Identifying Console Window Popups by Monitoring Process Starts

I recently noticed a console window pop up for a fraction of a second on my desktop. About an hour later, it happened again. Random windows appearing out of nowhere is not something I like to see on my machines. Read on to learn how I investigated the issue.

Monitoring Process Starts

Obviously, something was starting processes on my machine at a certain schedule. I wanted to find out what that was.

uberAgent, our user experience and application performance monitoring product, detects any process start on a monitored endpoint. Process starts are recorded with the exact timestamp, process name, PID, and the name of the parent process.

Detecting Console Process Starts

Identifying starts of console processes is easy if you have uberAgent. For every console process there is a console host child process called conhost.exe. All we need to do is look for conhost.exe processes and then list the names of the parent process. The following Splunk search does just that:

index=uberagent sourcetype=uberAgent:Process:ProcessStartup host=hkx1c ProcName=conhost.exe ProcParentName=* | table _time ProcParentName

Above search looks for process start events on my machine where the process name is conhost.exe. For every matching process start it lists the time the process was started and the name of the parent process. Please note that uberAgent’s configuration setting EnableExtendedInfo needs to be enabled in order for this to work. A listing of all sourcetypes and field names collected by uberAgent can be found here.

Finding the Console Process

When that offending console window popped up the next time I took note of the time and then ran the search from above. The result looked like this:

The console process started around the time I noticed the window pop-up was officebackgroundtaskhandler.exe. A while later I repeated the process, and again officebackgroundtaskhandler.exe turned up. So what’s the matter with this process apparently belonging to the Microsoft Office suite?

Why is officebackgroundtaskhandler.exe Flashing Console Windows?

A quick search for officebackgroundtaskhandler.exe led me to this Microsoft Answers post. Apparently the flashing console window is a know bug that will be fixed in a future update.

Phew, looks like this one is harmless and going to go away on its own. Unfortunately, that is not always the case. Make sure you understand the processes running on your machines. uberAgent can help with that.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.