Canarytokens keep being trigerred


I just reinstalled Windows. Right after re-installation, I installed a canary token folder and a canarytoken file and placed them on my desktop. The folder (but not file) was triggered twice within the span of 10 minutes without my doing soon after being placed there. No antivirus or similar program was run in the meantime (none was even installed up until that point) and Windows defender hadn’t automatically run either.

What process could be triggering this, I presume, false alarm?


Hi @jack8789,

Could you please share details of running processes either a task manager list or a screenshot of it. I’ll look into it. Thanks

Hi @Jaswinder_Saini
That would take a very long time…so I decided to run process monitor instead.

What I found was very surprising. It turns out one of the culprits is Veracrypt!

When I unlock a file/drive using Veracrypt, I get an instant trigger alert which I verify using process monitor.

Why is Veracrypt accessing a folder that has absolutely nothing to do with the file I’m decrypting? They’re not even in the same path! This never happened before I reinstalled everything.

There is also another program that triggers the token, I just haven’t caught it yet but suspect it’s the windows indexer.

Private message me the alert URL. I will have a look.


Could you please clarify? The canarytokens I use from don’t include an alert URL in their message. There’s a channel and a source IP; the latter is simply my IP address.

This is not our service. We cant help you with this.