Low Risk | Windows | screenpresso.exe | EXECUTABLE
Screenpresso - Screen Capture and Recording Tool [2026]
Screenpresso is a screenshot and screen recording tool. While legitimate, it can be abused for surveillance, credential capture via screenshots, and corporate espionage.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Medium |
| Prevalence | Common |
| Risk Score | 35/100 |

Screenpresso is a legitimate screen capture tool that can be abused for surveillance and credential theft via screenshots.
Overview
What is screenpresso.exe?
Screenpresso is a screen capture and screen recording tool developed by Learnpulse SAS.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | Screenpresso.exe |
| Developer | Learnpulse SAS |
| Digital Signature | LEARNPULSE SAS |
| Typical Size | 15-30 MB |
| Type | Screen Capture |
Technical Details
| Property | Description |
|---|---|
| Process Type | User Application |
| Hotkey Capture | PrintScreen integration |
| Features | Screenshots, video recording, editing |
| Cloud | Optional cloud sharing |
Screenpresso is popular for documentation, tutorials, and bug reporting.
Normal Behavior
Legitimate Usage Patterns
```
Screenpresso.exe          (Main application)
Screenpresso.exe /start   (Start minimized)
Screenpresso.exe /video   (Start video recording)
```
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | explorer.exe |
| User Context | Current user |
| Hotkeys | PrintScreen, Ctrl+PrintScreen |
| Tray Icon | System tray presence |
Storage Locations
| Content | Default Location |
|---|---|
| Screenshots | Documents\Screenpresso |
| Videos | Documents\Screenpresso |
| Quick Access | System tray history |
Common Locations
```
C:\Program Files (x86)\Screenpresso\Screenpresso.exe
C:\Users\<user>\AppData\Local\Learnpulse\Screenpresso\Screenpresso.exe
```
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Hidden operation | High | Running without tray icon |
| Scheduled screenshots | High | Automated capture |
| Cloud upload to unknown | High | Exfiltration |
| Installed without consent | Medium | Surveillance tool |
Surveillance Patterns
Concerning Behaviors:
- Running at startup without user knowledge
- Continuous video recording
- Screenshots uploaded to cloud
- Targeting specific applications
- Running on multiple workstations
Credential Capture Risk
| Scenario | Method |
|---|---|
| Password entry | Screenshot during input |
| Sensitive documents | Capture confidential info |
| Screen recording | Record complete sessions |
| Cloud sharing | Automatic upload |
Abuse Techniques
Surveillance
Surveillance Scenario:
1. Install Screenpresso on target (or use existing)
2. Configure automatic startup
3. Set up scheduled screenshots
4. Configure cloud upload
5. Monitor victim activity remotely
Credential Capture
Credential Theft:
1. Run Screenpresso in background
2. Capture screenshots periodically
3. Target password managers, banking
4. Extract credentials from images
5. Exfiltrate screenshots
Corporate Espionage
| Technique | Implementation |
|---|---|
| Document capture | Screenshot sensitive documents |
| Meeting recording | Capture video conferences |
| Email capture | Screenshot confidential emails |
| Source code | Capture development screens |
Automated Collection
```batch
:: Startup with auto-recording
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Screenpresso" /t REG_SZ /d "C:\path\Screenpresso.exe /video"
```
Detection Guidance
Sysmon Configuration
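```xml
<RuleGroup name="Screenpresso Monitoring" groupRelation="or">
  <!-- Log every Screenpresso process start -->
  <ProcessCreate onmatch="include">
    <Image condition="contains">Screenpresso</Image>
  </ProcessCreate>
  <FileCreate onmatch="include">
    <!-- Both conditions must hold; without the "and" rule they are ORed
         and every .png written by any process would be logged -->
    <Rule name="Screenpresso PNG capture" groupRelation="and">
      <Image condition="contains">Screenpresso</Image>
      <TargetFilename condition="end with">.png</TargetFilename>
    </Rule>
  </FileCreate>
</RuleGroup>
```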
Sigma Rule
```yaml
title: Screenpresso Execution Detection
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|contains: 'Screenpresso'
  suspicious:
    CommandLine|contains:
      - '/video'
      - '/start'
  condition: selection and suspicious
falsepositives:
  - Legitimate documentation
level: low
```
KQL Query
```kusto
DeviceProcessEvents
| where FileName contains "Screenpresso"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

// Screenshot file creation
DeviceFileEvents
| where InitiatingProcessFileName contains "Screenpresso"
| where FileName endswith ".png" or FileName endswith ".mp4"
| summarize FileCount = count() by DeviceName, bin(Timestamp, 1h)
```
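The rules above match on the process name and switches only. The following added example (not part of the original page) also checks each process-creation event against the expected parent process and common install locations listed earlier, to rank hits for review. The parameter names, the finding labels, the severity ranking and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Baseline from the page: expected parent and the two common install locations.
EXPECTED_PARENT = "explorer.exe"
KNOWN_PATHS = (
    re.compile(r"c:\\program files \(x86\)\\screenpresso\\screenpresso\.exe"),
    re.compile(r"c:\\users\\[^\\]+\\appdata\\local\\learnpulse\\screenpresso\\screenpresso\.exe"),
)
SWITCHES = ("/video", "/start")  # switches listed on the page


def triage(image, parent_image, command_line):
    """Findings for one process-creation event, or None if it is not Screenpresso.
    Parameter names are assumptions modelled on Sysmon Event ID 1 fields."""
    image = image.lower()
    if "screenpresso" not in ntpath.basename(image):
        return None
    findings = []
    if not any(p.fullmatch(image) for p in KNOWN_PATHS):
        findings.append("unexpected_path")
    if ntpath.basename(parent_image).lower() != EXPECTED_PARENT:
        findings.append("unexpected_parent")
    tokens = command_line.lower().split()
    findings += [f"switch:{s}" for s in SWITCHES if s in tokens]
    return findings


def severity(findings):
    """Recording started from an odd path or parent outranks a plain launch."""
    odd = {"unexpected_path", "unexpected_parent"} & set(findings)
    if "switch:/video" in findings and odd:
        return "high"
    if odd or "switch:/video" in findings:
        return "medium"
    return "low"


# Constructed sample events (image, parent, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Screenpresso\Screenpresso.exe",
     r"C:\Windows\explorer.exe", "Screenpresso.exe"),
    (r"C:\Users\alice\AppData\Local\Learnpulse\Screenpresso\Screenpresso.exe",
     r"C:\Windows\explorer.exe", "Screenpresso.exe /video"),
    (r"C:\ProgramData\tmp\Screenpresso.exe",
     r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\tmp\Screenpresso.exe /video"),
]

for event in SAMPLE_EVENTS:
    print(severity(triage(*event)), event[0])
```

Run-key entries are launched by explorer.exe at logon, so the parent check separates interactive and logon launches from script, service or scheduled-task launches; startup persistence still has to be found through the startup-entry check in the Assessment section.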
Remediation Steps
Assessment
```powershell
# Find Screenpresso
Get-ChildItem -Path C:\ -Recurse -Filter "Screenpresso*.exe" -ErrorAction SilentlyContinue

# Check startup entries
Get-CimInstance Win32_StartupCommand | Where-Object { $_.Command -like "*Screenpresso*" }

# Find screenshots
Get-ChildItem -Path "$env:USERPROFILE\Documents\Screenpresso" -Recurse
```
Policy Considerations
| Context | Response |
|---|---|
| Approved tool | Monitor for abuse |
| Unknown installation | Investigate |
| Automatic upload enabled | Review cloud settings |
Enterprise Controls
| Control | Implementation |
|---|---|
| Approved usage | Define acceptable use |
| Cloud restrictions | Block cloud upload |
| Monitoring | Log screenshot activity |
Investigation Checklist
Installation Analysis
- When was Screenpresso installed?
- Who installed it?
- Is it an approved application?
- What version is running?
Configuration Review
- Is video recording configured?
- Are there scheduled captures?
- Is cloud upload enabled?
- What are the capture hotkeys?
Output Analysis
- Where are captures stored?
- What content has been captured?
- Were sensitive screens captured?
- Are captures being uploaded?
Usage Pattern
- When is Screenpresso used?
- What applications are captured?
- Is there unusual volume?