An Introduction to Keylogging

I had heard that people could capture what you were typing into your computer, and might then see which websites you were visiting (e.g., banking, porn), what you were typing there, who you were chatting with, what you were saying, and so forth.  I decided to learn more about the matter.  This post presents what I found.

Note that, while this post concentrates on computers, keylogging is also possible for smartphones.  Note also that the discussion of legality is postponed to the end of this piece, so as to be informed by the following insights about the various hardware and software keylogging possibilities.

Hardware Keylogging

Many sites told me that there was hardware keylogging, and then there was software keylogging.  One difference was that hardware keylogging would require someone to plug or install some physical device into my computer, whereas software keylogging would involve installation of a software program onto my computer.  It appeared that software keylogging would depend upon a certain operating system – for example, a software keylogger designed to run in Windows would obviously not run on a system booted with some other operating system (e.g., Linux) – while a hardware-oriented keylogging technique would tend to capture keystrokes and, in some approaches, would capture visual information as well.

Those initial impressions failed to anticipate the spectrum of possibilities available on the hardware side.  It was true that one could buy a physical device to capture keystrokes.  For example, Amazon offered little dongles for both USB and PS/2 keyboards.  You would plug the keyboard into the dongle, and plug the dongle into the computer.  The dongle would capture what was typed into the keyboard, and then the person who had inserted the dongle would secretly remove it and take it elsewhere to review its contents.  But someone with some money to spend (or the ability to build it him/herself) could instead use a wireless dongle, leave it in place, and receive its contents through automated emails to his/her inbox.  (Note the difference between a keylogging dongle and a harmless adapter from one kind of plug to another.)

It appeared that the contents of a typical keylogging dongle would not be formatted in any particular way; it would just be a text file with all the keystrokes mashed together.  It would presumably be difficult to identify the significance of even an important text string (e.g., a password) buried within a lot of other text, or typed in a webpage initiated via mouse click (as distinct from typing the webpage’s URL, which would be a clue as to the significance of whatever might be typed next).  The dongle would also presumably not capture incoming data (e.g., other parties’ responses on a chat page).  Except where the purpose of a password could be identified (e.g., occurring at the very start of a session), it seemed that the output of this device might be most useful for retrieving the contents of coherent texts (e.g., emails, memos) typed by the user of the machine.  It sounded like some of these devices might fail to keep up with a fast typist.

An advantage of such a device would be that, unlike typical software, you would not need administrative rights to install it.  So, for example, you could insert it long enough to get someone’s administrative password, and then remove it and use the administrative password to install keylogging software.  (Note that unplugging and replugging keyboards or mice might render them nonworking, at least until a reboot.)  This sort of device would be readily visible to anyone who would inspect the back of the computer and both ends of any keyboard or mouse extension cords that might be plugged into it – although, even then, some people might assume that the device was supposed to be there.  People do not typically inspect the backs and cables on public computers; indeed, they may not even do so on their home computers, nor may their system administrators regularly do so on office desktops.  A hardware keylogger would also typically not be visible on the software level (as e.g., an installed program visible in the Windows 7 Control Panel > Programs and Features list).

It further developed that I was mistaken in my initial belief that hardware keylogging was just a matter of keyboard dongles, wired or not.  That same Amazon link, and other sources, offered other kinds of devices as well.  For example, there were keylogging keyboards that would look normal, but would contain built-in keylogging circuitry, and keyboard modules, to add keylogging capabilities to ordinary (e.g., Microsoft, Logitech) keyboards.

There were also USB drive keyloggers.  These would not be inserted between the keyboard and the computer, but would rather be plugged into a separate USB port.  As such, they might work with wireless as well as wired keyboards.  It still sounded like they tended to capture only the user’s typing, as distinct from his/her mouse work or any incoming data; but there were indications that some of these devices could be instructed to capture periodic screenshots, providing a context for the typed text.  A search led to indications that it was possible to make one’s own USB or PS/2 keyloggers inexpensively.  In the absence of frequent screenshots, it seemed that these sorts of keyloggers could be defeated by using a virtual keyboard – that is, not a touch screen, but rather a dialog that would appear onscreen with a picture of a keyboard, from which you could mouse around and choose the letters you wanted to “type.”  Speech-to-text (i.e., voice recognition) software would be another option.

It seemed that some keyboard dongles and other capture devices would offer passwording and encryption, so that others discovering (or stealing) such devices would not have access to their contents.  If the device in question was a separate USB dongle, people might just assume that someone forgot to take their USB drive when they left the library.  Apparently one would access the contents, or reach a password dialog, by typing a special key combination (e.g., K-B-S; Ctrl-Alt-CapsLock).

These sorts of hardware devices tended to be irrelevant to portable computers.  Anyone would notice a stray USB drive attached to a laptop.  But there did seem to be other technologies in development (and, in some cases, available on the market) offering hardware keylogging that users might not readily detect.  First, it would be possible but probably quite difficult to undertake manual rewiring of the laptop’s internal circuitry, so as to insert a piece of keylogging hardware within that circuitry.  Snopes rebuts the legend (circa 2005) of hardware keyloggers installed in all new Dell laptops, and others reject a similar and more recent legend regarding Samsung.

By contrast, it would be fairly easy to open a laptop’s case – or just to use an external port – and insert a card or device in the appropriate format (e.g., Mini PCI, mSATA, MicroSD, PCI Express).  Laptops often do have empty bays in such formats.  A search led to some such devices.  The external port approach would be visible to, but perhaps long overlooked by, a laptop owner who tends not to use such slots.  Data recovery from such devices could evidently include not only physical retrieval of the device – it would usually take only a few minutes to remove the screws and pop off the rear panel, if necessary – but also the wireless approach mentioned above.

