Connect with us

The Online Technology

Keylogger Discovered in HP Audio Driver

Security Watch

Keylogger Discovered in HP Audio Driver

Rather than being malicious, this looks like negligence by developers. What's more concerning is it's been on HP systems since 2015.

UPDATE 5/12: HP issued an update for the Conexant audio driver to remove the keylogger, ZDNet reported. The update covers nearly 30 HP models from the EliteBook, ProBook, ZBook, and Elite x2 product lines. It can be downloaded from HP's website or via Windows Update.

Original Story:

If you own or use a HP computer, it's time to check whether C:WindowsSystem32MicTray64.exe or C:WindowsSystem32MicTray.exe in installed. If so, you have an active keylogger recording all key presses and need to take action by renaming the executable file.

SecurityWatchUsually when a new keylogger is discovered and reported publicly, it's found to be malicious spyware and the parties affected respond to the threat. In this case, the opposite is true. A keylogger was found on HP computers, but it is not malicious so the company isn't doing anything about it yet.

The keylogger was discovered by security company modzero AG in an audio driver installed on HP systems. Modzero did the responsible thing and made HP aware of its existence. HP Enterprise refused to take responsibility while HP Inc. and the other company involved, Conexant Systems Inc., are ignoring it. So modzero decided to go public "in accordance with our Responsible Disclosure process."

HP Conexant Audio Driver Keylogger

Real Life. Real News. Real Voices

Help us tell more of the stories that matter

Become a founding member

Here's where things get weird. Shipping a system with an active keylogger installed is only really ever going to happen for malicious reasons. But in this case it looks like pure negligence on the part of developers.

The software in question is part of a driver package offered by HP (since December 2015) and related to audio chips manufactured by Conexant. Conexant's integrated circuits appear on numerous sound cards for which they provide drivers. In this case, special key presses are supported for functions such as turning the microphone and recording LED on or off.


Modzero discovered that the software written to detect these special key presses actually records all key presses and stores them in a plain text log file (C:UsersPublicMicTray.log) for anyone to view. The log is overwritten every time you log back into the computer, but during use it is always recording key presses, which will include any and all passwords entered.

Negligent? Lazy? Call it what you will, but logging all key presses just to detect special key presses is ridiculous. As mentioned above, you can stop it happening by renaming the executable file, but doing so will stop the special key functionality working. Ideally, HP and Conexant take notice now and fix the problem.

Read more

Subscribe to the newsletter news

We hate SPAM and promise to keep your email address safe

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

To Top