SecurityBeginner25 min read

What Is Keylogger? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A keylogger is a tool that secretly records everything you type on your computer keyboard. It can be a software program or a small physical device. The person who installed it can then see your passwords, messages, and other private information. Keyloggers are a common cybersecurity threat that IT professionals must know how to detect and prevent.

Commonly Confused With

KeyloggervsSpyware

Spyware is a broad category of software that secretly monitors user activity and collects information without consent. A keylogger is a specific type of spyware that focuses only on capturing keystrokes. Spyware can also include screen scrapers, webcam hijackers, and location trackers. Not all spyware is a keylogger, but all keyloggers are spyware.

If a program watches where you click and what websites you visit, it is spyware but not necessarily a keylogger. If it records every character you type, it is a keylogger.

KeyloggervsRootkit

A rootkit is a type of malware that hides its presence and gives an attacker persistent, privileged access to a system. While a rootkit can be used to hide a keylogger from detection, they are different tools. A keylogger focuses on capturing keystrokes, while a rootkit focuses on concealment and access control. A keylogger may be a component of a rootkit, but not all keyloggers are rootkits.

Think of a rootkit as a secret hiding place inside a house, and a keylogger as a camera that records who enters and leaves. The keylogger can be hidden using the rootkit, but the rootkit itself does not record keystrokes.

KeyloggervsTrojan

A Trojan is a malicious program disguised as legitimate software. Trojans are often used to deliver other types of malware, including keyloggers. A keylogger can be delivered by a Trojan, but the keylogger is the payload, not the delivery method. If an exam question describes a program that looks like a game but secretly records keystrokes, the correct label is a Trojan that contains a keylogger.

A free PDF converter you downloaded from an untrusted website might be a Trojan. When you run it, it installs a keylogger in the background. The Trojan is the candy wrapper; the keylogger is the poison inside.

Must Know for Exams

Keyloggers appear in several major IT certification exams, and understanding them is not optional if you aim for a high score. In the CompTIA Security+ exam (SY0-601 and SY0-701), keyloggers are explicitly listed under the domain of "Attacks, Threats, and Vulnerabilities" as a type of malware. You can expect multiple-choice questions that ask you to define a keylogger, identify the type of attack it represents, or select the best countermeasure from a list. For example, a typical question might read: "An employee notices that their password was changed without their knowledge, and later a hardware device is found attached to their keyboard cable. What type of attack has occurred?" The correct answer is a keylogger attack. They also test your knowledge of prevention methods, such as using two-factor authentication or an on-screen keyboard.

In the Certified Ethical Hacker (CEH) exam, keyloggers are covered in more depth. You may be asked to demonstrate how to install a keylogger as part of a penetration testing engagement, or to analyze a scenario where a keylogger was used to capture credentials. The exam expects you to understand different software keyloggers like Ardamax or Refog, and to know how to detect them using tools like Process Monitor or netstat to look for suspicious network connections. You might also encounter a question about how to deploy a hardware keylogger during a social engineering test.

In the CISSP exam, keyloggers are relevant to the Identity and Access Management (IAM) domain and the Security Operations domain. The focus shifts to the broader implications for organizational security. A question might describe a situation where a keylogger was found on a server, and ask you to determine the appropriate incident response steps. Alternatively, you might need to evaluate the effectiveness of different authentication mechanisms in the presence of a keylogger, such as why smart cards or biometrics are more secure than passwords alone.

Other exams like the Certified Information Systems Auditor (CISA) might also touch on keyloggers in the context of auditing security controls. You could be asked to review a company's policy on software installation and identify gaps that would allow a keylogger to be installed. Always remember that exam authors like to present keyloggers in scenarios involving public computers, shared workstations, or suspicious USB devices. They also often combine keyloggers with social engineering attacks, where an attacker tricks a user into installing a program that contains a hidden keylogger. Being able to recognize these patterns will help you answer correctly.

