Tip: Kill Those Suspicious Pop-Up Windows

Posted on May 31, 2017 by Paul Thurrott in Office, Windows 10 with 25 Comments

Tip: Kill Those Suspicious Pop-Up Windows

Last week, I tweeted about repeatedly seeing a mysterious and suspicious pop-up command line window on my desktop PC. As it turns out, this is a widespread issue. So here’s the fix.

First up, the good news: This isn’t malicious behavior or any kind of malware. As it turns out, it’s caused by Microsoft Office.

OK, here’s what’s happening.

Last week, I tweeted about some mysterious behavior I was seeing on my main desktop PC only.

I keep seeing a command line window pop-up and then disappear in a second. 10-15 times a day. I am sure this is normal & nothing is wrong.

(That last bit was sarcasm, by the way. I was actually concerned by this behavior.)

I received a number of helpful responses, including one from Dave Dustin, who forwarded me to a Microsoft Answers post.

After noting that I would test the fix suggested by that post, I followed the instructions there, which amount to changing the account under which two background processes related to Microsoft Office run from “User” to “System.” When you do so, the processes will not display a UI, so the pop-up window is eliminated.

I can confirm that this fix works. So if you’re bedeviled by these pop-ups, you can get rid of them now. Or you can wait for Microsoft to issue a fix: This issue was a mistake that it is aware of, and I’m told it will be fixed soon.

 

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (26)

26 responses to “Tip: Kill Those Suspicious Pop-Up Windows”

  1. blaktron

    Hey did you explore the implications of running those two processes as unrestricted SYSTEM instead of as a user? Its quite likely the Office security model isn't designed to protect those tasks from tampering, and if they are running as SYSTEM they could easily be exploited to grant full control to anyone that has changed the user context for those tasks.


    From what I can see, those user tasks should NOT be run as SYSTEM, but were just created poorly to not prevent the echo. Prior to the insiders edition, Office 2016 added 4 tasks (not those ones), 2 of which ran as SYSTEM and 2 as User. These tasks do not look to be Application level, but Profile level which suggests they are not meant to run in the SYSTEM context and by recommending this you are possibly exposing users to an unknown number of risks.

  2. bassoprofundo

    OMG thank you for this... I'd noticed on my desktop post-Creators Update, and I reimaged the whole thing only to have it keep happening. Good to know it isn't something malicious.

  3. Jacob Klein

    • I believe the problem in this article, was with Office Insider Build 8117.1000
    • The Office Insider Build 8201.2025, does NOT have the problem.
    • For a while, Office Insider Fast Ring had the 8117.1000 build, while Office Insider Slow Ring had a newer 8201.2025 build.
    • Now both rings have that new build, and all is good.
    • If you applied the workaround, and have the new fixed build, you might consider undoing the workaround.
  4. Alexander Rothacker

    From a security point of view this sounds like a really bad idea to run these processes as SYSTEM. See the good explanation by Maktron in the standard comments, which I can only second.

  5. hrlngrv

    Why does this default to running as a user process?

    Next, if this is only a character mode (or no UI at all) program running in a console window, that console window couldn't be launched minimized? Couldn't be hidden entirely? Couldn't have been implemented as a background service? The implications for the laziness and/or indifference towards customers on the Office developers team are worrying.

  6. rameshthanikodi

    Oh my God! I this thought this was just me!

    It started doing this for me this week. The pop up CMD windows runs "backgroundtaskhandler" from the office folder, so I knew it was a office issue, but I didn't know it was a widespread issue and not just me. Thanks for the tip and hopefully Microsoft fixes this asap.

  7. Darekmeridian

    I also have been seeing this, but i have been using Insider Builds as a daily driver for so long now I just assumed it was normal beta windows weirdness.


  8. bbold

    I've seen this happen once or twice but only when installing Office 365 on two new machines, thought it was just a part of the installation, maybe it was! At any rate, good to know there is a fix for when it's not. :)

  9. MCimino

    OMG. This has been driving me crazy. First thing I do when I get home is fix it. Thanks for the info.

  10. leonzandman

    Running SysInternals Process Monitor can easily identify such processes. Love that tool.

  11. Waethorn

    What about the shell reloading and re-caching icons?

  12. fuzzsdad

    I was just thinking about this and there it was! At least it's not malware. Thanks Paul!

  13. helix2301

    I have been wondering what that was all fixed thank you paul

  14. Martin Pelletier

    Will try that tonight after work. Thx Paul.

  15. Vuppe

    Paul, I take back everything I said about you yesterday. Thank you.

  16. Delmont

    I've been noticing this too. Thought I was nuts at first. Thank you for the article.

  17. david.thunderbird

    Just another shovel full out of the pit that MS is digging

  18. Paul Goldstraw

    This did my head in for a few days about a week ago before i applied this fix coming from the same place Paul references. It boots you out of full screen games which was my biggest bugbear. Spent hours with a screen recording tool running to try and catch that one second it flashed up and disappeared again...fun times!

Leave a Reply