If it’s a work laptop, treat it like it has tracking software on it. Don’t use your work computer for personal stuff that you don’t want your employer to see. Period.
Disclaimer, I have not studied the software in question and there are many ways to implement it, so this isn’t a way to say a computer is clean, just a way to detect if it’s infected.
Typically, keylogging programs like these are installed as device driver filters. Open devmgmt.msc, locate your keyboard and right click -> properties -> details tab -> property drop down -> upper filters and lower filters.
These should be empty normally. If there are entries present then you have some program that is hooking into your keyboard driver and accessing your keystrokes.
Similarly, there should be a filter on your mouse if it is being listened to.
If you are especially paranoid, you can jot down the GUID of the keyboard and mouse driver (it looks like a long hex number with dashes surrounded by {}s), then shut down the computer and boot to a rescue disk, open up regedit, mount the registry hive for SYSTEM it’s located in \windows\system32\config\system, (let’s say you mount it to SYSTEM.remote), then navigate to SYSTEM.remote\CurrentControlSet\Control\Class\
Then you scroll through this key’s values and look for UpperFilters and LowerFilters.
The reason why you do it this way is to avoid a rootkit situation, where a driver also hooks into requests to the OS for certain information, and uses that to hide its presence.
Yes, but my point is that you’re asking a flawed question. It’s possible for us to give you a bunch of different services or processes to look for, but it’s trivial for these companies to just make a new service or process with a different name that’s harder to find. You’re trying to play a cat and mouse game that you’re not going to win.
I work in IT. Most of our clients’ computers are managed by an MDM, which means that we can push ANY package or software to the computer at ANY time, without notifying the user. Most of our clients don’t bother with tracking software, but some do. And make no mistake, tracking software is basically legal spyware.
So, my point is this: it doesn’t matter whether or not you have evidence of tracking software on your computer. Just assume that it’s there, and don’t use your computer for anything you don’t want your employer to see. That is the safest route.
You’d have to disable IME for Intel or the equivalent for AMD and then reinstall the OS.
However you might simply want to run some rootkit detecting tools, check what programs and drivers you have installed and look up each one, and browser extensions.
How can I check if my laptop has such software installed?
If it’s a work laptop, treat it like it has tracking software on it. Don’t use your work computer for personal stuff that you don’t want your employer to see. Period.
Well, thx. But this was not my question.
Disclaimer, I have not studied the software in question and there are many ways to implement it, so this isn’t a way to say a computer is clean, just a way to detect if it’s infected.
Typically, keylogging programs like these are installed as device driver filters. Open devmgmt.msc, locate your keyboard and right click -> properties -> details tab -> property drop down -> upper filters and lower filters.
These should be empty normally. If there are entries present then you have some program that is hooking into your keyboard driver and accessing your keystrokes.
Similarly, there should be a filter on your mouse if it is being listened to.
If you are especially paranoid, you can jot down the GUID of the keyboard and mouse driver (it looks like a long hex number with dashes surrounded by {}s), then shut down the computer and boot to a rescue disk, open up regedit, mount the registry hive for SYSTEM it’s located in \windows\system32\config\system, (let’s say you mount it to SYSTEM.remote), then navigate to SYSTEM.remote\CurrentControlSet\Control\Class\
Then you scroll through this key’s values and look for UpperFilters and LowerFilters.
The reason why you do it this way is to avoid a rootkit situation, where a driver also hooks into requests to the OS for certain information, and uses that to hide its presence.
Yes, but my point is that you’re asking a flawed question. It’s possible for us to give you a bunch of different services or processes to look for, but it’s trivial for these companies to just make a new service or process with a different name that’s harder to find. You’re trying to play a cat and mouse game that you’re not going to win.
I work in IT. Most of our clients’ computers are managed by an MDM, which means that we can push ANY package or software to the computer at ANY time, without notifying the user. Most of our clients don’t bother with tracking software, but some do. And make no mistake, tracking software is basically legal spyware.
So, my point is this: it doesn’t matter whether or not you have evidence of tracking software on your computer. Just assume that it’s there, and don’t use your computer for anything you don’t want your employer to see. That is the safest route.
You’d have to disable IME for Intel or the equivalent for AMD and then reinstall the OS.
However you might simply want to run some rootkit detecting tools, check what programs and drivers you have installed and look up each one, and browser extensions.