Simple Meaning

Imagine you are sitting at your desk writing a private letter. You type each word carefully, one letter at a time. Now imagine there is a tiny camera hidden inside your keyboard that takes a picture of every single key you press, and then sends those pictures to someone else. That is basically what a keylogger does.

A keylogger captures all the keystrokes you make on your keyboard. Keystrokes are just the individual presses on keys like the letter A, the number 9, or the Enter key. When you type a password like "MyP@ssw0rd", a keylogger records every letter, number, and symbol in the exact order you type them. The person who put the keylogger on your computer then gets a complete list of everything you typed.

There are two main kinds of keyloggers: software-based and hardware-based. A software keylogger is a program that runs secretly in the background of your computer. It might be a virus, a piece of spyware, or even a legitimate monitoring tool used by a company to watch its employees. Hardware keyloggers are small electronic devices that you physically plug in between your keyboard and your computer, often on the keyboard cable. They look like an ordinary adapter, so they can be very hard to spot.

Keyloggers matter to everyday people because they can be used to steal online banking credentials, email passwords, credit card numbers, and private messages. For IT certification learners, understanding how keyloggers work is essential because you will need to protect systems from them, detect when they are present, and respond to security incidents involving them. Think of a keylogger as a secret spy sitting inside your keyboard, and your job as an IT professional is to find that spy and remove them.

Full Technical Definition

A keylogger, also known as keystroke logging software or hardware, is a form of surveillance technology that records every keystroke made on a computer keyboard. Technically, keyloggers can operate at various levels of the operating system and hardware stack, making them difficult to detect with standard antivirus tools.

From a low-level perspective, a hardware keylogger is a physical device, often a small adapter or inline connector, that is placed between the keyboard cable and the computer's USB or PS/2 port. These devices contain a microcontroller and flash memory that captures the electrical signals sent by the keyboard when a key is pressed. When the keystroke data is stored, an attacker can later physically retrieve the device and download the captured logs. Hardware keyloggers are especially dangerous because they do not rely on any software on the target computer, so they are invisible to operating system security tools.

Software keyloggers, on the other hand, are programs that run as background processes on the operating system. They can capture keystrokes by several methods. One common technique is hooking into the keyboard input chain at the kernel level using a device driver or a filter driver. In Windows, for example, a software keylogger might use a global hook via the SetWindowsHookEx API function to intercept all keyboard messages before they reach any application. On Linux, similar functionality can be achieved using ptrace or by reading from the /dev/input/event devices directly. Modern software keyloggers are often bundled with trojans, rootkits, or other malware to avoid detection and to escalate privileges.

From a network and security perspective, some keyloggers transmit captured data over the internet to a remote server controlled by the attacker. This can happen over HTTP, HTTPS, FTP, or even custom protocols using port knocking techniques. Advanced keyloggers may encrypt the keystroke data before sending it to avoid detection by network monitoring systems.

Detection and mitigation of keyloggers are critical skills covered in certification exams like CompTIA Security+, CISSP, and CEH. IT professionals use a combination of antivirus scans, anti-malware tools, host-based intrusion detection systems (HIDS), and behavioral analysis to identify suspicious processes. Techniques include checking for unknown device drivers, monitoring network traffic for unusual outbound connections, and using hardware-based security tokens to encrypt keystrokes at the input level. Virtual keyboard and two-factor authentication are common countermeasures that reduce the value of captured keystrokes, because even if a password is logged, the attacker still needs the second factor.

Real-Life Example

Picture this: You are at a public library using one of their computers to log into your email. You sit down, and you see a small, innocuous-looking dongle plugged into the back of the keyboard cable. It looks like an ordinary USB extension adapter, so you think nothing of it. You type your email address and password, then check your messages and log out. Later that week, someone starts sending emails from your account and you realize your password has been stolen. That little dongle was a hardware keylogger, and it recorded every single character you typed, including your password, your email recipient addresses, and even the text of the message you sent.

This is exactly how keyloggers work in the real world. The dongle is like a tiny digital tape recorder. Your keyboard is like a microphone that produces electrical signals when you press keys. The dongle captures those signals and writes them to its own memory. When the attacker returns to the library, they simply unplug the dongle, take it home, and plug it into their own computer to read all the recorded keystrokes.

