🛡️ Keylogger Detector


A Windows-based 3-layer keylogger detection tool that scans running processes, Windows Registry startup entries, and the filesystem for keylogger-like indicators.


📸 Preview

╔══════════════════════════════════════════╗
║     🛡️  KEYLOGGER DETECTOR              ║
║     Windows Process & Registry Scanner  ║
╚══════════════════════════════════════════╝

  [1/3] Scanning running processes...
     ⚠  1 suspicious process(es) found

  [2/3] Scanning Windows Registry startup entries...
     ✅ No suspicious startup entries detected

  [3/3] Scanning common malware directories for suspicious files...
     ✅ No suspicious files detected

  ════════════════════════════════════════════════════════════
  KEYLOGGER DETECTION REPORT
  ════════════════════════════════════════════════════════════

  🔴 SUSPICIOUS PROCESSES (1 found):

    [HIGH] spyagent.exe
      PID    : 4821
      Path   : C:\Users\user\AppData\Roaming\spyagent.exe
      Reason : Matches known keylogger name: 'spyagent'

🚀 Features

  • Layer 1 — Process Scanner: Checks all running processes against a database of known keylogger names and suspicious keywords
  • Layer 2 — Registry Scanner: Reads Windows startup registry keys where keyloggers hide to auto-start on boot
  • Layer 3 — File Scanner: Walks AppData, Temp, and ProgramData for suspicious filenames
  • ✅ Risk ratings — HIGH vs MEDIUM flags
  • ✅ Actionable remediation steps when threats are found
  • ✅ Colour-coded terminal report

⚙️ Installation & Usage

Requirements

  • Python 3.8+
  • Windows OS

Install dependencies

pip install psutil pywin32

Run it

git clone https://github.com/yourusername/keylogger-detector.git
cd keylogger-detector
python keylogger_detector.py

💡 Run as Administrator for full registry and process access


🔍 What It Scans

Layer 1 — Running Processes

Checks every active process using psutil against:

  • A list of known keylogger/spyware executable names
  • Suspicious keywords in process names and file paths

Layer 2 — Registry Startup Keys

Reads these Windows Registry locations:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Keyloggers register here to survive reboots.
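
One way the Layer 2 check could be written, as an added example rather than the code in keylogger_detector.py: it enumerates the four keys above with winreg, extracts the executable from each value (quoted or unquoted, with arguments), and rates it. The function names, the keyword list, and rating keyword hits as MEDIUM are assumptions; 'spyagent' is the only known name taken from the preview above.

```python
import sys

# Run/RunOnce locations listed in the README.
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = [("HKCU", "Run"), ("HKLM", "Run"), ("HKCU", "RunOnce"), ("HKLM", "RunOnce")]
KNOWN_NAMES = {"spyagent"}          # the one name shown in the README preview
KEYWORDS = ("keylog", "keystroke")  # assumed keyword list, not the project's

def exe_from_command(command):
    """Pull the executable path out of a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ", 1)[0]

def classify(value_name, command):
    """Return (risk, reason), or None when no indicator matches."""
    path = exe_from_command(command).lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem in KNOWN_NAMES:
        return ("HIGH", f"Matches known keylogger name: '{stem}'")
    for kw in KEYWORDS:  # substring hits are weaker evidence: MEDIUM (assumed)
        if kw in path or kw in value_name.lower():
            return ("MEDIUM", f"Suspicious keyword: '{kw}'")
    return None

def scan_run_keys():
    """Enumerate the four keys (Windows only) and classify every value."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    findings = []
    for hive, leaf in RUN_KEYS:
        subkey = RUN_SUBKEY + "\\" + leaf
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    hit = classify(name, str(data))
                    if hit:
                        findings.append((f"{hive}\\{subkey}", name, data, *hit))
        except OSError:  # key absent, or access denied when not elevated
            continue
    return findings

if __name__ == "__main__" and sys.platform == "win32":
    for finding in scan_run_keys():
        print(finding)
```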

Layer 3 — Filesystem

Scans these common malware hiding spots:

  • %APPDATA%
  • %TEMP% / %TMP%
  • C:\Windows\Temp\
  • C:\ProgramData\

📁 Project Structure

keylogger-detector/
│
├── keylogger_detector.py   # Main script
└── README.md               # This file

🧠 What I Learned

  • How keyloggers achieve persistence using Windows Registry Run keys
  • How to enumerate and inspect processes using psutil
  • How to read the Windows Registry using Python's winreg module
  • Common directories malware uses to hide on Windows
  • The difference between heuristic detection and signature-based detection

⚠️ Disclaimer

This tool is for educational and defensive purposes only. It detects indicators — some legitimate software may trigger flags. Always verify before deleting any files or registry entries.


📄 License

MIT — free to use, modify, and distribute.
