ClipboardMonitor is a lightweight background utility that tracks clipboard usage. It:
- filters text for high-risk tokens (POWERSHELL, MSHTA, CMD, MSIEXEC, etc.) copied from well-known browsers, and submits matches to AMSI for antivirus verdicts;
- detects payment-card PANs, masks them, and scrubs the clipboard (sample DLP);
- warns the user if they press Win + R within 30 s of a risky copy;
- logs every incident asynchronously to the Windows Event Log;
- uses a toast notification to inform the user.
Logs are written to the Windows Event Log. Creating (or removing) the log source requires elevation.
- Open an elevated PowerShell / CMD window and run ClipboardMonitor -i (or /i, --install) to register the event-log source.
- Launch ClipboardMonitor.exe normally (or place it in Startup / Task Scheduler).
- Done.
Run as Administrator: ClipboardMonitor -u (or /u, --uninstall) to remove the event-log source.
USAGE: ClipboardMonitor [ARGUMENTS]
-i,/i,--install Registers the Windows-Event-Log source (Admin required).
-u,/u,--uninstall Removes the Windows-Event-Log source (Admin required).
-?, -h, /h, --help Displays this message box.
ClipboardMonitor itself runs fine under a standard user account.
An optional ENABLE_CRITICAL_PROCESS block (currently commented-out for safety) can mark the process as critical; if re-enabled and the process is forcibly terminated, Windows will bug-check with CRITICAL_PROCESS_DIED. Enable only in hardened production builds, never during normal development.
The application and test projects are built with .NET Framework 4.8.1 and WPF/C# 7.x, using WinForms components when needed.
Open the solution in Visual Studio (with .NET Desktop Development workload).
I'd like to present my gratitude to:
- Tim MalcomVetter for the UnstoppableService that provides a single-executable Windows service with installer capability, similar to Sysmon.
- Gérald Barré, aka Meziantou, for the AMSI in .NET article.
- Eric Lawrence for ClipShield and his attack-techniques article.