In the IT world, the same concept applies but often in digital form. Instead of a physical dongle, the keylogger is a piece of software that runs on your computer, listening to every keystroke as you type. It might be hidden inside a download you thought was a free game or a PDF reader. Just like the library dongle, the software records everything you type and either stores it locally for later retrieval or sends it over the internet to the attacker. The mapping is straightforward: the software keylogger acts as the spy, the keyboard is still the input device, and your computer becomes the tool that delivers the secret recording to the thief.

Why This Term Matters

Keyloggers matter in the IT security landscape because they represent a direct threat to the confidentiality of user credentials and sensitive data. Unlike many other types of malware that might try to exploit system vulnerabilities, keyloggers target the most fundamental user interaction: typing on a keyboard. Since passwords, credit card numbers, social security numbers, and confidential business documents are all entered via keystrokes, a successful keylogger infection can compromise an entire organization's security posture.

For IT professionals, understanding keyloggers is crucial because they are often used in targeted attacks against high-value individuals such as network administrators, executives, or employees with access to financial systems. A single compromised keystroke log can lead to a full network breach if an attacker obtains domain administrator credentials. This is why many organizations implement additional security measures like virtual on-screen keyboards for entering passwords, especially on public or shared computers. IT support staff must also know how to inspect workstations for signs of hardware keyloggers during routine maintenance, such as checking for unusual USB devices or looking for inline connectors on keyboard cables.

From a certification exam perspective, keyloggers frequently appear in questions about types of malware, attack vectors, and defense mechanisms. The CompTIA Security+ exam, for example, lists keyloggers under the category of malware and expects you to know how they operate and what countermeasures to apply. In the CEH (Certified Ethical Hacker) exam, you might be asked to demonstrate how a keylogger could be deployed as part of a social engineering attack or a penetration test. Even in the CISSP exam, the concept relates to the domain of access control and cryptography, because keylogging bypasses the confidentiality of the authentication process.

Ultimately, keyloggers matter because they are a real, persistent threat that is easy to deploy and hard to detect. As IT professionals, you need to be equipped with the knowledge to protect systems against them, to educate end users about safe computing practices, and to respond effectively if a keylogger is discovered. Your certification exams will test this knowledge, and your future job may depend on it.

How It Appears in Exam Questions

On certification exams, keylogger questions typically fall into three categories: definition, attack scenario, and countermeasure. In definition questions, you might be asked directly: "Which type of malware records all keystrokes on a system?" The choices might include spyware, ransomware, keylogger, or rootkit. The correct answer is obviously keylogger, but the exam might try to confuse you by offering 'spyware' as a broader category. A keylogger is a specific type of spyware, so you need to choose the most specific correct answer.

Attack scenario questions are more common on exams like Security+. They usually describe a situation where a user's credentials have been compromised, and you need to identify the attack vector. For example: "A user at a public kiosk reports that their online banking account was accessed by an unknown person. The security team finds a small device attached to the back of the computer tower. What is the most likely cause?" This is a clear signal for a hardware keylogger. Another scenario might involve an employee who downloaded a free screensaver, after which the employee's passwords were stolen. That points to a software keylogger delivered via a Trojan.

Countermeasure questions ask you to choose the best way to protect against keyloggers. You might see: "Which of the following is the most effective method to prevent keyloggers from capturing passwords?" Options could include: (A) Using a password manager, (B) Enabling full disk encryption, (C) Using a virtual on-screen keyboard, (D) Installing a firewall. The best answer is often the on-screen keyboard because it bypasses the physical keyboard input, so a keylogger cannot capture keystrokes that never happen on the keyboard. However, some exams also test that two-factor authentication makes keyloggers less effective because the attacker still needs the second factor.

Troubleshooting questions are less common but appear on technical exams. For example, you might be given a log file showing a process named "keylog.exe" and asked to determine its impact or how to remove it. You could also be shown a network traffic capture with frequent small outbound packets to an unknown IP address, and asked what type of malware is likely causing it. Recognizing that pattern is key.

