How to Screen Record Protected Apps Without Black Screen in 2026

Why Apps Block Screen Recording

The black screen you see when trying to record a protected app is intentional. Applications block screen recording for several reasons: DRM enforcement on streaming platforms like Netflix, Disney+, and Amazon Prime Video prevents content piracy. Banking and financial apps use it to stop malware from capturing account credentials, balances, and transaction details. Exam proctoring software blocks recording to prevent students from sharing exam content. And enterprise security tools prevent capture of sensitive corporate data.

The protection mechanisms differ across platforms, but the result is the same — your screen recorder captures a black frame instead of the actual window content. Understanding which protection is in play is the first step toward bypassing it.

How Screen Recording Protection Works

Android: FLAG_SECURE

On Android, the primary mechanism is the FLAG_SECURE window flag. When an app sets getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE), the Android compositor (SurfaceFlinger) marks that surface as protected. Any attempt to capture the screen — whether through MediaProjection, screencap, or third-party recording apps — returns black pixels for that window. This operates at the compositor level, so it cannot be bypassed by simply using a different recording app. Banking apps, password managers, Snapchat, and many government apps use this flag.

Windows: SetWindowDisplayAffinity

On Windows, applications call SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE) to make their window invisible to all standard capture APIs. This includes BitBlt, DXGI Desktop Duplication, PrintWindow, and the Windows Graphics Capture API used by the Xbox Game Bar and OBS. The Desktop Window Manager (DWM) enforces this at the composition stage — the window content is simply excluded from the captured frame. This is used by some DRM players, secure browsers, and enterprise applications.

DRM & Widevine

Streaming services use Widevine DRM (on Chromium browsers, Android) or FairPlay (Apple devices) with hardware-level encryption. At Widevine L1, the video is decrypted and rendered entirely within a Trusted Execution Environment (TEE) — the decrypted frames never exist in normal system memory. HDCP (High-bandwidth Digital Content Protection) encrypts the signal between the GPU and the display, preventing capture even at the hardware output level.

Browser-Level: EME

In browsers, Encrypted Media Extensions (EME) provide the JavaScript API that streaming sites use to request DRM decryption. The Content Decryption Module (CDM) handles the actual decryption and rendering. When hardware acceleration is enabled, the decrypted video frames go directly to the GPU overlay, completely bypassing the browser's rendering pipeline and making screen capture return black frames for the video element.

Bypass Methods for Android

Virtual Display / Screen Mirroring

The simplest approach: mirror your Android screen to another device using scrcpy or Miracast, then record on the receiving device. Some mirroring tools create a virtual display that does not enforce FLAG_SECURE on the mirrored output. This works because FLAG_SECURE is enforced per-display, and the mirroring protocol sometimes creates a separate display context that does not inherit the secure flag. Success rate varies by Android version and device manufacturer — test with your specific combination.

ADB Screen Capture

Running adb shell screencap /sdcard/screenshot.png or adb shell screenrecord /sdcard/video.mp4 bypasses FLAG_SECURE on some older Android versions and custom ROMs. On stock Android 12+, this is patched — ADB captures respect FLAG_SECURE. However, on rooted devices you can modify the SurfaceFlinger to ignore the secure flag before issuing the capture command.

Xposed / Magisk Modules

The most reliable Android method requires root. Install Magisk for root access, then LSPosed (Xposed framework for modern Android). The DisableFlagSecure Xposed module hooks the Window.setFlags() method and strips the FLAG_SECURE flag before it reaches SurfaceFlinger. Once active, every app behaves as if it never set FLAG_SECURE — screenshots and screen recording work normally everywhere. This is the cleanest solution, but requires an unlocked bootloader and root, which some banking apps detect via SafetyNet / Play Integrity.

HDMI Capture Card

The hardware approach works regardless of software protection. Connect your phone via USB-C to HDMI adapter, then feed the HDMI signal into a capture card (Elgato, AVerMedia, or a cheap USB3 HDMI grabber). The capture card records the raw display output. FLAG_SECURE does not affect the physical display signal. This method always works, but requires additional hardware and the recording quality is limited by the capture card's capabilities.

