
Keylogger Detection and Removal Guide

How keyloggers work across hardware and software types, how to detect them using Process Explorer and network monitoring, and how to remove them safely.


Every keystroke you type — passwords, credit card numbers, private messages — can be silently recorded and transmitted to an attacker if a keylogger is present on your system. Unlike ransomware, keyloggers are designed to be invisible. They don’t encrypt your files or demand payment; they just watch and wait. This guide covers how they work, how to find them, and how to remove them.

Types of Hardware Keyloggers

USB Keyloggers

These physically plug in between a USB keyboard and the computer’s USB port. They look like innocuous adapters or extensions. All keystrokes are stored in onboard flash memory; an attacker returns later to retrieve the device and extract the log. Some models (like KeyGrabber WiFi) transmit data via WiFi or cellular.

Where to look: Visually inspect the back of desktop computers. Any unexpected adapter or dongle between the keyboard cable and the port is suspicious.

PS/2 Inline Keyloggers

Older but still found in legacy enterprise environments, these attach inline with PS/2 keyboard cables and function identically to the USB variants.

Acoustic and Electromagnetic Keyloggers

Sophisticated variants use acoustic analysis of keystroke sounds or electromagnetic emanations from keyboard cables to reconstruct input. These are nation-state tools rather than commodity threats, but they are worth knowing about.

Types of Software Keyloggers

User-Mode Keyloggers

These run with regular user privileges and use operating system APIs to monitor keyboard input. On Windows, they commonly use:

  • SetWindowsHookEx with WH_KEYBOARD_LL — installs a low-level keyboard hook that receives all keystrokes system-wide
  • GetAsyncKeyState polling — repeatedly checks the state of each key in a loop
  • Accessibility APIs (UIAutomation) — intended for screen readers, abused for input capture

User-mode keyloggers are easier to detect because they appear in the process list and must register hooks visible to monitoring tools.

Kernel-Mode Keyloggers

These operate as device drivers or rootkits, intercepting keystrokes at the operating system kernel level — before they reach any user-mode application. They hook into the keyboard driver’s IRP (I/O Request Packet) dispatch routines. Kernel-mode keyloggers are:

  • Nearly invisible to user-mode tools
  • Capable of bypassing most antivirus products
  • Difficult to remove without a bootable scanner or OS reinstall

API Hooking Keyloggers

These inject a malicious DLL into browser or application processes and hook functions like GetMessage, PeekMessage, or TranslateMessage to capture input within specific applications — often targeting banking software.

How Keyloggers Exfiltrate Data

Captured keystrokes need to reach the attacker. Common methods include:

Method          Description
Email (SMTP)    Logs sent at intervals to an attacker's email
FTP/SFTP        Logs uploaded to a remote server
HTTP POST       Data sent to a web-based C2 endpoint
Cloud storage   Logs written to Dropbox/Google Drive via API
Local storage   File written locally for physical retrieval (hardware keyloggers)

Many keyloggers also capture screenshots, clipboard contents, and active window titles to provide context around keystrokes.

Detection Methods

Process Explorer and Autoruns (Sysinternals)

Process Explorer (from Microsoft Sysinternals) shows far more detail than Task Manager. Look for:

  • Processes with no company name or description
  • Processes running from user-writable or temporary directories (%APPDATA%, %TEMP%, C:\Users\...\AppData)
  • Processes with suspicious parent-child relationships

Autoruns shows every program configured to run at startup — registry keys, scheduled tasks, browser extensions, drivers, and more. Keyloggers almost always need persistence:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Filter Autoruns to hide Microsoft-signed entries, then investigate anything unsigned or unfamiliar.
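The same two triage passes, scripted: an added PowerShell example (not from this guide or from Sysinternals) that flags running processes with no company/description or a user-writable path, then walks the three Run/RunOnce keys listed above and reports entries that are unsigned or point into a user-writable location. The user-writable roots and the command-line parsing rules are assumptions; run it from an elevated session for full visibility.

```powershell
# Added example: scripted version of the Process Explorer / Autoruns heuristics in the guide.
$UserWritableRoots = @("$env:USERPROFILE\AppData", "$env:TEMP")   # covers %APPDATA%, %LOCALAPPDATA%, %TEMP%
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$RegistryMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $UserWritableRoots) {
        if ($root -and $Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the executable out of a Run-key value such as  "C:\x\a.exe" --silent  or  C:\x\a.exe /q
# Unquoted paths with spaces and bare names (rundll32.exe ...) are not resolved; those show as MissingFile.
function Get-ExeFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MissingFile' }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()   # Valid, NotSigned, HashMismatch, ...
}

Write-Host '== Processes with no company/description, or running from a user-writable path =='
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $flags = @()
    if (-not $_.Company -and -not $_.Description) { $flags += 'NoMetadata' }
    if (Test-UserWritablePath $_.Path) { $flags += 'UserWritablePath' }
    if ($flags) {
        [pscustomobject]@{ PID = $_.Id; Name = $_.Name; Signature = Get-SignatureStatus $_.Path; Flags = ($flags -join ','); Path = $_.Path }
    }
} | Format-Table -AutoSize

Write-Host '== Run/RunOnce entries that are unsigned or point into a user-writable path =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($entry.Name -in $RegistryMetadata) { continue }
        $exe = Get-ExeFromCommand ([string]$entry.Value)
        $sig = Get-SignatureStatus $exe
        if ($sig -ne 'Valid' -or (Test-UserWritablePath $exe)) {
            [pscustomobject]@{ Key = $key; Entry = $entry.Name; Signature = $sig; Target = $exe }
        }
    }
}
```

Anything reported here is a lead for manual review in Process Explorer or Autoruns, not a verdict; legitimate updaters and developer tools also live under AppData.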

Checking for Low-Level Keyboard Hooks

WinSpy++ and similar tools can list the hooks installed on a window. PowerShell has no cmdlet that enumerates hooks directly, but it can list the DLLs each process has loaded, which is where an injected hook DLL shows up:

# List DLLs each process has loaded from outside the Windows and Program Files trees
# (an injected hook DLL usually lives elsewhere, e.g. under AppData or Temp).
# Run from an elevated session; protected processes still refuse module enumeration and are skipped.
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # return skips this process in ForEach-Object
    $mods |
        Where-Object { $_.FileName -notlike "*\Windows\*" -and $_.FileName -notlike "*\Program Files*" } |
        Select-Object @{N='Process';E={$proc.Name}}, @{N='PID';E={$proc.Id}}, FileName
}

Any DLL loaded from a temp directory or an unknown path warrants investigation.

Network Monitoring

Use Wireshark or Windows Firewall with Advanced Security logs to look for unexpected outbound connections, especially:

  • Outbound SMTP (ports 25, 465, 587) from processes other than your mail client
  • Connections to IP addresses with no clear hostname
  • Regular, timed HTTP POST requests to unfamiliar domains

Fiddler or Charles Proxy can decrypt HTTPS traffic from applications by acting as a local TLS-intercepting proxy (the application must honour the system proxy setting and trust the proxy's root certificate), revealing hidden data exfiltration.
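The three network indicators above, checked from the host itself: an added PowerShell example (not from this guide) that samples established TCP connections over about a minute and flags SMTP ports used by anything outside an assumed mail-client allowlist, remote addresses with no reverse DNS name, and endpoints that recur across samples (the timed-beacon pattern). Get-NetTCPConnection needs Windows 8/Server 2012 or later; the allowlist, the IPv4-only filter and the sampling interval are assumptions.

```powershell
# Added example: host-side sampling of outbound connections for the indicators listed in the guide.
$MailClients     = @('outlook', 'thunderbird')   # assumed allowlist; adjust to the mail clients actually in use
$SmtpPorts       = @(25, 465, 587)
$Samples         = 6                             # six samples ten seconds apart; lengthen for slow beacons
$IntervalSeconds = 10

# IPv4 only; private, loopback and link-local ranges are skipped so LAN chatter does not crowd the output.
function Test-PublicIPv4 {
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $addr.GetAddressBytes()
    if ($b[0] -in 0, 10, 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if (($b[0] -eq 192 -and $b[1] -eq 168) -or ($b[0] -eq 169 -and $b[1] -eq 254)) { return $false }
    return $true
}

function Get-ReverseName {
    param([string]$Ip)
    try { return [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { return $null }
}

# Sample established connections repeatedly and count how often each (process, remote, port) tuple recurs.
$seen = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { Test-PublicIPv4 $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $k = '{0}|{1}|{2}' -f $proc.Name, $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($k)) {
                $seen[$k] = [pscustomobject]@{ Process = $proc.Name; PID = $_.OwningProcess; Remote = $_.RemoteAddress; Port = $_.RemotePort; Hits = 0 }
            }
            $seen[$k].Hits++
        }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$seen.Values | ForEach-Object {
    $flags = @()
    if ($_.Port -in $SmtpPorts -and $_.Process -notin $MailClients) { $flags += 'SmtpFromNonMailClient' }
    if (-not (Get-ReverseName $_.Remote)) { $flags += 'NoReverseDns' }
    if ($_.Hits -ge [math]::Ceiling($Samples / 2)) { $flags += 'Recurring' }
    if ($flags) { $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ',') -PassThru }
} | Sort-Object Hits -Descending | Format-Table Process, PID, Remote, Port, Hits, Flags -AutoSize
```

Short-lived connections that open and close between samples are missed; for those, the Windows Firewall log or a Wireshark capture remains the better source.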

Removal Steps

  1. Disconnect from the network immediately to stop ongoing exfiltration.
  2. Run Autoruns — delete any suspicious entries, noting their file paths.
  3. Kill suspicious processes in Process Explorer (right-click → Kill Process Tree).
  4. Delete identified files — keylogger binaries are often in %APPDATA% (AppData\Roaming), %TEMP%, or disguised as system files in C:\Windows\System32.
  5. Check browser extensions — remove any you don’t recognize in all installed browsers.
  6. Scan with Malwarebytes in Safe Mode for thorough detection.
  7. Change all passwords from a known-clean device — not from the compromised machine.

Bootable Rescue Scanners

For suspected kernel-mode keyloggers, scanning from within the running OS is unreliable — the rootkit can hide itself from scanners. Use a bootable environment:

  • Kaspersky Rescue Disk — bootable Linux environment with Kaspersky’s engine; scans all mounted Windows partitions
  • Malwarebytes Incident Response — enterprise-grade offline scanner
  • Windows Defender Offline Scan — built into Windows 10/11, boots into a minimal environment before the main OS loads (Start > Windows Security > Virus & Threat Protection > Scan Options > Microsoft Defender Offline Scan)

On-Screen Keyboard as Partial Mitigation

The Windows On-Screen Keyboard (osk.exe) bypasses some software keyloggers that hook physical keyboard input — specifically those using SetWindowsHookEx with WH_KEYBOARD_LL. However, it does not protect against:

  • API hooking keyloggers targeting specific applications
  • Screenshot-capable keyloggers (they capture the screen as you click)
  • Kernel-mode variants

For sensitive inputs on an untrusted machine, consider using a dedicated password manager with auto-fill (which never types the password) combined with multi-factor authentication.

Prevention Best Practices

  • Enable multi-factor authentication — even if credentials are captured, the attacker can’t log in without the second factor
  • Use a password manager — auto-fill prevents keyloggers from seeing what’s typed
  • Keep OS and drivers updated — kernel-mode keyloggers often exploit driver vulnerabilities
  • Inspect USB ports visually before using shared or public computers
  • Use application allowlisting (Windows Defender Application Control) to prevent unauthorized executable launches
  • Train users to recognize suspicious processes and report anomalies

Keyloggers are patient attackers. The damage they cause — stolen banking credentials, corporate espionage, identity theft — often isn’t discovered until months after infection. Proactive monitoring and layered defenses are the only reliable protection.