Finally, some exams include performance-based questions where you need to identify a keylogger on a simulated system. You might have to check running processes, examine startup items, or scan USB devices. In these questions, you need to know that keyloggers often hide their processes under legitimate-sounding names like "svchost.exe" or "services.exe" to avoid detection. Practical familiarity with using tools like Task Manager, Process Explorer, and netstat is invaluable.

Practise Keylogger Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as a junior IT support technician for a medium-sized company. One morning, you receive a ticket from the finance department. An employee named Maria says that her computer has been acting strangely ever since she plugged in a USB flash drive she found in the parking lot. She is worried because she just changed her password for the accounting software yesterday, and today she cannot log in at all. Her account seems to have been locked out due to too many failed login attempts.

As you walk to Maria's desk, you recall from your Security+ studies that this is a classic sign of a keylogger attack. The USB drive she plugged in likely contained a software keyloader disguised as an innocent file. When she opened the file, the keylogger installed itself on her computer and began recording every keystroke she typed, including her new password for the accounting system. The attacker then used that password to try to log in repeatedly, which triggered the account lockout.

You arrive at Maria's desk and ask her to show you the USB drive. She hands it to you, and you immediately put it into a sealed evidence bag. You then run an antivirus scan on her computer, but it comes back clean. This does not surprise you, because many keyloggers are designed to evade standard antivirus signatures. Next, you open Task Manager and look for suspicious processes. You notice a process called "winlogon32.exe" running, which looks odd because the legitimate Windows process is named "winlogon.exe". You also check the startup programs and find an entry pointing to an executable in the AppData folder.

You decide to use a dedicated anti-malware tool that specializes in spyware detection. It identifies and removes the keylogger. You then guide Maria to reset her password again, this time using the on-screen keyboard built into Windows to prevent any future keyloggers from capturing her input. You also remind her never to plug in unknown USB devices. You document the incident and report it to your security team, who decide to perform a full scan of the network for other possible infections. This scenario shows how a keylogger can be introduced through a simple social engineering trick and how an IT professional must use multiple detection techniques to find and remove it.

Common Mistakes

Thinking that having antivirus software installed automatically protects against all keyloggers.

Antivirus software primarily relies on signature-based detection, which means it can only catch known keyloggers that have been previously analyzed and added to its database. Many advanced or custom keyloggers are designed to evade antivirus detection by using obfuscation, encryption, or rootkit techniques. A zero-day keylogger that has never been seen before will not be flagged by traditional antivirus.

Always use a layered defense approach. Combine antivirus with anti-malware tools that use behavioral analysis, enable host-based intrusion detection, and educate users about safe computing practices. Relying on one tool is not enough.

Believing that unplugging the keyboard will stop a hardware keylogger from capturing data.

A hardware keylogger is placed in-line between the keyboard and the computer. It captures keystrokes as they travel from the keyboard to the computer. Even if you unplug the keyboard, the keylogger still has stored all previous keystrokes in its internal memory. Unplugging the keyboard only stops new keystrokes from being captured, but the recorded data is already there and can be retrieved later.

Physically inspect all keyboard cables and connectors for unfamiliar devices. If you suspect a hardware keylogger, do not simply remove the keyboard. Instead, safely remove the entire device and hand it over to a security professional for forensic analysis.

Assuming that using a password manager makes you completely safe from keyloggers.

Password managers help by auto-filling credentials, so you do not need to type them manually. However, if the password manager itself stores the master password, and you have to type that master password once to unlock the vault, a keylogger can capture that single critical input. Many password managers copy passwords to the clipboard, and there are keyloggers that can also monitor clipboard activity. So while password managers reduce risk, they do not eliminate it.

Use a password manager with strong encryption, but also implement multi-factor authentication. Avoid typing the master password on untrusted computers. Use a virtual on-screen keyboard for entering the master password if possible.

Confusing a keylogger with a screen scraper or spyware that only takes screenshots.

