Scheduled keylogger

Hello,

I need a keylogger script that knows the schedule.

I want to save all the data entered and copied from the keyboard.

To give an example: let the keylogger run for an hour. After an hour, let it save the data it received in a txt file. When it makes this recording, the name of the txt file should be the date of that day.

There should be no limit on the keylogger’s runtime. It shouldn’t be less than twelve hours.

The language of our country is Turkish. When saving the data taken from the keyboard, it should also properly save Turkish characters.
Like [ç, ğ, ı, ö, ş, ü]

Can you help with this topic?

I wish you good work

Hi @hguler07,

Thanks for your script request. We have asked our script developers to check and provide feedback.

Kind Regards,
PremJK

Hi hguler07,

Please try this script prepared by our script developers and provide your feedback
https://scripts.itarian.com/frontend/web/topic/script-to-enable-keylogger

Kind Regards,
PremJK

Hello,

Yes, I am reviewing the scripts you have written. I’ve seen this post before, I’ve tried it and I’ve seen that it doesn’t work. That’s why I made a separate request.

I’m running the script file. It says successful, but I cannot find the keylogger.txt file at the specified file path (“C:\ProgramData\keylogger.txt”).

I don’t know how long this script has been recording. If we can determine the period of registration, can you tell me how to do this?

But as I said, I’m testing it on myself. The keylogger.txt file does not appear. Can you help me with this?

I am attaching the relevant screenshots

Hi @hguler07,

We have shared your request with our script developers to provide their input, and will update you here.

Kind Regards,
PremJK

Hello @hguler07

I have a similar script I have updated and used. You or anyone else is welcome to use it if it will work for your needs

Script Run-Keylogger
This procedure runs a PowerShell script that logs keys pressed and outputs to a txt file for a duration defined by the timeout variable

Configurable Variables

  • Timeoutminutes. By default, no timeout is set (or set to 0), therefore logging will run indefinitely. Caution should be used when not applying a timeout and it's not recommended; even just setting it to a high number (like a full day) is better. I am unsure how ITSM handles a script running indefinitely and if it will cancel it
  • Logfolder. By default, if you don't configure a log folder path (or set it to 0), it will use the current environment temp folder (Ex: C:\Users\CURRENTUSER\AppData\Local\Temp\). Note, you must include the trailing \ at the end of the path if specified
  • LogFileName. By default, if you don't configure a log file name (or set it to 0), it will use the name "COMPUTERNAME-CURRENTDATETIME-keylog.log" where COMPUTERNAME is the current computer the script is run on and CURRENTDATETIME is the current date and time the script was run

How to set up and use

  • Download the procedure: temporarily removed until better security can be implemented for the output
  • Import the procedure under Configuration Templates - Procedures - Import Procedure
  • Configure the default parameters for the procedure from the Parameters tab of the script. You can set this up at run-time if desired. The parameters are explained above.

Notes

  • There is nothing configured specifically to capture Turkish characters and I have not tested it in any language other than English. It may or may not work for you; it will need to be tested
  • I have set the default parameters for a timeout of 60 minutes as a test. You can set this to however long you like or set it to 0 for unlimited
  • The default logfolder is set to the current environment temp folder. If run as user this will be (Ex: C:\Users\CURRENTUSER\AppData\Local\Temp\). Any valid UNC path can be used
  • Run the script as logged on user.
  • If a user logs out or the machine is rebooted, the script will cancel. To keep it always running, I could see maybe setting up a monitor for Windows logins that then kicks off the script when detected.

I hope this is helpful in any way. Perhaps the script team can expand or improve on it. If you have any questions on how to use it, please let me know.

Thanks!
Mike

Hello @eztech

Thank you so much for your time and help.
I am also very grateful to you for explaining it in such a simple and detailed way.

I tried the code you shared immediately as soon as I started working today.

I can’t find a word to say. This is exactly what I want. The code works great.

There is no problem with Turkish characters, it records them too. Health in your hands. Everything you get your heart desires <3

Hello everyone,

The fact that the keylogger stores the text in plain text format might be a security concern. I wonder if maybe it could be somehow obfuscated or scrambled. For example, it could call the certutil app to encode the keylogger file in base64, which is not a very strong obfuscation but at least avoids showing sensitive data in plain text.

What do you think?

Regards,
– Javier Llorente
Endpoint Security - Devoteam
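
Added example (not part of the thread, and not the script shared in it): the certutil idea from the last post, seen from the side of someone reviewing files on an endpoint. `certutil -encode` wraps base64 in certificate markers, so this Python check detects such a wrapper, tests whether the payload is really a DER structure, and otherwise recovers the text directly. The sample log line and all function names are constructed for illustration.

```python
import base64
import re

# certutil -encode wraps base64 in PEM-style certificate markers.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def certutil_encode(data: bytes) -> str:
    """Reproduce the text layout of `certutil -encode` (64-character lines)."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def looks_like_der(raw: bytes) -> bool:
    """True if raw is one ASN.1 SEQUENCE whose length field spans the whole blob."""
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:                      # short-form length
        return len(raw) == 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(raw) < 2 + n:
        return False
    return len(raw) == 2 + n + int.from_bytes(raw[2:2 + n], "big")

def triage(text: str) -> dict:
    """Classify a file's text: is it a certutil wrapper, and what is inside?"""
    m = PEM_RE.search(text)
    if not m:
        return {"wrapped": False, "kind": "not-certutil", "recovered": None}
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return {"wrapped": True, "kind": "corrupt-base64", "recovered": None}
    if looks_like_der(raw):
        return {"wrapped": True, "kind": "possible-der", "recovered": None}
    try:
        # Non-DER data under certificate markers is disguised content; read it as text.
        return {"wrapped": True, "kind": "encoded-text", "recovered": raw.decode("utf-8")}
    except UnicodeDecodeError:
        return {"wrapped": True, "kind": "encoded-binary", "recovered": None}

# Constructed sample: one line of typed text with Turkish characters.
SAMPLE_LOG = "2024-01-01 10:00 [constructed sample] şifre: ÇokGizliÖrnek\n".encode("utf-8")

if __name__ == "__main__":
    print(triage(certutil_encode(SAMPLE_LOG)))
```

The encoded file gives back the original text, Turkish characters included, with no key involved. It also stands out on disk because the certificate markers surround data that is not a certificate.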