Hidden cryptocurrency mining on your laptop is one of the most insidious threats of 2026. Unlike viruses that immediately lock the system or demand a ransom, miners work quietly, but cause no less harm: they overheat the processor, drain the battery within an hour and cut the hardware's service life by 2-3 times. According to Kaspersky, every fifth Windows 11 user has encountered such attacks without even knowing it.

The problem is compounded by the fact that modern miners masquerade as legitimate processes, e.g. svchost.exe or Windows Update. They can get in through pirated software, browser vulnerabilities or even USB devices. This article will help you identify and remove miners even when they are hidden deep in the system. We will cover both the standard Windows 11 tools and professional utilities for in-depth diagnostics.

1. The first signs of infection by miners

Before digging into the settings, pay attention to indirect symptoms. Mining loads the CPU and GPU to 80-100% even when the laptop is idle. Here are the key markers:

  • 🔥 The laptop gets as hot as an iron during simple work in Word or while watching YouTube
  • ⚡ The battery runs out in 1-2 hours instead of the usual 5-6 (while msconfig shows no resource-intensive tasks)
  • 🐢 The system slows down when opening new browser tabs or launching games
  • 📈 Fans run at maximum speed for no apparent reason
  • 💻 Internet traffic consumption has increased noticeably (mining requires a constant connection to the pools)

If at least 2-3 points match, it's time to check the system. It is especially dangerous if the laptop starts to slow down immediately after being turned on, even before any programs are started. This is a sign that a miner has made its way into startup.

⚠️ Warning: some legitimate programs (for example, NVIDIA GeForce Experience or Adobe Creative Cloud) also load the GPU. Before checking, close all background utilities via the system tray.

2. Check via Task Manager

The fastest way to identify suspicious activity is to analyze the processes in Task Manager. Open it with Ctrl + Shift + Esc and go to the Details tab. Pay attention to:

  • 📊 Processes with unusual names (for example, xmrig.exe, miner.exe, cpuminer.exe)
  • 🔄 Legitimate processes (svchost.exe, runtimebroker.exe) that consume >30% CPU
  • 🖥️ Unknown services with a high GPU load (checked in Performance → GPU)

If you detect a suspicious process:

  1. Right-click it → Open file location
  2. Check the path: legitimate Windows files are stored in C:\Windows\System32 or C:\Program Files
  3. If the path leads to Temp, AppData or a folder with a random name, this is a 100% sign of a miner

Full checklist for a suspicious process:

  1. Remember the process name for further searching
  2. Open the file location
  3. Check the digital signature (right-click → Properties → Digital Signatures)
  4. Run an antivirus scan on that path
  5. Delete the process via taskkill (if the antivirus fails)

To force-terminate the process, run this command in CMD (as administrator):

taskkill /f /im process_name.exe
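The Task Manager checks above (CPU share, file location, digital signature) can be done in one pass from PowerShell. The script below is an added example and is not code from the original article: it samples CPU usage over a short window, keeps processes above the article's 30% threshold, and shows the executable path and Authenticode signature status of each one. The 2-second sampling window and the list of non-standard locations are assumptions chosen for this example; run it from an elevated PowerShell session so that system processes can be inspected.

```powershell
# Added example, not code from the original article: rank running processes by
# CPU load over a short window, then show each high-load process's executable
# path and Authenticode signature. Run from an elevated PowerShell session.
# The 30% threshold and the "non-standard location" folders follow the article;
# the sampling window is an assumption for this example.

$threshold = 30          # percent of total CPU, as in the article
$window    = 2           # seconds between the two samples
$cores     = [Environment]::ProcessorCount
$nonStandardRoots = @($env:TEMP, "$env:USERPROFILE\AppData", 'C:\Users\Public', 'C:\ProgramData')

function Get-CpuSnapshot {
    # Map PID -> total CPU seconds consumed so far ($null when access is denied)
    $snap = @{}
    foreach ($p in Get-Process) { $snap[$p.Id] = $p.CPU }
    return $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $window
$after = Get-Process      # second sample; keeps the process objects for Path/Name

$report = foreach ($p in $after) {
    if (-not $before.ContainsKey($p.Id) -or $null -eq $p.CPU -or $null -eq $before[$p.Id]) { continue }
    # CPU seconds used in the window, divided by window length and core count
    $loadPct = [math]::Round(100 * ($p.CPU - $before[$p.Id]) / ($window * $cores), 1)
    if ($loadPct -lt $threshold) { continue }

    $path = $p.Path
    $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'PathUnavailable' }
    $inNonStandardDir = $false
    foreach ($root in $nonStandardRoots) {
        if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inNonStandardDir = $true }
    }
    [pscustomobject]@{
        PID            = $p.Id
        Name           = $p.ProcessName
        'CPU %'        = $loadPct
        Path           = $path
        Signature      = $sigStatus      # Valid, NotSigned, HashMismatch, ...
        NeedsAttention = ($sigStatus -ne 'Valid') -or $inNonStandardDir
    }
}

$report | Sort-Object 'CPU %' -Descending | Format-Table -AutoSize
```

A process flagged here is not automatically a miner (unsigned helper tools and some games also trip the signature check), so apply the location and antivirus steps from the checklist before terminating anything. The PowerShell equivalent of the taskkill command is Stop-Process -Id <PID> -Force.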

3. Deep startup scan

Miners are often registered in startup so that they start every time the laptop is turned on. In Windows 11, check:

  1. Settings → Applications → Startup (disable anything suspicious)
  2. Run → msconfig → Startup tab (system miners may be hiding here)
  3. Registry Editor (regedit) → HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. Task Scheduler (taskschd.msc) → Task Scheduler Library (look for tasks with the trigger "On startup")

Pay attention to tasks with:

  • 🕵️ Random names of 8-10 characters (for example, kjsd8f3j.exe)
  • 🔗 Paths to temporary folders (%Temp%, %AppData%\Roaming)
  • ⏰ Triggers that fire every 5-10 minutes
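All four startup locations above can be walked with one script. The following is an added example and not code from the original article: it lists Run/RunOnce registry entries and enabled scheduled tasks, and marks entries that match the patterns just listed (random 8-10 character executable names, temp or AppData paths, triggers that repeat every 10 minutes or less). It only reports; nothing is disabled or deleted. The regular expressions are assumptions chosen for this example.

```powershell
# Added example, not code from the original article: enumerate Run/RunOnce
# registry entries and enabled scheduled tasks, and flag the patterns listed
# above (random 8-10 character .exe names, temp/AppData paths, triggers that
# repeat every 10 minutes or less). Report only: nothing is disabled or deleted.
# The regular expressions are assumptions chosen for this example.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$tempPathPattern   = '(?i)\\(Temp|AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\'
$randomNamePattern = '(?i)^[a-z0-9]{8,10}\.exe$'

function Get-CommandExe([string]$CommandLine) {
    # First token of a command line: a quoted path or the first whitespace-free token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $matches[1] }
    return ''
}

function Test-SuspiciousCommand([string]$CommandLine) {
    $exe = Get-CommandExe $CommandLine
    if (-not $exe) { return $false }
    return ($CommandLine -match $tempPathPattern) -or ((Split-Path -Leaf $exe) -match $randomNamePattern)
}

$findings = @()

# 1. Registry Run keys: every value is a command line started at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$prop.Value
        $findings += [pscustomobject]@{
            Source = $key; Name = $prop.Name; Command = $cmd; RunAs = ''
            Trigger = 'Logon'; Suspicious = Test-SuspiciousCommand $cmd
        }
    }
}

# 2. Scheduled tasks: look at trigger type, repetition interval and the program run.
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    $triggers = @()
    $shortRepeat = $false
    foreach ($t in $task.Triggers) {
        $kind = $t.CimClass.CimClassName -replace '^MSFT_Task', ''   # BootTrigger, LogonTrigger, ...
        if ($t.Repetition.Interval) {
            $span = [System.Xml.XmlConvert]::ToTimeSpan($t.Repetition.Interval)   # e.g. PT5M
            $kind += " every $($span.TotalMinutes) min"
            if ($span.TotalMinutes -le 10) { $shortRepeat = $true }
        }
        $triggers += $kind
    }
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }             # only "start a program" actions
        $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        $findings += [pscustomobject]@{
            Source = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd
            RunAs = $task.Principal.UserId; Trigger = ($triggers -join ', ')
            Suspicious = (Test-SuspiciousCommand $cmd) -or $shortRepeat
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Expect some legitimate hits: updaters from Microsoft and laptop vendors also use short repeat intervals and run as SYSTEM, which is exactly why the script reports instead of deleting. Use the Command and RunAs columns together with the digital-signature check from section 2 before touching a task.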


⚠️ Attention: do not delete tasks from Microsoft or the laptop manufacturer (for example, Lenovo Vantage or Dell SupportAssist). This may disrupt the system.

4. Network activity analysis

Mining requires a constant connection to pools (servers for joint mining). Check network traffic via:

  1. Task Manager → Network tab (sort by "Network Activity" column)
  2. Resource Monitor (resmon.exe) → Network tab
  3. Specialized utilities: Wireshark, GlassWire, TCPView

Suspicious signs:

  • Outgoing traffic: normally 0.1-5 Mbit/s when idle; miner sign: >10 Mbit/s without active downloads
  • IP connections: normally mainly to Microsoft and Google servers; miner sign: massive numbers of connections to unknown IPs (especially in countries with cheap electricity: Kazakhstan, Iceland, Paraguay)
  • Ports: normally 80, 443 (HTTP/HTTPS); miner sign: 3333, 5555, 7777, 14444 (popular mining ports)
  • Protocols: normally TCP, UDP; miner sign: Stratum (the protocol used for pool mining)

To block suspicious connections:

  1. Open Windows Firewall → Advanced Settings
  2. Create a rule to block outgoing connections to found IPs
  3. Use Hosts file to block miner domains (add lines like 0.0.0.0 pool.supportxmr.com)
💡 Tip: Save the network activity log before deleting the miner - this will help reconstruct the chain of infection if the virus returns.
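The port check from the table and the "save the log first" tip can be combined in PowerShell. This is an added example, not code from the original article: it lists established TCP connections with their owning process, flags remote ports from the table above, writes the snapshot to a CSV file before anything is removed, and provides a helper that creates the outbound firewall block rule described in the procedure. The port list is the one given above; the CSV file name and rule-name prefix are assumptions for this example, and 203.0.113.10 is a documentation address, not a real pool.

```powershell
# Added example, not code from the original article: list established outbound
# TCP connections joined to the owning process, flag remote ports the article
# lists as common mining-pool ports, save the snapshot, and offer a helper that
# creates an outbound Windows Firewall block rule for one confirmed address.
# Port list from the article; file name and rule name prefix are assumptions.

$miningPorts = 3333, 5555, 7777, 14444

$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }   # skip loopback

# PID -> process object, so each connection can show a name and path
$byPid = @{}
foreach ($p in Get-Process) { $byPid[$p.Id] = $p }

$table = foreach ($c in $conns) {
    $proc = $byPid[[int]$c.OwningProcess]
    [pscustomobject]@{
        PID        = $c.OwningProcess
        Process    = if ($proc) { $proc.ProcessName } else { '?' }
        Path       = if ($proc) { $proc.Path } else { '' }
        Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
        MiningPort = $c.RemotePort -in $miningPorts
    }
}
$table | Sort-Object MiningPort -Descending | Format-Table -AutoSize

# Save the snapshot before any removal, as the tip above recommends.
$log = Join-Path $env:USERPROFILE "netlog_$(Get-Date -Format yyyyMMdd_HHmmss).csv"
$table | Export-Csv -Path $log -NoTypeInformation
Write-Host "Connection snapshot saved to $log"

function Block-RemoteAddress([string]$Address) {
    # Outbound block rule for one confirmed pool address (requires elevation).
    New-NetFirewallRule -DisplayName "Block miner pool $Address" -Direction Outbound `
        -RemoteAddress $Address -Action Block -Profile Any | Out-Null
}
# Usage after confirming an address, e.g. Block-RemoteAddress '203.0.113.10'
```

A hit on port 3333 or 14444 alone is not proof (those ports are also used by ordinary software), so verify with the process path and signature first. The script cannot see the Stratum protocol itself because it looks only at port numbers; for that, capture the flow in Wireshark as the article suggests.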

5. Checking via PowerShell and command line

For advanced users there are powerful diagnostic tools in PowerShell and CMD. These commands help identify hidden processes (run them in an elevated PowerShell window):

# Show all active network connections
netstat -ano | findstr "ESTABLISHED"

# Show GPU engine utilization per process (requires Windows 11 22H2+); the Name field contains the owning PID
Get-CimInstance Win32_PerfFormattedData_GPUPerformanceCounters_GPUEngine | Select-Object Name, UtilizationPercentage

# Search for suspicious tasks in Task Scheduler (/C: makes findstr treat each string, spaces included, as a literal)
schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Run As User" /C:"Task To Run"

Pay special attention to:

  • 🖥️ Processes with a PID that does not show up in Task Manager
  • 🔄 Tasks launched on behalf of SYSTEM or TrustedInstaller
  • 📁 Files in the C:\Users\Public or C:\ProgramData folders
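The GPU command above returns one row per GPU engine, so a single process appears many times. The script below is an added example, not code from the original article: it reads the same "GPU Engine" performance counters that Task Manager's GPU column uses, sums them per process, and joins the result to the process name and path, so that a GPU-heavy process with a PID you cannot find in Task Manager stands out immediately.

```powershell
# Added example, not code from the original article: per-process GPU utilisation
# from the "GPU Engine" performance counters, aggregated over all engines of a
# process and joined to the process name and executable path.

function Get-GpuUsageByProcess {
    # Each counter instance is named like pid_1234_luid_0x..._phys_0_eng_0_engtype_3D
    $samples = (Get-Counter -Counter '\GPU Engine(*)\Utilization Percentage' -ErrorAction Stop).CounterSamples

    # Sum the utilisation of all engines (3D, Copy, VideoDecode, ...) per PID
    $usage = @{}
    foreach ($s in $samples) {
        if ($s.InstanceName -match '^pid_(\d+)_') {
            $ownerPid = [int]$matches[1]
            $usage[$ownerPid] = [double]$usage[$ownerPid] + $s.CookedValue
        }
    }

    foreach ($entry in $usage.GetEnumerator()) {
        if ($entry.Value -le 0) { continue }
        $proc = Get-Process -Id $entry.Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = $entry.Key
            Name    = if ($proc) { $proc.ProcessName } else { '<exited or hidden>' }
            Path    = if ($proc) { $proc.Path } else { '' }
            'GPU %' = [math]::Round($entry.Value, 1)
        }
    }
}

Get-GpuUsageByProcess | Sort-Object 'GPU %' -Descending | Format-Table -AutoSize
```

A row whose PID has GPU load but no matching process object (the "<exited or hidden>" case) is worth a second look with Process Explorer, since a legitimately exited process would normally have released its GPU engines by the next sample.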

To remove detected threats, use:

# Delete a task from Task Scheduler
schtasks /delete /tn "Task_Name" /f

# Delete a service (use sc.exe explicitly: in PowerShell, "sc" alone is an alias for Set-Content)
sc.exe delete "Service_Name"

6. Specialized utilities for searching for miners

If the standard tools do not help, use professional ones. They can even detect rootkits and polymorphic viruses that disguise themselves as system files.

  • Malwarebytes Anti-Malware: scans memory for hidden miners, blocks malicious connections (malwarebytes.com)
  • Kaspersky Virus Removal Tool: detects even new versions of XMRig and Claymore (kaspersky.ru)
  • Process Explorer: shows the process tree and parent relationships (helps find the miner's "mask") (learn.microsoft.com/.../process-explorer)
  • GMER: scans for rootkits that hide miners from Task Manager (gmer.net)

Recommended procedure:

  1. Start the scan in Safe Mode (Win + R → msconfig → Boot tab → Safe boot)
  2. Use Process Explorer to find processes with suspicious parents (for example, explorer.exe spawning miner.exe)
  3. Scan the system with Kaspersky Virus Removal Tool with the "Deep scan" option enabled

What to do if the antivirus does not find the miner?

If standard antiviruses do not detect the threat, try:

1. Boot from a live disk (e.g. Kaspersky Rescue Disk) and scan the system from it.

2. Check the laptop from another device via network access (if the miner blocks local scanning).

3. Use Sandboxie to run suspicious processes in an isolated environment and analyze their behavior.

7. Prevention of re-infection

Removing the miner is only half the battle. To keep it from coming back:

  • 🔒 Install a firewall with outbound control rules (for example, TinyWall or Windows Firewall Control)
  • 🛡️ Use an antivirus with protection against miners (Bitdefender and ESET NOD32 have specialized modules)
  • 🚫 Block mining scripts in the browser with the uBlock Origin or NoCoin extensions
  • 🔄 Update Windows 11 and drivers regularly (especially GPU drivers)
  • 💾 Create a system restore point in case of re-infection

For extra protection:

  1. Disable WMI (Windows Management Instrumentation) if you don't use it - miners often exploit this service
  2. Set up AppLocker to block the launch of executable files from temporary folders
  3. Use Sandboxie to run suspicious programs
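Step 2 above (AppLocker against temporary folders) is the one most often set up incorrectly, because as soon as an enforced EXE rule collection contains any rule, everything not explicitly allowed is blocked. The script below is an added example, not code from the original article: it builds a local AppLocker policy with a deny rule for the per-user Temp folder plus the three default allow rules, starts in AuditOnly mode so that matches are only logged, runs a dry-run check against two sample paths, and then merges the policy into the local one. Rule names are assumptions for this example and rule GUIDs are generated on the fly; AppLocker availability depends on the Windows edition, and the Application Identity service must be running for rules to take effect.

```powershell
# Added example, not code from the original article: a local AppLocker policy
# that denies EXE launches from per-user Temp folders while keeping the three
# default allow rules (without them, an enforced EXE collection blocks everything
# not explicitly allowed). Written in AuditOnly mode first, so matches are only
# logged (Event Viewer: Applications and Services Logs > Microsoft > Windows >
# AppLocker > EXE and DLL); change EnforcementMode to "Enabled" after review.
# Rule names are assumptions; GUIDs are generated here. The Application
# Identity service (AppIDSvc) must be running for rules to take effect.

function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    # S-1-1-0 = Everyone, S-1-5-32-544 = built-in Administrators
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Explicit deny always wins over allow in AppLocker, so the Administrators
# allow-all rule below does not override the Temp deny rule.
$rules = @(
    New-PathRule 'Deny EXE from user Temp'       '%OSDRIVE%\Users\*\AppData\Local\Temp\*' 'Deny'
    New-PathRule '(Default Rule) Program Files'  '%PROGRAMFILES%\*' 'Allow'
    New-PathRule '(Default Rule) Windows folder' '%WINDIR%\*'       'Allow'
    New-PathRule '(Default Rule) Administrators' '*'                'Allow' 'S-1-5-32-544'
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:ProgramData 'applocker-temp-deny.xml'
[System.IO.File]::WriteAllText($policyPath, $policyXml)

# Dry run: ask AppLocker what it would decide for sample paths before applying.
$sample = Join-Path $env:TEMP 'sample.exe'
New-Item -ItemType File -Path $sample -Force | Out-Null      # empty placeholder file
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Merge into the local policy and make sure the enforcement service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service AppIDSvc
```

Leave the policy in AuditOnly for a few days and review the AppLocker event log: programs that legitimately run from Temp (some installers do) will show up there, and you can add allow rules for them before switching to Enabled. Do not widen the deny rule to all of AppData without such a review, since per-user installed applications live there.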
💡 Tip: Even after the miner is removed, the power settings it changed may still be active. Reset the power plan to its defaults via Control Panel → Power Options.

FAQ: Frequently asked questions about miners in Windows 11

Can the miner work without an Internet connection?

No: mining requires a constant connection to a pool (a server for joint cryptocurrency mining). However, some viruses can download the miner components on the first connection and then keep them locally, waiting for the network to reappear. Check startup even when offline.

How does a miner get onto my laptop if I don't download pirated software?

Main routes of penetration:

  • Browser vulnerabilities (for example, through advertising banners with malicious JavaScript)
  • USB devices (flash drives, external drives with autorun)
  • Outdated drivers (especially NVIDIA and AMD video card drivers)
  • Fake software updates (for example, fake Adobe Flash Player)

Update your software regularly and disable autorun for removable media.

Is it possible to mine on a laptop legally without harm?

Technically yes, but:

  • Laptops are not designed for round-the-clock loads - overheating will lead to chip failure
  • Modern mining on a laptop CPU/GPU does not even pay for the electricity
  • The manufacturer's warranty (e.g. ASUS or HP) does not cover damage from mining

For experiments, use cloud services (NiceHash, MinerGate) or special ASIC miners.

Does resetting Windows 11 to factory settings help?

Yes, but with caveats:

  • If a miner has infiltrated UEFI/BIOS (which happens extremely rarely), resetting will not help
  • Restoring will delete all data - first save important files to an external drive
  • After the reset, immediately update the system and install an antivirus

Use the option Settings → System → Recovery → Reset PC.

How to check a laptop for a miner if it does not turn on?

If the system does not boot:

  1. Connect the hard drive to another PC via a USB adapter or docking station
  2. Scan the disk with an antivirus (for example, Dr.Web CureIt!)
  3. Check the \Windows\System32 and \Users\ folders for unusual .exe files
  4. Use a Live CD with an antivirus (for example, Kaspersky Rescue Disk)

If the problem is in the BIOS (which is unlikely), reflashing at a service center is required.