There were also several hardware keylogging techniques that would not require physical contact with the targeted computer.  Articles at HacknMod and Wikipedia described some such emerging technologies.  These included laser analysis, in which a laser pointed at a keyboard could detect which keys were being pressed; power-line analysis that could detect keystrokes from any machine plugged into the local power circuit; analysis of the radiation emanating from a video display to determine what was being displayed at some distance; radiation analysis applied to wired keyboards; acoustic keyloggers, working with a sample of the sounds made by at least 1,000 keystrokes to estimate what is being typed; optical surveillance (i.e., a camera positioned to capture keystrokes); and wireless keyboard sniffers, which would receive and interpret the signals sent by wireless keyboards.  Although such signals were typically encrypted, a Carnegie-Mellon webpage suggested that the encryption on ordinary keyboards could be easily cracked, at increasing distances with tools like Keykeriki.

Incidentally, elsewhere in the wireless world, a search for Tamosoft’s CommView for WiFi (starting at $199, but apparently cracked and available for free illegally), selected as a Product of the Year for 2009 by TMC’s Internet Telephony Magazine, yielded instructions (and more and still more instructions) on cracking wireless networks (using “outsourced super computers, such as WPA Cracker”) and links to two programs (EffeTech HTTP Sniffer and Ace Password Sniffer) designed to capture email and passwords from cracked networks.  CommView for WiFi reportedly decrypts data and “includes a VoIP module for in-depth analysis, recording, and playback of SIP and H.323 voice communications” (e.g., Skype).  To defeat such intrusions, the instructional websites recommended using WPA or better (e.g., WPA2-PSK) encryption with long and complex passwords that would resist a multimillion-word dictionary cracking approach, and ideally implementing Network Access Control or Network Access Protection.

Yet another hardware keylogging possibility:  BIOS (i.e., firmware) modification.  This was apparently difficult and unlikely, though there were instances of it happening on military chips (with national security implications) and Apple keyboards.  This seemed to be the preferred realm of some very worrisome governmental and corporate snooping into individual privacy.  Pursuit of that topic led to a Wikipedia article describing the COFEE tool to aid law enforcement in grabbing data from private computers, and the DECAF tool to obstruct COFEE.  (I did not research the legality of any such obstruction.)  At least where the keylogging was not intended by the chip manufacturer, it appeared that flashing the BIOS (i.e., installing a BIOS update, assuming one is available, or perhaps reinstalling the existing BIOS) would tend to wipe out BIOS mods, at least until they could be reinserted into the target computer (by e.g., an infected hard drive).  As a partial precaution (presumably defeated by a BIOS flash), it appeared advisable to enable BIOS passwording, typically by hitting DEL or F2 at bootup and going into the machine’s BIOS setup options.

These observations yielded several thoughts.  In general, security would be increased by using and keeping a computer well away from other people, not only in public locations (e.g., libraries) but even in offices, apartment buildings, and other places where sight, sound, and/or wireless signal could be used to detect contents of communications.  When networked, security depended upon network administrators who paid attention and had some idea of what they were doing.  Also, since I kept making new discoveries as my inquiry continued, I had to assume that there would continue to be unrecognized security threats from devices and techniques I had not considered.

On this basis, I decided that there seemed to be three levels of hardware security threat.  First, at the commodity level, there was the risk that any intelligent person could buy and use a relatively inexpensive USB or PS/2 dongle, or possibly a MicroSD or similar device for a laptop.  Second, at the moderately informed beginner-hacker level, it appeared feasible to spend an hour or two, and maybe $100-200, and start learning how to install an internal hardware device capable of storing and/or transmitting captured keystrokes, two-way communications, and/or screenshots; or to use a camera, wireless detector, or other device from a distance of some yards away, perhaps but not necessarily through walls.  Third, at the most sophisticated level, there would be the potential for devoted efforts by security professionals, in corporations and government and also in private investigative enterprises, legal or otherwise, who would actually be getting paid to figure out how to capture keystrokes and otherwise penetrate into one’s private information.  No doubt there were vast differences between the best and the worst security professionals, but to me all of them presently operated on a different level from me.  I could hope to maintain a low profile, have relatively little of value, and protect what I had well enough, thereby tending to avoid involvement with them; but in the grand scheme there seemed to be a substantial risk that, with present or future hardware, someone would eventually have means and reason to invade my keystroking space.

Note:  lest anyone assume they are safe by following the sorts of precautions discussed in this post, it may be worthwhile to review the comments provided in a discussion thread about carrying a business laptop to China, in a somewhat bizarre proposal for securing data against customs officials in any country, and in an Electronic Frontier Foundation piece for travelers carrying digital devices.

Software Keylogging

Unlike hardware, software depended upon an operating system.  I was using Windows 7, and was thus concerned with software keylogging tools that would run in Windows.

It appeared that I would be substantially protected from Windows-based keylogging software if I chose to boot up a different operating system (e.g., Linux).  It seemed that installation of any operating system could entail installation of spyware; but it also seemed that Windows attracted the most attention, since it had the largest user base.  An alternative was to simply avoid installing an operating system, and thus to avoid installing spyware, by booting up an operating system (e.g., Ubuntu Linux; DOD LPS) using a “live” CD.  A live CD (or a bootable live USB drive) could contain everything necessary to run at least some basic functions (e.g., word processing, email,  Internet browsing) while saving nothing to storage (e.g., hard drive, USB drive) on the system that was running it.  I was not sure to what extent booting into Windows Safe Mode (perhaps With Networking) (i.e., keep hitting F8 after rebooting) would also permit some kinds of work (though apparently not email or other online work) without starting the keylogger.

Assuming I was going to boot Windows in Normal (not Safe) mode, the next question was how to avoid a Windows software-based keylogger.  Windows would boot after the BIOS, so the foregoing hardware-related remarks about BIOS keyloggers would still have to be taken into account, as would the other hardware concerns; these would generally apply to any operating system.  I already faced security risks on the hardware side; the question here was how many more software-based risks Windows would bring to my door.

