also not able to reproduce this booting in safe mode (minimal option).

Also I'm not able to catch chars by firing up notepad - the editor will simply loose focus there's no other trace.

Tarnay Kálmán
  • 3,597
  • 5
  • 27
  • 32
Filburt
  • 63
  • 8
  • Please add a screenshot of this output. If this appears as a window on the screen, you can identify the process by using [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) and dragging the bull's-eye icon on top of it. – harrymc Mar 10 '20 at 09:02
  • There's no output window (cmd or else) to capture. I only noticed this by chance because (unexpected ) characters are emitted to the standard output and did show up in the search textbox when I opened the Start Menu. I'll add a screenshot of this as soon as I'm back home. – Filburt Mar 10 '20 at 09:31
  • 1
    Let me know when you do. Add to your comment `@harrymc` for me to be notified. – harrymc Mar 10 '20 at 09:34
  • @harrymc Added a screenshot of just as it happened when I logged in and pressed the Win key. After 1 or 2 sec the character `s` appeared in the search box. – Filburt Mar 10 '20 at 18:15
  • If there is no output windows then it is not an output to stdout. The screen shot looks more like emulated key strokes. You can trace them using a Tools like spy++ (spyxx.exe by Microsoft). – Robert Mar 10 '20 at 18:21
  • Amazing. This might be caused by some installed software. To check, [Start Windows 10 in Safe Mode](https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html) and check if the problem arrives with only Windows software in play. – harrymc Mar 10 '20 at 18:21
  • As @Robert mentions, what you are referring to certainly isn't STDOUT. A process doesn't just 'spew' STDOUT to to topmost window as keystrokes. This is more like something (poorly) using 'sendkeys' to a topmost window. WOW! I like figuring out who is running garbage software on my box! – Señor CMasMas Mar 10 '20 at 19:26
  • @SeñorCMasMas What's odd is, is that it doesn't like Notepad++ or Windows Terminal - tried those but they just loose focus and key strokes go (presumably) to nirvana. – Filburt Mar 10 '20 at 19:54
  • Have you disabled EVERYTHING from your startup? Have you thought of running a key logger? It might give you a better clue as to what is going on. – Señor CMasMas Mar 10 '20 at 21:00
  • @SeñorCMasMas As harrymc suggested I'll give spy++ a try. Since booting in safe mode made it go away I'll have to start disabling selectively to find the culprit. – Filburt Mar 10 '20 at 21:12

1 Answers1

1

As booting in Safe Mode fixed the problem, this indicates that some third-party application is responsible for it.

To locate the problematic application, you may use the free tool Autoruns for Windows.

This utility shows all programs configured to run during system bootup or login in its "Everything" tab. You may turn off startup items with a click and return them later with another click. You may avoid listing Microsoft products by using the menu Options > Hide Microsoft Entries, Hide Empty Locations and Hide Windows Entries

I would suggest turning off startup entries in bunches, drilling down to the startup program that causes this behavior. Once identified, it might have some setting that can avoid the problem, or can be left out of startup and only be invoked when required (verify that once invoked it does not add another startup entry, but such can again be disabled by Autoruns).

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • After 8 or 9 reboots with narrowing down the startup entries using Autoruns, I managed to identify the culprit: Logitech LCD Manager (lcdmon.exe), an app that came with my game panel which allows you to forward notifications (mail etc.) to the game panel LCD display. I'd happily honor your answer with a 500 bounty but all my rep is over at [so] and I'd like to keep my commenting privilege here. – Filburt Mar 11 '20 at 21:26