none
Hidden Startup Application RRS feed

  • Question

  • I'm new to SysInternals. On my Windows 10 Pro (64) system, about a week ago, I noticed an application in my Startup named -HIDE. It's disabled but I'm trying to determine what is is and remove it. I don't think it should be there.

    I use ESET Endpoint Protection and I'm not seeing anything unusual on the System other than the LED's on my network switch appear to show alot of activity at times when I'm not doing anything.

    I've monitored my Temp folder C:\Users\XX\AppData\Local\Temp and noticed the following logs keep getting written to it daily. I'm not sure if they are related to the hidden app in startup or not.

    I've noticed the following log files that keeps getting created in my temp folder named
    bitrock_installer.log
    mat-debug-17532.log 

    I've deleted all files from the temp folder, but these continue to be created every time I restart. 

    These files are generated multiple times a day with different numerical section of the file name.

    I checked Task Manager, search the registry, services, Event Viewer, Program files, Program Files (86) and Program Data folders for the word HIDE or other unexpected name, but i haven't found anything.

    I'm assuming Process Explorer is the best tool to use for investigating this issue. I haven';t used it yet. Please provide your opinion on how best to proceed.

    Thanks,

    Tony


    Tony

    Monday, June 29, 2020 5:28 PM

All replies

  • In this specific case, the best tool is ProcMon.

    You should capture a Procmon boot log, and you will see who will generate those file from a clean boot, where the exe creating them is and at that point if it is legitimate or not...

    Start Procmon as administrator, options, Enable boot logging, reboot..

    When you are again logged in start again ProcMon as Administrator.. it will say to you there is a bootlog to save..Save and analyze it.. you will find it very educational..

    HTH
    -mario

    Monday, June 29, 2020 8:22 PM
  • Thank you for the responses. I followed your suggestion and tracked down the Bitrock log to a Jive application I have installed. It looks like they run a network test to verify the network speed for their service that I use.

    My other problem is there is a program in my Startup that is named -HIDE and I can't identify what it is. How do I check on that?


    Tony

    Tuesday, June 30, 2020 3:06 PM
  • What do you mean with " in my Startup that is named -HIDE"??

    Do you mean your profile startup folder?? Did you try using Autoruns to see if it is still there or if it is something left behind by old software installation or something like that??

    If it is in the startup folder and you enabled explorer to show known file name, it may be a .lnk or an .exe but in any case it should be possible to identify whatever it is..

    If there is something in your user profile will be visible in Autoruns under those keys..

    But if you have noticed nothing from the boot log starting from you user profile Startup folder, then there is nothing.. try filtering your previous boot log with a filter like "Path Contains \Windows\Start Menu\Programs\Strtup" if you can find something then you will be able to follow the trace.. 

    HTH
    -mario

    Tuesday, June 30, 2020 3:29 PM
  • I ran AutoRuns and don't find anything I think is suspicious.  Here is a screen print ofmy startup. Look at the first app. That;'s what I'm trying to identify. It's disabled, however Im trying to find out what is is in a safe manner and then possibly delete it.


    Tony

    Tuesday, June 30, 2020 4:11 PM
  • Ok, if you can see it only here and not in Autoruns, it ma be a Modern App, which is using a totally different set of registry keys and is not Autoruns friendly..

    You have to run ProcMon with a filter like "PAth contains Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion"

    Then if you go to the settings page you shoved above and change it from disable to enabled, Procmon should record the operation.

    That way you will find the whole path to the app, and will find its name and from where it is started.

    HTH
    -mario

    Friday, July 3, 2020 8:30 AM