Listen to this Post
Introduction:
Keyloggers are malicious tools designed to capture every keystroke you type—including passwords, messages, and sensitive data. While modern endpoint detection and response (EDR) solutions like CrowdStrike, SentinelOne, and Huntress aggressively hunt for such threats, Microsoft Windows ships with a native “keylogger” enabled by default that none of these tools flag. The “Improve Inking and Typing Recognition” feature collects all keystrokes and handwritten input, sends them to Microsoft’s cloud for AI-powered personalization (spell check, autocorrect, text predictions), effectively creating a first-party surveillance channel that bypasses conventional security alerts.
Learning Objectives:
- Identify how Windows’ built-in telemetry functions as an undetectable keylogger.
- Disable the feature via Registry, Group Policy, and PowerShell across single or multiple systems.
- Verify the change using network monitoring and system auditing tools.
- Understand why traditional EDR solutions ignore this behavior and how to mitigate residual privacy risks.
You Should Know:
- Disabling the Keylogger via Registry Editor (Single Machine)
What this does:
The registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\TIPC` controls the “Improve Inking and Typing Recognition” feature. Setting the `Enabled` DWORD to `0` stops Windows from collecting and sending keystroke data to Microsoft servers.
Step‑by‑step guide:
- Press
Win + R, typeregedit, and press Enter.
2. Navigate to:
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\TIPC`
- In the right pane, double-click the `Enabled` value.
- Change the value data from `1` to
0.
5. Click OK and close Registry Editor.
- Restart your PC for the change to take effect.
Verification via PowerShell (admin):
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Input\TIPC" -Name "Enabled"
Expected output: `Enabled : 0`
2. Enterprise Deployment: Group Policy and Registry File
What this does:
For IT administrators managing dozens or hundreds of machines, a Group Policy Object (GPO) or a `.reg` file can disable the keylogger silently across the entire domain.
Step‑by‑step guide (Registry file method):
1. Open Notepad and paste the following:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\TIPC] "Enabled"=dword:00000000
2. Save as `DisableWinKeylogger.reg`.
- Deploy via startup script, GPO, or remote management tool (e.g., PDQ, SCCM).
Group Policy path (if available in your Windows edition):
`Computer Configuration → Administrative Templates → System → Input Personalization → Turn off Improve Inking and Typing Recognition` → Set to Enabled.
Remote deployment using PowerShell Invoke-Command:
Invoke-Command -ComputerName PC01,PC02 -ScriptBlock {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Input\TIPC" -Name "Enabled" -Value 0
Restart-Computer -Force
}
3. Verifying Network Traffic to Confirm Cessation
What this does:
Before disabling, you can capture outbound packets to see keystroke telemetry reaching Microsoft. After disabling, the traffic should stop. This uses `netsh` (built-in) or Wireshark.
Step‑by‑step using netsh trace (no extra tools):
1. Open Command Prompt as administrator.
2. Start a trace:
`netsh trace start capture=yes provider=Microsoft-Windows-Input provflags=0xFF tracefile=C:\keylog_trace.etl`
- Type random text in Notepad or any application for 1 minute.
4. Stop the trace: `netsh trace stop`
- Analyze the `.etl` file with Microsoft Message Analyzer (legacy) or convert to `.pcapng` using
etl2pcapng.
Alternative – using Wireshark (more user‑friendly):
1. Install Wireshark and run as administrator.
2. Capture on your active network interface.
- Filter for `dns.qry.name contains “microsoft” or ip.dst==13.107.6.0/24` (Microsoft telemetry ranges).
- Observe packets after rebooting – if no traffic to telemetry endpoints appears when typing, the keylogger is effectively blocked.
4. Why EDRs and Antivirus Ignore This Feature
What this does (explanation):
Endpoint security products operate on a “trusted vendor” list – Microsoft binaries signed by Microsoft are implicitly allowed. The keystroke collection is performed by legitimate system processes like `ctfmon.exe` (Microsoft Input Method Editor) and InputPersonalization.exe. EDRs see these as normal OS components, not malware. Attackers have exploited this trust gap by injecting into these processes to siphon keystrokes without triggering alerts.
Step‑by‑step to test EDR blindness (educational use only):
- On a system with CrowdStrike/SentinelOne installed, enable logging.
- Type sensitive data (e.g.,
password123) while the “Improve Inking” feature is ON. - Check EDR console – no alert for keylogging will appear.
- Now deploy a third-party keylogger (e.g., simple Python script using
pynput). The EDR will likely quarantine it.