Selecting a Typical Keylogger

Understanding software keylogging seemed to require, first, an understanding of what tools were available.  A search led to several recent lists of the best keylogger programs:  by CNET,,,, Amazon, and VagueWare, along with a MacPing list of best Mac keyloggers (not discussed here).  I was not able to get the sorting options to work properly at CNET and Amazon, so I began with FindTheBest’s top five entries:  Family Cyber Alert, Elite Keylogger, SoftActivity Keylogger, AceSpy Spy Software, and Total Spy.  This list partly overlapped with the top ten named by VagueWare:  Elite Keylogger at No. 1, followed by SoftActivity Keylogger, Free Keylogger, AllinOne Keylogger, Revealer Keylogger, Micro Keylogger, Argos Monitoring, The Best Keylogger, Super Free Keylogger, and Ardamax Keylogger. selected All In One Keylogger, Spytech SpyAgent, StaffCop Standard, The Best Keylogger, REFOG Personal Monitor, SoftActivity Keylogger, Elite Keylogger, Perfect Keylogger, iSafe AllInOne Keylogger 2013 Pro, and Total Spy.  Going in a very different direction, Well Researched Reviews chose WebWatcher, SpectorPro, Content Protect, SpyAgent, eBlaster, CyberSitter, Net Nanny, and Cyber Patrol.

I suspected that some of those lists might be driven more by advertising dollars or by authors’ arbitrary and possibly uninformed impressions than by accumulated user experiences or qualified editor reviews.  To test that, I looked for more information on the top two entries in each of those four lists.  For those eight entries, total downloads and ratings at Softpedia suggested they might be ranked as follows:  All In One Keylogger (9,227 downloads, 3.1 rating (out of 5)), SoftActivity Keylogger (10,734 downloads, 3.0 rating), Family Cyber Alert (6,754 downloads, 3.8 rating), WebWatcher (1,273 downloads, not rated), and Free Keylogger Platinum (200 downloads, 5.0 rating), with Elite Keylogger, Spytech SpyAgent, and SpectorPro not listed.  By contrast, using information from CNET, they would perhaps be ranked as follows:  Free Keylogger Pro (58,874 total downloads, 4.5-star rating by 86 users); AllInOne Keylogger (780,766 total downloads, 4-star rating by 187 users, 4-star editors’ rating); Spytech SpyAgent (132,670 total downloads, 3.5-star rating by 99 users); Family Cyber Alert (329,085 total downloads, 3-star rating by 101 users, 5-star editors’ rating; WebWatcher (14,234 total downloads, 3-star rating by 27 users); SoftActivity Keylogger (173,006 total downloads, less than a 2-star rating by 12 users, 5-star editors’ rating); Spector Pro (8,067 total downloads, not rated); and Elite Keylogger (254 total downloads, 5-star rating by 1 user).  At Amazon, most were unlisted or had very few user ratings; the exception was Spector Pro (3.5 stars, 47 customer reviews).

Given that information, I tried to figure out why anyone would have listed Elite Keylogger as a top keylogger.  VagueWare did not provide a very convincing explanation.  FindTheBest had no user reviews for most of these items; in the case of Elite Keylogger, at least, it seemed to rely on CNET’s single review.  It was not clear whether CNET’s editors were always in step with user experiences, but there did appear to be some congruence between the list and user responses (in terms of both downloads and ratings) at CNET.

It tentatively appeared, then, that the list might be the best of these sources of potential guidance.  I was a bit stuck on the name “Well Researched Reviews” (WRR), though; it made me think there must be a reason for its departure from these three other lists.  It baffled me that hardly any of the programs listed on these other sites even appeared on WRR’s list.  It was as though they had grabbed a bunch of programs at random – programs that, for some reason, were not considered stellar (may not even have been considered relevant) at these other sites.  I decided to look more closely at their review of WebWatcher and their side-by-side comparison, as contrasted against the CNET editors’ five-star review of Family Cyber Alert.  There appeared to be hardly any substance to that CNET review, whereas WRR had examined numerous criteria and provided an extensive writeup.  In another comparison, I looked at the reviews of Spytech SpyAgent provided by WRR and by  In this case, the WRR review was a joke, while provided an extensive discussion.  I tentatively concluded that WRR may have liked WebWatcher, and may have focused on it for that reason, but that had done a more consistent job across the board.  As a final, rather impressionistic test, I did a search to see whether WebWatcher appeared to be more of a topic of discussion than’s top choice of AllInOne.  This search suggested that AllInOne was far more a topic of review and discussion.

That search also belatedly led to a WebWatcher selection as the number one pick at TopSoftwareReviews, however, and to a potential explanation of divergence:  these people, and perhaps those at WRR, described themselves as being focused specifically on keylogging, as distinct from general-purpose PC monitoring or “parental control software.”  In a hybrid of WRR and, TopSoftwareReviews chose Spytech SpyAgent as No. 2 and Spector Pro as No. 3.  The review of AllInOne did note that it was able to capture sounds from the target computer’s microphone and take a variety of screenshots.  Even more belatedly, the WebWatcher homepage informed me that it had been ranked No. 1 by PC Magazine among others (in 2009, it appeared) – but it did not seem to capture from the microphone.  Further browsing led to a sense of convergence, of closing in on a few key programs:  without a lot of detail, seemed to feel that Spytech SpyAgent was the best, with five stars, followed by three four-star contenders:   SoftActivity Keylogger, All In One, and WebWatcher – but they demoted WebWatcher solely because of its price.

Since I did not have a specific spying situation in mind, sufficient to turn me toward any particular set of features, I looked at price.  At this writing, WebWatcher went for $97, while AllInOne and SpyAgent each cost $69.95.  I had to say that, at this point, a return to the feature list of SpyAgent gave me the “desirable” feeling that it was creepy, as I observed how completely it would apparently allow someone to sit back and monitor what someone else was doing – essentially, what they were thinking and feeling – without them knowing it.

