Question Random process window on startup: "npm install winreg" ?

Nov 3, 2024
Every time I log in after startup or switch account, a process window with "npm install winreg" randomly appears for a few seconds. Can anyone help me find out what that is?
 
Strange.

I found the following links:

https://medium.com/adroit-group/accessing-windows-registry-in-electron-or-node-js-2bf5de82f4fe

https://www.supportyourtech.com/tec...indows-11-a-step-by-step-guide-for-beginners/

https://www.geeksforgeeks.org/npm-install-command/

And other similar links as well.

Did not find any such references on my system....

Windows 11 - Source? Edition and version information?

Likely that the install is being launched or attempted via Task Manager > Startup or perhaps being triggered via Task Scheduler.

If possible take a screenshot of the pop-up Window and post the screenshot here via imgur (www.imgur.com)

Failing that look in Task Manager > Startup and Task Scheduler and take screenshots showing anything "npm".

More needs to be known.
 
The links didn't help me, I know what npm does but it doesn't make sense to see it running every time I login. I tried to look in Task Manager and Task Scheduler but didn't find anything.

Windows 11 - Source? Edition and version information?
Pro - Version 10.0.22631 Build 22631
 
Look in Task Manager > Services.

Is it listed there?

If so right click the corresponding entry in the Status column.

What is the status and what other options are available?

Note: You can sort the Name column by clicking the column header.
 
Unfortunately it's not there, and I don't even know what to look for exactly, since npm is just a CLI command and not a service.
 
Okay.

Try a different way to find it: Powershell.

And the Get-Process cmdlet as admin.

FYI:

https://powershellfaqs.com/powershell-get-process/

Start with the basic cmdlet.

Likely a lengthy list. Look in ProcessName.

Keep in mind that that "npm install winreg" may be being attempted by some other process.

FYI:

https://www.npmjs.com/package/winreg

https://www.squash.io/how-to-set-npm-registry-configuration/

So look for any processes Registry related.

The purpose of the links is to just provide you with some additional insight.

The objective is to make that pop-up/process window go away.

To do that we need to discover what is opening the window to begin with and the links may help you recognize some other relevant factor.
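Get-Process only lists processes that are alive at the moment it runs, so a command window that closes within a few seconds is already gone by then. Windows can instead record every process start, with its command line and the parent that launched it, as Security event 4688. The following script is an added example, not something posted in the thread: step 1 turns that auditing on, step 2 reads the log after the next logon and filters it. The pattern "npm|winreg" and the two-hour window are assumptions for this thread's symptom; run both functions from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Logs every process start as event 4688
# so a short-lived "npm install winreg" window can be matched to its parent.

function Enable-ProcessCreationAudit {
    # Success auditing for the "Process Creation" subcategory produces event 4688.
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    # This policy value makes 4688 include the full command line of the new process.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Get-ProcessStartEvents {
    param(
        [string]$Pattern = 'npm|winreg',          # assumed filter for this thread's symptom
        [datetime]$Since = (Get-Date).AddHours(-2) # assumed look-back window
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the fields by name out of the event XML so nothing depends on field order.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['SubjectUserName']
            NewProcess  = $data['NewProcessName']
            CommandLine = $data['CommandLine']
            Parent      = $data['ParentProcessName']   # the program that spawned it
            ParentPid   = [Convert]::ToInt32($data['ProcessId'], 16)  # logged as hex text
        }
    } | Where-Object { "$($_.NewProcess) $($_.CommandLine) $($_.Parent)" -match $Pattern }
}

# Usage:
#   Enable-ProcessCreationAudit          # once, elevated
#   (sign out and back in so the window appears)
#   Get-ProcessStartEvents | Format-List
```

The Parent field is the useful part: it names the program that launched npm, which is exactly what the replies above are trying to find, and it is recorded even though npm itself exits before anyone can look at it.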
 
I tried to do it, but the window disappears so fast that the process is not there anymore when I launch the command.
 
Download Process Explorer (Microsoft, free).

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Run and look for any references/listings regarding "npm install winreg" etc.

Premise being that there has to be something running to cause/create the pop-up window.

Another way is to examine the Description, Company Name, and Verified Signer fields. Any that are blank would warrant further investigation.

= = = =

Open Task Manager > Startup.

Take a full screenshot(s) and post the screenshot(s) here via imgur (www.imgur.com).
 
Open Task Manager > Startup.

Take a full screenshot(s) and post the screenshot(s) here via imgur (www.imgur.com).
View: https://imgur.com/a/1NXYLtI

Another way is to examine the Description, Company Name, and Verified Signer fields. Any that are blank would warrant further investigation.
Didn't find anything about the winreg command, but I found this Nvidia process running Node (I don't think it's related to the concern though).
View: https://imgur.com/a/7Jf37IV
 
The Nvidia process appears legitimate. I found a number of links describing what the process is and what it does. You can easily go to Nvidia's website or other sites as well to learn more.

What is more interesting are those enabled Startup Apps.

For example "Hotkey for Dev Diagnostics": that is the sort of startup app that I would consider as a potential culprit. Especially if you do not knowingly use the app. [It does not appear on my computer.]

The startup app may have some purpose. Hopefully an app that you recognize and use.

Fair enough but it could also be buggy or corrupt.

What to do - simply disable the app from Startup. Make no other changes and keep track of any settings that may be involved.

Determine 1) Does the pop-up window stop appearing, and 2) does anything else go wrong or stop happening?

If that does not work then disable some other startup app that you do not need or recognize. Go online and look for more information just in case the startup app is part of something else you run.

Even if the startup app is necessary - again it could be buggy or corrupt.

Working through the list will take some time and effort. You must be slow and methodical.

Ideally you will discover some startup app that when Enabled = Pop-up Window and Disabled = No Pop-up Window.

As always, ensure that all important system data is backed up at least 2 x to locations away from the computer in question. Verify that the backups are recoverable and readable.

= = = =

Try running the Get-Process cmdlet again.

Open Powershell as Admin and type "Get-Process" (without quotes) at the PS> prompt.

There should be a long list of processes presented. The only part that is immediately meaningful is the ProcessName column. Look for names in the ProcessName column that may include or imply "npm", "reg", etc.

Indeed the process may be being launched/enabled and immediately disabled. There could still be other processes involved. Just look.
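Working through Task Manager > Startup one app at a time, as described above, is sound but slow, and Task Manager does not show the command line behind each entry nor the scheduled tasks that also run at logon. The script below is an added example, not from the thread: it is read-only and searches the Run/RunOnce keys, both Startup folders and every scheduled task action for "npm", "node" or "winreg" so the disable-one-at-a-time procedure can start from a shortlist. The pattern is an assumption; widen it if nothing matches.

```powershell
# Added example (not from the thread): list autostart entries whose name or
# command line mentions npm/node/winreg. Nothing is modified.

function Find-AutostartReferences {
    param([string]$Pattern = 'npm|winreg|node')   # assumed search pattern
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Run / RunOnce keys for the machine and the current user. Task Manager >
    #    Startup reads these but hides the command line.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }       # skip PowerShell's own metadata properties
            $cmd = [string]$props.$name
            if ($cmd -match $Pattern -or $name -match $Pattern) {
                $hits.Add([pscustomobject]@{ Source = $key; Name = $name; Command = $cmd })
            }
        }
    }

    # 2. Startup folders: shortcuts and scripts dropped there run at logon.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {
                # Resolve the shortcut so the real target and arguments are searched.
                $sh  = New-Object -ComObject WScript.Shell
                $lnk = $sh.CreateShortcut($_.FullName)
                $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
            if ($target -match $Pattern -or $_.Name -match $Pattern) {
                $hits.Add([pscustomobject]@{ Source = $f; Name = $_.Name; Command = $target })
            }
        }
    }

    # 3. Scheduled tasks: executable plus arguments of every action. These can fire
    #    at logon but never appear under Task Manager > Startup.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern -or $task.TaskName -match $Pattern) {
                $hits.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd })
            }
        }
    }
    return $hits
}

# Usage:  Find-AutostartReferences | Format-Table -AutoSize
```

A hit here points at the entry to disable first; an empty result means the launcher is probably something indirect (a service, a browser extension host, or an installer's post-install hook), in which case the process-creation audit approach is the better next step.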
 
Nothing changed after disabling that startup app, and still nothing appeared when running the Get-Process command again. This is so strange...
 
1. Malicious Google Updater Directory:

  • Path: C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0
  • Suspicious Files:
    • updater.exe (multiple instances with different sizes and modification dates)
    • uninstall.cmd
    • Other files like crashpad_handler.exe, GoogleUpdate.exe, settings.dat, etc. (as seen in your screenshot)
2. Scheduled Task:

  • Path: C:\Windows\System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem132.0.6833.0{09415ED8-B069-4173-976C-69D1F79F368D}
  • Content: The XML file defining the scheduled task that runs the malicious updater.exe with high privileges.
3. Suspicious Files in Temp Folder:

  • Path: C:\Windows\Temp\GoogleUpdateSetup_241216173656_6084
  • Suspicious Files:
    • GoogleUpdateSetup.exe
    • UpdaterSetup.exe (containing the nested structure with the hidden updater.exe)
4. Legitimate Google Update Location (Potentially Compromised):

  • Path: C:\Program Files (x86)\Google\Update
  • Note: While this is the legitimate location for Google Updater, you mentioned finding a suspicious GoogleUpdate.exe here with a recent modification date. It's worth reporting this location as well, as it might have been tampered with.


The below commands will attempt to find, stop, and delete the suspicious Google Updater files.

Stopping the scheduled task...

schtasks /delete /tn "\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem132.0.6833.0{09415ED8-B069-4173-976C-69D1F79F368D}" /f

Deleting the malicious Google Updater directory...

rmdir /s /q "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0"

Deleting the suspicious files in the Temp folder...

rmdir /s /q "C:\Windows\Temp\GoogleUpdateSetup_241216173656_6084"

Deleting the suspicious GoogleUpdate.exe in the legitimate Update directory...

del /f /q "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
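Before running rmdir and del against anything under Program Files, a practitioner would record what is actually there: the Verified Signer check suggested earlier in the thread, plus a hash and timestamp of each file and the action behind the scheduled task. The script below is an added example, not part of the post above; it is read-only and uses the paths and task folder the post names (adjust them to what exists on the machine).

```powershell
# Added example (not from the thread): record signer, hash and modification time
# of the executables in the listed folders, and the command behind the task,
# before deciding whether to remove anything. Read-only.

function Test-FileProvenance {
    param([string[]]$Path)
    foreach ($p in $Path) {
        foreach ($file in Get-ChildItem -Path $p -File -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue) {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            [pscustomobject]@{
                File      = $file.FullName
                Modified  = $file.LastWriteTime
                SizeBytes = $file.Length
                Status    = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                Sha256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-TaskActions {
    # Shows what the task actually executes and as which account, without touching it.
    param([string]$TaskPath = '\GoogleSystem\GoogleUpdater\')   # folder named in the post
    Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{
                Task      = $_.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
                RunAs     = $_.Principal.UserId
                RunLevel  = $_.Principal.RunLevel
            }
        }
    }
}

# Paths taken from the post above; constructed list, edit to match the machine.
$paths = @(
    'C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0',
    'C:\Windows\Temp\GoogleUpdateSetup_241216173656_6084',
    'C:\Program Files (x86)\Google\Update'
)
Test-FileProvenance -Path $paths | Format-Table -AutoSize
Get-TaskActions | Format-List
```

A Status of Valid with a recognisable subject, NotSigned, or HashMismatch each tells a different story, and the SHA256 values can be compared against the vendor's published binaries or a public hash lookup before anything is deleted. Keeping this output also gives you something concrete to post back if the removal does not make the "npm install winreg" window go away.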