User monitoring with Revealer Keylogger

Revealer Keylogger Free Edition (rkfree) is an easy-to-use, proprietary keylogger for Windows available at no cost. It won’t do for forensic use, but might serve the needs of casual users.

The no-cost version is clearly visible in the Windows task manager as rkfree.exe, “Revealer keylogger Free Edition”. The paid version (€25) claims to be invisible to the task manager and adds remote log delivery (email, FTP). All versions have a scheduled uninstall feature, which would be useful in conjunction with remote log delivery.

The following discusses the no-cost version.

The makers’ website has a poor reputation on WOT, but the software is considered safe by Cnet. The website’s secure certificate (seen when requesting the https version of the website) looked suspicious in August 2011; use caution if providing data.

In July 2011, rkfree was detected by F-Prot upon installation and by Ad-Aware on running, but was not detected by Windows Defender.

Download rkfree and install it in the normal manner. An MSI installer is not available, making institution-wide deployment tedious.

Rkfree installs to %SystemDrive%\Program Files\rkfree. The installation location is hardcoded, so it goes there even on versions of Windows localized into languages other than English.

Once installed, open the control panel with the default keybinding Ctrl+Alt+F9 and configure as desired.

Open the control panel as described above to view the key logs. Logs appear in an easy-to-read format that is fine for casual use. Forensic analysis would need output in a format useful for filtering and parsing, such as that produced by PyKeylogger.

The raw logs are found (on XP) at %SystemDrive%\Documents and Settings\All Users\Program Data\rkfree\data\WINDOWS-USERNAME, with log names taking the format DDMMYYYY.rvl. The raw logs are in an undocumented binary format.

Logs can be manually saved as plain text files. On one installation on Windows 7, they were saved in UTF-16 encoding with no apparent way to change this; I had to convert them to UTF-8 (gedit can do this) before I could use tools such as egrep on the logs.

The control panel contains an uninstallation option. If you excluded rkfree from any malware scanners upon installation, remember to remove the exclusions.
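The install directory and raw log location given above are enough to inventory a machine for rkfree, for instance when auditing which accounts were logged and on which days. The following Python sketch is an added example, not part of rkfree or of the original notes; the function names are hypothetical, and the data path is the XP one quoted above, so adjust the constant for other Windows versions.

```python
import re
from datetime import date
from pathlib import Path

# Paths as given in these notes (the data path is the XP one), relative to %SystemDrive%.
INSTALL_DIR = Path("Program Files/rkfree")
DATA_DIR = Path("Documents and Settings/All Users/Program Data/rkfree/data")
LOG_NAME = re.compile(r"^(\d{2})(\d{2})(\d{4})\.rvl$", re.IGNORECASE)


def parse_log_date(filename):
    """Return the date encoded in a DDMMYYYY.rvl name, or None if it does not fit."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # digits that are not a real calendar date, e.g. 31022011.rvl
        return None


def find_rkfree_artifacts(system_drive):
    """Report the install directory and per-user log dates found under system_drive."""
    root = Path(system_drive)
    report = {"installed": (root / INSTALL_DIR).is_dir(), "logs": {}, "unparsed": []}
    data = root / DATA_DIR
    if not data.is_dir():
        return report
    # One subdirectory per Windows user name, each holding DDMMYYYY.rvl files.
    for user_dir in sorted(p for p in data.iterdir() if p.is_dir()):
        dates = []
        for f in user_dir.iterdir():
            if f.suffix.lower() != ".rvl":
                continue
            d = parse_log_date(f.name)
            if d:
                dates.append(d)
            else:
                report["unparsed"].append(str(f))  # .rvl file with an unexpected name
        report["logs"][user_dir.name] = sorted(dates)
    return report


if __name__ == "__main__":
    import os
    print(find_rkfree_artifacts(os.environ.get("SystemDrive", "C:") + os.sep))
```

The script only reads directory listings and file names; it does not attempt to decode the undocumented .rvl contents.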

Impress on the client the need to comply with local law and to use common sense when implementing user monitoring. Regardless of local law or custom, it is usually wise to clearly inform employees what constitutes acceptable use of employer-provided computers and that management reserves the right to monitor compliance.

Alternatives to rkfree
Excluding files from malware scanners

These notes are based upon Revealer Keylogger Free Edition 1.4 and were last updated 11 August 2011.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?

3 Responses to User monitoring with Revealer Keylogger

  1. Pingback: User monitoring software for Windows | A maze of twisty little passages

  2. Omprakash Jha says:


    This morning I found the logs missing from my interface of Revealer keyloggers. But the data is saved on my laptop in .rvl format, which is not readable. How do I convert these .rvl log files into any other readable format?

    • Balazs says:

      A friend of mine is facing the same issue. :( Have you maybe succeeded in converting the rvl files, or have you maybe tried to copy the logs and only put back the one you would like the program to load (or maybe a bunch of them)? I am just thinking about this because suddenly the application behaves so that it only shows the actual day's log and not the prior ones (as you described), but also the Import button does not work (I thought it should open/read the selected file).
      Thanks in advance,
      Kind regards,