Detecting the Typical Keylogger

Guided by the foregoing selections, I ran a search (and a follow-up) to see whether people were especially likely to be talking about blocking or removing WebWatcher, SpyAgent, or AllInOne.  My impression was that, at least in the first 50 hits, those three programs were talked about in just that order, with WebWatcher apparently being the one that people were most interested in identifying and avoiding.  I tentatively decided that, while I might actually buy SpyAgent if I wanted to do spying, I would proceed here on the assumption that someone was using WebWatcher on me, and now it was a question of how I would discover and confirm that, and what I could do about it.  (To test for SpyAgent or some other program, I would probably follow steps similar to these, beginning with a revision of the following search.)

A search yielded a number of suggestions and insights on detection.  There seemed to be some discrepancies between WebWatcher’s own claims of “undetectability” and “unparalleled invisibility” and users’ claims that they were actually able to detect keylogging software.  For instance, Mesanore said that he was able to identify WebWatcher by using TCPView:  “This program has identified that the iexplore.exe process constantly tries to access [] . . . via HTTPS.”  Mesanore said that four different antivirus programs had failed to detect it.  But ComplaintsBoard, listing complaints about WebWatcher (e.g., hidden extra costs), offered several claims that the program was “often detected by antivirus software and rootkit scanners,” such as Norton (or Sophos) AntiVirus, and would then be disabled after a week or two of use.  The suggestion in that case, for one who wanted not merely to disable it but to know it was being disabled, would apparently be to read any detailed notices provided by the antivirus software, to see if items being disabled or removed included keylogging software like WebWatcher.   WikiHow suggested several means of detection:

  • Hold down Ctrl-Alt-CapsLock.  This, they said, was the default key combination to bring up a password that the installing individual would use to enter the program and change its settings.  A search did seem to confirm that this was the default for WebWatcher.  They noted that the person installing WebWatcher could have decided to change that key combination.  No doubt some installers would not bother.
  • Run SpyDLLRemover (freeware; rated 4 out of 5 stars at SoftPedia by 53 users; 27,247 total downloads; see also  In version 5.0, adjust Settings (i.e., the Gears icon) as follows:   check “Scan for Hidden Processes” and everything under it; uncheck “Ignore modules other than DLL extension.”  Click Save > Start Scan.  Look for certain directories (see next bullet point).  Also look for any file named WPSNUIO.  Right-click > Remove any such items.  (Manual detection and deletion (below) may be easier in some instances.)  I suspected that removing non-dangerous items not specified here could destabilize some Windows programs or functions.
  • Run a smart scan in LavaSoft Ad-Aware (free version; rated 3.5 out of 5 stars by 13,560 users at CNET; 383 million total downloads).  Remove WebWatcher (a/k/a UltraView) if it appears in the list of findings.  For me, Ad-Aware’s installer closed Firefox without warning, causing me to lose work.  Ad-Aware detected my existing antivirus (Microsoft Security Essentials (MSE)) and offered to install in a “compatible” mode as a second line of defense.  Note that Malwarebytes’ Anti-Malware likewise tended to be a compatible complement to major antivirus programs like MSE.  Whether Ad-Aware was compatible with Malwarebytes, I was not sure.  I doubted it was necessary or even advisable to keep it in addition to Malwarebytes and MSE.  I had previously tried and rejected Ad-Aware, and still disliked its installation style, and saw elsewhere that others were recommending Malwarebytes for keylogger detection.   Another program on CNET’s list that I had first used and liked many years earlier:  Spybot – but there were reports of problems when not run as an administrator.  It seemed that some scans might be best run in Safe Mode.
  • Manual detection:  open a command prompt as administrator.  In Windows 7, one way to have an administrator command prompt readily available is to create a shortcut to it.  To do that, go to the Desktop > right-click > New > Shortcut > Shortcut tab > C:\Windows\System32\cmd.exe > Advanced > Run as administrator.  Save it with a name like AdminCMD.  In the Admin command prompt, look for typical WebWatcher directories.  If they exist, you may be infected; you may want to delete the directories.  To look for the directories, type C: at the Admin command prompt to get to drive C, and then type CD and a space and the name of the directory, such as:
    c:\program files\webwatcherv5
    c:\program files\skyhook wireless
    WikiHow said you could just delete these directories.  It might be necessary to use a combination of commands to do so.  Another source cited other possible program file locations:
    C:\Program Files\IT Webwatcher
    C:\Documents and Settings\user name\Application Data\IT Webwatcher
    C:\Document and Settings\All Users\Application Data\IT Webwatcher
    Note that it might be possible to open such directories by typing or pasting the foregoing addresses into the Address box in Windows Explorer, assuming one has configured Windows Explorer to show the Address box.  It might also be possible to delete some such items using Unlocker.  (See additional uninstallation remarks below.)

For some reason, eHow suggested an anti-spyware scan using XoftSpySE (2.5 stars by 91 users at CNET).  It appeared possible but unlikely that XoftSpySE would detect malware that much more popular and established programs (above) would miss.

Along with general-purpose antivirus and anti-spyware programs, there were also programs specifically designed to detect keyloggers.  Wikipedia said that an anti-keylogger would flag all keyloggers, including those that an anti-spyware or antivirus program might not report on grounds that the keylogger was not part of a virus or for other reasons would be considered legitimate.  On this basis, I was not entirely sure I would need a dedicated keylogger.  Would WebWatcher be considered an illegitimate program, given the frequent claims that people often buy such software to keep an eye on their kids, or employees, or others over whom they have (or at least claim) a need for supervision?  In other words, would antivirus software tend to detect such programs already, without a specialized keylogging program?  As in the hardware situation (above), there remained the likelihood that a sophisticated person or agency could devise customized keylogging software that would outfox the approaches used in commercial antikeyloggers.

Assuming I would want and/or need an anti-keylogger, Wikia started me with a list of five:  SpyShelter, MaxSecurity Lab’s DataGuard, DewaSoft’s KL-Detector, and Keylogger Blocker.  TopTenReviews echoed SpyShelter as the No. 1 anti-keylogger, followed by Zemana AntiLogger, KeyScrambler Premium, Keylogger Detector, and GuardedID Premium.  Raymond recommended Zemana AntiLogger, SpyShelter Premium, and DataGuard AntiKeylogger Ultimate.  MakeUseOf also recommended Zemana and SpyShelter.  In short, these sources seemed to share some consensus on SpyShelter and Zemana.

