Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?

No. But of course, nothing is that simple.

Worried your computer is secretly saving everything you type? It’s not. While there are hidden files and places keystrokes can live temporarily, there’s no master file of your entire typing history (unless malware is involved). Learn what’s real, what’s myth, and how to truly erase your data.
Typing on a Laptop
(Image: adobestock.com)
Question: This is a multi-part question and pertains to computer forensics — specifically, locating those mysterious, deeply hidden files that (supposedly) contain your computer’s entire history — every keystroke ever made. Accessing those files. Viewing the contents. Deleting the contents. Understanding how a utility like DBAN can “find” and nuke them, but I, as the computer owner, can’t. And finally, if every keystroke has been recorded to some hidden file, how come it doesn’t wipe out available space on my hard drive?

This is a relatively persistent family of questions that come around from time to time, particularly in times of concern about individual privacy.

These questions exhibit several misconceptions.

However, those misconceptions are based on kernels of truth. I can’t just say, “That’s wrong”; instead, it’s more a case of “It’s not like that, it’s like this.”

Let’s see if I can clear up the confusion. To do so, we need to talk about keystrokes, loggers, hidden files, erasing files, and really erasing files.

TL;DR:

A record of every keystroke ever?

No, your computer isn’t secretly saving every word you type. Some programs and parts of your computer remember things for a short time, but nothing keeps it all forever… unless, of course, you’ve got malware. Stay safe, and you don’t need to worry. Just erase things properly when you’re done.

Recording keystrokes

Let’s start with this: There is no hidden file containing every keystroke you’ve ever typed on your computer.

If every keystroke were being recorded somehow, there’s no way it would still be some kind of secret. We’d be hearing about a lot more successful prosecution of cyber criminals, along with a plethora of lawsuits regarding privacy concerns.

So no, there is no hidden permanent record of every keystroke recorded by the operating system, drivers, or other official software.

However, there are a few kernels of truth in the question.

  • As I write this, every keystroke is being recorded to create this article. That’s what we would expect. The documents you create and the emails you send are all records of your keystrokes.
  • Keyboard buffers hold every keystroke for a while. These allow you to keep typing while your computer is doing something else. When the computer is ready, everything you typed suddenly appears. Those buffers range anywhere from a few bytes to several thousand, and as they fill up, they remove older keystrokes to make room. Normally, they’re in memory only; turn your computer off, and they’re gone. There may also be one in your actual keyboard, but again, turn the power off, and it’s gone too.
  • Keyboard buffers may be written to disk-swap files as the operating system manages memory between all the running programs. If you turn off your computer, the swap file remains. It could be recovered and examined. It’s easy to get the swap file but extremely difficult to make sense of its contents. There’s no predicting what the swap file will contain or for how long it will survive.

It’s also worth remembering that all bets are off if you have malware such as a keystroke logger.

Ask Leo! is temporarily Ad-Free!
Help make it permanent by becoming a Patron.

Keystroke loggers

Keystroke loggers, or “keyloggers”, are a type of malware that hackers use to gain access to your usernames and passwords. As its name implies, keyloggers record or “log” every keystroke and send them off to the hacker, typically over the internet. Once sent, of course, there’s nothing you can do.

I often hear from people asking if one technique or another will somehow “bypass” keyloggers so they can log in safely without the keylogger logging anything. The answer is no. There are two important points to realize about keyloggers.

  • A keylogger is just malware that happens to log keystrokes.
  • As malware, a keylogger can also do anything else it wants, including logging whatever fancy trick you use to bypass it.

From my perspective, malware, including keystroke loggers, is the only practical reason for concern about keeping any record of your keystrokes.

The good news is that since keyloggers are just malware, the techniques you already have in place to avoid malware will keep you safe.

Hidden files

The amount of data that would be collected by recording every keystroke is no longer a reason why it couldn’t be done.

Let’s say you’re a prolific typist, and you type 100,000 keystrokes a day (that’s over three keystrokes every second for a solid eight-hour work day). In a year, that adds up to 36 megabytes of data. Keep your computer for 10 years, and that’s 360 megabytes. On today’s hard disks, that’s next to nothing. You’d probably never notice it.

So are all your keystrokes being written to some hidden file? No.

But there are hidden files on your machine.

