Tip: Kill Those Suspicious Pop-Up Windows

Tip: Kill Those Suspicious Pop-Up Windows

Last week, I tweeted about repeatedly seeing a mysterious and suspicious pop-up command line window on my desktop PC. As it turns out, this is a widespread issue. So here’s the fix.

First up, the good news: This isn’t malicious behavior or any kind of malware. As it turns out, it’s caused by Microsoft Office.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

OK, here’s what’s happening.

Last week, I tweeted about some mysterious behavior I was seeing on my main desktop PC only.

I keep seeing a command line window pop-up and then disappear in a second. 10-15 times a day. I am sure this is normal & nothing is wrong.

(That last bit was sarcasm, by the way. I was actually concerned by this behavior.)

I received a number of helpful responses, including one from Dave Dustin, who forwarded me to a Microsoft Answers post.

After noting that I would test the fix suggested by that post, I followed the instructions there, which amount to changing the account under which two background processes related to Microsoft Office run from “User” to “System.” When you do so, the processes will not display a UI, so the pop-up window is eliminated.

I can confirm that this fix works. So if you’re bedeviled by these pop-ups, you can get rid of them now. Or you can wait for Microsoft to issue a fix: This issue was a mistake that it is aware of, and I’m told it will be fixed soon.


Share post

Please check our Community Guidelines before commenting

Conversation 26 comments

  • blaktron

    31 May, 2017 - 9:11 am

    <p>Hey did you explore the implications of running those two processes as unrestricted SYSTEM instead of as a user? Its quite likely the Office security model isn't designed to protect those tasks from tampering, and if they are running as SYSTEM they could easily be exploited to grant full control to anyone that has changed the user context for those tasks.</p><p><br></p><p>From what I can see, those user tasks should NOT be run as SYSTEM, but were just created poorly to not prevent the echo. Prior to the insiders edition, Office 2016 added 4 tasks (not those ones), 2 of which ran as SYSTEM and 2 as User. These tasks do not look to be Application level, but Profile level which suggests they are not meant to run in the SYSTEM context and by recommending this you are possibly exposing users to an unknown number of risks.</p>

    • Jaxidian

      31 May, 2017 - 11:41 am

      <blockquote><a href="#120899"><em>In reply to blaktron:</em></a></blockquote><p>I'd +1 this more than I already have if I could. There are a non-trivial security changes when running services as System that were previously ran with lower privileges. I'm just going to keep having these popups for now – SOO much better than being victim to the next botnet malware.</p>

    • YouWereWarned

      31 May, 2017 - 12:36 pm

      <blockquote><a href="#120899"><em>In reply to blaktron:</em></a></blockquote><p>And this change is likely to cause the ad content that is generated to be forwarded to Satya instead of Paul, so probably a net plus.</p>

  • david.thunderbird

    31 May, 2017 - 10:11 am

    <p>Just another shovel full out of the pit that MS is digging</p>

  • Delmont

    31 May, 2017 - 10:14 am

    <p>I've been noticing this too. Thought I was nuts at first. Thank you for the article.</p>

  • Vuppe

    31 May, 2017 - 10:27 am

    <p>Paul, I take back everything I said about you yesterday. Thank you.</p>

  • Martin Pelletier

    Premium Member
    31 May, 2017 - 10:47 am

    <p>Will try that tonight after work. Thx Paul.</p>

    • Martin Pelletier

      Premium Member
      31 May, 2017 - 10:57 am

      <blockquote><a href="#120936"><em>In reply to Martin Pelletier:</em></a></blockquote><p>Oh maybe Maktron on the Standard Comments maybe right about something. Could by elevation the process to System open the process to security problems?</p>

      • Jaxidian

        31 May, 2017 - 11:42 am

        <blockquote><a href="#120939"><em>In reply to Martin Pelletier:</em></a></blockquote><p>Yup. You should not follow the advice in Paul's post unless you're comfortable adding a potential security vulnerability to your system.</p>