A keylogger specifically records keystrokes, while a screen scraper captures screen images. Spyware is a broader category that might include keyloggers, screen scrapers, and other monitoring tools. An exam question might describe a tool that takes periodic screenshots of the user's screen, which is not a keylogger. Mixing up these terms can lead to wrong answers.

Always focus on the mechanism. If the description mentions recording keystrokes, it is a keylogger. If it mentions capturing screen images, it is a screen scraper. If it mentions both or general monitoring, it is spyware. Learn the precise definitions for each term.

Exam Trap — Don't Get Fooled

{"trap":"The exam may ask which countermeasure is most effective against keyloggers, and offer 'full disk encryption' as one of the options. Many learners assume that encrypting the hard drive would protect the keystroke data, but that is wrong.","why_learners_choose_it":"Full disk encryption sounds like a strong security measure.

Learners think that if the keystrokes are stored on the hard drive (for a software keylogger), encryption would prevent the attacker from reading the log file. This reasoning is plausible but flawed because the keylogger runs when the system is already decrypted and operational, so it can write to the unencrypted file system in real time. The encryption only protects data when the computer is off."

,"how_to_avoid_it":"Remember that full disk encryption protects data at rest, not data in use. A keylogger captures keystrokes as they happen and either stores them in memory or writes them to a file while the system is running and the drive is decrypted. The correct countermeasure is to use a virtual on-screen keyboard, which eliminates the physical keyboard input that a keylogger targets, or to implement two-factor authentication so that even if keystrokes are stolen, the attacker cannot access the account."

Step-by-Step Breakdown

1

1. Installation

The keylogger is installed on the target system. For software keyloggers, this could happen via a malicious download, a phishing email attachment, or an infected USB drive. Hardware keyloggers are physically attached between the keyboard and the computer. This step is the initial point of compromise.

2

2. Privilege Escalation

Many keyloggers attempt to gain administrative or kernel-level privileges. This allows them to capture keystrokes at a low level of the operating system, before any application can process them. Without these privileges, the keylogger might only capture keystrokes within user-mode applications, which can be easier to detect.

3

3. Keystroke Capture

The keylogger begins recording every key press. Software keyloggers hook into the keyboard input chain, while hardware keyloggers intercept the electrical signals traveling over the keyboard cable. Each keystroke is logged with a timestamp and possibly the active window title.

4

4. Data Storage

Captured keystrokes are stored in a log file on the system (for software keyloggers) or in the device's internal flash memory (for hardware keyloggers). The log file is often hidden in a directory with a innocuous name, or the data is written to a hidden partition to avoid detection.

5

5. Data Exfiltration

The attacker retrieves the captured data. For software keyloggers, this may involve sending the log file over the internet to a remote server via email, FTP, or HTTP. Hardware keyloggers require physical retrieval of the device. The attacker then analyzes the log to extract passwords, credit card numbers, and other sensitive information.

Practical Mini-Lesson

As an IT professional, knowing how to detect and respond to keyloggers is a practical skill that goes beyond passing exams. In the real world, you might be called to investigate a user's computer that is suspected of being compromised. The first step is always to identify the symptoms. Users often complain of slow performance, unexpected password changes, or suspicious account activity. However, keyloggers can be stealthy and may not cause noticeable symptoms at all.

Your detection toolkit should include both software and hardware inspection techniques. Start by checking the physical ports on the computer. Look at the keyboard cable connection at the back of the computer case. If you see a small dongle or adapter that looks out of place, that could be a hardware keylogger. Compare it with known good devices. Hardware keyloggers are often the size of a standard USB male-to-female adapter and have no visible brand markings.

For software detection, use Task Manager or Process Explorer to review running processes. Look for processes with names similar to legitimate system processes but slightly different, such as "svch0st.exe" instead of "svchost.exe". Also examine startup programs using tools like Autoruns from Microsoft Sysinternals. Many keyloggers add themselves to startup to survive reboots. Run a scan with a dedicated anti-malware tool like Malwarebytes or Spybot Search & Destroy, which are more effective at detecting spyware than general antivirus.

