After properly setting up your profiling environment and knowing which Windows Performance Recorder UI options to select for your trace, you want to perform key presses in a pattern that will make it easy to spot the recording process later on when you inspect the data. In this video the Windows Performance Recorder is started and Notepad is opened to perform some simple, timed key presses.
- [Narrator] With the settings in place on the WPR UI, and the svchost key logging shortcut on our desktop, let's open up Notepad. First, let's double-click on the svchost shortcut, and start the key logging. Let's open up Task Manager and make sure it's running. It's the process with the same Windows background service symbol, but there is no name. If we right-click on it, and select Go To Details, it will take us to the Details tab. And under the description, it will have the same description of Host Process for Windows Services that the other svchost processes have, the real ones.
So, it's already pretty hidden. We now know it's running. Let's close out of Task Manager, and let's pull out our stopwatch. I'm going to use my phone to keep track of time. What we are going to do is click start on the WPR UI menu, and then minimize the window. Then, we click start on our stopwatch. Then, inside Notepad, after 10 seconds, we are going to press and hold down the letter J on our keyboard for 10 seconds. So, from the 10-second mark to the 20-second mark on our stopwatch, we're going to be pressing down and holding the letter J on our keyboard.
Then at the 20-second mark on our stopwatch, we are going to lift our finger and wait for 10 seconds. And then press down and hold the letter K on our keyboard for another 10 seconds, before lifting our finger at the 40-second mark. We will do this one more time. We will wait 10 more seconds before pressing down and holding the letter L at the 50-second mark for 10 seconds. The entire collection process is 70 seconds, with us pressing down and holding a button on our keyboard every 10 seconds, for 10 seconds.
We do this three times, because in the Windows Performance Analyzer, it will be very clear which process is recording us if it comes in all three times. This is simply to rule out any coincidences and remove any doubt that the process was maybe doing something else. Let's click start, and then immediately minimize the WPR UI window. After that, let's click start on our stopwatch to start the timer. After 10 seconds, let's press down and hold the letter J.
We're going to do that for 10 seconds. Once it says 20 on the stopwatch, let's lift our finger, and wait for 10 seconds. Once it says 30 on our stopwatch, let's press down and hold the letter K. We're going to press and hold for 10 seconds. Once it says 40 on the stopwatch, lift. And let's wait for 10 seconds.
And one last time, once it says 50 on the stopwatch, press and hold down L. Do this until it says 60 on the stopwatch. Lift. And once it says 1:10 on the stopwatch, 70 seconds have passed, and we're going to go back to the WPR UI menu and click save. For the comment, let's put key logging evidence and click save.
By default, the trace file is saved in the user's Documents directory, in the folder WPR Files. Let's go there now by clicking on the Open Folder button. Let's minimize this window to get it out of the way. By default, the trace is named after the computer name, dot, date of the collection, dot etl. And there's a corresponding folder with the same name, only with a dot NGENPDB extension. These are the symbols that are for this trace. It lets us see the function names.
Let's rename both to something more meaningful, like keylogger.etl and keylogger.etl.NGENPDB. And that's it, we are done with the collection process. Now, I'm going to keep the key logger running on my machine, so I can show you how to remove it after we find it. But if you want to stop the key logger now, you can, by going back to the Task Manager. It will be in the Background Processes section, in the Processes tab. And it's the one that says it's from Microsoft Corporation, but it has no name.
Right-click on it, and select End Task to kill the process, and to stop the recording.
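The 70-second collection above, scripted as an added example (this is not the course's own material): it drives wpr.exe from the command line instead of the WPR UI and injects the J, K and L key holds on exact 10-second offsets, so the windows you look for later in Windows Performance Analyzer do not depend on reading a phone stopwatch. Assumptions that are mine and not the lesson's: the prompt is elevated (wpr needs it), the keylogger is already running, WPR's built-in GeneralProfile stands in for whatever the UI selections were, and the trace is written directly as keylogger.etl so the rename step is unnecessary.

```powershell
# Added example, not from the course: scripted version of the 70-second collection.
# Assumptions: elevated PowerShell, keylogger already running, GeneralProfile used in
# place of the UI selections, output written straight to keylogger.etl.

Add-Type -AssemblyName Microsoft.VisualBasic
Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class Kbd {
    // keybd_event injects a single key-down or key-up event at the system level.
    [DllImport("user32.dll")]
    public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
}
"@
$KEYEVENTF_KEYUP = 0x0002
$VK = @{ J = 0x4A; K = 0x4B; L = 0x4C }   # virtual-key codes for J, K and L

function Wait-Until {
    # Sleep until the shared stopwatch reaches the given second mark.
    param([System.Diagnostics.Stopwatch]$Sw, [double]$Mark)
    $remaining = $Mark - $Sw.Elapsed.TotalSeconds
    if ($remaining -gt 0) { Start-Sleep -Milliseconds ([int]($remaining * 1000)) }
}

function Hold-Key {
    # Key down, hold, key up: keyboard auto-repeat fills the interval, as a held finger would.
    param([byte]$VirtualKey, [int]$Seconds)
    [Kbd]::keybd_event($VirtualKey, 0, 0, [UIntPtr]::Zero)
    Start-Sleep -Seconds $Seconds
    [Kbd]::keybd_event($VirtualKey, 0, $KEYEVENTF_KEYUP, [UIntPtr]::Zero)
}

# Same output folder the WPR UI uses by default: Documents\WPR Files.
$outDir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WPR Files'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$etl = Join-Path $outDir 'keylogger.etl'

# Open Notepad and bring it to the foreground so the injected keys land in it.
$notepad = Start-Process notepad -PassThru
Start-Sleep -Seconds 2
[Microsoft.VisualBasic.Interaction]::AppActivate($notepad.Id)

# Start recording, then the stopwatch. Schedule mirrors the lesson:
# J held 0:10-0:20, K held 0:30-0:40, L held 0:50-1:00, stop at 1:10.
wpr.exe -start GeneralProfile -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed (is this prompt elevated?)" }
$sw = [System.Diagnostics.Stopwatch]::StartNew()

$schedule = @(
    @{ Key = 'J'; Start = 10 },
    @{ Key = 'K'; Start = 30 },
    @{ Key = 'L'; Start = 50 }
)
foreach ($step in $schedule) {
    Wait-Until -Sw $sw -Mark $step.Start
    Write-Host ("{0,5:N1}s  hold {1}" -f $sw.Elapsed.TotalSeconds, $step.Key)
    Hold-Key -VirtualKey $VK[$step.Key] -Seconds 10
    Write-Host ("{0,5:N1}s  release {1}" -f $sw.Elapsed.TotalSeconds, $step.Key)
}

# Stop at the 70-second mark; the second argument is the same comment the UI asks for.
Wait-Until -Sw $sw -Mark 70
wpr.exe -stop $etl "key logging evidence"
if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed" }

# Show the trace and, as the lesson describes, the sibling .NGENPDB symbols folder.
Get-ChildItem -Path $outDir -Filter 'keylogger.*' | Select-Object Name, Length
```

One caveat worth knowing before trusting a scripted run: input injected with keybd_event reaches low-level keyboard hooks with the LLKHF_INJECTED flag set, so a keylogger that deliberately ignores injected input would not record these presses even though a physical key would be captured. If the three windows do not show up in the analysis, repeat the collection with real key presses as the lesson does before concluding the process is clean.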