SpyShelter Detailed User Guide

Downloading and Installing

To begin using SpyShelter, first download it from our website (opens in a new tab). Once you’ve found the installer double click it, then click next to continue until SpyShelter is installed and running.

To install SpyShelter silently in an IT environment, use the /silent command with the Windows Command Prompt.

To install SpyShelter clean with all the default settings and no data from a previous install, please use the /clean command with the Windows Command Prompt. All previous data will be deleted with a clean install.


When SpyShelter first launches you’ll be greeted with the Activity screen. The Activity screen shows a graph of how many executables are running on your PC at any time, and shows that SpyShelter is actively checking those executables for known threats.

As a new user, you will most likely see many +1 icons, which you can click to learn more about. +1 icons mean that this is a new executable that SpyShelter has never seen before on your PC. As a new user, SpyShelter will find many new executables and these +1 alerts may be noisy at first but will soon die down as SpyShelter monitors all your executables.

At the top right of the graph, you’ll see a small Terminal icon. Click this icon to see SpyShelter’s Terminal feature. This feature shows you the real-time activity of all the executables on your PC in a computer terminal style. When developing SpyShelter we learned that many executables start and stop so suddenly, they don’t even appear in the task manager. However, SpyShelter should always show all executable activity in the Terminal, even if the executable starts and stops in milliseconds.

Under the graph and Terminal is a search box. Here you can type in a partial name, or full name of any executable and it will start to appear in the results. To the right of the search box is the “view” pull-down menu. Choose this menu to change to a Publisher view if you prefer to have your activate processes sorted by Publisher. This view will put any unsigned processes at the top of the list, to bring them to your attention.

Below the search box and view option you’ll see a list of active processes that are running on your PC. You can tell they are running because they have a small blue dot next to their names. Please note that some processes can start and stop in milliseconds. To keep you from missing these strangely be having processes, we keep them listed on our activity tab for a little while after they exit so you can see their behavior. If you see a process with an empty dot, then it means that it recently exited and it’s no longer running. You may also notice these dots on different SpyShelter screens to help you quickly understand if a process is active or not.

In the app list, the apps are divided into Apps or Background Processes categories. “Apps" refer to software programs with user interfaces for tasks like web browsing or document editing, whereas "background processes" operate behind the scenes, managing system resources and supporting the operating system.

On the left side of SpyShelter’s Activity window you will see a Safe or Threat designation. This means SpyShelter has scanned this executable for known threats and has found that it is most likely Safe. If a Threat is found, SpyShelter will automatically quarantine it and disable it and its designation will appear as a “Threat”.

You may also see x3 or something similar next to some process names. This means there are that many (3) instances of that process running on your PC.

If you want to know details about any executable in the list, click its icon and a side drawer will open with more details. Check the Side Drawers section of the help guide below to learn more about this feature.

To the right of the process name you’ll see a publisher name if the process is signed. The publisher’s name will be in grey text.

Right next to the publisher's name, you will find a three dot menu. Under the menu you can choose to trust an application so it can do whatever it wants on your PC, get details about an application to learn more about it, make a new SpyShelter rule for an application to control what it’s allowed to do, or forget an application (that is no longer running or present) where it no longer appears in SpyShelter.

You may also see different green colored icons that represent the activities that have taken place with that executable. For example, you might see an icon of Four Green Stacked Boxes. This shows that the program has or can make changes to the Windows Registry. If these boxes are red and crossed out, it means the program is prevented from making these changes by a SpyShelter rule.

The color coding of the icons is straightforward. Green Icons signify that an action is allowed by a SpyShelter rule, regardless of whether it has occurred. Conversely, Red Icons signal that an action is blocked by a rule. For example, if you see a red microphone icon then it means that mic access is blocked by SpyShelter for that specific application.

The rules

Look at the bottom of the SpyShelter main window and find the Rules tab. Click the tab to see all of SpyShelter’s Windows Application Control Rules.

You’ll quickly notice some publishers are marked as Trusted with a seal icon showing a check mark in the middle. We mark all Microsoft specific publishers as Trusted by default. It’s important to do so or your PC may not function properly. For example, if you did not trust a specific Microsoft driver that controls your PC monitor and it was terminated by a rule, then your screen could turn black and not function until you re-enable the driver.

Do you have some publishers of certain software on your PC that you fully trust? For example, someone may want to trust the Mozilla Corporation, the makers of the Firefox browser. To do so you would find the row with Mozilla, then mouse over that row and a “…” three dot menu will appear at the opposite side of the row far to the right. Click that three-dot menu to choose to Trust that publisher.

Or let’s say you accidentally installed an app that included a bundled toolbar, or some other type of software from an adware publisher you despise. In this case you can find that adware publisher name, then quarantine that publisher. Now if any application from that publisher tries to launch anytime in the future it should fail.

You can also quarantine specific apps and trust specific apps using this same method. If you wanted to trust only one specific app under one publisher, you can do so by clicking its three-dot menu.

To find any publisher or app use the top search bar. You can also sort by App Launch, Registry Key Modification, Camera Access, Mic Access, and File Access under the Rules menu directly under the search bar, on the left side.

If you only want to see apps and publishers with rules, choose the Has Rules button under the search bar. To quickly sort Trusted items, click Trusted. Quarantined allows you to quickly find the quarantined apps or publishers.

Activities can let you show what apps have already had App Launches, Registry Key Modifications, Mic Access, Camera Access, or File access. File access refers to our protected file feature under the SpyShelter Protection tab, so it may not show any options unless you actively use this feature.

If you use Paranoid or Suspicious SpyShelter Protection modes, you may receive Allow or Deny windows. If that’s the case, then every time you Allow or Deny an action, a rule will appear on this rules screen. So, if you make a mistake with an Allow or Deny prompt, you can always go to this screen and fix the issue immediately.

To un-quarantine an app or publisher. First click the "..." three dot menu in the same row as the app or publisher you want to un-quarantine. Next choose Rules under the three dot menu. Change the red colored Deny option by clicking it, and then choose Remove Rule. Now the rule is removed, and the app can launch.


Next, click SpyShelter’s Protection tab to see all of SpyShelter’s Antispyware protection features. At the top middle you will see SpyShelter’s different protection modes. All Off shuts off all of SpyShelter’s security features. If you are having a technical issue with your PC and you want to quickly rule out SpyShelter, you should change your mode to All Off, then try to recreate the issue.

Paranoid is our most strict security mode. In this mode all security settings are set to high and all applications that aren’t trusted should be controlled by SpyShelter so you can Allow or Deny their behaviors. SpyShelter will automatically quarantine all known executable threats, but in this mode SpyShelter will also stop and ask you to Allow or Deny any untrusted app changes. For example, if you install a new software then before the installer can start SpyShelter will ask you if you really want to allow this software to launch.

Suspicious mode only stops and shows Allow or Deny windows for unsinged executables that have no publisher. So, in this case, if you download software and launch the installer SpyShelter will allow it to run as long as it’s signed by a publisher. The software will also be allowed to take any action, like Registry changes, as long as it’s signed.

If you change any of the settings under the Protection screen, then your mode will be changed to Custom mode. Because you have made a change that changes you from the strict Paranoid or Suspicious modes.

Easy mode is our default simple mode that anyone can use to help protect their PC from spyware. Just turn on this mode and that’s it. SpyShelter will look for known executable threats, then quarantine them for you. There is nothing else for you to do. If you’re a basic PC user, we recommend our Easy mode.

Below the different mode options on the Protection screen, the first option you’ll see is Threat Protection. Threat Protection checks your executables to see if they are a known threat, by comparing their hashes to a known threat database we’re always updating. If a known threat is found SpyShelter will automatically quarantine the process to help protect you. We recommend always keeping this feature on. This feature is what shows you that your processes under Activity are Safe or Threats.

Next on the list is Application Security Control. Application Security Control is one of our most popular features, because it allows you to control what apps on your PC are allowed to start, and what actions they are allowed to take.

Click the arrow on the right side of the screen to choose your security mode for this feature. High blocks any untrusted apps from doing anything without an Allow or Deny window appearing. Moderate blocks unsigned untrusted apps from doing the same as High, and Normal lets all apps run and take actions without your permission. However, SpyShelter is still checking and stopping known executable threats no matter which mode you choose here.

Next is our Insights feature. Executable Insights can tell you what a process on your PC does. Click the app icon under one of your screens, like the activity screen, then if insights are available, they will appear for that app.

Registry Integrity Control lets you deny untrusted apps from accessing your Windows Registry. The different security modes you can select by clicking the right-side arrow are identical to the behaviors of the Application Security Control modes, where you can choose to control this for all untrusted apps, or only keep watch over unsigned apps.

Once again, System Integrity Control modes match Registry Integrity Control and Application Security Control modes. But, in this case System Integrity Control watches over what Windows Services you want to allow on your PC.

File Integrity Control is a completely different feature from the ones above it. With this feature you can add a certain file to a list where no other apps can read, write, or modify it without your permission. You can then set what apps you allow to modify the files. This is a good feature to use on highly critical documents, or other files you don’t want a third party accessing or modifying.

Screenshot Protection prevents spyware or malware from taking screenshots of your screen. Instead of seeing your screen the malware will only pick up a black box. To test this, turn on this feature, then take a screenshot of your screen and paste it. The result should be a black box. You can turn this on/off by clicking the SpyShelter notification area icon, or by going back to this protection screen. Many people use this feature when accessing banking files, medical records, or other critical or private documents.

Keyboard Encryption protects you from keylogger spyware. Keyloggers sit on your PC recording everything you type, then send them back to someone who can use the data to access your banking, or other private services. For example, if you type in your banking logon and password the keylogger will pick up this information, then send it back to the criminal who can use it to access your bank account illegally.

To foil keyloggers we invented a unique kind of Keyboard Encryption technology. This makes it where all your keystrokes are encrypted, so all the keylogger picks up are randomly generated texts, making the keylogging worthless. Many people use this feature when using their online banking, or when logging on to other sensitive areas, or writing sensitive information.

Allow or Deny

If you are in SpyShelter’s Paranoid or Suspicious modes, or if your Application Security Control feature is in High or Moderate you may occasionally see Allow or Deny Windows. This means that SpyShelter is asking you if you want to allow or deny an executable to do something.

At the top left of the window, you’ll see a +1 icon, or an icon representing what the executable is asking to do. If the executable is running for the first time, then you will see our +1 icon. Then next to the icon you’ll see the application name, and if it’s Safe. If the executable is a known threat, then SpyShelter will automatically quarantine it. There should also be a blue dot that represents if the app is running or not. However, in the case of SpyShelter’s application control we put a hook between the moment when it's created and before the code starts executing and this is where we show the popup. Therefore, the app is not executed in this specific case, even though it has a blue dot in the Allow or Deny window.

As you look further down the window, the .exe name appears below and explains what the executable is trying to do. For example, it will most likely say that the executable is trying to launch.

Below there are Allow or Deny options. If you Allow, then the executable will launch and turn into a running process on your PC, and if you Deny, then the executable will be quarantined and can’t run. Want more options? Click the “More…” to Allow the executable to run once only, to Trust the app so it can do whatever it wants, or to Trust the Publisher, so any apps signed by this publisher can do whatever they want.

Below More there is a small See Details arrow. Click it to see Insights about what this executable does, to help you decide if you should allow it or not. Some apps don’t have Insights, and in this case, you can look at the Publisher, and its Path and Hash. Don’t fully trust our Threat Detection Feature? That means you’re paranoid like us… so in this case you can right click the hash and copy it, and easily check it with third party file reputation tools before deciding. For example, you could paste the hash into VirusTotal.com.

Whenever you Allow or Deny, or take an action with these windows you’ll make some sort of Rule. So, if you make a mistake go to SpyShelter’s Rules tab to fix it. Just search for the publisher or app name to change the rule and click its … three-dot menu to make the change.

SpyShelter can also alert you as soon as an executable tries to access your microphone or camera. When this alert appears, it means the executable is actively accessing your mic or camera in real-time. Deny the activity to terminate the app, and stop the camera or microphone access immediately.

Side Drawers

A lot of processes are running on your PC at any one time, and SpyShelter shows you they’re running. But, what exactly is that process? It’s easy to learn about your processes with SpyShelter’s Side Drawers. Click the app icon in the SpyShelter window and a side drawer will appear with all the information about the process.

At the top of the drawer, you’ll see the app name, if it’s running, and if it’s safe or not. Then below you have an option to Quarantine or just Terminate the app. Terminating the app just stops it once temporarily where it may start again, and Quarantine keeps the app, so it’s disabled permanently.

Insights give you information about what the app does to help you decide if you should keep it or not. Insights aren’t always perfect, so if something looks strange consider checking with a separate source.

Below the Insights are the executable name, version number, Installation date, Modification date, Country where created, and the Company that created it.

IMPORTANT: Did you know executables can have a completely fake Company name? Company names aren’t the same as a publishing certificate, so always keep that in mind. Anyone can create an executable and insert any Company name they want.

The Publisher is below the company name, and that should be real and official because it requires a real verified signing certificate. You can click the Publisher name to take action on a publisher if you choose to do so. For example, you can quarantine an entire Publisher from this screen if you’d like to do so.

The file’s Path is below the publisher. Click it to go exactly where the file is, without launching it. The file will be highlighted for you so you can access it easily. Be careful not to launch it if it’s suspicious, but if you’re in SpyShelter’s Paranoid mode, you should still be OK!

The Hash or unique ID of the file is next on the list and you can easily copy/paste it to check the file with third parties.

Next, we show who the process was launched by, all detected activities along with their dates, and any associated rules.

