My webcam just came on "out of the blue"

I have a Microsoft LifeCam HD sitting atop my monitor. Today, completely out of the blue, its light came on -- I was simply browsing the web (in Chrome) when it happened. After about 5 minutes the webcam turned off.

Naturally, I immediately suspected my ex-wife (when in doubt, I always suspect her), but she isn't computer savvy enough.

I looked over the process list and didn't see anything suspicious. I am running a couple of open source projects and free apps (e.g., greenshot, powermenu, supertray), but I've had them for years. Autoruns reports nothing suspicious in the startup and neither does Windows Defender.

Anyways, what could it be? What should I look at next?

AngryHacker

Posted 2011-05-27T05:24:53.420

Reputation: 14 731

3when it happens again, disconnect your internet, and see if the cam goes dead. – 7wp – 2011-05-27T05:42:01.200

11Is your ex-wife named 'HappyHacker'? – Mateen Ulhaq – 2011-05-27T06:09:42.863

14@muntoo more like 'ReallyAngryHacker'. – AngryHacker – 2011-05-27T06:32:41.637

You're not alone. I've got the same issue here with that camera and OS. – Commander Keen – 2011-05-27T08:58:58.320

15If your computer starts saying things like, "I'm afraid I can't do that, Dave", then you should really worry. – Django Reinhardt – 2011-05-27T12:17:34.257

Also, this might be a good question for: http://security.stackexchange.com/

– Django Reinhardt – 2011-05-27T12:18:49.360

1@Johnny-W if that happens then I think we should all begin to worry. – Wipqozn – 2011-05-27T14:01:56.297

I just had this happen the other night, too. Closed all browsers (and made sure their processes were closed in Task Manager). The blue light stayed on for about 10 minutes, then shut off again. Antivirus and anti-spyware are all up to date, and I haven't had any warnings. What's interesting is that my camera also is a LifeCam. I wonder if there was a background software update or version check that needed to "activate" the camera hardware (without turning on the camera itself), which caused the blue light to go on. – Robaticus – 2011-05-27T12:10:57.423

Are you a student at Harriton High School in Pennsylvania?

– JYelton – 2011-05-27T15:47:15.113

2This is why I've taped over the built-in camera in my laptop. "Can't truss 'em"... – Niklas – 2011-05-27T16:22:41.243

1Might just want to unplug that camera when not in use... At least until you get the problem figured out! – Brian Knoblauch – 2011-05-27T17:20:22.727

@JYelton - great link. Seriously, WTF. – AngryHacker – 2011-05-27T18:13:02.110

2Here's an idea: Find a live cd that can work with your camera and run it for some time. If there is a bug in the camera's firmware, it may turn on and if it does, the operating system might be safe. – AndrejaKo – 2011-05-27T20:37:04.737

@Johnny W: I have two famous words for you: "Don't panic!" – Randolf Richardson – 2011-05-27T22:06:45.697

1In the meantime, put a piece of tape over your camera! – thrillscience – 2011-05-28T08:08:48.907

And let us know what it was, if you find out. – Mark Hurd – 2011-05-28T19:22:40.220

@Mark It hasn't happened again yet. – AngryHacker – 2011-05-29T17:12:36.167

I have this exact same question for OS X. If anyone knows of an parallel question on SuperUser or AskDifferent, a link would be greatly appreciated— else I'll open a new question (sooner or later). – Slipp D. Thompson – 2013-06-29T07:42:49.757

Answers

Process Explorer from Microsoft would be my next guess : http://technet.microsoft.com/en-us/sysinternals/bb896653. Once you have loaded it up, click View -> Lower Pane View -> Handles. Now when you click on each of the processes in the top Pane, you get a report about all of the files and registry keys it has open. The keys are the important bit.

It can list lots of information about currently running processes, and although I don't know for sure if it will definitely tell which process has the webcam open, you might be able to gain hints. I just tried it for OneNote while recording a video, and for my Lifecam VX7000, it had this key open while recording a video, which is almost certainly the webcam (especially seeing as it disappeared once I stopped recording) :

HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{65E8773D-8F56-11D0-A3B9-00A0C9223196}\##?#USB#VID_045E&PID_0723&MI_00#8&27B22E96&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#GLOBAL\Device Parameters

I don't know what your device will appear as, but keep an eye out for processes which have HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\ keys open, and look for keywords like "USB#VID" in there. Pressing Ctrl+F and searching for the string "USB#VID" should find processes with that key open.

If you want to find out exactly what your USB device is called to windows, open device manager, find your webcam in there, double click on it, then click the details tab. In the drop down box on that page, go to Hardware ids, or check out some of the other details in that dropdown box, and see if you can match it up to a process in Process Explorer.

edit : forgot to mention, this procedure only works while the process is still using the webcam (i.e. the light is still on)

camster342

Posted 2011-05-27T05:24:53.420

Reputation: 1 691

2Very helpful. I found it was my IE8/XP virtual machine (MS's own OVA file downloaded from Modern.ie) that was using the usb camera. VirtualBox allows USB pass-through and while the VM was running, it was turning the camera on. The handle to look for in this case is 'vboxusbwebcam'. – Astravagrant – 2014-08-07T13:20:08.373

My LifeCam has the light always on ever since I took a final exam with Examity, in which an Indian proctor asked me to enable my camera in Examity's browser interface. processexplorer.exe > ctl-f reveal only 2 instance of "#VID", both associated with Skype. – Bennett Brown – 2015-09-08T18:51:39.247

Another query string for the LifeCam can be found using the Device Manager as recommended at http://lifehacker.com/find-out-what-windows-program-is-using-your-webcam-on-w-1582372561?sidebar_switch=off&utm_expid=66866090-53.WJHsK0uiTqG2KukuD0irIA.1&utm_referrer=https%3A%2F%2Fwww.google.com . In my case, the Process Explorer does not find any program accessing the device with this identification, though the Life Cam's blue light is still on.

