Yes, and no.
Recommendation:
Run Multikey only in a dedicated VM or offline environment if you are unsure of the source. multikey 181 x64 upd
The "x64" in the filename is historically significant. Yes, and no
If deployed in an enterprise, MultiKey 181 x64 leaves traces: Recommendation: Run Multikey only in a dedicated VM
| Artifact | Location |
|----------|----------|
| Driver binary | C:\Windows\System32\drivers\multikey*.sys |
| Service registry | HKLM\SYSTEM\CurrentControlSet\Services\MultiKey |
| Loaded dumps | %ProgramData%\MultiKey\Dumps\*.dng |
| RPC endpoint | netstat -ano | findstr 27000 |
| Event log entry | EventID 7045 (service install) |
MultiKey 181 x64 operates as a kernel-level driver (mk.sys or multikey.sys) with a user-mode service wrapper (mksvr.exe). The 64-bit version is required for systems with Kernel Patch Protection (KPP / PatchGuard) enabled.
Download Windows Device Console (devcon.exe), then:
devcon.exe install multikey.inf "Root\Multikey"