  • helix2301

    Premium Member
    31 May, 2017 - 11:33 am

    <p>I have been wondering what that was all fixed thank you paul</p>

  • fuzzsdad

    Premium Member
    31 May, 2017 - 11:51 am

    <p>I was just thinking about this and there it was! At least it's not malware. Thanks Paul!</p>

  • Waethorn

    31 May, 2017 - 11:59 am

    <p>What about the shell reloading and re-caching icons?</p>

  • leonzandman

    31 May, 2017 - 12:30 pm

    <p>Running SysInternals Process Monitor can easily identify such processes. Love that tool.</p>

  • bassoprofundo

    Premium Member
    31 May, 2017 - 12:30 pm

    <p>OMG thank you for this… I'd noticed on my desktop post-Creators Update, and I reimaged the whole thing only to have it keep happening. Good to know it isn't something malicious.</p>

  • MCimino

    Premium Member
    31 May, 2017 - 1:01 pm

    <p>OMG. This has been driving me crazy. First thing I do when I get home is fix it. Thanks for the info.</p>

  • bbold

    31 May, 2017 - 1:11 pm

    <p>I've seen this happen once or twice but only when installing Office 365 on two new machines, thought it was just a part of the installation, maybe it was! At any rate, good to know there is a fix for when it's not. :)</p>

  • Darekmeridian

    31 May, 2017 - 1:28 pm

    <p>I also have been seeing this, but i have been using Insider Builds as a daily driver for so long now I just assumed it was normal beta windows weirdness.</p><p><br></p>

  • rameshthanikodi

    31 May, 2017 - 2:48 pm

    <p>Oh my God! I this thought this was just me!</p><p>It started doing this for me this week. The pop up CMD windows runs "backgroundtaskhandler" from the office folder, so I knew it was a office issue, but I didn't know it was a widespread issue and not just me. Thanks for the tip and hopefully Microsoft fixes this asap.</p>

  • hrlngrv

    Premium Member
    31 May, 2017 - 3:46 pm

    <p>Why does this default to running as a user process?</p><p>Next, if this is only a character mode (or no UI at all) program running in a console window, that console window couldn't be launched minimized? Couldn't be hidden entirely? Couldn't have been implemented as a background service? The implications for the laziness and/or indifference towards customers on the Office developers team are worrying.</p>

    • rameshthanikodi

      31 May, 2017 - 3:51 pm

      <blockquote><a href="#121147"><em>In reply to hrlngrv:</em></a></blockquote><p>It is a background service. It is supposed to run silently, but obviously a bug in the latest version of the updater is causing it to show up.</p>

      • hrlngrv

        Premium Member
        31 May, 2017 - 5:36 pm

        <p><a href="#121148"><em>In reply to rameshthanikodi:</em></a></p><p>If it were meant to be a background service and had been such prior to the last version or so (thus didn't appear previously), but now it does appear, does that say anything good for Office QA testing?</p>

        • rameshthanikodi

          01 June, 2017 - 4:02 am

          <blockquote><a href="#121214"><em>In reply to hrlngrv:</em></a></blockquote><p>it doesn't say anything good.</p>

  • Alexander Rothacker

    Premium Member
    31 May, 2017 - 5:44 pm

    <p>From a security point of view this sounds like a really bad idea to run these processes as SYSTEM. See the good explanation by Maktron in the standard comments, which I can only second.</p>

  • Jacob Klein

    01 June, 2017 - 12:43 am

    <ul><li>I believe the problem in this article, was with Office Insider Build 8117.1000</li><li>The Office Insider Build 8201.2025, does NOT have the problem.</li><li>For a while, Office Insider Fast Ring had the 8117.1000 build, while Office Insider Slow Ring had a newer 8201.2025 build.</li><li>Now both rings have that new build, and all is good.</li><li>If you applied the workaround, and have the new fixed build, you might consider undoing the workaround.</li></ul>

  • Paul Goldstraw

    01 June, 2017 - 11:38 am

    <p>This did my head in for a few days about a week ago before i applied this fix coming from the same place Paul references. It boots you out of full screen games which was my biggest bugbear. Spent hours with a screen recording tool running to try and catch that one second it flashed up and disappeared again…fun times!</p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC