Defeating the ability of malicious code to record password entries made at
a keyboard involves one or two separate strategies. In the first, reactive
strategy, a protection process executing on a protected machine identifies
any processes that hook keyboard messages and deletes the identified
modules that correspond to suspected processes. The second, proactive
strategy further attempts to cripple the suspected processes by locating a
suspect process's entry point and writing a subroutine return opcode to
that process. In addition, a separate watchdog process monitors a dummy
keyboard-hook process: it runs checksums on the dummy keyboard-hook
process and tests its position in the keyboard-hook process chain to
ensure that the dummy process has not been compromised.
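
The watchdog check described above, sketched as an added example that is not
code from the original text. It models the hook chain as an array of hook
ids and the dummy hook's code as a byte buffer; the FNV-1a checksum, the
verdict names, the ids, the sample bytes and the expected position (index 0)
are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { DUMMY_OK, DUMMY_MODIFIED, DUMMY_DISPLACED, DUMMY_MISSING };
struct baseline { uint32_t id, sum; int position; };  /* recorded at install */

/* FNV-1a: stand-in for the checksum, which the text does not specify. */
static uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Index of hook `id` in the chain (0 = called first), or -1 if absent. */
static int chain_position(const uint32_t *chain, size_t n, uint32_t id) {
    for (size_t i = 0; i < n; i++)
        if (chain[i] == id) return (int)i;
    return -1;
}

/* One watchdog pass: is the dummy present, unmodified, and where expected? */
static enum verdict watchdog_check(const struct baseline *b,
        const uint8_t *image, size_t len, const uint32_t *chain, size_t n) {
    int pos = chain_position(chain, n, b->id);
    if (pos < 0) return DUMMY_MISSING;
    if (checksum(image, len) != b->sum) return DUMMY_MODIFIED;
    return pos == b->position ? DUMMY_OK : DUMMY_DISPLACED;
}

/* Constructed scenarios: 0 untouched, 1 image byte altered,
   2 another hook placed ahead of the dummy, 3 dummy unhooked. */
static enum verdict run_scenario(int s) {
    uint8_t image[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 }; /* constructed */
    uint32_t chain[] = { 0xD0, 0xA1, 0xB2 };   /* 0xD0 = dummy hook id */
    struct baseline b = { 0xD0, checksum(image, sizeof image), 0 };
    if (s == 1) image[0] ^= 0xFF;
    if (s == 2) { chain[0] = 0xA1; chain[1] = 0xD0; }
    if (s == 3) chain[0] = 0xEE;
    return watchdog_check(&b, image, sizeof image, chain, 3);
}

int main(void) {
    for (int s = 0; s < 4; s++)
        printf("scenario %d -> verdict %d\n", s, (int)run_scenario(s));
    return 0;
}
```

Checking presence first, then the checksum, then the position lets the
watchdog report the most severe condition when several hold at once.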