🛡️ Your Antivirus Can't Save You — The Real Anti-Keylogger Playbook for Windows

:microscope: Detect Keyloggers Like a Forensic Analyst — ETW, Velociraptor & the NULLCON Method

OSK won’t protect you. Most “anti-keylogger” advice is a decade behind. Here’s what actually works in 2025.

The Windows On-Screen Keyboard stops exactly one type of keylogger — the most basic hook-based kind that your antivirus already catches. Meanwhile, there are at least 7 distinct keylogging methods, including ones that record your screen, listen to your typing sounds through your microphone, and read keystrokes from kernel memory before any app even sees them. Here’s the full defensive stack nobody talks about.


🪝 Why OSK Is a Band-Aid — The 7 Types of Keyloggers

The original tip isn’t wrong — it’s just dangerously incomplete. Here’s every method attackers use to steal your keystrokes, and which ones OSK actually blocks.

| Type | How It Works | OSK Blocks It? | Detection Difficulty |
|---|---|---|---|
| Hook-based (SetWindowsHookEx) | Installs a global keyboard hook via DLL injection — every key event passes through the attacker’s filter function | :white_check_mark: Yes | Easy — injected DLL visible in all processes |
| Polling-based (GetAsyncKeyState) | Loops through all 255 virtual keys every 50ms checking which are pressed | :white_check_mark: Yes | Medium — high API call frequency is detectable |
| Raw Input Model (RegisterRawInputDevices) | Registers as a background raw input sink — receives keystrokes directly from the HID layer | :cross_mark: No | Medium — RIDEV_INPUTSINK flag is suspicious |
| DirectInput | Uses the legacy gaming input API to read keyboard state | :cross_mark: No | Hard — looks like normal game input |
| Hotkey-based (RegisterHotKey) | Registers system hotkeys for every key, captures keystrokes, then emulates them back | :cross_mark: No | Very hard — no ETW monitoring exists for this API |
| Kernel-mode driver | Filter driver sits in the keyboard driver stack (kbdclass.sys), captures scan codes before they reach any app | :cross_mark: No | Very hard — runs at highest privilege |
| Screen capture | Takes periodic screenshots — reads whatever’s on screen, including password fields | :cross_mark: No | Medium — unusual screen capture API calls |
| Acoustic | Records typing sounds via microphone, uses ML to reconstruct keystrokes at 92-95% accuracy | :cross_mark: No | Nearly impossible from the victim’s side |
| Form grabber (browser-level) | Hooks browser functions to capture form data at submission — before encryption | :cross_mark: No | Hard — runs inside the browser process |
| Clipboard logger | Monitors the clipboard for copy-paste of passwords | :cross_mark: No | Easy — clipboard API monitoring |

The math: OSK protects against 2 out of 10 methods. That’s a 20% defense rate. You need the full stack.

🔐 Layer 1: Keystroke Encryption — Stop Keyloggers at the Driver Level

These tools encrypt your keystrokes in the Windows kernel — before any hook, poll, or raw input reader can intercept them. Even if a keylogger captures your typing, it only gets encrypted garbage.

| Tool | What It Does | Free Tier | Link |
|---|---|---|---|
| KeyScrambler | Encrypts keystrokes at kernel driver level in real time. Free version covers all major browsers. Pro/Premium covers 200-500+ apps. 19 years in production. | :white_check_mark: Free (browsers only) | qfxsoftware.com |
| Ghostpress | Hides keystrokes system-wide by breaking low-level hooks. Portable — runs from USB. Includes anti-hook-overwriting protection and typing delay randomization. | :white_check_mark: Free (full) | schiffer.tech/ghostpress |
| ScreenWings | Blocks ALL screenshot capture system-wide — any screenshot taken while active returns a black image. Same developer as Ghostpress. | :white_check_mark: Free | schiffer.tech/screenwings |

How KeyScrambler works under the hood: It installs a kernel-mode encryption driver that sits between your physical keyboard and Windows. When you press a key, KeyScrambler encrypts it immediately — before the keystroke enters the Windows message queue where hook-based and polling-based keyloggers intercept. The encrypted keystroke travels through the entire OS, and only gets decrypted inside the destination app. Any keylogger capturing in between sees only randomized characters.

Ghostpress vs KeyScrambler: Different approach, same goal. Ghostpress doesn’t encrypt — it hides your keystrokes by breaking the hook chain and suppressing low-level keyboard events from reaching unauthorized listeners. It also randomizes keystroke timing to defeat behavioral analysis (attackers can fingerprint you by how you type).

Combo move: Run Ghostpress (free, system-wide protection) + ScreenWings (blocks screen capture keyloggers) together. Both are portable — keep them on a USB for public/shared computers.

🧪 How to Test if Your Anti-Keylogger Actually Works

Download the SpyShelter Security Test Tool (AntiTest):

  • SpyShelter AntiTest (password: Spyshelter)
  • Your antivirus will flag it — it’s a false positive, allow/exclude it
  • Run it, type normally, and check what it captures
  • With Ghostpress/KeyScrambler active: it should capture only garbage characters or nothing
  • Without protection: it captures everything you type in plaintext

This is the real test. If your “protection” fails AntiTest, it fails against real keyloggers too.

🔬 Layer 2: Detecting Keyloggers Already On Your Machine

If you think you might already be compromised, here’s the forensic checklist — from the cutting-edge research presented at NULLCON Goa 2025 by Elastic’s Asuka Nakajima.

The 4 Keylogger Types and Their Detection Signatures

| Keylogger Type | Windows API Used | ETW Event ID | Detection Signal |
|---|---|---|---|
| Polling-based | GetAsyncKeyState | 1003 | MsSinceLastKeyEvent > 100 AND BackgroundCallCount > 400 |
| Hook-based | SetWindowsHookEx | 1002 | FilterType = WH_KEYBOARD_LL |
| Raw Input | RegisterRawInputDevices | 1001 | Flags = RIDEV_INPUTSINK (background capture) |
| Hotkey-based | RegisterHotKey | :cross_mark: None | No ETW monitoring — requires kernel memory scanning |

Source: Asuka Nakajima, NULLCON 2025 — “Windows Keylogger Detection: Targeting Past and Present Keylogging Techniques”
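As an added example (not code from the original post, nor from the Velociraptor or Elastic projects), here is the signature logic from the table above applied to sample Win32k ETW event records in Python. The event IDs and the field names FilterType, Flags, MsSinceLastKeyEvent and BackgroundCallCount follow the table; the pid field and the sample events are constructed for illustration.

```python
"""Classify Win32k ETW events (1001/1002/1003) using the NULLCON signatures."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

WH_KEYBOARD_LL = 13       # SetWindowsHookEx low-level keyboard hook id
RIDEV_INPUTSINK = 0x100   # RegisterRawInputDevices flag: receive input in background


@dataclass
class Win32kEvent:
    event_id: int      # 1001 RegisterRawInputDevices, 1002 SetWindowsHookEx, 1003 GetAsyncKeyState
    pid: int           # constructed field name for the calling process
    fields: Dict[str, int]


def classify(ev: Win32kEvent) -> Optional[str]:
    """Return the keylogger type an event matches, or None if it looks benign."""
    f = ev.fields
    if ev.event_id == 1001 and f.get("Flags", 0) & RIDEV_INPUTSINK:
        return "raw-input"          # background raw input sink
    if ev.event_id == 1002 and f.get("FilterType") == WH_KEYBOARD_LL:
        return "hook-based"         # global low-level keyboard hook
    if (ev.event_id == 1003
            and f.get("MsSinceLastKeyEvent", 0) > 100
            and f.get("BackgroundCallCount", 0) > 400):
        return "polling-based"      # polling keys while in the background, no real key activity
    return None


def triage(events: List[Win32kEvent]) -> Dict[int, Set[str]]:
    """Group matches by pid so a noisy process produces one finding, not one per event."""
    findings: Dict[int, Set[str]] = {}
    for ev in events:
        kind = classify(ev)
        if kind:
            findings.setdefault(ev.pid, set()).add(kind)
    return findings


# Constructed sample: a foreground game reading keys (benign), a background poller
# that also installs a keyboard hook, a non-keyboard hook, and a raw-input sink.
SAMPLE = [
    Win32kEvent(1003, 4242, {"MsSinceLastKeyEvent": 12, "BackgroundCallCount": 0}),
    Win32kEvent(1003, 5150, {"MsSinceLastKeyEvent": 900, "BackgroundCallCount": 1200}),
    Win32kEvent(1002, 5150, {"FilterType": WH_KEYBOARD_LL}),
    Win32kEvent(1002, 7000, {"FilterType": 4}),              # WH_CALLWNDPROC, not keyboard
    Win32kEvent(1001, 6100, {"Flags": RIDEV_INPUTSINK | 0x1}),
]

if __name__ == "__main__":
    for pid, kinds in sorted(triage(SAMPLE).items()):
        print(f"pid {pid}: {', '.join(sorted(kinds))}")
```

The thresholds are the ones in the table; tune them against your own baseline before alerting on them, since legitimate software (games, accessibility tools) also calls these APIs.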

Free Detection Tools

| Tool | What It Does | Link |
|---|---|---|
| Velociraptor (Windows.Detection.Keylogger artifact) | Open-source DFIR tool with a dedicated keylogger detection artifact that monitors Win32k ETW events for all 3 detectable keylogger types. Built directly from Nakajima’s NULLCON research. | docs.velociraptor.app |
| Elastic Defend 8.12+ | EDR with built-in keylogger detection rules monitoring SetWindowsHookEx, GetAsyncKeyState, and RegisterRawInputDevices via Win32k ETW. Also detects hotkey-based keyloggers using undocumented kernel memory scanning of gphkHashTable. | elastic.co/security-labs |
| HotkeybasedKeyloggerDetector | Kernel-mode driver that scans gphkHashTable in win32kfull.sys to detect hotkey-based keyloggers — the only type invisible to ETW. Created by the same researcher. | GitHub |

Manual Forensic Checklist (No Tools Required)

  1. Task Manager → Details tab — sort by CPU. Any unknown process consuming consistent CPU could be a polling keylogger (they loop every 50ms)
  2. Autoruns (Sysinternals) — check Logon, Scheduled Tasks, Services, Drivers tabs for anything unfamiliar. Keyloggers need persistence to survive reboot
  3. Device Manager → Keyboards — more than one keyboard driver listed? Could be a kernel-mode keylogger filter driver
  4. Physically inspect your USB ports — look for any adapter between your keyboard cable and the port. Hardware keyloggers are small inline devices, sometimes hidden inside USB hubs
  5. Wireshark — if a keylogger is exfiltrating data, filter for unusual outbound connections on uncommon ports or to unknown IPs

🏦 Layer 3: Bypass Keystrokes Entirely — Password Managers & FIDO2

The strongest anti-keylogger move: stop typing passwords altogether.

Password Manager Autofill (Why It Beats Typing)

Password managers like Bitwarden, 1Password, and KeePassXC don’t type your password — they inject it directly into the browser’s form field via internal APIs. This bypasses:

  • Hook-based keyloggers (no keyboard event fires)
  • Polling-based keyloggers (no key state changes)
  • Acoustic keyloggers (no typing sound)
  • OSK loggers (no virtual keyboard clicks)

The catch: Clipboard loggers can still intercept copy-paste. Use autofill, not copy-paste. And form grabbers can still capture data at the browser level — which is why you need Layer 4 (hardening).

FIDO2 Hardware Keys (The Nuclear Option)

A YubiKey or similar FIDO2 security key uses cryptographic challenge-response authentication. No password ever crosses the keyboard. Even if every keylogger on Earth is running on your machine, the attacker gets nothing replayable.

| FIDO2 Key | Price | Protocols | Best For |
|---|---|---|---|
| YubiKey 5 NFC | ~$50 | FIDO2, U2F, PIV, OpenPGP, OTP | Everything — most versatile |
| YubiKey Security Key | ~$25 | FIDO2, U2F only | Budget option, still phishing-resistant |
| Google Titan | ~$30 | FIDO2, U2F | Google ecosystem users |
| OnlyKey | ~$50 | FIDO2, U2F + hardware password manager | Stores passwords ON the device, types them for you |

OnlyKey is the sleeper pick — it’s a FIDO2 key AND a hardware password manager. It stores up to 24 accounts directly on the device and types passwords for you via emulated keyboard output. The PIN is entered on the device itself, so even if a keylogger is running, it only sees the OnlyKey typing a pre-stored password — not you typing the master PIN.

Setup priority: Enable FIDO2 on your most critical accounts first — Google, Microsoft, GitHub, banking, password manager vault. One YubiKey + one backup key = keyloggers become irrelevant for those accounts.

🔧 Layer 4: Harden Windows Against Input Capture

These are OS-level defenses that prevent keyloggers from installing or operating in the first place.

Built-In Windows Defenses (Free, Already On Your Machine)

| Defense | What It Stops | How to Enable |
|---|---|---|
| Memory Integrity (HVCI) | Prevents unsigned kernel drivers from loading — blocks kernel-mode keyloggers | Windows Security → Device Security → Core Isolation → Memory Integrity → ON |
| Credential Guard | Isolates Windows login credentials in a hypervisor-protected VM — even kernel-level keyloggers can’t read them | Enabled by default on Win11 22H2+ (Enterprise). Check: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
| Secure Boot + TPM 2.0 | Prevents firmware/UEFI keyloggers from loading before Windows starts | BIOS settings — usually enabled by default on modern hardware |
| Smart App Control (Win11) | Blocks unsigned/untrusted apps from running — prevents most keylogger installations | Windows Security → App & Browser Control → Smart App Control |
| AppLocker / WDAC | Whitelists only approved executables — nothing else runs, period | Group Policy (Enterprise) or the New-CIPolicy PowerShell cmdlet |

The Real Hardening Checklist

  1. Turn on Memory Integrity — this single setting blocks almost all kernel-mode keyloggers. It prevents unsigned drivers from loading, which is how most advanced keyloggers operate. Some old drivers may be incompatible — Windows will tell you which ones
  2. Run as Standard User — not admin. Kernel-mode keyloggers require admin/system privileges to install. A standard user account is the simplest, most effective barrier
  3. Disable unnecessary USB ports (Group Policy: Computer Configuration → Administrative Templates → System → Removable Storage Access → Deny All) — prevents hardware keyloggers from being plugged in on shared/public machines
  4. Enable PowerShell Constrained Language Mode — prevents fileless keyloggers that inject via PowerShell scripts
  5. Keep Windows + drivers updated — the VBS spoofing vulnerability (CVE-2025-48813) in October 2025 showed that even Credential Guard can be bypassed if you don’t patch

🎤 Layer 5: The Threats Nobody Mentions — Acoustic & Screen Capture

Acoustic Keyloggers — Your Microphone Is a Keylogger

In 2023, British university researchers trained a deep learning model that reconstructs what you type by listening to your keyboard sounds — with 95% accuracy from a nearby smartphone microphone and 93% accuracy over a Zoom call.

Each key on your keyboard makes a slightly different sound based on its position, the mechanical structure underneath, and how your fingers strike it. ML models (spectrogram analysis via MFCC + vision transformers like ConvMixer) can map these sound signatures to individual keys.

Defenses:

  • Use a silent/low-profile keyboard (reduces acoustic signature differentiation)
  • Mute your microphone when not actively speaking on calls
  • Play background noise/white noise while typing sensitive info — degrades ML model accuracy significantly
  • Use password managers with autofill — no typing = no sound
  • Mechanical keyboards are actually MORE vulnerable (louder, more distinct per-key sounds)

Screen Capture Keyloggers

Advanced keyloggers take screenshots every few seconds, or specifically when they detect password-field focus. Your carefully protected keystrokes don’t matter if the attacker can just… see your screen.

Defenses:

  • ScreenWings (free, portable) — forces any screenshot to return a black image system-wide
  • SpyShelter — includes anti-screen capture, anti-webcam, and anti-clipboard modules
  • Don’t leave sensitive info visible on screen longer than necessary

:high_voltage: The 60-Second Audit

Already doing some of this? Run through this checklist:

| # | Check | How to Verify |
|---|---|---|
| 1 | Memory Integrity (HVCI) enabled? | Settings → Core Isolation |
| 2 | Running as Standard User (not admin)? | whoami /groups |
| 3 | Ghostpress or KeyScrambler installed? | Run AntiTest to verify |
| 4 | ScreenWings running? | Try PrintScreen — should be black |
| 5 | Password manager with autofill (not copy-paste)? | Check your vault settings |
| 6 | FIDO2 key on critical accounts? | Google/Microsoft/GitHub security settings |
| 7 | Secure Boot + TPM active? | msinfo32 → Secure Boot State |
| 8 | USB ports restricted on shared machines? | Group Policy check |
| 9 | Microphone muted when not in use? | System tray mic icon |
| 10 | Physical USB port inspection done? | Look behind your keyboard plug |

Pass all 10 = actually protected. Fail any = fix that layer. Most people fail #1 and #3.


Your antivirus catches yesterday’s malware. This playbook catches everything your antivirus misses — from kernel drivers to microphone listeners. Build the stack. Test the stack. Trust nothing.