±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 32473
New Yesterday: 4 Visitors: 179

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Windows 10 Keylogger

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

Windows 10 Keylogger

Post Posted: Fri Jan 27, 2017 1:14 pm

Hi guys,

I have been burdened with the task of determining if windows, in fact, has an application running within that logs all the information a user types. I did some research and found out that the autologger service may be collecting certain telemetry information to aid microsoft.

My question is, are we able to locate and interpret the collected information in a way that can aid forensic examiners?  


Re: Windows 10 Keylogger

Post Posted: Sat Jan 28, 2017 8:18 pm

Well, that all depends on the collected information.

If you want to see if a keylogger is installed, you can try open up a console window, hold down a key for a minute or two. Check timestamps of files created to try to determine if anything is logged. Repeat and exclude.

Most keyloggers also use hooks and make lots of API noise and can be catched that way. I'm not sure if Processmon from sysinternals can help, but you can give it it a try.


Senior Member

Re: Windows 10 Keylogger

Post Posted: Sun Jan 29, 2017 4:16 am

- wilx
My question is, are we able to locate and interpret the collected information in a way that can aid forensic examiners?

Well, the autologger you seem to refer to is intended to trace booting problems. Not sure what use that would be forensically.

The mechanism is (I believe) the internal Windows event tracing mechanism, which uses an in-memory buffer structure as well as may use an external file for storage. The file should be named something.etl and can be placed anywere. However, there's no requirement to use a file. You could just log to buffers, and then send full buffers over the network.

There is a system call QueryAllTraces() that may be useful. It returns all EVENT_TRACE_PROPERTIES blocks that have been registered (and that you are allwoed to see). That includes points to file names and other info. You can find the GUIDs for such traces by the EnumerateTraceGuidsEx() call. There is sample code available from MSDN if you feel like testing.

This is a fairly arcane area of Windows software development, so ... best chances to learn everything about this, I think, to ask Microsoft for suitable courses that cover it. I would suspect it's covered in DDK courses, but ... it's not an area I've set foot in much myself.

The Event Tracing (EWT) reference manual is available at MSDN. And the contents of .etl files seem to be standardized and readable with MS tools.

But ... on the other hand ... anyone wanting to snoop would be somewhat silly to allow an event tracing session to be easily traceable. I'm sure there are many other technical possibilities.

An examination of the mechanisms used in existing keyloggers might be useful as starting information.  

Senior Member

Re: Windows 10 Keylogger

Post Posted: Wed Feb 15, 2017 8:29 pm

Hi Guys,

Thanks for your response and apologies for the delay in responding.

I appreciate the effort to assist, however, the alleged "keylogger" is the one mentioned in several articles that mention Windows 10's technical preview was shipped with the capabilities to log keystrokes. It was said that this was for telemetry purposes and the plan was to discontinue it however the same articles suggest that this feature was still shipped with the OEM.


I have been maintaining that the title "keylogger" is misleading, however, I still get questions from my superiors saying that they need evidence that it does not exist or cannot be accessed.

Thanks again,  


Re: Windows 10 Keylogger

Post Posted: Thu Feb 16, 2017 3:01 pm

It's not that kind of "keylogger".

It is really how the computer is used, not what the computer is used for.

quality is remembered long after price is forgotten 


Reply to topicReply to topic

Share and Like this forum topic to get more replies

Page 1 of 1