  • There are files marked with the “hidden” file attribute. The operating system itself uses this attribute to hide some of its files from casual observers. The system swap file, typically in the root of the C: drive, is a common example. These are easy to find, since both Windows File Explorer and the Command Prompt “DIR” command can be instructed to display files that have this “hidden” attribute.
  • There are sometimes “hidden” partitions on the hard drive. Many computer manufacturers, as well as recent versions of Windows, now use them to store recovery data. These are easy to see with Windows’ built-in disk management tool or any partition management software.
  • There’s an obscure form of hidden data possible in files stored on a disk that’s formatted using the NTFS file system. NTFS supports something called alternate data streams. Not many people know about this feature, and though it’s not difficult to detect whether it’s been used.
  • Lastly, there are techniques, such as VeraCrypt’s “Hidden Volume”, which use various approaches to hiding data within other data.

As you can see, there’s a potential for a lot of hidden information on your PC.

But none of them contains every keystroke you’ve ever typed. 🙂

Deleting files

We also need to understand how files are deleted, because that can cause a different type of “hidden” file: remnants of previously deleted files.

When a file is deleted, its contents are not removed. Instead, the space the file formerly occupied is marked as available for another file to be written to later. Until the overwrite happens, the original deleted information is still there.

This is how many undelete and data-recovery utilities work. It’s also why most of those utilities recommend you stop using your disk if you accidentally delete something; that avoids overwriting the deleted area with something new. So just deleting something doesn’t mean it’s immediately or completely gone.

The article How Does Secure Delete Work? goes into this in more detail, including the steps to take to make sure that your deleted files are really gone.

Which brings us to DBAN.

Drive-wiping utilities

The utility you mention, DBAN, doesn’t find files at all.

But once again, there’s a kernel of truth: it erases your files — all of them.

How? It securely erases everything. Paying no attention to what’s stored on it, DBAN overwrites the entire contents of a hard disk — every sector, whether used or not.

Do this

As long as you follow the fundamentals of keeping your computer safe on the internet, keystroke recording is not something you need to worry about at all. Even then, as I’ve said before, unless you’re doing something illegal or secretive, you’re just not that interesting.

When the time comes to dispose of hardware such as your disk drive, tools like DBAN are a fine way to make sure your private information is sufficiently erased.

Each week, I try to help by removing confusion and explaining some of the complexities of life in the digital age. Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

8 comments on “Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?”

  1. I get an email with files attached. One is a zip, one is word. I am sure at least one contains a keylogger. Knowing this, I have a second, old laptop I use exclusively to open and save attachments from this person. If I put any of the files onto a thumb drive and open on my regular laptop, is the keylogger then activated on that machine? Basically, do keylogger infected files keep that ability, even when transferred between machines via external storage devices? Thanks for your help.

    Reply
    • It depends on what you meant by “opening”. For a key logger to take effect you’d have to run the infected file on your computer. If it’s an .exe file, you would have to run it and agree to the UAC warning. In the case of an infected Word file, open it in Word. Recent versions of Word, by default, warn you of any files containing macros, executable code which runs on your machine. Trying to run an installation program or any program which makes system changes will result in a UAC warning which you have to consent to to run. Those aren’t perfect but offer protection. If you clicked yes to a UAC warning or agreed to run Word macros, malware might have been installed if the files were infected.
      I don’t know what you mean by “keep that ability”. As long as those files exist on an medium, they are executable.
      If you don’t trust emails from someone, mark their emails as spam and avoid opening their attachments.
      If you’re not sure if you have malware, follow the steps in this article: How to Remove Malware.

      Reply
  2. Where do the hidden files from keyloggers (malware) get stored? In temp folders? I’ve just looked at one Temp folder & found lots of strange files created recently.

    Reply
  3. So, essentially, I’m a student and there are these weekly discussion boards, per class, in my online college course on Moodle. And these discussion-boards are set up fairly user-friendly. After making one’s initial post in response to that week’s “discussion question”, 2 replies are owed by that week’s end. You can fulfil those tasks by either pressing the reply button and then directly typing your response into the provided answering box or uploading a previously finished and saved document from the “folders” shortcut appropriate to task at hand. Alas, my problem and thus, subjacent question is that of this: Is there any way to find and retrieve what one has typed (I guess sort of like keystrokes) if there was an unintentional (by accident and misfortunate) page-redirect/closure? I used the right mouse key to bring up the command bar for accessing the “look up definition?” button for a word I highlighted to inspect, and it REDIRECTED me OUT of the answer forum page to this a whole other new page to land me on some little search bar in regard to looking up that “inspected word.” Not the link to an answer, but a link to another link for again, asking for the same answer! Obviously being the bearer of my bad news, my back button didn’t suffice. Nothing to find in my History for neither my laptop’s internal memory, Google’s memory or even Moodle’s. I looked everywhere I can think of. Being that I haven’t yet shutdown my laptop since the incident, nor attempted to mess with deleting or clearing any “catch” or web history or anything like that.. do I still have a chance at finding/retrieving my wayward discussion answer?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.