Neither SpyShelter nor Zemana appeared to be available at Amazon.  SpyShelter’s comparison page indicated that the Premium version (20€ (about $26) per year; 50€ lifetime) had numerous advantages over the Free version, including 64-bit support (increasingly relevant to newer computers), keystroke encryption, and webcam logger protection.  It seemed very likely that I would have chosen the Premium version.  Zemana indicated that its free version offered 64-bit support but lacked certain other features found in its full version ($29); here, the price differential was not so great, nor was the need for the full version so obvious.  At CNET, SpyShelter Premium enjoyed a four- (out of five) star rating (17 voters; 3,313 total downloads; no editors’ review), while the free version drew a 3.5-star rating (15 voters; 6,933 total downloads); meanwhile, Zemana AntiLogger was rated at 3 stars (41 voters; 2,456,345 total downloads; 4-star editors’ review), and its free version received 3.5 stars (from editors and also from 17 voters; 11,295 total downloads).  Finally, at Softpedia, SpyShelter Premium averaged a 4.6-star rating from 114 users (4.5 stars from editors; 5,749 total downloads); its free version also averaged 4.6 stars (139 users; 11,332 total downloads; 4.0 stars from editors); Zemana averaged 4.2 stars (225 users, 1,372,275 total downloads; 4.5 stars from editors); and Zemana Free drew 4.3 stars from 71 users (4,722 downloads; no editors’ review).  It appeared that price had tended to steer many users toward Zemana rather than SpyShelter; and between the free and full versions, the slight price differential had made Zemana Full by far the popular choice.

In a look at reviews, I saw that TopTenReviews found Zemana somewhat inferior to SpyShelter in keylogger protection but slightly superior in compatibility with antivirus programs and in protecting financial information specifically.  Their writeup did not clearly explain why they considered one program better than another in such regards.  Writing in 2011, WildersSecurity found SpyShelter more complicated to use.  I sensed that CNET’s editors might concur; Softpedia’s might not; but otherwise I did not find the reviews at CNET or Softpedia helpful.  Another reviewer illustrated how SpyShelter worked.  Raymond tested both programs with 12 different keylogging tools (not including either WebWatcher or SpyAgent).  He found some problems with each, notably including a lack of audio capability in Zemana; he noted SpyShelter’s protection against webcam and VoIP audio hacking; and he made Zemana his first choice.  Among other things, he found both programs ineffectual against keystroke and screen capture done by Elite Keylogger and Advanced Keylogger.  My reading of his reported findings would also have suggested that Zemana was inferior at detecting keylogging by a couple others.  If I had a specific need, I would do a closer reading of capabilities (and might try Zemana’s simulation tests).  But for purposes of just adding a protective layer against present or future keyloggers generally, real or imagined, I would think that Zemana would be fine, and might be superior, for half the price.

On that basis, the question was whether Zemana would detect WebWatcher, my typical keylogger.  A search led back to that WildersSecurity page, which reported that, in tests conducted in 2011, both Zemana and SpyShelter did detect both WebWatcher and SpyAgent.  Another writer reported (in 2012) that Spybot AntiVirus did not detect WebWatcher, but Zemana did.  I had seen references to a sort of arms race, between the keylogging and anti-keylogging software developers, so I had to guess that there would probably be a persistent risk of a breach, most likely minor and/or temporary, even if I did have a solid keylogger in place.  Further research and/or testing would have been necessary to clarify this situation.  Given the number of possible combinations of antivirus, keylogging, and anti-keylogging programs available, and the lack of an immediate need, I decided not to pursue that line of inquiry at the moment.  My tentative conclusion was that Zemana, reportedly easy to use and highly compatible with antivirus software, would be worth having as long as someone was willing to pay $30 for it.  There did not seem to be a good reason not to try the free version, useful up to 64-bit Windows 8.

Defeating and Removing the Typical Keylogger

Once I had decided that my computer was infected with keylogging software, I would want to prevent it from operating and, ideally, would get rid of it.  The preceding section has already addressed some routes to that end:  presumably any number of antivirus and anti-keylogging programs would offer to quarantine or delete files and folders identified as spyware, assuming they did detect them.

But it appeared that the road was not always clear.  For example, the writer (above) who found that Spybot did not detect WebWatcher, but Zemana did, described him/herself as still somewhat “paranoid as to what is on my computer” and how to remove it.  That particular discussion proceeded through an extended period of time (apparently lasting a week or more) during which the people helping the user led him/her through Hijack This! and other relevant programs.  I had often seen this sort of procedure, over the years, in cases of real or suspected malware infection; for example, the earlier post by Mesanore (above) drew a boatload of prescriptions.  As is often the case, it was not clear in that instance which (if any) were necessary and effective.

The WikiHow page had some suggestions, including these:  ask the person who installed the keylogger to remove it, if you know who they are; ask the software developer or vendor to remove it (good luck); or boot the system with a live CD (e.g., Ubuntu – see above) and use its file navigator and search tools to find and move, rename, or delete files and folders specified above, being aware of the risk of system instability caused by the disappearance of an expected file or folder.  Of course, one could also look in Control Panel > Programs and Features to see if WebWatcher was listed there, in which case it could be uninstalled from there.  A good uninstallation program (e.g., Revo Uninstaller) might also provide a solution.  I was not sure whether one could use the approach of installing WebWatcher again (as an administrator, of course), so as to get access to the option of uninstalling it.  It was recommended that the user reboot after uninstalling a keylogger, so as to clear remnants of the program from memory.

Another possibility would be to simply restore an earlier version of the Windows program drive (C).  I was not sure whether the Windows System Restore option (Control Panel > System > Advanced System Settings > System Protection tab) would wipe out keylogging files.  A more solid option would be to restore an earlier drive image, created with a program like Acronis True Image or Macrium Reflect, bearing in mind that such a restoration would permanently eliminate all program changes, installations, and settings that may have accrued in the days, weeks, or months since the image was created.

