Keylogging by Using Windows’ Built-in Mechanisms Only

Let’s talk about keylogging. It’s a very exciting topic because for this type of activity we usually use third-party tools, whereas in this case you can just open your console and dig into it.

Today I’ll show you how to make full use of it, and how to leverage ETW (Event Tracing for Windows) to get a list of everything you’ve typed.

Let’s begin.

Tracing In ETW


I have a tool open: UI for ETW (Event Tracing for Windows). It’s a free tool that you can download from GitHub. All we’re going to do is start tracing, and that’s it.



In Cortana, we’re going to start typing “test”. Then we choose “save trace buffers” and a trace is created. As you can see, this is the trace that we’ve got right now.

So we can even copy that particular path. This is the merged ETL. Okay, and that’s it.

We can just stop tracing. Perfect.

Deep Diving Into Particular Traces


What is important is that when you do this kind of tracing, you set “Input Tracing” to “Full”, to capture all the types of events that can be captured at that moment.

When we’ve got this particular trace, then we can just double-click on it, which is very nice. The tool supports that. And then it opens in the Windows Performance Analyzer, which you need to have downloaded first.

Windows Performance Analyzer allows me to do a little bit of a deep dive into what this particular trace shows.



By default, the generic events are loaded here: Random ASCII Chrome and Multi Events. Let’s just choose one. Random ASCII Multi Events, why not.


Now, we can have a look at what kind of different types of events we have over here.



And we do, indeed, have keyboard events, and then of course multi-input. If you have a look here, we can see “TEST”, which is exactly what I typed.

This is quite interesting because it shows that by using regular Windows monitoring, that is Event Tracing for Windows, which we could call an absolute source of information in Windows, we are able to monitor what is being typed on a keyboard without needing additional tools.

Okay, so this was the first thing that I wanted to show you.


2nd Option: Using CQETW Keylogger

The second thing seems a little more interesting because, at this stage, I would like to get into our own tools, and one of them is CQETWKeylogger.


I will just launch it, and then:

  • Get into the text file.
  • Take the keyboard that I have connected through the USB port, because here we are monitoring USB events.
  • Type something here.



“CQURE”, as you see. Right now I press space. I am monitoring every keystroke that I make on the keyboard connected to the USB port. So that is also possible.

What’s The Conclusion Coming Out Of That?


Anything in Windows can be traced, as long as we have appropriate monitoring set up before that kind of event happens. And that is something we can get by using ETW, Event Tracing for Windows.

Anything we do in Windows that is traced can also be saved to a file. But please remember that pre-set monitoring like that is not free: it costs you a little bit of your operating system’s performance.

You Have To Set Up Your Goal


So it’s really a question of what your goal is. If your goal is to:

a) trace the keystrokes, bring it on. You can measure how much performance it takes; in this case, not much, actually.

b) monitor a lot of different types of events, or much, much more, then it can take up to 20% or even more of your overall system performance. So be careful with that.

Also, a good lesson at the end: make sure that the log you are writing to is circular and that you set a certain size, so that it does not fill up your drive. Because it’s not very difficult to do.
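For the conclusion above (tracing only works when a session was set up beforehand) and the circular-log lesson, here is an added example, not CQURE’s code, that audits the ETW sessions currently running on a host. It flags file-backed sessions that are neither circular nor size-capped and lists enabled providers whose names match a review pattern; the pattern is an assumption built from the terms this page uses, and the script must run from an elevated prompt.

```powershell
# Added example (not from the original post): audit running ETW sessions.
# Uses the built-in EventTracingManagement cmdlets; run elevated.

# Assumption: provider-name fragments to review, taken from the page's wording
# ("USB events", "keyboard", "multi-input"). Tune this to your own baseline.
$WatchPattern = 'USB|Keyboard|Input'

# EVENT_TRACE_FILE_MODE_CIRCULAR as defined in evntrace.h
$CircularFlag = 0x2

# Build a GUID -> name map for manifest-registered providers so that
# session output shows readable names instead of bare GUIDs.
$providerNames = @{}
Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue | ForEach-Object {
    $providerNames[$_.Id] = $_.Name
}

$report = foreach ($session in Get-EtwTraceSession -Name '*') {
    # Providers enabled into this session (may be empty for kernel loggers).
    $enabled = @(Get-EtwTraceProvider -SessionName $session.Name -ErrorAction SilentlyContinue)
    $names = foreach ($p in $enabled) {
        $guid = [guid]$p.Guid
        if ($providerNames.ContainsKey($guid)) { $providerNames[$guid] } else { $guid.ToString() }
    }

    $writesFile = -not [string]::IsNullOrEmpty($session.LocalFilePath)
    $isCircular = [bool]($session.LogFileMode -band $CircularFlag)

    [pscustomobject]@{
        Session          = $session.Name
        LogFile          = $session.LocalFilePath
        MaxFileSizeMB    = $session.MaximumFileSize
        # File-backed, not circular, no size cap: this log can fill the drive.
        UnboundedLog     = $writesFile -and -not $isCircular -and -not $session.MaximumFileSize
        WatchedProviders = @($names | Where-Object { $_ -match $WatchPattern }) -join ', '
    }
}

# Sessions with a watched provider sort first.
$report |
    Sort-Object { $_.WatchedProviders -eq '' }, Session |
    Format-Table -AutoSize -Wrap
```

Comparing this output against a known-good baseline of sessions for the host makes an unexpected session, or an expected one with new providers, stand out.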

As you see, it’s not that difficult to perform keylogging by using built-in Windows mechanisms. If you’ve got questions or comments, please leave them on our blog post or on our Facebook wall. We are looking forward to those.
