Windows 10 screen flickering every few seconds? Check for hacking attempts!
After updating to the Windows 10 Version 1903, I noticed that my monitors started flickered every few seconds. I've seen it happen every 38 seconds, every 17 seconds or every 15 seconds, but always regular as clockwork and annoying as heck. Rolling back to Windows 10 Version 1809 eliminated the flickering, but that is obviously not a sustainable solution. So what causes this flickering? Is it a Windows 10 bug? Yes. And no.
What is it?
Checking the Application log in the Event Viewer revealed that, coinciding with each and every flicker, an event showed up from the Desktop Window Manager with Event ID 9027 and the description "The Desktop Window Manager has registered the session port." which is rather unusual when you're actively using the computer, as this should only happen when a user logs on. Going into the Security log then show lots and lots of logon attempts to various system accounts, all coming from the network. Look for an Audit Failure event from Microsoft Windows security auditing with Event ID 4625 and find the Source Network Address. In my case, the dipshits attempting to log on from 87.251.75.179, which is an address in Russia. This is basically a bot trying to log on through RDP in an attempt to gain control of my system.
Why only after the update?
The update from Windows 10 Version 1809 to Version 1903 (and later) apparently made the switch from the Windows XP display driver model (XPDM) to the Windows Vista display driver model (WDDM) for remote desktop by default, which is actually a good thing, as it enables better performance over RDP, including using hardware accelerated DirectX. It is this change that causes the display to flicker when there is a login attempt. It may even be related to whatever display adapter you have in your system (my system has an NVIDIA card).
While I consider the flickering to be somewhat of a bug, the reality is that when Remote Desktop is being used properly, nobody will be around to notice the occasional flicker. The flickering actually turned out to be useful because it brought to light the hacking attempt which would otherwise just have been logged and silently ignored.
How to stop it?
Disabling remote access immediately stopped the flickering. If you don't need remote desktop, then disable it. Unfortunately, I can't disable remote desktop as much of my work on this system is remote (when not sheltering in place for a pandemic). So, instead, I created a rule in the Windows Firewall that blocked that IP address (or rather: the entire IP range). Better is to block by default and use a whitelist instead, if you can. Personally, I found myself wishing it would be possible to simply blacklist entire countries in the Windows Firewall.
If you absolutely must have your RDP exposed to the internet at large, you can disable the WDDM driver and go back to the XPDM driver. I wouldn't recommend this, but it is possible by going into the registry editor, navigating to the key HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows NT\Terminal Services and adding a DWORD value named fEnableWddmDriver with the value of 0.
Comments
No comments, yet...
Post a comment