One source cited registry locations (e.g., HKEY_CURRENT_USER\Software\IT Webwatcher; HKEY_LOCAL_MACHINE\SOFTWARE\IT Webwatcher), accessible via Start > Run > regedit that one might try to delete, in a bid to wipe out traces of keylogging software.  A search for text strings like the ones observed in those locations might reveal other registry locations calling for selective deletion as well.  Since registry editing was risky at any rate, this would ideally happen only on a system whose program drive had been imaged before WebWatcher was installed, so that there would be that fail-safe backup.

Wikipedia noted additional possibilities.  One was the use of a network monitor or reverse firewall, hinted at in the foregoing reference to TCPView, to detect when the keylogger is attempting to convey its data to the server or other external location where the spy would be viewing it.  Restrictions on a keylogger’s outgoing communications would not remove the keylogging program; it would just render the keylogging program useless, pending the time when the user would reinstall Windows or some other operating system and eliminate the keylogger along with every other program previously installed.  Reverse firewalls did not appear to be a topic of wide and passionate interest.

A modified search suggested that the solution here might be, not to find a dedicated outgoing firewall, but rather to choose and configure a standard incoming firewall to restrict certain kinds of outgoing communications.  According to a MakeUseOf article, the Windows Firewall available for free from Microsoft defaulted to allowing all outgoing connections.  Exceptions could be configured manually, but (a) the process was reported to be clunky and (b) Windows Firewall would still fail to notify the user if a specific program was trying to make an outgoing connection.  There appeared to be two possible responses:  either work with Windows Firewall nonetheless, perhaps with the aid of a tool like Windows Firewall Notifier or Windows 7 Firewall Control, or use a third party firewall.

A search led to a list and discussion of several such tools, among which Sphinx Software’s Windows 8 Firewall Control ($29.95) came well-recommended.  For free alternatives, Gizmo gave four (out of five) stars to the free version of Windows 7 Firewall Control and to TinyWall, and gave five stars to the apparently more powerful but more difficult-to-configure PrivateFirewall.  The Windows Club had its own free list:  Comodo, ZoneAlarm, EmsiSoft, and PrivateFirewall.  Neither review mentioned outbound or outgoing control in their discussion of TinyWall.  Its feature list confirmed outgoing control capabilities, and offered a plausible discussion of “security fatigue” in which a user can become overwhelmed with too many requests for confirmation of various external sites.  It seemed that the ideal might be to go with an established product that already had a database of approved and/or unapproved outgoing sites or applications.  Comodo had been overwhelming, the last time I had used it, some years earlier, but now The Windows Club was calling it easy to use, and it was the top firewall at CNET and had a five-star editor’s review (4.5 stars from users) at Softpedia.  Gizmo put it into the more difficult category, but gave it four stars.  I decided to give it another try.  Within a matter of minutes, however, I had succeeded in rendering my system unable to connect with the Internet.  I bailed out of that and tried ZoneAlarm.  For some similar reason, within an hour or two, I was back at Windows Firewall.  In my case, at least, it seemed that the choice and configuration of an outgoing firewall could become a project in itself.

Additional Countermeasures

The foregoing efforts to identify and, where possible, to remove keylogging software might not always succeed.  Despite the best of efforts, some of what is suggested here may still be vulnerable to the criticisms offered in a 2007 document, “Trusteer Anti-Keylogger Myths.”  A keylogger might remain undetected, or despite being detected it might remain installed and might even continue to be active.  Various sources provided suggestions for countermeasures that could help to foil keylogging efforts, regardless of whether any keyloggers were detected or were known to be active.  The preceding discussion has hinted at a number of potential countermeasures, on both the hardware and software levels.

Other countermeasures were listed at Wikipedia, a Carnegie-Mellon webpage, and elsewhere.  While there was the option of using motion-detecting software to email yourself webcam pictures of what was happening in your computer’s vicinity, these countermeasures mostly focused on minimizing or distorting the entry of important information.  The objective here was to avoid entering names, account numbers, and other sensitive data whenever possible.  Automatic form-filling software (in e.g., some web browsers) could aid in this effort:  the program would detect a webpage calling for certain data, and would enter that data without requiring the user to enter keystrokes.  A password manager (e.g., LastPass) would store passwords and enter them, without being either typed or visible onscreen.  One would typically have to log into the password manager, however, unless it had been set to log in automatically – at the risk that anyone gaining physical access to Windows on that machine would then be able to enter any previously entered website without knowing its password.

Other means of minimizing the typing of sensitive data included one-time passwords, speech recognition, handwriting recognition, and mouse gestures.  It was also possible to use keystroke interference software, or to mimic the effect of such software by pausing in the middle of a data entry field to type random characters somewhere else in the window:  the keylogger would pick up the typed characters, but would not necessarily know which of them belonged in the data field, or (with the aid of the mouse) at the beginning or end of the typed string, or selecting and overwriting previously typed gibberish (without using the Delete key).  One person suggested using the Alt-key combination instead of typing letters (e.g., Alt-130 on the numeric keypad = é); I was not sure how that would help.  One could also use the mouse to copy and paste protected data from another window without retyping it.  There was even hardware (e.g., the Byteccc Encryptor keyboard) that would encrypt typed data.  None of these precautions would be foolproof, but collectively they appeared likely to foil some keylogging efforts.

Two other suggestions offered by many sources (e.g., MakeUseOf) were to keep software updated, so that hackers could not bypass firewalls, antivirus software, and other protections; and to change passwords frequently, so that passwords stolen a few days or weeks earlier (from one’s own machine or via security breaches at various companies) would no longer give data thieves access to one’s information.  Along with other suggestions already conveyed above, Wikia suggested that it might be helpful to conduct critical browsing (to e.g., banking websites) by using a portable browser with few if any plug-ins or add-ons.  It also appeared that online banking might be made more secure by more widespread use of the acclaimed Trusteer Rapport program.

