HP ENVY 13-ab000nd
Microsoft Windows 10 (64-bit)

Hi all,

 

After reading about the possible keylogger in the Synaptics Touchpad Driver I ended up on this page for an update of my driver: https://support.hp.com/us-en/document/c05827409

 

Checking the available driver there against the one on my system doesn't seem to add up.

 

  1. The new updated driver should have driver number 19.3.31.31
  2. But my current driver (dated 16th of August 2017) also has driver number 19.3.31.31

Question 1: How is that even possible? If the fix is recent, shouldn't the new driver have a higher driver number?

 

Furthermore I tried downloading the new driver (ftp://ftp.hp.com/pub/softpaq/sp81501-82000/sp81891.exe) and

  1. Windows blocks it as an unsafe and unsigned executable
  2. Even if I do tell Windows to install it, it contains a corrupted installer that is not working (tried downloading it twice)

 

Question 2: Where can I find a working updated driver?

 

Finally.

On the internet it is stated that the keylogger is off by default but can be turned on using a regkey. More specifically the key: HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults

 

This key is present on my machine

Question 3: Can I safely remove HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\ or even HKEY_LOCAL_MACHINE\SOFTWARE\?

 

Question: How can I check if my system is breached and a keylogger is active?

 

Regards,

 Salvolin


@Salvolin wrote:

Hi all,

 

After reading about the possible keylogger in the Synaptics Touchpad Driver I ended up on this page for an update of my driver: https://support.hp.com/us-en/document/c05827409

 

Checking the available driver there against the one on my system doesn't seem to add up.

 

  1. The new updated driver should have driver number 19.3.31.31
  2. But my current driver (dated 16th of August 2017) also has driver number 19.3.31.31

Question 1: How is that even possible? If the fix is recent, shouldn't the new driver have a higher driver number?


Thank you for posting in the HP Support forum! 🙂

 

They didn't change the driver number.

Reason : Well, I don't know.

 

I can confirm that I can see HP articles dated August 2017 which refer to the same driver version as the one released earlier this week. Perhaps they were in a rush to release the update, rather than changing documentation.

 

You can see these files which mention August

>> ftp://ftp.hp.com/pub/softpaq/sp81501-82000/sp81891.html

>> ftp://ftp.hp.com/pub/softpaq/sp81501-82000/sp81891.cva

 

If you open the FTP before the files >> ftp://ftp.hp.com/pub/softpaq/sp81501-82000/

and search for sp81891.exe

You will see these were released in November (and published November on the server), which confirms they are updated.

 

All the story >> https://zwclose.github.io/HP-keylogger/

 


@Salvolin wrote:

Question 2: Where can I find a working updated driver?

 


Here is the latest one >> https://support.hp.com/us-en/document/c05827409

 

 


@Salvolin wrote:

Finally.

On the internet it is stated that the keylogger is off by default but can be turned on using a regkey. More specifically the key: HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults

 

This key is present on my machine

Question 3: Can I safely remove HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\ or even HKEY_LOCAL_MACHINE\SOFTWARE\?

 


No, don't do this as you may break the driver. I don't think you will be able to remove the entire "SOFTWARE" section as it is essential but if you manage to do it (somehow), your Windows operating system will be absolutely bricked.

 

With all due respect, the way you talk about this confirms that you have no idea how Windows Registry works and its purpose. Therefore, I recommend you do not mess inside it to avoid having serious issues.

 

General info about the Windows Registry

>> https://www.computerhope.com/jargon/r/registry.htm

>> https://www.lifewire.com/windows-registry-2625992

 

 


@Salvolin wrote:

Question: How can I check if my system is breached and a keylogger is active?

 


 

You were not breached by this, relax, please.

The entire story is over-exposed by the mass media. Big company like HP, some security issues... wow, it was a big day for the reporters. Human beings are usually sensitive about security... but how could these human beings forget about other stories... well, when this happens on a monthly basis, they stopped caring about it.

 

This is a vulnerability, a single vulnerability, not malicious code itself (not malware by itself).

The supposed "keylogger" functionality has been off all the time and this was not a public story until recently. The driver itself has/had a keylogging capability but nothing has been exposed so far.

 

There is no way for me to tell you 100% if there ever was a malicious program inside your PC which could have exposed the previously unknown (publicly) vulnerability in this driver. Therefore, no way to tell you if you are breached.

 

The fact that you use Windows as an operating system means you are already "breached" - I mean "breached by design". Windows itself is full of thousands of known vulnerabilities, thousands of hidden vulnerabilities, thousands of yet to be discovered vulnerabilities, Swiss cheese holes, so many... Consider the amount of patches, patches, patches that Microsoft publishes to the OS and other products every month or more often. This is work in progress, not a complete product.

 

Back in year 2000, Mary Jo Foley from ZDNET caught Microsoft and disclosed they have released official RTM version of Windows 2000 knowing internally that it has 63 000 known bugs (program errors) >> http://www.zdnet.com/article/bugfest-win2000-has-63000-defects/

 

Not 1 bug, not 10, not 100, but 63000 and it was released as official RTM (final) one.

 

Take a look at the most vulnerable apps and OS for 2015 >> https://techtalk.gfi.com/2015s-mvps-the-most-vulnerable-players/

 

or 2014 >> https://techtalk.gfi.com/most-vulnerable-operating-systems-and-applications-in-2014/

 

My point is not to focus on one single Synaptics driver vulnerability (which is patched now) but to focus on the bigger picture.

 

 

Tips for staying secure (as much as possible) >> www.microsoft.com/protect

 

*** HP employee *** I express personal opinion only *** Joined the Community in 2013

Hi @IT_WinSec,

 

Thanks for your quick and thorough reply. A bit off topic here and there but I got myself to thank for that for not being entirely clear in my questions and making some typos here and there.

 

So back to my questions and your replies.

 

 

 

Question 1: How is that even possible? If the fix is recent, shouldn't the new driver have a higher driver number?

Answer: They didn't change the driver number. Reason : Well, I don't know.

 

My reply: Thanks

 

 

Question 2: Where can I find a working updated driver?

Answer:  Here is the latest one >> https://support.hp.com/us-en/document/c05827409

My reply: Yeah, that one worked, maybe my download was just corrupted twice yesterday.

 

 

Question 3: Can I safely remove HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\ or even HKEY_LOCAL_MACHINE\SOFTWARE\?

Answer:  Something with “all due respect” which I totally deserved, because I provided the wrong regkey for my question. The question should have been.

 

Can I safely remove:

HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\

or even

HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\

 

Meaning can I remove anything associated to the SynTP driver or even anything associated to Synaptics as a whole. I wanted to know this because HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\default contains the keymapping values for each key in my registry and that doesn’t feel right. Kind of feels suspicious.

 

Question 4: How can I check if my system is breached and a keylogger is active?

Answer: My point is not to focus on one single Synaptics driver vulnerability (which is patched now) but to focus on the bigger picture.

 

My reply: I agree, but I still think there is a difference between a) a bug which results in an error, b) a bug which results in a vulnerability and c) malicious source code in your touchpad driver, because even the smallest of testing procedures could have detected that.

 

Since there are keymapping values present in my registry I was just curious if they would be there even if the keylogger is deactivated or if the keys being there mean that in my case the keylogger was activated.


p.s.

After installing the new driver, my device within Device Manager still has 16th of August as a last modified date and the SynTP.sys also still has the same last edit date of 18th of August 2017. Even if they forgot to change the driver version I would have expected other dates after installing the newest driver version.
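
The checks this thread keeps coming back to (an installer that Windows reports as unsigned, and an update that keeps the same version number and dates), as an added PowerShell example that is not from any poster or from HP. The file locations and the baseline file name are assumptions; the registry key, `sp81891.exe` and `SynTP.sys` are the names given in the thread.

```powershell
# Added example. Assumed paths (not from the thread): SoftPaq in Downloads,
# SynTP.sys in the standard driver directory, baseline file in TEMP.
$softpaq  = Join-Path $env:USERPROFILE 'Downloads\sp81891.exe'
$driver   = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
$baseline = Join-Path $env:TEMP 'SynTP-baseline.xml'
$regKey   = 'HKLM:\SOFTWARE\Synaptics\SynTP\Defaults'

function Get-FileIdentity {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Present     = $true
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTime
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
    }
}

# 1. The downloaded installer: NotSigned or HashMismatch means do not run it.
Get-FileIdentity $softpaq | Format-List

# 2. The installed driver: the version string can stay the same across builds,
#    but the hash differs whenever the binary itself was replaced.
$now = Get-FileIdentity $driver
if (Test-Path $baseline) {
    $before = Import-Clixml $baseline
    if ($before.SHA256 -eq $now.SHA256) { 'SynTP.sys is unchanged since the baseline.' }
    else { 'SynTP.sys differs from the baseline (it was replaced).' }
} else {
    $now | Export-Clixml $baseline
    "Baseline saved to $baseline; run again after installing the update."
}
$now | Format-List

# 3. What Device Manager reports for the Synaptics device.
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -like '*Synaptics*' } |
    Select-Object DeviceName, DriverVersion, DriverDate, IsSigned, Signer

# 4. Read-only listing of value names under the key discussed above.
if (Test-Path $regKey) { (Get-Item $regKey).GetValueNames() | Sort-Object }
```

Run it once before installing the SoftPaq and once after; an unchanged SHA256 with an unchanged date means the update did not replace the driver file.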