Bypass Methods for Windows

Kernel Driver: GPU Framebuffer Read

The most powerful Windows approach. A kernel-mode driver reads the GPU framebuffer directly, bypassing the DWM composition stage entirely. SetWindowDisplayAffinity only instructs DWM to exclude a window from capture — it does not affect what is actually rendered to the display. By reading VRAM directly through the GPU's memory-mapped I/O or via the display miniport driver interface, you capture the final composited output that includes all windows regardless of their display affinity setting. BypassCore's capture-bypass repository demonstrates this technique.

DKOM: Direct Kernel Object Manipulation

Every window in Windows has a kernel-side tagWNDstructure managed by win32k. The DisplayAffinity value is stored as a field in this structure. With a kernel driver, you can locate the target window's tagWND in kernel memory and overwrite the DisplayAffinity field to WDA_NONE (0x0). Once patched, DWM treats the window as a normal, capturable window. This is clean and effective, but the offset of the DisplayAffinity field changes between Windows builds, so you need to resolve it dynamically or maintain a table of offsets.

Virtual Display / Mirror Driver

Create an Indirect Display Driver (IDD) that acts as a virtual monitor. The virtual monitor receives the full desktop composition including protected windows, because SetWindowDisplayAffinity excludes content from capture APIs, not from display outputs. Record the virtual monitor's output using standard DXGI duplication against the virtual adapter. This approach avoids kernel memory patching and works reliably across Windows versions.

OBS Capture Modes

OBS Studio offers multiple capture methods. Display Capture uses DXGI Desktop Duplication and will show a black window for WDA_EXCLUDEFROMCAPTURE windows. Window Capture with the Windows 10 (1903+) method uses Windows.Graphics.Capture, which also respects display affinity. However, the older BitBlt window capture method in OBS may capture some protected windows on certain GPU driver configurations — test this first as it is the lowest effort approach. For a guaranteed result on Windows, use the kernel driver or HDMI capture card methods.

HDMI Capture Card

Same principle as Android: the physical display output contains all window content regardless of software-level capture protection. Feed your monitor output through an HDMI splitter into a capture card. SetWindowDisplayAffinity only affects software capture — it has zero effect on what is sent to the display. A $20 USB HDMI capture dongle is often sufficient for 1080p recording.

Bypass Methods for Streaming & DRM

DRM protection is the hardest to bypass because it operates at the hardware level. Widevine L1 and HDCP are designed specifically to prevent capture, and software-only approaches have limited success.

HDMI Capture Card + HDCP Stripper

The only fully reliable method for DRM content. An HDCP stripper (or an HDMI splitter that does not forward HDCP handshakes) removes the encryption from the HDMI signal before it reaches the capture card. The workflow is: GPU HDMI output → HDCP stripper → HDMI capture card → recording software. This captures the full-quality video output regardless of DRM level. Be aware that this is the method most likely to violate terms of service and potentially copyright law.

Virtual Machine Capture

Run the streaming app inside a virtual machine (VirtualBox, VMware, QEMU/KVM). Some DRM implementations do not detect VM environments and will play content at reduced DRM levels (e.g. Widevine L3 instead of L1). Record the VM window from the host OS. This works for some services but not all — Netflix and Disney+ have increasingly effective VM detection that forces lower resolution or blocks playback entirely. GPU passthrough configurations make VM detection harder for the DRM system.

Disable Hardware Acceleration in Browser

For Widevine L3 content (lower security tier, used when hardware DRM is unavailable), disabling hardware acceleration in your browser forces the CDM to use software decryption. The decrypted frames pass through the normal rendering pipeline instead of a hardware-protected path, making them capturable by standard screen recording tools. In Chrome: Settings → System → disable “Use hardware acceleration when available” and restart. Note this only works for L3 content — L1 services will either refuse to play or drop to very low resolution (480p).

Which Method for Which Situation

Demo: BypassCore's capture-bypass Driver

Our open-source capture-bypass repository contains a Windows kernel driver that demonstrates the GPU framebuffer read approach for bypassing SetWindowDisplayAffinity. The driver maps the GPU framebuffer through the display miniport interface, reads the final composited output directly from VRAM, and exposes it through a userland API that any screen recording tool can consume. Protected windows appear in the captured output exactly as they appear on the physical display.

Also check out phantom-screen — our virtual display driver that creates cloaked secondary monitors for advanced capture redirection and evasion scenarios.

Related Articles