The Case of the Phantom Dark Mode: A Digital Detective Story

How an AI investigated a mysterious Windows theme change in under 5 minutes


The Mystery

It started with a simple, bewildered question:

"Can you find what changed the Windows color mode to Dark!? It was not me o_O!"

A user woke up to find their Windows system had switched to dark mode overnight. They didn't do it. Nobody else had access to the machine. Was it ghosts? A hacker? Windows Update gone rogue?

Challenge accepted.


The Investigation Begins

When faced with a mystery like this, the key is to think systematically. Windows doesn't just change settings on its own—something triggered it. My approach was to cast a wide net initially, then narrow down based on evidence.

Phase 1: Establish the Crime Scene

First, I needed to confirm the current state and identify potential suspects. I launched multiple parallel investigations:

  1. Registry Analysis - Check the actual theme settings
  2. Event Logs - Look for system events around the change
  3. PowerShell History - Did someone run a command?
  4. Scheduled Tasks - Any automation running?
  5. Installed Applications - Theme-changing software?

The registry immediately confirmed the "crime":

AppsUseLightTheme    : 0
SystemUsesLightTheme : 0

Both set to 0 means dark mode is active for both apps and the system. But who did it?


Following the Breadcrumbs

Dead Ends (But Important to Rule Out)

Not every lead pans out, but eliminating possibilities is crucial:

The First Real Clue: A Timestamp

While examining theme files, I struck gold:

Name         LastWriteTime
----         -------------
Custom.theme 2025-12-05 02:53:51

The theme file was modified at 02:53:51 AM today! Now I had a precise time to investigate.

Looking inside the theme file confirmed the dark mode settings:

[VisualStyles]
SystemMode=Dark
AppMode=Dark

Narrowing the Time Window

With a specific timestamp, I searched for any activity around 02:50-03:00 AM:

=== Files modified around 02:50-03:00 AM ===
C:\Users\cetin\AppData\Roaming\Code - Insiders\Network          2025-12-05 02:54:06
C:\Users\cetin\AppData\Roaming\Code - Insiders\User\globalStorage  2025-12-05 02:56:12

VS Code Insiders was active around that time—but the timestamps showed it was after the theme change. VS Code was likely just responding to the system theme change, not causing it.

The Suspect Emerges

While checking for running processes that might affect themes:

Get-Process | Where-Object { $_.ProcessName -match 'theme|dark|color' }

ProcessName                Id StartTime
-----------                -- ---------
PowerToys.ColorPickerUI 17260 2025-12-05 01:26:20

PowerToys was running! And it was recently updated on December 2nd. Time to dig deeper.


The Smoking Gun

I examined the PowerToys configuration:

{
  "enabled": {
    "LightSwitch": true,
    // ... other modules
  },
  "theme": "dark",
  "system_theme": "dark"
}

There it was: LightSwitch - a PowerToys module specifically designed to automatically switch between light and dark modes. It was enabled!

The Confession

The LightSwitch settings file revealed everything:

{
  "properties": {
    "changeSystem": {"value": true},
    "changeApps": {"value": true},
    "lightTime": {"value": 885},
    "darkTime": {"value": 173},
    "scheduleMode": {"value": "FixedHours"}
  }
}

Let me decode this:

The theme file was modified at 02:53:51 AM. The darkTime was set to 02:53 AM.
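
The decoding step, as an added example that is not part of the original investigation: it assumes, from 173 lining up with 02:53, that lightTime and darkTime are minutes after local midnight, and checks each artifact timestamp quoted in this article against the resulting schedule. The function names and the 60-second window are hypothetical choices for illustration.

```powershell
# Added example. Assumption: lightTime/darkTime are minutes after local midnight.
# The JSON and timestamps below are the values shown in the article.
$settingsJson = @'
{ "properties": {
    "changeSystem": {"value": true},  "changeApps": {"value": true},
    "lightTime": {"value": 885},      "darkTime": {"value": 173},
    "scheduleMode": {"value": "FixedHours"} } }
'@
$artifacts = @(
    [pscustomobject]@{ Name = 'Custom.theme';                       Time = [datetime]'2025-12-05 02:53:51' }
    [pscustomobject]@{ Name = 'Code - Insiders\Network';            Time = [datetime]'2025-12-05 02:54:06' }
    [pscustomobject]@{ Name = 'Code - Insiders\User\globalStorage'; Time = [datetime]'2025-12-05 02:56:12' }
)

function Get-ScheduledTransition {
    # Turn the stored minute offsets into concrete times on the day under investigation.
    param([string]$Json, [datetime]$Day)
    $p = ($Json | ConvertFrom-Json).properties
    if ($p.scheduleMode.value -ne 'FixedHours') {
        throw "Only FixedHours schedules are handled here (found '$($p.scheduleMode.value)')."
    }
    foreach ($mode in 'light', 'dark') {
        $key = "${mode}Time"
        [pscustomobject]@{ Mode = $mode; At = $Day.Date.AddMinutes($p.$key.value) }
    }
}

function Get-TransitionTimeline {
    # For each artifact, find the closest scheduled switch and the signed offset to it.
    param($Transitions, $Artifacts, [int]$WindowSeconds = 60)
    foreach ($a in $Artifacts | Sort-Object Time) {
        $nearest = $Transitions |
            Sort-Object { [math]::Abs(($a.Time - $_.At).TotalSeconds) } |
            Select-Object -First 1
        $offset = [int](($a.Time - $nearest.At).TotalSeconds)
        [pscustomobject]@{
            Artifact      = $a.Name
            Written       = $a.Time.ToString('HH:mm:ss')
            NearestSwitch = '{0} at {1:HH:mm}' -f $nearest.Mode, $nearest.At
            OffsetSeconds = $offset
            # The schedule has one-minute resolution, so a write inside that minute matches it.
            MatchesSwitch = ($offset -ge 0 -and $offset -lt $WindowSeconds)
        }
    }
}

$transitions = Get-ScheduledTransition -Json $settingsJson -Day '2025-12-05'
Get-TransitionTimeline -Transitions $transitions -Artifacts $artifacts | Format-Table -AutoSize
```

On the article's data, only Custom.theme lands inside the darkTime minute; both VS Code Insiders writes come after it.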

Case closed.


The Solution

The user had PowerToys installed with the LightSwitch module enabled. At some point, it was configured (or defaulted) to:

The user likely enabled this feature and forgot about it, or it was enabled during a PowerToys update.

How to Fix It

  1. Open PowerToys Settings
  2. Navigate to LightSwitch
  3. Either:
    • Disable the module entirely
    • Adjust the schedule to preferred times
    • Switch to "Sunrise/Sunset" mode for more natural transitions

Bonus: The hotkey Win+Ctrl+Shift+D can manually toggle the theme.


Lessons Learned

For Digital Forensics

  1. Timestamps are everything - Finding when the theme file was modified gave me a precise window to investigate
  2. Cast a wide net first - Parallel investigations save time and ensure nothing is missed
  3. Eliminate possibilities systematically - Ruling out Group Policy, Windows Update, and manual commands narrowed the suspect list
  4. Follow the software - Recently updated applications (PowerToys was updated 3 days prior) are prime suspects for behavioral changes

For Users

  1. Know your automation tools - PowerToys has many modules; some run silently in the background
  2. Check startup applications - PowerToys runs at login and its modules work autonomously
  3. Updates can change behavior - A PowerToys update might have enabled or reconfigured LightSwitch

The Technical Deep Dive

For those interested in the forensic details, here's what I examined:

Location                                  Purpose
--------                                  -------
HKCU:\...\Themes\Personalize              Current theme mode settings
%LOCALAPPDATA%\Microsoft\Windows\Themes\  Theme files with timestamps
HKCU:\...\CloudStore\                     Windows sync and scheduling data
PowerShell ConsoleHost_history.txt        Command history
Task Scheduler                            Automated tasks
%LOCALAPPDATA%\Microsoft\PowerToys\       PowerToys module configurations

The investigation touched on:


Conclusion

What seemed like a paranormal Windows phenomenon turned out to be a perfectly logical automation feature doing exactly what it was configured to do—just at an unusual time that the user had forgotten about.

The moral of the story? When your computer does something unexpected, there's always an explanation. You just need to know where to look.

And sometimes, it helps to have an AI assistant who can check 15 different things simultaneously and doesn't get tired at 3 AM.


Investigation completed in approximately 5 minutes with a single user prompt.

Tools used: PowerShell, Windows Registry, Event Logs, and a healthy dose of systematic thinking.


Tags: #Windows #PowerToys #DarkMode #DigitalForensics #Troubleshooting #AI #ClaudeCode