Hidden cryptocurrency mining on your laptop is one of the most insidious threats of 2026. Unlike viruses that immediately lock the system or demand a ransom, miners work quietly but cause no less harm: they overheat the processor, drain the battery in an hour and reduce the service life of the hardware by 2-3 times. According to Kaspersky, every fifth Windows 11 user has encountered such attacks without even knowing it.
The problem is compounded by the fact that modern miners masquerade as legitimate processes, e.g. svchost.exe or Windows Update. They can enter through pirated software, browser vulnerabilities, or even USB devices. This article will help you identify and remove miners, even if they are hidden deep in the system. We will cover both the standard Windows 11 tools and professional utilities for in-depth diagnostics.
1. The first signs of infection by miners
Before delving into the settings, pay attention to indirect symptoms. Mining loads the CPU and GPU to 80-100% even in standby mode. Here are the key markers:
- 🔥 The laptop gets hot like an iron during simple work in Word or while watching YouTube
- ⚡ The battery runs out in 1-2 hours instead of the usual 5-6 (while `msconfig` shows no resource-intensive tasks)
- 🐢 The system slows down when opening new tabs in the browser or launching games
- 📈 Fans run at maximum speed for no apparent reason
- 💻 Internet traffic consumption has increased noticeably (mining requires a constant connection to the pools)
If at least 2-3 points match, it's time to check the system. It is especially dangerous if the laptop starts to slow down immediately after turning it on, even before starting any programs. This is a sign that a miner has added itself to startup.
⚠️ Warning: some legitimate programs (for example, NVIDIA GeForce Experience or Adobe Creative Cloud) also load the GPU. Before checking, close all background utilities via the system tray.
2. Check via Task Manager
The fastest way to identify suspicious activity is to analyze processes in Task Manager. Open it with Ctrl + Shift + Esc and go to the Details tab. Look for:
- 📊 Processes with unusual names (for example, `xmrig.exe`, `miner.exe`, `cpuminer.exe`)
- 🔄 Legitimate processes (`svchost.exe`, `runtimebroker.exe`) that consume >30% CPU
- 🖥️ Unknown services with high GPU load (check under Performance → GPU)
If you detect a suspicious process:
- Right-click it → Open file location
- Check the path: legitimate Windows files are stored in `C:\Windows\System32` or `C:\Program Files`
- If the path leads to `Temp`, `AppData` or a folder with a random name - this is 100% a miner
Checklist for a suspicious process:
- Remember the process name for further search
- Open the file location
- Check the digital signature (right click → Properties → Digital signatures)
- Run an antivirus scan along this path
- Delete the process via Taskkill (if the antivirus fails)
To force the process to end, use this command in CMD (run as administrator):
```cmd
taskkill /f /im process_name.exe
```
3. Deep startup scan
Miners are often registered in startup so that they start every time the laptop is turned on. In Windows 11, check:
- Settings → Apps → Startup (disable anything suspicious)
- Run → msconfig → Startup tab (system miners may be hiding here)
- Registry Editor (regedit) → `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
- Task Scheduler (taskschd.msc) → Task Scheduler Library (look for tasks with the trigger "On startup")
Pay attention to tasks with:
- 🕵️ Random names of 8-10 characters (for example, `kjsd8f3j.exe`)
- 🔗 Paths to temporary folders (`%Temp%`, `%AppData%\Roaming`)
- ⏰ Triggers that fire every 5-10 minutes
⚠️ Attention: do not delete tasks from Microsoft or the laptop manufacturer (for example, Lenovo Vantage or Dell SupportAssist). This may disrupt the system.
4. Network activity analysis
Mining requires a constant connection to pools (servers for joint mining). Check network traffic via:
- Task Manager → Network tab (sort by the "Network Activity" column)
- Resource Monitor (resmon.exe) → Network tab
- Specialized utilities: Wireshark, GlassWire, TCPView
Suspicious signs:
| Parameter | Normal value | Miner sign |
|---|---|---|
| Outgoing traffic | 0.1-5 Mbit/s idle | >10 Mbit/s without active downloads |
| IP connections | Mainly to Microsoft and Google servers | Massive connections with unknown IPs (especially in countries with cheap electricity: Kazakhstan, Iceland, Paraguay) |
| Ports | 80, 443 (HTTP/HTTPS) | 3333, 5555, 7777, 14444 (popular ports for mining) |
| Protocols | TCP, UDP | Stratum (used for mining) |
To block suspicious connections:
- Open Windows Firewall → Advanced Settings
- Create a rule to block outgoing connections to the IPs you found
- Use the hosts file to block miner domains (add lines like `0.0.0.0 pool.supportxmr.com`)
Save the network activity log before deleting the miner - this will help reconstruct the chain of infection if the virus returns.
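The network checks in this section can be scripted. The PowerShell below is an added example, not part of the original article: it maps established TCP connections to their owning processes, flags the remote ports from the table above, and saves a CSV log before cleanup. The function names, the log file name and the firewall rule name are assumptions made for the example.

```powershell
# Added example: per-process view of established TCP connections.
# The port list is the article's; a port match is a hint, not proof.
$poolPorts = 3333, 5555, 7777, 14444

function Get-ConnectionReport {
    # Index processes by PID so each connection can be tied to an executable path.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                Time          = Get-Date -Format s
                PID           = $_.OwningProcess
                Process       = $p.Name
                Path          = $p.ExecutablePath
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PoolPort      = $_.RemotePort -in $poolPorts
            }
        }
}

function Block-RemoteAddress([string[]]$Address) {
    # Outbound block rule for addresses you have confirmed as pool endpoints.
    # Requires an elevated session. The rule name is hypothetical.
    New-NetFirewallRule -DisplayName 'Block miner pool (added example)' `
        -Direction Outbound -Action Block -RemoteAddress $Address -Profile Any
}

$report = Get-ConnectionReport

# Keep the evidence before removing anything, as the article advises.
$logFile = Join-Path $env:USERPROFILE ("netlog_{0:yyyyMMdd_HHmmss}.csv" -f (Get-Date))
$report | Export-Csv -Path $logFile -NoTypeInformation -Encoding UTF8

# Connections on a listed port first, then the ten busiest processes.
$report | Where-Object PoolPort |
    Format-Table PID, Process, Path, RemoteAddress, RemotePort -AutoSize
$report | Group-Object Process | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Miners can also connect over port 443, so an empty first table does not clear the machine; review the per-process counts and executable paths as well.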
5. Checking via PowerShell and command line
For advanced users there are powerful diagnostic tools in PowerShell and CMD. These commands will help identify hidden processes:
```powershell
# Show all active network connections
netstat -ano | findstr "ESTABLISHED"
# Show processes that use the GPU (requires Windows 11 22H2+)
Get-CimInstance Win32_PerfFormattedData_GPUPerformanceCounters_GPUEngine | Select-Object Name, UtilizationPercentage
# Search for suspicious tasks in Task Scheduler
# (findstr does not support "\|"; each /C: adds one literal search string)
schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Run As User" /C:"Task To Run"
```
Pay special attention to:
- 🖥️ Processes with a `PID` that don't show up in Task Manager
- 🔄 Tasks launched on behalf of `SYSTEM` or `TrustedInstaller`
- 📁 Files in the folders `C:\Users\Public` or `C:\ProgramData`
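The startup checks from section 3 and the path and signature checks from section 2 can be combined into one pass. The PowerShell below is an added example, not part of the original article: it reads the Run keys and non-Microsoft scheduled tasks, resolves each entry to an executable, and flags entries that live in the folders the article names or lack a valid digital signature. The function names and the inclusion of the machine-wide `HKLM` Run key are assumptions made for the example.

```powershell
# Added example: triage autostart entries from Run keys and scheduled tasks.
# A hit is a lead to investigate (signature, publisher), not proof of a miner.
$suspicious = '\\Temp\\|\\AppData\\|\\Users\\Public\\|\\ProgramData\\'

function Get-ExePath([string]$CommandLine) {
    # Extract the executable from a command line, quoted or unquoted.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|ps1|vbs|js))(\s|$)') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Test-AutostartEntry([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = Get-ExePath $CommandLine
    # Resolve bare names such as "rundll32.exe" through PATH before checking the file.
    $cmdInfo = if ($path) { Get-Command $path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1 }
    if ($cmdInfo) { $path = $cmdInfo.Source }
    $status = 'FileNotFound'
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $status = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Path      = $path
        Signature = $status
        Flagged   = ($path -match $suspicious) -or ($status -ne 'Valid')
    }
}

$entries = @()
# 1. Registry Run keys: the per-user key named in the article plus the machine-wide one.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $entries += Test-AutostartEntry $key $valueName ([string]$item.GetValue($valueName))
    }
}
# 2. Scheduled tasks outside \Microsoft\ whose action launches a program.
foreach ($task in Get-ScheduledTask | Where-Object TaskPath -NotLike '\Microsoft\*') {
    foreach ($action in $task.Actions | Where-Object Execute) {
        $entries += Test-AutostartEntry 'ScheduledTask' ($task.TaskPath + $task.TaskName) $action.Execute
    }
}
$entries | Where-Object Flagged | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Legitimate per-user applications also start from `AppData` and `ProgramData`, so read the Signature column together with the path before removing anything.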
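To remove detected threats, use:
```powershell
# Delete a task from Task Scheduler
schtasks /delete /tn "Task_name" /f
# Delete a service (sc.exe, because "sc" is an alias for Set-Content in Windows PowerShell)
sc.exe delete "Service_name"
```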
6. Specialized utilities for searching for miners
If standard tools do not help, use professional tools. They can even detect rootkits and polymorphic viruses, which disguise themselves as system files.
| Utility | Features | Link |
|---|---|---|
| Malwarebytes Anti-Malware | Scans memory for hidden miners, blocks malicious connections | malwarebytes.com |
| Kaspersky Virus Removal Tool | Detects even new versions of XMRig and Claymore | kaspersky.ru |
| Process Explorer | Shows the tree of processes and their parent connections (helps to find the miner’s “mask”) | learn.microsoft.com/.../process-explorer |
| GMER | Scans for rootkits that hide miners from Task Manager | gmer.net |
Recommended procedure:
- Start scanning in Safe Mode (press Win + R → `msconfig` → Boot → Safe Mode)
- Use Process Explorer to find processes with suspicious parents (for example, `explorer.exe` spawning `miner.exe`)
- Scan the system with Kaspersky Virus Removal Tool with the "Deep scan" option enabled
What to do if the antivirus does not find the miner?
If standard antiviruses do not detect the threat, try:
1. Boot into a live disk (e.g. Kaspersky Rescue Disk) and scan the system from it.
2. Check the laptop from another device via network access (if the miner blocks local scanning).
3. Use Sandboxie to run suspicious processes in an isolated environment and analyze their behavior.
7. Prevention of re-infection
Removing the miner is half the battle. To keep it from coming back:
- 🔒 Install a firewall with control rules (for example, TinyWall or Windows Firewall Control)
- 🛡️ Use an antivirus with protection against miners (Bitdefender, ESET NOD32 have specialized modules)
- 🚫 Block script execution in the browser using the uBlock Origin or NoCoin extensions
- 🔄 Regularly update Windows 11 and drivers (especially for the GPU)
- 💾 Create a system restore point in case of re-infection
For extra protection:
- Disable `WMI` (Windows Management Instrumentation), if you don't use it - miners often exploit this service
- Set up `AppLocker` to block the launch of executable files from temporary folders
- Use Sandboxie to run suspicious programs
Even after the miner is removed, the power settings it changed may remain active. Reset the power scheme to factory settings via Control Panel → Power Options.
FAQ: Frequently asked questions about miners in Windows 11
Can the miner work without an Internet connection?
No, mining requires a constant connection to the pool (server for joint cryptocurrency mining). However, some viruses can download miner components when you first connect, and then run them locally, waiting for the network to appear. Check startup even offline.
How does the miner get to my laptop if I don’t download pirated software?
Main routes of penetration:
- Browser vulnerabilities (for example, through advertising banners with malicious JavaScript)
- USB devices (flash drives, external drives with autorun)
- Outdated drivers (especially for NVIDIA and AMD video cards)
- Fake software updates (for example, fake Adobe Flash Player)
Update your software regularly and disable autorun for removable media.
Is it possible to mine on a laptop legally without harm?
Technically yes, but:
- Laptops are not designed for round-the-clock loads - overheating will lead to chip failure
- Modern mining on a laptop CPU/GPU does not even pay for electricity
- The manufacturer's warranty (e.g. ASUS or HP) does not cover damage from mining
For experiments, use cloud services (NiceHash, MinerGate) or special ASIC miners.
Does resetting Windows 11 to factory settings help?
Yes, but with reservations:
- If a miner has infiltrated UEFI/BIOS (which happens extremely rarely), resetting will not help
- Restoring will delete all data - first save important files to an external drive
- After the reset, immediately update the system and install an antivirus
Use the option Settings → System → Recovery → Reset PC.
How to check a laptop for a miner if it does not turn on?
If the system does not boot:
- Connect the hard drive to another PC via a USB adapter or docking station
- Scan the disk with an antivirus (for example, Dr.Web CureIt!)
- Check the folders `\Windows\System32` and `\Users\` for unusual `.exe` files
- Use a Live CD with an antivirus (for example, Kaspersky Rescue Disk)
If the problem is in the BIOS (which is unlikely), reflashing at a service center is required.