Legality and Ethics

The preceding materials have focused on the question of how a person could engage in keylogging and anti-keylogging.  A number of webpages contained information on the question of whether a person should do so.

Certain contexts seemed especially likely to generate an interest in keylogging and other electronic spying.  One was the employment context.  Donna Ballman said that employers tended not only to be using keyloggers, but were also monitoring email and Internet usage, demanding social media (e.g., Facebook) passwords, recording employee conversations, videotaping various  locations within the workplace, and so forth.  Another common spying venue:  the domestic (especially romantic or marital) relationship.  A search led to many indications that people were tempted to check up on their significant others.


Law is often the most cumbersome and least decent line of defense, on the question of what people should do.  That is, those who disregard conscience and social obligation are likely to pause when confronted with the risk of felony conviction; but the law declines to take a stand on many forms of behavior that deserve felony conviction.  This discussion begins, then, with the question of where the line gets drawn, beyond which keylogging becomes illegal.

These paragraphs do not provide a formal legal analysis.  Such an analysis would entail direct inspection of statutes, cases, regulations, and other sources of enforceable law.  This is merely a synopsis of what some blog posts and other articles seemed to say on the question.  A formal legal analysis would depend upon the choice of jurisdiction, since laws varied from one country and state to another.  Accurate legal information for a particular situation would inevitably require intelligent personal legal research and/or consultation with a legal specialist.

A lengthy law review article by Garrie, Blakley, and Armstrong (2006, pp. 216-217) concludes with these words:

The existing tort theories of liability and statutes do not provide consumers an adequate remedy for spyware perpetrators. . . . [G]enerally, the availability of defenses such as authorization based on implied consent in a lengthy, legalistic EULA, eviscerates such relief.  Furthermore, the limited damages available to the consumer reduce the likelihood of finding meaningful representation.  Courts’ interpretations of the statutes are inconsistent, and courts’ applications of tort liability depend upon each of the states’ tort laws.  Even within a state, the federal court and the state court may interpret tort law differently.  Moreover, even if courts allow tort liability, damages are unlikely to be sufficient to deter spyware perpetrators.

Those words refer primarily to “torts” – that is, to civil as opposed to criminal wrongdoing, where a key difference is that the government hires the lawyers and otherwise pays for the costs of prosecuting criminal cases.  The point seems to be that, when people have to hire their own attorneys to pursue the matter, they may find themselves in a murky legal area.  It is apparently not the case that finding a piece of keylogging software or hardware on one’s computer will reliably lead to conviction of the responsible person in every case.

A presumably more recent page posted by a New Jersey law firm seems to sketch out a vaguely commonsense impression that the acceptability of spyware in the marital context depends upon privacy expectations.  For example, the lawyers say (regarding the laws in New Jersey, at least), people have a greater expectation of privacy when their personal emails are on their own computer (as opposed to one available to all family members in the living room), or when the emails are passworded and stored in one’s private email account.  In other words, if you put the stuff out there for everyone to see, don’t complain if they see it.  The concept seems to be that the law protects people against really invasive behavior.

Another principle often cited on webpages is that it is “absolutely illegal” to install keyloggers on others’ computers.  Unfortunately, there are few absolutes in this world.  Are parents subject to conviction in every jurisdiction for installing keyloggers on their children’s computers?  It seems unlikely.  The lawyers (above) cautioned that the law was complex in this area.  It did not seem uniformly safe to just go ahead and spy on one’s spouse.  A North Carolina law firm concurred:

Courts have been all over the place with regard to how to treat emails whose content was obtained through use of a keylogger.  There is conflicting opinion as to whether it matters it the emails had been opened and whether they were stored manually or saved by the Internet service provider. . . .

Our advice is to proceed with caution.  This is an area of the law with a lot of unknowns.  With regard to federal law, the answer to the question of the legality of keyloggers is very unclear.  Some courts read the statutes narrowly, others more broadly.  Until there are clearly defined rules, either through judicial opinions or legislation, it is unclear whether use of a keylogger will result in liability . . . .

Even if you aren’t found to have [criminally] violated a federal law, you can still be found guilty of violating the state law addressing computer related crimes, and you may face liability with regard to common law tort claims.  Because use of keyloggers can implicate several state and federal laws, we advise you to stay away from using keyoggers to catch your spouse in the act of cheating.

So, for example, we have felony charges for a guy who keylogged his girlfriend’s computer, and the FBI most-wanted hacker who wrote software for the purpose.  There appears to be comparable uncertainty surrounding the use of keyloggers in the workplace.  According to Lichter (n.d.),

The conflict of interpretations between jurisdictions leaves people in many states vulnerable to invasive employer spying. It also creates a lack of clarity for employers and employees regarding what is considered lawful conduct. . . . Courts in some jurisdictions have declined to take the step to prohibit the surreptitious use of keyloggers, despite the apparent option to apply state legislation. This posture leaves individuals vulnerable to having their private information exploited by their employers.

In other words, the law governing an individual’s situation may not be decided until s/he goes ahead, uses the keylogger, gets caught, hires a lawyer, and proceeds to trial.  Of course, trials are very expensive.  It may be quite likely that the law governing that individual’s case will not in fact be decided – that the parties will instead work out a settlement, with one party paying the other instead of racking up huge legal bills.

For further reading on relevant law, one might consider Chapter 2 of Harper et al. (2011), Gray Hat Hacking:  The Ethical Hacker’s Handbook.


These observations lead to the question of practicalities.  Some people may decide that there is not much risk of getting caught and/or that the information gained (even if not admissible in court) will be valuable nonetheless.  As something of an example, the guy caught spying on his girlfriend said this:  “I didn’t realize that it was illegal when I did it, and I just wanted to catch her cheating on me, which I did.”