– Bennett Brown – 2015-09-16T18:30:15.983

Faster method: Hit CTRL+F to search and then enter USB#VID there; or for CLI people there is handle.exe. :)

– Tamara Wijsman – 2011-05-27T13:24:55.423

1ctrl+f while in process explorer that is. Note that the camera's vendor id string can be found in the device manager: dbl click the device, look at the details tab and then pick hardware Ids from the dropdown – horatio – 2011-05-27T15:00:36.770

2@tom ah excellent, I wasn't sure if Ctrl+F would search through all the handle keys as well or just process names. I've never needed to use it as I've always known exactly which process I'm looking for. I'll add that info in. – camster342 – 2011-05-27T20:24:27.003

Could be flash or another browser plugin.

Andrew Cooper

Posted 2011-05-27T05:24:53.420

Reputation: 1 249

7Would flash typically throw up a message box asking if it's ok to use? – AngryHacker – 2011-05-27T06:01:47.587

3I would hope so, but there may be ways around that. – Andrew Cooper – 2011-05-27T06:02:36.357

11Not if you once agreed to allow Flash to always use the camera? – Snark – 2011-05-27T09:16:16.183

@Snark: It's per-site, though. – user1686 – 2011-05-27T11:28:56.737

2I believe flash asks every single time, and there isn't an "always trust this site" option. I'm a flash developer and Adobe is very paranoid about security exploits so I cannot see it being something like a saved permission or just plain being accessed without permission. – None – 2011-05-27T12:46:50.053

2It could be silverlight as well, and silverlight does have an "always trust this site" selection. – Barry – 2011-05-27T13:23:44.073

I always dismiss those dialogs, so I doubt it was that. It is possible that one of my kids clicked ok at some point, but they don't typically browse the same sites that I do. – AngryHacker – 2011-05-27T18:01:24.180

Cameras (and other recording devices) that you own should NEVER turn on without your consent. If you're not aware of an application that you've configured to do this automatically from time-to-time, then it's time to start figuring out if you have SpyWare on your computer that may be activating it.

Here are two excellent free tools that I trust (there isn't much that I do trust when it comes to security software in particular) and use for removing SpyWare that should be helpful to you:

MalwareBytes
http://www.malwarebytes.org/

SpyBot - Search & Destroy
http://security.kolla.de/

If I was experiencing this problem, scanning for SpyWare would be a very high priority.

Randolf Richardson

Posted 2011-05-27T05:24:53.420

Reputation: 14 002

2"should never turn on without your consent"... is very different from "what actually happens". EX: Most languages let you freely open the soundcard and start recording without alerting the user. So unless your OS somehow has permissions for how code accesses hardware... it's up to the programmer to alert the user or not. – Trevor Boyd Smith – 2011-05-27T16:42:44.520

2Java applications by default let's you record audio without alerting the user in any way. "Permission to record sound is controlled separately. This permission should be granted with care, to help prevent security risks such as unauthorized eavesdropping. By default, ... An application running with no security manager can both play and record audio" – Trevor Boyd Smith – 2011-05-27T16:52:22.357

@TrevorBoydSmith: +1 for each of those fine contributions. My use of the word "should" was intentional. I think more people should pressure vendors to respect consent for audio and video recording functions. – Randolf Richardson – 2011-05-27T22:04:16.493

To add to @Andrew Cooper's answer:

About a year ago there was a big hoopla in the security community over a researcher using what's now known as clickjacking to get Adobe Flash to erroneously think the user agreed to allow webcam access.

That specific vulnerability has been fixed, but there could always be more. The only way currently to prevent clickjacking is using Firefox with NoScript. Chrome/IE8 also have rudimentary clickjacking prevention, but only for sites which support it (which won't help prevent Flash-clickjacking).

BlueRaja - Danny Pflughoeft

Posted 2011-05-27T05:24:53.420

Reputation: 7 183

...wow that was almost three years ago. Boy am I getting old. – BlueRaja - Danny Pflughoeft – 2011-05-28T06:42:48.947

You may not see something wierd in the process list since the "malware" may have injected itself into another application. Most likely a process that is common on all windows systems(explorer.exe as one example).

Unplug internet, see if it turns off. Whenever it happens again start working on finding the process, thats using your webcam, as suggested by another poster, with process explorer.

When you have determined which process you should look at which connections that process has and to which ports. This is also viewable in process explorer.

Note the IPs, post the list on a forum(Can't think of a specific one at the moment) that deals in these sorts of things if you can't determine it yourself.

Save the information from above.

Wipe your system and install from trusted sources.

artifex

Posted 2011-05-27T05:24:53.420

Reputation: 426

If you have WIA (Windows Image Acquisition) service trying to run in your log and it's disabled, it will log an error (typically, it's auto-start with Windows).

I've had this, and no cam attached, no scanner or digital camera attached, and possibly it could be something invoked by Flash.

Facebooksgiftofnarcissism

Posted 2011-05-27T05:24:53.420

Reputation: 11

-4

Cover your camera. Right-click on a YouTube player window. Click Settings. See the eyeball in a TV image? Click it and deny access to your camera.

christiangrowing

Posted 2011-05-27T05:24:53.420

Reputation: 1