Network monitoring is also valuable. Use netstat or a tool like Wireshark to look for persistent outbound connections to unknown IP addresses, especially on ports like 80, 443, or 21. A keylogger that exfiltrates data will create periodic outbound traffic. You can also check the Windows Event Log for unusual service installations or driver loading events.

Once you have identified a keylogger, the response should follow your organization's incident response plan. Typically, you would disconnect the computer from the network immediately to prevent further data exfiltration. Do not turn off the computer because that might destroy forensic evidence in memory. Instead, capture a memory dump and a disk image for analysis. Remove the keylogger using appropriate tools, but keep in mind that some keyloggers are resilient and may require a full system reimage to ensure complete removal. Finally, reset all passwords that were typed on that computer and enforce multi-factor authentication as an additional safeguard.

What can go wrong? If you do not properly isolate the infected machine, the attacker might have time to steal more data or pivot to other systems on the network. If you miss a hardware keylogger during physical inspection, it could continue capturing keystrokes from the next user. Also, if you simply delete a software keylogger without analyzing how it got there, the same infection vector could be used again. Always treat a keylogger incident as a full security breach and conduct a root cause analysis.

Memory Tip

K for Keystrokes, L for Log, R for Record. 'KLR', Think 'KLR' as 'Key Logger Records' every tap you make.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Can a keylogger be installed without me noticing?

Yes, most keyloggers are designed to be stealthy and run silently in the background. They may not show any visible windows or icons, and they often disguise their processes with names that look like legitimate Windows processes. This is why they are so dangerous.

Is my smartphone vulnerable to keyloggers?

Yes, smartphones can be infected with keyloggers as well, especially on Android devices where users can install apps from outside the official store. On-screen keyboard apps can be malicious and record everything you type. iPhones are generally more protected, but jailbroken devices are vulnerable.

Will a firewall stop a keylogger?

A firewall can help if the keylogger tries to send data over the network, but many keyloggers use common ports like HTTP or HTTPS, which are usually allowed through firewalls. A firewall alone is not sufficient protection, but combined with network monitoring it can provide an alert.

Does using incognito mode in a browser protect against keyloggers?

No, incognito mode only prevents your browser from saving your history and cookies locally. It does not prevent a keylogger from capturing keystrokes as you type. Your passwords and other inputs are still recorded by the keylogger regardless of your browser settings.

What is the difference between a keylogger and a form grabber?

A keylogger captures every keystroke globally across the entire system. A form grabber specifically targets web form submissions by intercepting data before it is sent over the internet. Form grabbers are often used by banking trojans. Both are types of credential-stealing malware, but they operate at different levels.

Can keyloggers capture passwords entered using copy-paste?

Some advanced keyloggers can also monitor clipboard activity. If you copy a password and paste it, the keylogger may record the pasted content. However, basic keyloggers only capture keystrokes, so copying and pasting can bypass them. This is why using a password manager with auto-fill is a good practice.

Summary

A keylogger is a stealthy tool, either software or hardware, that records every keystroke a user makes on a keyboard. It is a serious security threat because it targets the most fundamental input method for passwords, confidential messages, and sensitive data. Understanding how keyloggers work is essential for anyone pursuing an IT certification, as they appear in exams like CompTIA Security+, CEH, and CISSP, often in questions about attack identification, detection, and countermeasures.

For the exam, remember that keyloggers are a specific type of spyware, and the most effective countermeasures include using virtual on-screen keyboards, implementing two-factor authentication, and physically inspecting hardware for suspicious devices. Do not rely solely on antivirus or full disk encryption, as these have limitations. Practice identifying keylogger symptoms such as unknown processes running in the background and unexpected outbound network connections.

The final takeaway is that keyloggers represent a real-world threat that IT professionals must be equipped to handle. By learning the detection techniques and response procedures, you not only improve your exam scores but also prepare yourself to protect your future organization from data breaches. Stay vigilant, use layered security, and never underestimate the danger of a hidden keystroke recorder.