Much of law is at least allegedly based on ethics, and ethical considerations may be the only guide when the law ceases to provide a practical and effective guide to conduct.  On the other hand, ethics is a branch of philosophy, which pretty much guarantees that people can arrive at very different conclusions for seemingly sensible reasons.  For instance, even if the law does not protect a right to privacy, one may feel quite strongly that such a right is to be protected; yet meanwhile, his/her spouse or employer may have a comparably strong interest in knowing the truth.

A search led to a Gecko Monitor page that said this:  “You might consider monitoring your employees’ computers if you are worried about time wasting or productivity issues. . . . You may also be concerned about your employees revealing sensitive information about your company to other people.”  These remarks seem commonsensical within business as usual in the U.S.  Yet some may question such views.  If an employer is indeed concerned about productivity, presumably s/he is aware of research indicating that breaks from the grind can enhance productivity.  There may be a question of whether the employer is indeed focusing on productivity (and, for that matter, on good human resource practices) or is instead manifesting a potentially abusive urge to control.  (I did not explore the research in this field sufficiently to determine whether alleged increases in productivity from keylogging would diminish over the long term, after taking into account such factors as employee attrition.)  But how about “revealing sensitive information”?  It sounds good, if one visualizes theft of trade secrets.  Not so good, though, if the people receiving the information are reporters or prosecutors investigating corporate malfeasance, fraud, or other deplorable practices indulged at the expense of employees, consumers, or the public.

The gist of such remarks is that ethical quandaries may be better decided on a case-by-case basis rather than by deduction from general principles.  For example, it could often be true that one should not steal.  Yet there may be a case in which stealing is the lesser of two evils.  Stealing malicious code from a malevolent hacket, for example, could be crucial to the protection of thousands of innocent software users.  Hence one contemplates the Ten Commandments of Computer Ethics:

1. Thou Shalt Not Use A Computer To Harm Other People.  Which would make it unethical to use computers in war.  When the need to defend oneself against aggressors goes away, then perhaps the defensive use of computers to harm other people can be ethically prohibited.

2. Thou Shalt Not Interfere With Other People’s Computer Work.  End of LOLcats.

3. Thou Shalt Not Snoop Around In Other People’s Computer Files.  Who needs detectives, anyway?

4. Thou Shalt Not Use A Computer To Steal.  Uh-oh.  End of corporate America.

5. Thou Shalt Not Use A Computer To Bear False Witness.  “In a new interview today, Sarah Palin refused to endorse Chris Christie. Afterward, Christie told Palin, ‘Thanks, I owe you one.'” –Conan O’Brien

6. Thou Shalt Not Copy Or Use Proprietary Software For Which You have Not Paid.  I’ll tell my boss that I can’t work on his computer, because I didn’t buy the software.

7. Thou Shalt Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.  OK, if you lawyer it to death, you probably can come up with a commandment that works most of the time.

8. Thou Shalt Not Appropriate Other People’s Intellectual Output.  Sorry, Conan.  I didn’t mean to be appropriating your joke.  (Actually, that’s a lie.)

9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.  But thou shalt not be deterred if your socially deleterious work will help you defeat people who are even less likely to care about the social consequences of what they are doing.

10. Thou Shalt Always Use A Computer In Ways That Insure Consideration And Respect For Your Fellow Humans.  Which, if you can’t spell, may mean not using it at all.

Seriously, the message is that general principles can be problematic in real-world situations.  It is not that such principles are invariably wrong.  They aren’t.  It is just that their use needs to be modulated in light of situational specifics.

To clarify one point, there is a difference between ethics and morals, and much of what is called “ethics” is actually “morals.”  One way of seeing the difference is that ethics are negotiated guidelines that may incorporate compromises among different ways of seeing things.  So, for example, in practice, the lawyer’s ethical requirement of defending his/her client often works very much against the moral duty to tell the truth.  We have an immoral ethical principle for lawyers because society has decided that there is no substitute for a motivated advocate who focuses on his/her client’s best interests.

There are other codes.  Some may be better than the ten commandments critiqued above.  For example, the Australian Computer Society has a Code of Professional Conduct based on six values, each of which was discussed in some detail in the source text:

1. The Primacy of the Public Interest

You will place the interests of the public above those of personal, business or sectional interests.

2. The Enhancement of Quality of Life

You will strive to enhance the quality of life of those affected by your work.

3. Honesty

You will be honest in your representation of skills, knowledge, services and products.

4. Competence

You will work competently and diligently for your stakeholders.

5. Professional Development

You will enhance your own professional development, and that of your staff.

6. Professionalism

You will enhance the integrity of the ACS and the respect of its members for each other.

Surreptitious keylogging could violate several of these principles, regardless of what the law says.  Does keylogging serve the public interest?  Does it enhance the quality of life for those affected?  Is it honest?  A counterpoint to such principles may be that keylogging done by a beleaguered spouse or employer would begin with a question of whether keylogging enhances one’s own life and interests, against the depredations of a spouse, employee, or other opposing party – if, that is, that party does seem to deserve the distrust and intrusion.


There appeared to be many ways to engage in keylogging.  They varied in effectiveness and invasiveness.  While some applications might be relatively defensible (e.g., protecting a clearly wayward child from unknown and potential lethal threats online), others clearly could not pass the smell test:  they exposed private acts, and even private thoughts, to a degree that could not be reaslistically called respectful, beneficial, or honest, though they might nonetheless offer a degree of protection and/or information to the spouse or other victim of an abuse of trust.  Against these powerful tools, the law offered a vague threat:  if you do the wrong thing, and get caught, you might be prosecuted; you might also be sued, although perhaps only by someone with the money for an expensive civil lawsuit; and the law governing such matters might best be divined through unlikely prior consultation with a cyberlaw expert in your jurisdiction.  It appeared that, on the day-to-day level, people tempted to engage in keylogging, or to be subjected to it (in e.g., an employment context), might be advised to begin with the question of whether this sort of activity would be consistent, over the long term, with the sort of life situation that one wishes for oneself.

This entry was posted in Uncategorized and tagged , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s