Reveal Scanner runs deep Windows forensics — BAM, Prefetch, kernel drivers, PE imports, DNS cache — looking for one thing: evidence that OBS or a screen-mirror projector was running on the player's machine.
No software to install. No DLL injection. Just a PowerShell command the player runs on screenshare — results land in your browser instantly.
Click Start Session in the dashboard. You get a unique PIN-coded one-liner valid for 7 days.
iex (irm revealscanner.cc/run/<PIN>)
Paste into Admin PowerShell on screenshare. The script scans 15 forensic sources against 100+ known OBS, projector, and recording-software signatures — no installs, no downloads, no persistent residue.
Report appears in your browser with every finding, the system info, and step-by-step verification instructions for each flag.
We don't just look for OBS or projector executables — we hunt for the forensic artifacts that survive after the file is deleted, renamed, or wiped.
Windows kernel records every executable launched on every user account, with timestamps. Hard to wipe without nuking the SYSTEM hive.
RTCore64, WinRing0, gdrv, mhyprot2, dbutil_2_3 — signed drivers occasionally abused by stealth kernel-mode projectors. Service registration persists after uninstall.
We byte-scan every MuiCache-listed binary for screen-mirror APIs (DwmRegisterThumbnail, IGraphicsCaptureItemInterop, SetWindowDisplayAffinity). Rename-resistant — these are the imports every projector needs.
Projectors and OBS variants are sometimes excluded from Defender to avoid AV interference. The exclusion sticks around even after the file is gone.
Known projector vendor and OBS/streaming domains (obsproject.com, streamlabs.com, medusa.cc, hellstar.cc, vestige.gg) leave traces in the DNS resolver cache for 24 hours.
ConsoleHost_history.txt records every command typed. Projector / recorder installers like iex (irm loader.cc) stay verbatim — direct evidence of intent.
No per-scan fees. No usage limits. Pay once or monthly — your call.
No. The entire scan runs from a single PowerShell command. Nothing is installed, no DLLs are loaded, no persistent registry keys are written. The script lives in memory and exits when finished.
The script doesn't perform any malicious behavior — it reads registry and file metadata. Defender doesn't flag it. SmartScreen may briefly inspect irm traffic but won't block.
Wiping BAM and Prefetch is a major flag in itself. But Reveal Scanner also checks 11 other sources — UserAssist, MuiCache, kernel driver registrations, Defender exclusions, WER reports, DNS cache, hosts file, PowerShell history, AppData folders, scheduled tasks, and PE imports of every executable in MuiCache. Wiping all of those leaves the system bare in a way that's also a flag.
Yes. Every flag in the results report comes with step-by-step instructions to confirm the artifact still exists on the player's screen — exact registry paths, Explorer paths, and PowerShell commands to run.
After purchase you'll receive your license key. Log in with Discord, paste the key into the Redeem page, and the license is HWID-bound to your Discord account. The customer role is assigned automatically.
Due to the nature of digital licenses (instantly usable on delivery), all sales are final. Refunds may be granted at our discretion for technical issues that can't be resolved — open a ticket in Discord.
Reveal Scanner pays for itself the first time you catch an OBS or projector that the player swore wasn't there. Try it on the next screenshare — it takes a minute.
Get started →