JB via volatility-labs.blogspot.in, 8 months ago
We previously discussed sessions, which are containers for processes and other objects related to a user's logon session. Among those other objects are window stations, which act as security boundaries for processes and desktops. If you're not already familiar with these objects, see Sessions, Desktops, and Window Stations (TechNet) or Window Stations and Desktops (MSDN). From a forensic standpoint, by analyzing window station objects, you can detect applications snooping on clipboard activity, along with the frequency of clipboard usage and the available data formats.