60

I have a Microsoft LifeCam HD sitting atop my monitor. Today, completely out of the blue, its light came on -- I was simply browsing the web (in Chrome) when it happened. After about 5 minutes the webcam turned off.

Naturally, I immediately suspected my ex-wife (when in doubt, I always suspect her), but she isn't computer savvy enough.

I looked over the process list and didn't see anything suspicious. I am running a couple of open source projects and free apps (e.g., greenshot, powermenu, supertray), but I've had them for years. Autoruns reports nothing suspicious in the startup and neither does Windows Defender.

Anyways, what could it be? What should I look at next?

AngryHacker
  • 19,327

7 Answers

39

Process Explorer from Microsoft would be my next guess: http://technet.microsoft.com/en-us/sysinternals/bb896653. Once you have loaded it up, click View -> Lower Pane View -> Handles. Now when you click on each of the processes in the top pane, you get a report about all of the files and registry keys it has open. The keys are the important bit.

It can list lots of information about currently running processes, and although I don't know for sure if it will definitely tell which process has the webcam open, you might be able to gain hints. I just tried it for OneNote while recording a video, and for my Lifecam VX7000, it had this key open while recording a video, which is almost certainly the webcam (especially seeing as it disappeared once I stopped recording):

HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{65E8773D-8F56-11D0-A3B9-00A0C9223196}\##?#USB#VID_045E&PID_0723&MI_00#8&27B22E96&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#GLOBAL\Device Parameters

I don't know what your device will appear as, but keep an eye out for processes which have HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\ keys open, and look for keywords like "USB#VID" in there. Pressing Ctrl+F and searching for the string "USB#VID" should find processes with that key open.

If you want to find out exactly what your USB device is called to Windows, open Device Manager, find your webcam in there, double click on it, then click the Details tab. In the drop down box on that page, go to Hardware Ids, or check out some of the other details in that dropdown box, and see if you can match it up to a process in Process Explorer.

Edit: forgot to mention, this procedure only works while the process is still using the webcam (i.e. the light is still on).

camster342
  • 1,797
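
The matching step described in the answer above (a `DeviceClasses` key name against the webcam's Hardware Ids value from Device Manager) can be done mechanically. This is an added example, not part of the original answer; it assumes the handle names were copied out of Process Explorer into (process, PID, key name) tuples, and the function name, process names and PIDs are made up for illustration.

```python
import re

# Key names under DeviceClasses embed the USB hardware id of the device:
#   ...\DeviceClasses\{class-guid}\##?#USB#VID_xxxx&PID_xxxx[&MI_xx]#instance#...
IFACE_RE = re.compile(
    r"DeviceClasses\\\{(?P<cls>[0-9A-F-]{36})\}\\##\?#USB#"
    r"VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})(?:&MI_(?P<mi>[0-9A-F]{2}))?#",
    re.IGNORECASE,
)
# Device Manager "Hardware Ids" value: USB\VID_xxxx&PID_xxxx[&REV_xxxx][&MI_xx]
HWID_RE = re.compile(
    r"USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&REV_[0-9A-F]{4})?(?:&MI_(?P<mi>[0-9A-F]{2}))?$",
    re.IGNORECASE,
)

def _ids(match):
    """Normalise (vid, pid, interface) to upper case; interface may be None."""
    vid, pid, mi = match.group("vid", "pid", "mi")
    return vid.upper(), pid.upper(), mi.upper() if mi else None

def camera_holders(handles, hardware_id):
    """Return sorted (process, pid) pairs holding a DeviceClasses key for the device."""
    hw = HWID_RE.match(hardware_id.strip())
    if hw is None:
        raise ValueError("not a USB hardware id: %r" % hardware_id)
    want_vid, want_pid, want_mi = _ids(hw)
    found = set()
    for process, pid, key_name in handles:
        m = IFACE_RE.search(key_name)
        if m is None:
            continue  # not a USB device-interface key
        vid, dev_pid, mi = _ids(m)
        # An id without MI_xx matches any interface of the device.
        if (vid, dev_pid) == (want_vid, want_pid) and want_mi in (None, mi):
            found.add((process, pid))
    return sorted(found)

# Constructed sample: process names and PIDs are made up; the first key is the
# one quoted in the answer, the last one is a made-up unrelated USB device.
SAMPLE_HANDLES = [
    ("ONENOTE.EXE", 4312, r"HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{65E8773D-8F56-11D0-A3B9-00A0C9223196}\##?#USB#VID_045E&PID_0723&MI_00#8&27B22E96&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#GLOBAL\Device Parameters"),
    ("chrome.exe", 5120, r"HKLM\SOFTWARE\Policies\Google\Chrome"),
    ("explorer.exe", 2044, r"HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{00000000-0000-0000-0000-000000000001}\##?#USB#VID_1234&PID_5678#0001#{00000000-0000-0000-0000-000000000001}"),
]

if __name__ == "__main__":
    print(camera_holders(SAMPLE_HANDLES, r"USB\VID_045E&PID_0723&MI_00"))
```
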
19

Could be flash or another browser plugin.

11

Cameras (and other recording devices) that you own should NEVER turn on without your consent. If you're not aware of an application that you've configured to do this automatically from time-to-time, then it's time to start figuring out if you have SpyWare on your computer that may be activating it.

Here are two excellent free tools that I trust (there isn't much that I do trust when it comes to security software in particular) and use for removing SpyWare that should be helpful to you:

  MalwareBytes
  http://www.malwarebytes.org/

  SpyBot - Search & Destroy
  http://security.kolla.de/

If I was experiencing this problem, scanning for SpyWare would be a very high priority.

3

To add to @Andrew Cooper's answer:

About a year ago there was a big hoopla in the security community over a researcher using what's now known as clickjacking to get Adobe Flash to erroneously think the user agreed to allow webcam access.

That specific vulnerability has been fixed, but there could always be more. The only way currently to prevent clickjacking is using Firefox with NoScript. Chrome/IE8 also have rudimentary clickjacking prevention, but only for sites which support it (which won't help prevent Flash-clickjacking).

Glorfindel
  • 4,158
2

You may not see something weird in the process list since the "malware" may have injected itself into another application. Most likely a process that is common on all Windows systems (explorer.exe as one example).

Unplug internet, see if it turns off. Whenever it happens again, start working on finding the process that's using your webcam, as suggested by another poster, with Process Explorer.

When you have determined which process, you should look at which connections that process has and to which ports. This is also viewable in Process Explorer.

Note the IPs, post the list on a forum (can't think of a specific one at the moment) that deals in these sorts of things if you can't determine it yourself.

Save the information from above.

Wipe your system and install from trusted sources.

artifex
  • 436
1

If you have WIA (Windows Image Acquisition) service trying to run in your log and it's disabled, it will log an error (typically, it's auto-start with Windows).

I've had this, and no cam attached, no scanner or digital camera attached, and possibly it could be something invoked by Flash.

slhck
  • 235,242
-4

Cover your camera. Right-click on a YouTube player window. Click Settings. See the eyeball in a TV image? Click it and deny access to your camera.

slhck
  • 235,242