Desktop Shark is a proprietary keylogger for Windows. On the installations I tested, the keylogger missed more than 80% of keystrokes, and what was captured was written across multiple log files in an undocumented non-chronological manner. The following notes document what I learned while reviewing Desktop Shark for an institutional client, but I found both the software and support to be totally unsatisfactory.
Desktop Shark requires .NET Framework 2.0 or later, which is shipped with Windows Vista and later. The Desktop Shark installer will offer to download and install an appropriate version of .NET Framework if needed. However, the one time I tested this, on an unpatched XP SP2 box, Desktop Shark installed without apparent error but did not work.
In July 2011, Desktop Shark was not detected by F-Prot or Windows Defender.
INSTALLATION AND CONFIGURATION
Download Desktop Shark and install it in the normal manner. An MSI installer is not available, making institution-wide deployment tedious. TODO: Note if installing as administrator is recommended.
By default, the installer will place shortcuts to the application on the desktop and application menu of both the installing user and the administrative account. Under most circumstances you will want to immediately delete these. Desktop Shark does not, however, appear on the list of installed applications, nor is its presence revealed by CCleaner.
Desktop Shark is installed to %SystemDrive%\DS\, a hidden directory. Henceforth I shall refer to this location as the installation root.
Desktop Shark’s administrative console can be opened by any of the following means:
- From the application menu or a desktop shortcut. As mentioned above, however, you will probably want to delete these items.
- By entering the application’s passphrase (by default, “desktopshark”) or keybinding (by default, tab – home – end). These methods were unreliable on the installations I tested and for that reason I deactivated them.
- By directly running the executable Desktop Shark.exe in the installation root. This was the only method that was reliable for me.
Whichever way you open it, be aware that even on modern hardware it can take several seconds for the console to appear.
Once open, go to Application Settings and configure as desired. My preferred settings include:
- General: Enable automatic updates and running on Windows startup.
- Console unlocker – Secret text: As there appears to be no way to disable this feature, I enter a long random string of characters and save it.
- Key combination to open console: Disabled.
The console contains scripts to check for updates and to uninstall. The uninstall script leaves behind the installation root directory, which must be deleted manually.
Open the console as described above to view the key log. TODO: Finish this section.
Logs are saved to the Logs directory in the installation root. The active log is a plain text file; previous logs are zipped. It is only practical to review the logs from within the application, however: data is not logged chronologically. Further, Desktop Shark’s compression is buggy, so you will need to suppress stderr when using tools such as zegrep on compressed logs.
Email support is provided, but the one time I used it I was curtly informed that the problem I was reporting, unrecorded keystrokes, was impossible.
The console contains an uninstall script. It silently fails to remove the installation root directory and the directories %SystemDrive%\Users\USERNAME\AppData\Local\Desktop Shark\, where USERNAME is every user account that Desktop Shark monitored. All of these directories must be deleted manually.
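The following is an added example, not part of the original notes and not vendor code: a Python check for the directories named above, usable to confirm a machine is clean after uninstalling or to audit a machine for an unexpected install. The function name, the result labels, running it against a mounted disk image, and treating a missing executable as uninstall residue are assumptions of this example.

```python
import sys
from pathlib import Path

# Locations taken from the notes above, relative to the system drive.
INSTALL_DIR = "DS"
EXECUTABLE = "Desktop Shark.exe"
PROFILE_SUBDIR = Path("AppData", "Local", "Desktop Shark")


def find_artifacts(system_drive):
    """Return (kind, path) tuples for Desktop Shark traces under system_drive.

    system_drive may be a live drive such as "C:\\" or the mount point of a
    disk image (the mount-point use is an assumption of this example).
    """
    root = Path(system_drive)
    found = []

    install_root = root / INSTALL_DIR
    # The Hidden attribute only affects directory listings; a direct path
    # check still sees the directory.
    if install_root.is_dir():
        # Assumption: a directory without the executable is uninstall residue.
        live = (install_root / EXECUTABLE).is_file()
        found.append(("installed" if live else "residue", install_root))
        if (install_root / "Logs").is_dir():
            found.append(("logs", install_root / "Logs"))

    users = root / "Users"
    if users.is_dir():
        for profile in sorted(users.iterdir()):
            try:
                if (profile / PROFILE_SUBDIR).is_dir():
                    found.append(("profile-data", profile / PROFILE_SUBDIR))
            except PermissionError:
                # Profile not readable: rerun elevated before calling it clean.
                found.append(("unreadable", profile))
    return found


if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    hits = find_artifacts(drive)
    for kind, path in hits:
        print(f"{kind:13} {path}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when anything is found, so it can be run across many machines and the results collected by exit code.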
Impress on the client the need to comply with local law and to use common sense when implementing user monitoring. Regardless of local law or custom, it is usually wise to clearly inform employees what constitutes acceptable use of employer-provided computers and that management reserves the right to monitor compliance.
These notes are based upon Desktop Shark 2.82 and were last updated 30 July 2011.