There are also side drawers on other screens, like the Events screens. These side drawers give you a hint about different Events and what they mean, and to see more details about the related app you’ll need to click the app icon under “App Info” a second time on this first drawer to access the drawer just described directly above.


The SpyShelter Events screen helps you keep track of all the activities taking place with all the executables on your PC.

The top Search bar lets you search for specific apps or publishers. Under the search bar on the left side you can choose to only show Processes that were Blocked, New Binaries, New Hashes, Camera access, Microphone access, when Drivers and Services were Installed or Removed, and also make all Launch/Exits visible.

Launch/Exits has a small, closed eye icon. This icon represents that Launches and Exits are hidden from the Events Log. The reason for this is because Launches and Exits happen frequently and will quickly fill up your Events log. Therefore, you may only want to make these visible when searching for a specific past Launch/Exit related event. If you want to see what apps are Launching and Exiting in real-time, consider going to SpyShelter’s Activity screen, then click the Terminal icon at the top right.

Want to quickly dial down a specific app or publisher? Click the Apps or Publishers menus and select only the Apps or Publishers you want to see in the Events.

Below SpyShelter’s Event Search and options you’ll see a list of all the executable events on your PC. Click the icon of the event to open a side drawer with an explanation of what the icon and event means. Then, if you’re even more curious about the related app, click its icon to see details about what it is in the main app information drawer.

The right side of the screen shows the app’s publisher, so you can quickly see who signed it. Unsigned apps are the most suspicious kind of apps, so keep a look out for those. That’s why we always highlight Unsigned apps in SpyShelter. If you only want to see Unsigned apps, click “Unsigned” under Publishers under the search box.

The Events tab is a great way to keep track of what all your executables are doing, and look back at older Events in case something happened to your PC at a specific time or date. For example, did you start experiencing instability on your PC at a certain date or time? Look in the Events around the time you started crashing and see if you can find the app that was responsible for the issue, then consider quarantining it, or uninstalling it. SpyShelter shows you what apps are new, or updated recently, so it can help you find the cause of unusual or complicated PC issues.


At the top right of the main SpyShelter window you’ll see a small cog icon. Click that icon and choose Settings. Once Settings are chosen, you’ll see all of SpyShelter’s settings options.

The first option lets you choose if SpyShelter should Run on startup, when you start your PC up. We recommend having this on, but you can turn it off if you prefer.

Auto-Update lets your SpyShelter software update, so you can always get new versions.

The Theme option lets you choose a dark or light theme by choosing Day or Night.

Allow Command Tool Access lets you use SpyShelter’s features from your Windows Command Prompt.

When I am away lets you choose how SpyShelter should react to your Allow or Deny preferences when your PC is in a deep sleep or booting up. In these cases, you will be unavailable to see the Allow or Deny option, since your PC is not currently operational.

The default and recommended setting is “Allow all signed”. This means that all signed apps with a publisher will be allowed to do whatever activity they need to do to help your PC boot up, or wake up from sleep. This is important, because if you use any special software that can cause booting or sleep issues, then it is allowed to function properly and allow your PC to work properly. Please note we automatically white list and Trust any Microsoft software, so your PC should never have any boot issues, but to avoid any possibility of SpyShelter causing a boot issue we recommend that you use the “Allow all signed” option.

However, if boot or sleep security is more critical for you and you are sure that you don’t have any third-party applications outside Microsoft apps that can interfere with booting, you may consider changing to “Wait for me”, so you can make the decision yourself. But please note that in some unusual cases this setting can cause boot issues, and if that happens you may need to boot with Windows safe mode. If you run into an emergency situation with this and you attribute this problem to SpyShelter, please look at our Uninstall guide in this help area, to see how to do an emergency uninstall of our software.

Deny all prompts will make it where SpyShelter automatically denies all requests during boot, or deep sleep.

Allow all prompts will allow all apps, even unsigned apps. In case you use unsigned apps that need to fire up randomly during boot for some reason. Unsigned apps are usually suspicious, so use caution before using this mode.


To make the SpyShelter Command Line Tool available in the Windows Terminal, first go to the top right of the SpyShelter main window and look for the settings cog icon. Click the settings cog icon in the SpyShelter window, then choose “settings”. Next turn on “Allow command line tool access”.

Now, launch the Windows Command Prompt, then type: cd "C:\Program Files\SpyShelter" to find the SpyShelter sps Command Line Tool.

Next, type: sps help

You'll then see a list of the available commands for the SpyShelter sps.exe command-line executable and you're ready to start controlling SpyShelter through the Windows Terminal.

Removing SpyShelter

Go to add or remove programs in Windows and click the three-dot menu (…) and choose “Uninstall”. For more detailed instructions visit our SpyShelter Uninstall page (opens in a new tab).