rawKeyLogger.exe was created to log and chart keyboard, mouse, and window events. It can be configued to log any or all of those events, and uses the raw input and accessibility event APIs to capture them on a low level. The app can log for days/weeks/months at a time, and can display and export any saved logs.
When displaying logged data, the following modes are available as tabs:
Histogram: A general activity log over time, shows a bar chart of the three event types.
Event log: A chronological list of events, shows all information each event conveyed.
'As Typed' log: Tries to capture what the user typed, and where they typed it. It is intended to be a convenient way to read or copy typed text.
Requirements: Version 4 or better of the .net framework is recommended. Get it from Microsoft.
No installation; just unpack and run. A settings file and ancillary files may be created in the program folder.
After running the program, open the settings dialog and configure the logging options you want. The program displays the active log by default, but you can use the 'Display Log' drop-down to show a saved log, or to hide the display entirely to reduce resource use.
When displaying a log, each of the three display-mode tabs have can navigate the log or export their content to a text file. The 'Activity Histogram' tab is probably the quickest way to navigate the log. Left-clicking on the histogram chart will jump to that position in the 'Event Log', and right-clicking will jump to the 'As Typed' log.
In the 'Event Log', (the full list of all information about all events), the "Event Info" and "Event Details" vary based on the event type:
- For mouse events the Info field will have the x & y cooridinates of the cursor at the event time. In the case of wheel moves the Details field holds the wheel delta value.
- For keyboard events the Info field will list the key, and the Details field will contain the following technical information: flags, virtual key code, scan code, windows message ID. See this reference for an explanation.
Finally, the program includes no way to hide or disguise its operation. It is intended as a productivity tool; not for surreptitious surveillance.
Notes on log files and size:
Whenever logging is turned on, the log file being recorded to is expanded by up to 1MB beyond its 'real' size (where the 'real' size is the size needed to hold all log events). This is done to speed up certain navigation operations. Once logging stops, the program will shrink the log, so it doesn't use any more space than necessary.
The program loads the log as a memory-mapped file. While you don't need to have enough physical RAM to hold the file, you do need the address space for it. Users on 32-bit versions of windows may encounter problems if the file grows larger than 500MB. That represents a lot of logging, so monthly log rotation will be enough to prevent any errors. Users on 64-bit systems should be able to log for years without issue.
To save space and processing the .keylog file format is binary and stores low-level information. You can easily load any binary log file into the application to retrieve a plaintext readout of key presses. Eventually I'll add a specification for the file format, but for now, briefly: The file is divided into 128 bit packets, 1 packet per event. The first 64 bits are the event payload, starting with the event type; the last 64 bits are the time in Ticks. The fact that the format aligns nicely in a hex editor is purely a coincidence. I swear.
Command Line Usage:
- -startlog starts the program with logging enabled, or if the program is already running, starts logging. you can optionally specify a file to log to; ex: -startlog="c:\some file.keylog"
- -stoplog starts the program with logging disabled, or if the program is already running, stops logging.
- -showlog=%FILENAME% shows the specified file name; paths with spaces should be quoted.
Version 0.8; 2020-01-18
- Added: Histogram now shades unlogged time-spans as light grey.
- Fixed: Occasional crash when minimized with the event log tab open.
- Fixed: Some bugs in the event log's "event selector".
- Fixed: Bug in histogram diplay with long-duration logs.
- Changed: Now encrypting the .zip to avoid AV false-positives impacting the website's safe-browsing rating. Password will always be "cresstone".
Version 0.7; 2019-08-22
- Changed: In the activity report, we now quote the app name and properly escape existing quotes; also added 'keystrokes' and 'clicks' columns.
- Changed: Wait cursors added when running exports so the users know the program is working on it.
- Fixed: Improved error handling when reading a log file that was terminated unexpectedly (ie: process termination or power failure).
- Fixed: Typing log fix to reduce window change flood.
- Fixed: Math error in activity reports.
Version 0.6; 2019-01-31
- Added: Export log feature now exports only the selected range of events if there is a range selected.
- Added: Goto-Select button allows date range selection on the Event Log.
- Added (beta/unstable): App Activity report (accessible from the event log) summarizes application use by time & number of events. This can answer questions like: 'what percent of my computer time did I spend browsing the web?'. I'm still testing it.
- Fixed: Semi-rare crash during log rotation.
- Fixed: Logging now resumes correctly when using the -startHidden flag.
Version 0.5; 2017-04-14
- Initial beta release.
This software includes code or resources from the following sources:
This software is distributed as-is, without any representations or warranties of any kind.
The author of this software imposes no additional license terms or limits upon its use or redistribution.
Send to utils@cressto ne.com