Having some issues with Edge. Would like to ask a couple basic questions.

Max 1 Reputation point
2022-01-18T23:47:26.307+00:00

Opened 2 tabs on Edge and then another popped up that wanted me to verify through authentication without me doing anything that would call it to prompt. A little suspicious. Opened up Visual Studio 2022 to debug the authorization window that would not go away. I find that there are actually 7 instances of WebView, 6 instances of Windows.Client.WebExperience, and 11 general processes for Microsoft Edge (with no specific title). There is also an additional window that has the name of a window title attributed to it. Looking at the type of file, all of the Edge processes are listed as 64-bit, JavaScript. Should I assume that there are several hidden Edge windows each running JavaScript?

Upon choosing a random window, debugging fails with the error message "Cannot connect to the target: connect ECONNREFUSED 127.0.0.1:9222". Why is Visual Studio trying to connect as a remote debugger through a TCP port?

All the connections for all of these processes have destinations listed as * in Sysinternals TCPView. I went to try Wireshark and netstat. Some time while running those, I went back to TCPView and all the process IDs had changed to the same PID, even though I know they each had a unique PID before. How would a program be able to do this? What would be a foolproof way to track my destination IP address should this happen again?

Tags: Developer technologies | Visual Studio Debugging, Sysinternals, Microsoft Edge development

3 answers

  1. Anonymous
    2022-01-19T08:20:17.79+00:00

    Hi @Max

    For your first question, there's no "hidden Edge windows" but Edge indeed runs multiple processes. Like other modern browsers, Edge is designed to spread work out across several processes. Each of the tabs is a process, so is the extension or anything else that is running with the primary process. That's why you can see many Edge processes.

    For the second question, you can try to attach again, or close every web browser tab and reopen them again to see if it works.

    As I'm not an expert in VS debugging and Windows Sysinternals, I can't provide solutions to your second and third parts of the question. Let's see if any other community members can provide some suggestions.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Regards,
    Yu Zhou
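An added example, not code from any post in this thread and not Microsoft's own tooling, of the kind of per-process connection log the question asks about: it records the remote address, owning PID and process start time of every TCP connection held by an Edge process (so a later PID display change in another tool does not lose the data), and reports whether anything is listening on the DevTools port 9222 that Visual Studio was trying to reach. The log path and the 5-second interval are assumptions.

```powershell
# Added example, not code from any post in this thread. Logs every non-listening TCP
# connection owned by a Microsoft Edge process together with the owning PID and the
# process start time, so the remote address is recorded even if a tool's PID column
# later changes. Assumes Windows 10/11 PowerShell with the built-in NetTCPIP module;
# the log path and the 5-second interval are arbitrary choices.
$LogPath = Join-Path $env:USERPROFILE 'edge-connections.csv'

function Get-EdgeConnectionSnapshot {
    # Every tab, extension host and utility process of Edge is a separate msedge.exe,
    # so gather all of their PIDs first and look up connections by owning process.
    $edge = Get-Process -Name msedge -ErrorAction SilentlyContinue
    if (-not $edge) { return }
    $byPid = @{}
    foreach ($p in $edge) { $byPid[[uint32]$p.Id] = $p }
    $stamp = (Get-Date).ToString('o')
    Get-NetTCPConnection -OwningProcess @($byPid.Keys) -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $stamp
                PID           = $_.OwningProcess
                # Start time tells two processes apart even if Windows reuses a PID.
                ProcessStart  = $byPid[[uint32]$_.OwningProcess].StartTime
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
            }
        }
}

function Test-DevToolsListener {
    # Visual Studio's JavaScript debugger attaches over the Chromium DevTools protocol
    # on localhost:9222. ECONNREFUSED there means no Edge process was launched with
    # remote debugging enabled (the default), not that a remote party is involved.
    $l = Get-NetTCPConnection -LocalPort 9222 -State Listen -ErrorAction SilentlyContinue
    if ($l) { "PID $($l.OwningProcess) is listening on 127.0.0.1:9222" }
    else    { "Nothing is listening on port 9222" }
}

Test-DevToolsListener
while ($true) {
    # Append each snapshot; open the CSV afterwards to see destinations per PID over time.
    Get-EdgeConnectionSnapshot | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Start-Sleep -Seconds 5
}
```

Stop the loop with Ctrl+C; the CSV keeps every snapshot taken so far.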


  2. Max 1 Reputation point
    2022-01-19T09:09:17.473+00:00

    For an extra troubleshooting measure, I rebooted the system in safe mode with networking.

    About 1-2 minutes after it booted, I was prompted with a system error. The system error read that there was a buffer overfill that caused a crash in explorer.exe. The error also stressed that an attacker could use this crash to compromise my system. Tracing the crash back with Event Viewer showed that camsvc was the cause. This process is responsible for allowing remote access to the device's cameras and microphones. This is ironic considering that I have been told several times that my computers were streaming video and audio and I must not know how to use a computer. (Actually I have every single piece of imaging equipment (cameras and even fingerprint readers) covered by either a webcam cover or electrical tape. I also adapted a case for my iPhone that has all cutouts covered by electrical tape. I also use electrical tape to cover all the cameras on my Quest headsets.)

    Looking up the relevant files for the camsvc module, I submitted the files to Microsoft malware analysis. Right after I submitted the files, I got a message on my iPhone that told me "Not cool".

    I also ran DISM and sfc and tried rebooting in safe mode. No change to the constant crashing by explorer.exe. Booting in normal mode does not show the error because the external request by DCOM is able to be satisfied. I should also point out that the user that initiated the request is not any user on my system and has what looks like a computer-generated user handle.

    I should also point out that I have remote access and remote assistance turned off.


  3. Max 1 Reputation point
    2022-01-19T09:27:05.46+00:00

    After getting that message, I then proceeded to contact Microsoft to try to stress the discovery by explaining the situation. Microsoft was completely unable to provide any help or escalate this issue to someone that might understand the problem or take it seriously. Their solution was to report the exploit to the authorities or submit a form on the error reporting page. I mentioned that I have tried to do this several times. Every time, I get a response that gives a non-relevant answer that makes no sense and is usually condescending, then the case is closed without me being able to provide any further input (and sent from a non-replyable email).

    As for law enforcement, does anyone think I would be able to explain a stack overfill caused by an external request from a non-user that was a clear sign of a standard remote call for camera and microphone access on system boot that was unable to be met by the system because DCOM was not loaded? Can anyone with any contact in network security please get in touch with me so I can hopefully get these suspect files to a source?
