Sudden background/lock screen change

  • Question

  • Hi community!

    I am currently analyzing anomalous behavior related to the sudden change of a background/lock screen on a Windows 10 operating system. The user (not admin) does not remember having performed any action or knowing the brand of the image of the new configured wallpaper (it is the logo of another company), although at the level of commands and logs (via EDR) I can see that the following was executed:

    - C:\Windows\system32\desktopimgdownldr.exe /deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg /eventName:DesktopImageDownloadCancelEvent

    - C:\Windows\system32\desktopimgdownldr.exe /lockscreenurl:https://WWW.DOMAIN.COM/LockScreen2022V2.jpg /eventName:LockScreenImageDownloadCancelEvent

    The flow of processes would be given by a tree from major to minor as follows:
    1.   wininit.exe
    2.   services.exe
    3.   svchost.exe
    4.   omadmclient.exe
    5.   desktopimgdownldr.exe

    I have been looking for information and although it could be related to some type of LOLBAS attack, it does not seem to be the case since the use and the services executed seem to correspond to those of Windows and would be legitimate. Has anyone experienced a similar case? How could I confirm if it is a security incident or an accident? Could you carry out a proof of concept through the omadmclient.exe process that could confirm for me how to do it? Could you have made that change?

    Thank you very much in advance!
    January 19, 2023 18:31

All replies

  • Hi,

    Have you tried troubleshooting your PC or laptop? There might be a chance of a software malfunction.

    January 20, 2023 5:30
  • I have the same problem, I haven't found a solution yet :(
    January 21, 2023 14:21
  • I also faced this issue on 21 Jan, I haven't found a solution yet :(
    January 22, 2023 18:53
  • Hi!

    Nope, nothing strange!

    January 23, 2023 17:29
  • Does anyone else get the message "*Some of these are hidden or managed by your organization." when trying to change it back?
    January 23, 2023 17:34
  • I suggest further investigation and analysis of the system, including reviewing user activity and network traffic. It may also be helpful to check for any recent software updates or changes made to the system. Additionally, consulting with a cybersecurity expert would be beneficial in determining if this is a security incident or an accident.
    January 28, 2023 22:56
  • Go to Settings > Personalization > Lock screen. Under Background, select Picture or Slideshow to use your own picture(s) as the background for your lock screen.

    Regards,

    Rachel Gomez

    February 3, 2023 6:33
  • You may start a full scan for viruses or malware with Microsoft Defender. 
    If it is not a security incident, you may change the background for your lock screen as Rachel said.
    February 27, 2023 8:11
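
An added example for the question at the top of the thread (not code from any poster or from Microsoft): the parent chain there ends in omadmclient.exe, the Windows MDM (OMA-DM) client, so a first triage step is to check each desktopimgdownldr.exe event for that ancestry and for an image host your own policy uses. The event dictionary shape, the `approved_hosts` set and the verdict labels are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Process ancestry reported in the question, root first.
EXPECTED_CHAIN = ["wininit.exe", "services.exe", "svchost.exe",
                  "omadmclient.exe", "desktopimgdownldr.exe"]
SYSTEM32 = "c:\\windows\\system32\\"
URL_ARG = re.compile(r"/(deskimgurl|lockscreenurl):(\S+)", re.IGNORECASE)

def triage(event, approved_hosts):
    """Classify one desktopimgdownldr.exe event; returns (verdict, findings).
    event (hypothetical shape): {"image", "cmdline", "ancestry": names root first}
    approved_hosts: lowercase hosts your own MDM wallpaper policy references.
    """
    findings = []
    if not event["image"].lower().startswith(SYSTEM32):
        findings.append("binary not running from System32")
    chain = [name.lower() for name in event["ancestry"]]
    if chain[-len(EXPECTED_CHAIN):] != EXPECTED_CHAIN:
        findings.append("unexpected parent chain: " + " > ".join(chain))
    match = URL_ARG.search(event["cmdline"])
    if match is None:
        findings.append("no /deskimgurl or /lockscreenurl argument")
    else:
        host = (urlparse(match.group(2)).hostname or "").lower()
        if host not in approved_hosts:
            findings.append(f"image host not approved: {host}")
    if not findings:
        return "expected-mdm-policy", findings
    # Right ancestry but unknown host: the MDM client started the download, so
    # check which management service and profile delivered the setting.
    if all(f.startswith("image host not approved") for f in findings):
        return "review-mdm-policy", findings
    return "investigate-endpoint", findings

# Constructed sample events; the first mirrors the command line in the question.
MDM_EVENT = {
    "image": r"C:\Windows\system32\desktopimgdownldr.exe",
    "cmdline": r"C:\Windows\system32\desktopimgdownldr.exe "
               r"/deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg "
               r"/eventName:DesktopImageDownloadCancelEvent",
    "ancestry": list(EXPECTED_CHAIN),
}
SHELL_EVENT = dict(MDM_EVENT, ancestry=["explorer.exe", "cmd.exe",
                                        "desktopimgdownldr.exe"])

if __name__ == "__main__":
    for ev in (MDM_EVENT, SHELL_EVENT):
        print(triage(ev, approved_hosts={"intranet.example"}))
```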