2026-07-02, Amphitheater 122
Modern businesses routinely handle sensitive data—entering passwords, managing internal documents and emails, or conducting confidential meetings in applications such as Zoom and Signal. Windows desktop isolation can block basic keyloggers from capturing keystrokes from applications running on newly created desktops. Several security tools rely on this mechanism by running sensitive applications or password-entry screens on isolated desktops, providing effective defense against unsophisticated keyloggers. In practice, however, this protection is often treated as “good enough” once a protected desktop has been created.
This talk shows why that assumption is wrong: Windows Desktop Isolation is not a true isolation boundary.
The focus of this research is not kernel-mode interception, but high-privilege user-mode keyloggers. In other words, the talk addresses attackers that remain in user space, yet possess enough privileges to actively interfere with desktop-based protections and attach spying logic to sensitive contexts. This makes the problem especially relevant in Man-at-the-End (MATE) scenarios common in business environments.
I will present a series of experiments covering the four most common Windows keystroke interception techniques—SetWindowsHookEx, GetAsyncKeyState, Raw Input, and DirectInput—as well as ETW-based monitoring. The results show that privileged attackers can still capture keystrokes from protected desktop contexts, including Secure Desktop contexts such as the Winlogon desktop, for example by launching a high-privilege process with Sysinternals PsExec.
To address this weakness, I will introduce DesktopRanger, an open-source defensive prototype for creating hardened Windows desktops for secret input. DesktopRanger creates a protected desktop with a restrictive security descriptor, expressed in SDDL as D:P (a protected DACL that contains no ACEs, so the DACL grants no access to anyone), preventing unauthorized opening through the standard desktop access path and limiting the attacker's ability to obtain even the desktop name. When a legitimate application must be launched, access is relaxed only for a very short period. At the same time, desktop enumeration is blocked at the Window Station level to prevent hostile processes from discovering or attaching to the target desktop. Once the application has been initialized, the original restrictive state is restored: the user can again enumerate active desktops, but the protected desktop does not appear in the returned list.
I will explain the Windows Desktop and Window Station internals behind this design. I will also discuss how this approach can be combined with the open-source MemoryRanger bare-metal hypervisor to protect relevant kernel-side security structures against tampering, including BYOVD-style attacks.
The experiments show a clear contrast: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, including Winlogon, whereas the same attacker is unable to attach to and spy from a desktop created by DesktopRanger.
This talk examines a practical and widely misunderstood security question: can Windows desktop isolation really protect sensitive keyboard input against a privileged attacker?
The problem is highly relevant because keylogging is not a legacy threat: modern spyware, stealers, and surveillance-oriented malware continue to use keystroke interception in active campaigns. This makes secure input a live defensive problem for password managers, privacy tools, and other applications handling credentials or confidential text on Windows.
I will begin with a concise explanation of the Windows desktop model, including the relationship between Sessions, Window Stations, and Desktops, and why many security tools rely on isolated desktops for password entry and other sensitive workflows. I will show that this mechanism is effective against basic user-mode keyloggers, which is why it is often treated as a sufficient defense in practice.
The talk then presents the experimental results. I will show tests covering the four major Windows keystroke interception techniques—SetWindowsHookEx, GetAsyncKeyState, Raw Input, and DirectInput—as well as ETW-based monitoring. These experiments demonstrate that a privileged attacker can still deploy spying logic against protected desktop contexts, including Secure Desktop-style environments such as Winlogon, for example by launching a high-privilege process via PsExec/Sysinternals.
The second half of the talk introduces DesktopRanger, an open-source defensive prototype designed to harden the existing Windows desktop model. Its core goal is to create a protected desktop that an attacker cannot easily discover, open, or attach to. DesktopRanger creates the target desktop with a restrictive D:P security descriptor and limits the attacker’s ability to obtain even the desktop name. When a legitimate application must be started, access is relaxed only briefly, while desktop enumeration is blocked at the Window Station level, and the original restrictive state is restored immediately after initialization. In addition, DesktopRanger can deploy multiple desktop honeypots to mislead hostile attachment attempts toward decoy desktops instead of the real protected one. I will explain the Windows internals behind this workflow and why it changes the attack surface compared to conventional isolated-desktop designs.
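The create / relax / restore workflow described in the abstract and again above can be reproduced with the public Win32 desktop APIs. The following PowerShell script is an added example written for this page; it is not DesktopRanger's code and omits the Window-Station-level enumeration block and the honeypot desktops. The desktop name, the Win32.Desk P/Invoke wrapper, and the helper function names are assumptions of this example. It creates a desktop with a D:P security descriptor, probes it the way a separate process would (a fresh OpenDesktop that is subject to a real access check, and EnumDesktops on the process window station), relaxes the DACL to the current user only, then restores D:P and probes again.

```powershell
# Added example (not DesktopRanger code). Run as an ordinary interactive user
# in Windows PowerShell 5.1. Win32.Desk and the function names are assumptions.
Add-Type -Namespace Win32 -Name Desk -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES {
    public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle;
}
public delegate bool EnumDesktopProc(string name, IntPtr lParam);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
    string sddl, uint revision, out IntPtr sd, out uint size);
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode,
    uint flags, uint access, ref SECURITY_ATTRIBUTES sa);
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint access);
[DllImport("user32.dll", SetLastError=true)]
public static extern bool CloseDesktop(IntPtr hDesk);
[DllImport("user32.dll", SetLastError=true)]
public static extern bool SetUserObjectSecurity(IntPtr hObj, ref uint si, IntPtr sd);
[DllImport("user32.dll", SetLastError=true)]
public static extern IntPtr GetProcessWindowStation();
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool EnumDesktops(IntPtr hWinSta, EnumDesktopProc cb, IntPtr lParam);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr h);
'@

$GENERIC_ALL               = 0x10000000
$DACL_SECURITY_INFORMATION = 4

function Get-LastErr { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# SDDL string -> self-relative security descriptor (caller frees with LocalFree).
function ConvertTo-Sd([string]$Sddl) {
    $sd = [IntPtr]::Zero; [uint32]$size = 0
    if (-not [Win32.Desk]::ConvertStringSecurityDescriptorToSecurityDescriptor($Sddl, 1, [ref]$sd, [ref]$size)) {
        throw "SDDL '$Sddl' rejected, error $(Get-LastErr)"
    }
    return $sd
}

# Rewrite only the DACL of an existing desktop through a handle that has WRITE_DAC.
function Set-DesktopDacl([IntPtr]$Desk, [string]$Sddl) {
    $sd = ConvertTo-Sd $Sddl
    try {
        $si = [uint32]$DACL_SECURITY_INFORMATION
        if (-not [Win32.Desk]::SetUserObjectSecurity($Desk, [ref]$si, $sd)) {
            throw "SetUserObjectSecurity failed, error $(Get-LastErr)"
        }
    } finally { [void][Win32.Desk]::LocalFree($sd) }
}

# Probe like a not-yet-attached process: a fresh OpenDesktop goes through a real
# access check against the DACL, unlike the creator's own CreateDesktop handle.
function Test-DesktopOpen([string]$Name) {
    $h = [Win32.Desk]::OpenDesktop($Name, 0, $false, $GENERIC_ALL)
    if ($h -eq [IntPtr]::Zero) { return "denied (error $(Get-LastErr))" }
    [void][Win32.Desk]::CloseDesktop($h)
    return "opened"
}

# Names EnumDesktops reports on our window station; desktops without
# DESKTOP_ENUMERATE for the caller are simply not reported.
function Get-DesktopNames {
    $names = New-Object System.Collections.Generic.List[string]
    $cb = [Win32.Desk+EnumDesktopProc]({ param($n, $l) $names.Add($n); $true }.GetNewClosure())
    [void][Win32.Desk]::EnumDesktops([Win32.Desk]::GetProcessWindowStation(), $cb, [IntPtr]::Zero)
    return $names
}

# 1. Create the desktop locked down: D:P = protected DACL with no ACEs.
$name = "Protected_" + [guid]::NewGuid().ToString('N').Substring(0, 8)   # assumed name
$sd = ConvertTo-Sd 'D:P'
$sa = [Win32.Desk+SECURITY_ATTRIBUTES]::new()
$sa.nLength = [Runtime.InteropServices.Marshal]::SizeOf($sa)
$sa.lpSecurityDescriptor = $sd
$hDesk = [Win32.Desk]::CreateDesktop($name, [IntPtr]::Zero, [IntPtr]::Zero, 0, $GENERIC_ALL, [ref]$sa)
[void][Win32.Desk]::LocalFree($sd)
if ($hDesk -eq [IntPtr]::Zero) { throw "CreateDesktop failed, error $(Get-LastErr)" }
"1. locked   : OpenDesktop -> $(Test-DesktopOpen $name); enumerated: $((Get-DesktopNames) -contains $name)"

# 2. Launch window: grant only the current user, only while the app starts.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Set-DesktopDacl $hDesk "D:P(A;;GA;;;$me)"
"2. relaxed  : OpenDesktop -> $(Test-DesktopOpen $name)"
# (the protected application would be started here with STARTUPINFO.lpDesktop = "WinSta0\$name")

# 3. Restore the empty protected DACL as soon as initialization is done.
Set-DesktopDacl $hDesk 'D:P'
"3. restored : OpenDesktop -> $(Test-DesktopOpen $name); enumerated: $((Get-DesktopNames) -contains $name)"
[void][Win32.Desk]::CloseDesktop($hDesk)
```

Two points worth checking when running this: in steps 1 and 3 the fresh OpenDesktop should fail with Win32 error 5 (ERROR_ACCESS_DENIED) and the name should be absent from the EnumDesktops list, while in step 2 it opens; and the restore step works only because the creator's handle was requested with GENERIC_ALL, which includes WRITE_DAC, and because an object's owner keeps implicit READ_CONTROL and WRITE_DAC even under an empty DACL. That implicit owner right is also why the talk pairs the D:P descriptor with the Window-Station-level enumeration block and a very short launch window rather than treating the DACL alone as sufficient.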
Finally, I will show the security contrast observed in the experiments: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, while the same attacker is unable to attach to and spy from a desktop created by DesktopRanger. I will also discuss how this design can be strengthened with the open-source MemoryRanger bare-metal hypervisor to protect relevant kernel-side security structures against tampering and BYOVD-style abuse.
The talk is intended for developers of password managers, desktop security tools, and other Free Software projects that need reliable secure-input mechanisms on Windows.
Igor Korkin, Ph.D., is a security researcher, developer, and innovator with over 15 years of experience in system security—holding a Huawei security patent, authoring over 50 research papers and a monograph Kernel Protection of Operating Systems Under Countermeasures.
Specializing in advanced security research and development, he focuses on Windows and Linux kernel security, Rootkit Detection, Memory Forensics, Bare-metal Hypervisors, Data Storage Protection, Ransomware Defense, and Evasion Techniques.
He is open to new challenges and international collaboration, seeking opportunities to work with global partners on innovative security projects.