Takeaway: The same behavior (capturing keystrokes) produces opposite security verdicts based solely on the binary’s signature. -
Hardening Beyond the Registry – Firewall Blocking & Privacy Tools
What this does:
Even after disabling the registry key, Windows may re-enable it after feature updates. Adding a firewall rule to block Microsoft telemetry IPs provides defense-in-depth.
Step‑by‑step firewall rule (PowerShell admin):
Block common Microsoft telemetry endpoints
$blockIPs = @("13.107.6.0/24", "13.107.18.0/24", "52.183.8.0/24")
foreach ($ip in $blockIPs) {
New-NetFirewallRule -DisplayName "Block MS Telemetry $ip" -Direction Outbound -RemoteAddress $ip -Action Block -Protocol Any
}
Using O&O ShutUp10++ (GUI tool):
1. Download O&O ShutUp10++ (free, portable).
2. Run as administrator.
- Search for “Improve Inking and Typing Recognition” and set to Disabled.
- Also disable “Send handwritten data samples to Microsoft” and “Typing data collection”.
Linux comparison:
While Linux does not have a built-in keylogger, desktop environments like GNOME may send anonymous usage stats. Disable with:
gsettings set org.gnome.desktop.privacy report-stats false
6. Detecting Existing Keystroke Telemetry Exfiltration (Forensic Approach)
What this does:
If you suspect the feature was enabled in the past, you can check for leftover data transmission logs in Windows Event Viewer or ETW (Event Tracing for Windows).
Step‑by‑step event log analysis:
1. Open Event Viewer (`eventvwr.msc`).
- Navigate to
Applications and Services Logs → Microsoft → Windows → InputPersonalization → Operational.
3. Look for Event IDs:
– `100` – Feature enabled
– `200` – Data sent to Microsoft
4. Export logs for timeline reconstruction:
Get-WinEvent -LogName "Microsoft-Windows-InputPersonalization/Operational" | Export-Csv -Path C:\keylog_events.csv
Using Sysinternals ProcMon to monitor registry reads:
1. Download ProcMon from Microsoft Sysinternals.
- Set filter: `Process Name`
contains`InputPersonalization` theninclude.
3. Monitor `RegOpenKey` operations to `TIPC` key.
- Any process reading that key may be checking the “Enabled” state – useful for hunting persistence.
7. Reversing the Change and Auditing Compliance
What this does:
Organizations with strict data residency requirements (GDPR, HIPAA) must ensure this feature remains disabled. This section shows how to re-enable if needed and how to audit compliance.
Step‑by‑step re-enable (if you later want the AI personalization):
1. Registry: Set `Enabled` back to `1`.
- Group Policy: Set “Turn off Improve Inking…” to Not Configured or Disabled.
3. Reboot.
Compliance audit script (PowerShell):
$regPath = "HKLM:\SOFTWARE\Microsoft\Input\TIPC"
$value = (Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue).Enabled
if ($value -eq 0) {
Write-Output "PASS: Keylogger disabled."
} else {
Write-Output "FAIL: Keylogger enabled - immediate action required."
}
Deploy this via SCCM or Intune to generate compliance reports.
What Undercode Say:
- Key Takeaway 1: Windows’ “Improve Inking and Typing Recognition” is a functional keylogger that records every keystroke and transmits them to Microsoft – yet no EDR or antivirus flags it because Microsoft signs the binary.
- Key Takeaway 2: Disabling the feature via a simple registry change (
Enabled=0) stops the data collection, but updates can revert it; combining registry, firewall blocks, and Group Policy offers persistent protection.
Analysis: This built-in telemetry represents a massive blind spot in endpoint security. While marketed as an opt‑in AI personalization tool, it is enabled by default on most Windows installations. Attackers can silently re-enable it via malware (if they gain SYSTEM privileges) and exfiltrate keystrokes without ever triggering an alert – because the traffic blends with legitimate Windows telemetry. Enterprises relying solely on EDR for keylogger detection are dangerously exposed. The solution is not just disabling this feature, but also monitoring registry changes to `TIPC` and blocking Microsoft’s telemetry IP ranges at the perimeter.
Prediction:
Within 18 months, a major ransomware group will weaponize this feature – re‑enabling it remotely on compromised endpoints to harvest credentials for lateral movement. This will trigger an industry-wide reckoning, forcing EDR vendors to add explicit detection rules for Microsoft’s own telemetry components. Regulators (especially under GDPR and China’s PIPL) will classify default‑on keystroke collection as unlawful surveillance, leading to heavy fines against Microsoft and any organization that fails to disable it. Expect Microsoft to eventually move this feature to a fully opt‑in, local‑only model, but not before significant backlash.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Charlescrampton Keyloggers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
