I’m not super concerned with being surveilled personally (my job is more project-driven), but after seeing this damn spy program consistently taking up a third of my RAM, I decided enough was enough.
I couldn’t disable the service that launches the program itself, but had just enough admin privileges to change the name of the .exe for the program, and copy over another exe with an identical name that doesn’t actually open.
My PC is so much faster now that my screen isn’t being recorded 24/7, but man I hope IT doesn’t come knocking anytime soon lol
Comments
Pure genius !!!
I would assume at some point IT is gonna be notified by whoever actively checks whatever that software reports to and they’ll be asked to fix it. Who knows how long before that happens.
I’ve worked in IT for about 15 years now. I’d check to see why it’s not launching. If the exe does not have an icon that looks right, I’d suspect something is up but don’t know how far I’d dig into it. I’d probably figure it got jacked up and try to reinstall/repair it. Can’t really say how the uninstaller will handle the dummy exe and the renamed legit exe though.
Most IT are just gonna fix the problem and move on. Unless it’s obviously been fucked with, a repeat issue or management really wants details. Software breaks all the time, but when it’s constant on one machine, that’s when people start poking around.
No you didn’t. This could not be more fake
Yeah that’s going to show up on a spreadsheet somewhere. Usually that kind of crap is punitive and as long as your work gets done they won’t even connect the dots. And with the extra RAM your numbers should git got. The idea about changing the exe to gibberish is a good one. I would wait until an OS update and change the exe and the icon again so it looked like it happened the same day. If anyone says anything, blame Bill Gates.
Your company tracks you, but you have admin rights on your computer?
The “spyware” is likely an MDM which is required for compliance and a standard part of IT infrastructure.
If you did this to one of the systems at my company, we would get notified pretty quickly, and would know instantly the exe was fraudulent based on the checksum. It would take little to no effort to realize what happened.
The first time you did this would be a serious talking to and warning. If you did it again we might consider you a security risk- it’s debatable whether we’d straight up lock your laptop but we would definitely be having a conversation with your manager and HR.
That said, the fact you are able to do this in the first place probably means your IT team is either lazy or incompetent.
Modern problems require modern solutions.
Many years ago I wrote a script that issues a “kill -9” to whatevertheheck that program is that lets admins monitor my MacOS X screen.
Make sure to swap it back during lunchtime so IT sees that it’s still recording to keep you off their radar.
When your org’s Client PC mgmt team deploys the next update to the software, the deployment package’s detection rule will find your PC isn’t compliant and the update will be installed again. You’ll have to then do your hoop-jumping again.
If you have rights to rename anything in Program Files, you should also have rights to uninstall (though no user should be running as admin, not even me, THE admin). If you are running day-to-day as admin, you may be invalidating your cyber insurance.
My problem is I look at things too much and this is what I see here
If you’re able to rename the actual monitoring executable and replace it with a dummy .exe then you likely have more than just enough admin privileges. Most corporate places restrict this heavily. Even a basic Windows service will usually prevent renaming or replacing its .exe while running.
If you have a half competent IT dept. then monitoring programs run as system services and should have self-protection. Renaming the .exe or replacing it would either
1 – Fail because the file is in use,
2 – Trigger the service to repair itself automatically,
3 – Send an alert in IT monitoring tools that they monitor.
Not to mention issues with heartbeat checks or agent status, CPU monitoring or logging as the .exe that doesn’t open wouldn’t be able to function.
This wouldn’t last 10 minutes in my office.
What’s the program that records your screen? Just curious
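The checks the comments above describe (an executable checksum compared against a known-good value, service state, and agent heartbeat), sketched as fleet-side triage logic. This is an added example, not part of the original thread or any product's code; the report fields, host names, 30-minute threshold and binary contents are constructed, and it assumes a separate management agent collects the inventory.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the deployed agent binary and a swapped-in dummy.
GOOD_BINARY = b"MZ constructed monitoring agent build 1.0"
DUMMY_BINARY = b"MZ constructed placeholder that exits immediately"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good hash per released agent version, as the console would hold it.
BASELINE = {"1.0": sha256_hex(GOOD_BINARY)}


@dataclass
class EndpointReport:
    host: str
    agent_version: str
    binary_sha256: str      # hash of the file at the agent's install path
    service_state: str      # "running", "stopped", ...
    last_heartbeat: datetime


def findings(report, now, max_silence=timedelta(minutes=30)):
    """Return the list of reasons this endpoint is out of compliance."""
    out = []
    expected = BASELINE.get(report.agent_version)
    if expected is None:
        out.append("unknown-version")
    elif report.binary_sha256 != expected:
        out.append("hash-mismatch")
    if report.service_state != "running":
        out.append("service-not-running")
    if now - report.last_heartbeat > max_silence:
        out.append("heartbeat-stale")
    return out


def action(reasons):
    """A changed binary is evidence of modification; silence alone is not."""
    if "hash-mismatch" in reasons or "unknown-version" in reasons:
        return "investigate"
    return "repair" if reasons else "none"


def triage(reports, now):
    """Map each non-compliant host to its findings."""
    return {r.host: f for r in reports if (f := findings(r, now))}


# Constructed sample inventory.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    EndpointReport("WS-001", "1.0", sha256_hex(GOOD_BINARY), "running",
                   NOW - timedelta(minutes=5)),
    EndpointReport("WS-002", "1.0", sha256_hex(DUMMY_BINARY), "stopped",
                   NOW - timedelta(days=3)),
    EndpointReport("WS-003", "1.0", sha256_hex(GOOD_BINARY), "running",
                   NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE, NOW).items():
        print(host, action(reasons), reasons)
```

The split between "repair" and "investigate" mirrors the thread: a silent agent with an intact binary looks like ordinary breakage, while a hash that no longer matches the released build does not.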
lol. I hope you have another job lined up.
The local IT guy at my workplace a few years ago was great. He let me try out some specialty software to evaluate how helpful it would be. But he was too busy to install them himself. So every time I did it I had to call him and he would come by and enter his credentials. After about 20 calls one day he messaged me his credentials and told me to only call if I broke something. And not to tell anyone.
Used that for almost a year before he called me and asked about some strange activity main IT had flagged.
Can you make the new executable an actual piece of software that does launch so the logging software records a successful launch, then exit out of it? (Or leaving it running if it helps…like have it launch the calculator and just minimize it.)
Not sure if that’s how tracking works vs the actual software phoning home but it might slow down the discovery time.
You’d get fired so quickly for this at my workplace. I hope your relationship with IT is good.
We track these. And this is why we take away admin rights from people.
If some random program is using a big chunk of my PC’s processing power I wouldn’t mess around renaming and stuff I’d just call IT and tell them. I may say that I think my PC has picked up some spyware or has some sort of virus but it’s really their issue to solve.
I’d probably be issued a replacement laptop or they’d spend ages connected to my laptop fault finding. If that new laptop did the same thing or I got the brush off I’d keep reporting it as faulty.
I’m not being paid to fix my work device. If they want to install stuff that makes it harder for me to work then fine, I’ll just be less productive.
Ok but IT will probably catch you since the service is not running anymore I guess
Wouldn’t they be able to track you replacing the program though?
Have you contacted IT with your computer specs and asked if your RAM is within specs? If that app is draining 30% you are probably due for an upgrade.
a third of your ram??? yeah id be removing it too wtf
Since you have the workaround figured, moving the dummy around and about and renaming the file takes half a minute. You could do this daily or weekly, to juggle around that there’s at least some data gathered and have it working if you assume there’s a reason to believe something could be inspected. Won’t remove risk completely, but I’d assume it reduces risk.
Save your replacement on a thumb drive and you can put it back as soon as they fix it.
Don’t replace the exe that they want to start, try to open with ResourceHacker and delete icons, manifest etc.. and save it – can make it sometimes crash on launch OR open the exe in some hex editor and overwrite entry point with zero bytes, both ways it will look like it got corrupted somehow.
Congratulations, you’re now officially the IT department’s final boss.
The company owns the assets not you. This could get you fired.
Somewhere in IT, a guy is staring at an error log and questioning his entire career.
a few suggestions if you decide to do this long term: use an exe that starts successfully as a service but uses very little resources. also swap the real exe back in once or twice a week and start it. almost guarantee they run a report once in a while looking for endpoints without the management tool and you will invite scrutiny being on that list. lastly, running it successfully once in a while will ensure you get whatever updates and changes are needed.
Yep IT will eventually notice metrics aren’t being collected, or errors will alert them to noncompliance behaviors with the application. Some organizations will see this as a fireable offense when you manipulate the app they installed to manage DPL (or whatever). Just be careful.
I would just open more programs than what is necessary to overload the RAM. Then complain about a virus using my laptop RAM, that it hinders me from doing my work.
Brilliant 👏
It kills me that my company pays a shit ton of money on state of the art tracking software to make sure I’m doing my job but puts no money into the software that would help me do my job.
Be very cautious doing things like this, as it could very easily get you fired. Some organizations have contracts that require their employees to be monitored as such, and thereby have a legal requirement to do so. At minimum, I can almost guarantee that the employee handbook for the vast majority of larger organizations has specific documentation about not circumventing IT controls, and doing so may result in termination.
Don’t be surprised if it suddenly starts running again seemingly by itself. IT will likely get notified by whoever monitors the data from the spyware that it isn’t working on your computer, and someone may just remote into your computer behind the scenes and reinstall it. They may just fix the issue without further investigation if it only happened the one time, but the chance for further investigation increases the more often it happens.
Also, depending on what other products are implemented in your environment, IT may be able to see exactly what you did. There’s security software available (often managed by the IT security department specifically in larger organizations) that tracks executable files, file renames, file moves, file executions, etc, and any admin of such software should easily be able to show a manager (or whoever) what you did by events captured from said software. In the environment I work in, there are actually two products that monitor such things (and a lot more) and are extremely difficult to bypass (which I do not recommend attempting, because even attempting to do so will raise all kinds of alerts that will get your actions investigated very quickly if not almost immediately). I’ve managed security tools like this for years at a large organization, and I’ve had to investigate similar incidents for various software mysteriously not working, often at the request of HR, legal, or higher level managers.
Anyway, if you get caught and/or the spyware starts running again, a better option would be to contact IT and your manager and complain about how it impacts your computer’s performance and how it reduces your productivity. Whoever manages that software might be able to configure it to consume fewer resources, or maybe they will consider using a different product altogether if sufficient people complain about it. Either the software itself is poorly written or your computer has relatively low RAM; if your computer has low RAM perhaps they might replace it with a more performant computer.
A company paranoid enough to employ spyware and stupid enough to allow local admin rights, is going to jump right to the assumption you fucked with the software.
You can also simply create a folder/directory with the same name as the executable since there can only be one object with that name.
This makes no sense.
Just download more RAM problem solved.
at least op is getting pointers at what he did wrong in this thread
OP, what is the program that you found is spying on you? I’d like to know what to look for so I know whether my company is or not.
I am so happy to be alive in a country that has made such things very illegal to do.
Ha! We can’t use caffeine at my org, so I renamed it not-caffeine. Has worked for 5yrs.
Good choice! If they’re paying attention and actually following up, someone from IT will likely attempt to repair the application at some point. It’s doubtful that they’ll spend time trying to figure out what happened versus just reinstalling. The assumption is they’ll have a certain number of clients not reporting in and they just want to fix it and move on.
I’ve worked in IT for 30 years, and manage a team that does this exact sort of thing.
Do we tell them about Microsoft recall 😈 or just keep it a secret.
Ah, this reminds me of my school days. My school used to use a monitoring software called dyknow. I didn’t have admin privileges cause I’m a student obv but I used a drive with windows on it to move cmd prompt to the utility menu on the login screen, since I wasn’t logged in yet it goes to the system 32 cmd prompt instead of the locked student cmd prompt. From there, I made an admin account and deleted parts of the software bit by bit since I couldn’t force it to close, so I just removed stuff till it didn’t work. I never got in trouble for that part, but I did have to switch teachers cause one of them kept complaining he couldn’t see my screen. Anyway, best of luck. Hopefully, you get away with this for as long as possible 👍
Sooooo…depending on how competent your IT department is and the QA or whatever dept is reviewing any footage of you, it may take a while for anyone to actually notice that you’ve done this, but they WILL find out eventually. I have no idea how you can possibly think no one will ever notice this. And the way you’ve done this makes it painfully clear that it wasn’t accidental. This is a great way to get yourself watched even more heavily (if not worse) because they’re going to wonder wtf you’re trying to hide by doing something this stupid.
It sounds like you are feeling like you did something really clever.
I assure you, you didn’t. No need to be smug. This is extremely obvious and IT will get an alert and they’ll be annoyed at the obviously malicious tampering. If you don’t like the workplace IT policies and practices raise the concern with management or leave the org.
These system agents regularly ‘check-in’ with home base per se to give and get updates. IT will come knocking eventually and when they find out what you did it won’t look good for you.
Just so you know they will eventually find out and when they do they will audit your pc to find out why it’s not running. You’re up the creek since you have admin rights and they’ll find out you changed the name of the file. Start looking for another job
If they’re cool they’ll be impressed at what you’ve done.
What’s the name of the tracking software?
When they get the notification you haven’t been actively working for a month.
Good luck 😆
This is solid! You know, if IT ever comes knocking, I say just play stupid. You care about things and working hard and smart are just some of them, so while working and getting slow consistently, you looked around and you just noticed some random program.
It didn’t have anything to do with your direct work, and from your point of view, it looked like just bloatware. Since it created a situation so your PC was bogged down, you took a proactive step to be more efficient, did a workaround to disable it and you’ve been able to work so much quicker and more efficiently!
And even sort of a burn on them which I like the best!
The Indirect Burn To employer:
Your spyware, which is pretty invasive, well it’s slowing the hell out of my workstation and actually making my work harder and you’re only hurting yourself, champ! Gosh, and you do this with how many employees? I wonder how many extra resources you’re burning through, because you can’t hire properly (this is the equivalent of standing behind someone who’s physically at the office… It’s weird that it’s not totally looked at that way).
I would think just simply logging sites visited would be enough… Not something that invasive! Maybe there’s a work around that I’m not aware of which is 99% likely lol
You open the original exe with a hex editor and change a few random bytes here and there. File size should be the same. There are apps to change creation and edit dates, I use it to set dates on old photos that have been copied or scanned…
I’m proud of you!
I’m very surprised they don’t have that access blocked with admin privileges. Kinda shows you how much they actually care.
Good for you. I also never accept a company phone because they put those trackers in them. It’s terrible how companies treat workers like that and get away with it.
I love geeks. They sort that shit out.
At best, and most likely, it’ll eventually get noticed but IT is so busy and doesn’t care enough to do anything but just reinstall it.
At worst they’re going to give enough of a damn to notice the obvious and submit a report that surveillance software has been modified, which… isn’t good.
Look at it this way. For YOU all you’re doing is trying to increase productivity.
For the company, they have no idea if you’ve done it to try and do some shady stuff behind their back, not just goof off at your computer or whatever other reason they might think up.
I wouldn’t do it. Not worth it. Could lead to waaaay more trouble than just “we figured out you did it because you thought it was inefficient so you’re getting written up”.
I did something like this at school when I was young, we have timecode surveillance program but not all Pcs are on, and when they turn on the program starts up but I learnt that if I unplug the Ethernet cable it opens up a part of the program for me to exit it and then replug it back and if caught, idk what happened I’m just using the computer and if not I just restart the program at the end and leave, showed my friends it and they got caught first or second time.
Use processhacker to suspend it after it runs. Or find out what it connects to and add a windows firewall rule. Or even sneakier, change the compatibility options so it runs in a 16bit dos compatible mode (right click-> properties).
Changing the file directly leaves lots of traces that could get you in trouble. Chances are IT won’t care unless your boss asks questions.
Lol OP thinks he’s being smart as if IT teams haven’t seen this nonsense over and over again, and if their boss cares enough, you will be reported.
This could be grounds for immediate termination. It sounds like your security or IT group isn’t doing their job. All of those applications have reports to show when they checked in last. Although if your IT group did their jobs you wouldn’t be able to change it.
Listening to all the various comments, your next post will probably be you downloaded something and gave your company ransomware.
Two things are true.
Your actions were morally correct.
You will see consequences for this.
A lot of people saying this will get checked. I’m skeptical unless there’s some reason to check your work otherwise.
Get a new employer that doesn’t track you.
what was the program? also seems like a lot of potential headache to get back 30% ram lol
So fun times when I was a computer science teacher in a public school. I used to boot my computer into Linux, then replace magnify.exe with cmd.exe then reboot and then create a local admin account to do what I wanted. (Don’t change your account to be a local admin that phones home to AD and IT will see that.)
They could have stopped this if they encrypted their hard drives or used bios passwords.
I’d just worry that the software might flag you as never actually being logged in and working. But I’d probably look for a job that didn’t waste time and resources on tracking this level of stuff.
I would just remove it, and cover your tracks by removing some other useless programs at the time. Then if you get called out, just say the computer was running super slow, so you figured it was windows bloat and got rid of some programs that you didn’t recognize.
Most of that stuff isn’t because people are bored and spying on you, it’s to ensure patches are complete and save the company from issues down the line. Nobody is actively watching you unless alarm bells are ringing. But you disabled that and basically just raised a big old flag and said “hey look at me”
You made more work for your IT department, and based on the way you talk about it, they probably already fucking hate you.
Imagine how much faster your PC will be when you’re no longer using it as a result of being fired for tampering with it…
Chances are, if an employer is using monitoring software, they’re also using systems management software that can report configuration changes.
Rather than tampering, I’d approach my manager and IT stating that the resource consumption is affecting my productivity and put the onus on them to tweak the configuration, make an exception, or upgrade my hardware.
So you have like 1.000.0000 files of kiddyporn on your desktop?
About 20 years ago, my high school deployed a watcher software that allowed teachers to remotely view your screen. Not that I was really looking at anything I shouldn’t have been, but I still didn’t like it. They just installed the software on our network drives, I found the executable and just deleted it. Boom, no more remote monitoring. One of my teachers finally noticed that he was never able to view my screen and asked if I had messed with the software, and I just shrugged.
wow, your work records your screen 247?
it’s time to update that resume bud and find a new employer
This screams toxic workplace and I would work elsewhere.
I did something simple as just taking a screenshot of my boss’s desktop, set it as his background, hid the icons and taskbar and disabled right click and the windows key. He couldn’t do his work for a week until someone could come in and fix it.
Really, only in America is working from home monitoring at this level.
In high school, the IT department had a hard coded allow list so we would just rename the game binaries to notepad.exe to get around it. Felt like hackers.
Very long term sysadmin here.. You are playing with fire. In most companies, when (not if) IT figures what you did, it’s a termination offense. My advice is to put it back and get it back the way it was and then reach out to IT and/or your manager and complain about the resource drag. Let them deal with it or get you a machine with more ample resources.
If they had any brains during the implementation you are for sure showing a red flag somewhere in some log. Now if that log is being watched, or acted on, hard to say.
I used to have the, um, honor of doing forensic user activity reporting in a past job. HR would contact me in certain “situations” and ask for ammo. The ammo was all there most of the time, clear as day, but it’s not like I had a dashboard that was blinking red about that activity that I just clicked to catch.
Redirect to a batch script to shut the computer down with a message that says “gaxored” or something.
We did that first year I.T. students when we were in our second year at my vocational school and the teacher just left them there “you’re training to do computer repair, figure it out”
If I remember correctly, it’s been about 14 years, I think we did it to their web browsers
Bro trying his best to get fired 🤣
Just Christ what’s wrong with your thought process.
Did somebody say Resume Generating Event?
They get what they deserve, hope you won’t get caught OP
yes !! way to SUBVERT !!
Not a tracking program, but I had a stupid program that came installed with video drivers to allow quick changes – VERY SELDOM NEEDED – that constantly ran and used some keyboard shortcuts I wanted to map elsewhere. So… booted to safe mode and renamed it, copied shutdown.exe to its place. Since there were no options, it did nothing…. but prevented it running unless I wanted it to.
If they do come knocking, you’re getting fired or worse. With all the hubbub over potential North Koreans working in companies, this shit is getting hunted down.