What is the Windows Clipboard?

The Windows clipboard is a built‑in feature that temporarily stores anything you copy—text, images, files. The clipboard is stored in regular RAM, just like any other application data. There is no dedicated hardware region or special memory bank reserved for it. It is wrapped in OS‑level access control and session isolation.

Here’s how it works:

1. Copy: When you select text, an image, or any other data and press Ctrl+C or right-click and select “Copy,” the operating system copies the selected data to the clipboard.
   
   It ssks the source application: “What formats can you provide this data in?” (Plain text, RTF, HTML, bitmap, file list, custom formats, etc.)
   
   The app registers those formats with the clipboard service.
   
   
   
2. Store: This copied data is stored temporarily in the clipboard’s memory, waiting to be pasted.
   
   Windows stores the data, with a promise that the app will provide the data later (delayed rendering). There only 1 clip available on the current clipboard, and it overwritten every time. 
   
   
   
3. Paste: When you want to use the copied data, you press Ctrl+V or right-click and select “Paste,” and the clipboard sends the data to the active application or document.
   
   When you paste, the target app says: “Give me the best format you have that I understand.”
   
   This is why when you copy 'text' from a HTML page into Word you get formatting and into Notepad, the formatting is stripped. Notepad only accepts plain text.
   
   

With my Clipboard Plaintext Power Tool you can apply transformations to item on the Clipboard, before pasting. Example transformations include, convert case to Title Case, extract sentences, or remove duplicates, get GPS data from an image. Do this in 1-click, comes with smart Clipboard History too. Check it out!


How Windows Protects Clipboard Data

The Windows clipboard uses normal system memory, not a special protected memory region — but Windows does protect access to it. Only processes running in the same user session can access the 

clipboard. A random background service running as SYSTEM cannot read your clipboard unless it explicitly impersonates your user.

Apps must use the official APIs (Using the Clipboard - Win32 apps | Microsoft Learn), to access the clipboard, see below.

Windows enforces:

• Only one process can open the clipboard at a time.

• A process must own the clipboard to modify it.

• Apps cannot read the clipboard without requesting access.

Misclassified as Malware

The use of clipboard API in an executable file can indeed flag it as a trojan. This is because the clipboard API is a system-level interface that allows applications to access and manipulate clipboard data. If the clipboard API is used in an executable file and is a new application that has unknown reputation, it can be flagged as a trojan by antivirus software. This is a common practice in malware detection, where the presence of a clipboard API in an executable file is a red flag for potential malicious intent. Why clipboard-using EXEs get flagged by your anti-virus.

• Behavioral heuristics: Many trojans and stealers monitor or modify the clipboard (for example, swapping crypto addresses, stealing copied passwords, or auto-pasting commands). So “EXE + clipboard API + maybe no signature + uncommon file” is a classic suspicious pattern.
• Low reputation: If it’s a new, custom, or rarely seen executable (internal tool, dev build, etc.), reputation-based systems (Defender SmartScreen, other AV cloud checks) have almost no telemetry on it. New + clipboard access = “better safe than sorry” flag.
• Packing/obfuscation: If the EXE is packed, obfuscated, or built with certain frameworks, its structure can resemble known malware families, and the clipboard calls just tip it over the edge.
  
• No or weak code signing: Unsigned or self-signed binaries that interact with user data (clipboard, keyboard, browser, etc.) are much more likely to be treated as trojan-like. This is easy to check - left-click on Exe, choose Properties, check Digital Signatures tab. If the tab does not exist, then exe is not digitally signed.

Technical Details

The Windows clipboard was designed as a mechanism that Microsoft Windows operating systems use to allow data to be shared between applications. It first appeared in Windows 3.1, although its functionality has greatly increased since then. 

When you copy something, Windows doesn’t just store the raw bytes.

It stores one or more representations of the data, each tagged with a format ID.

A clipboard format tells Windows and applications:

• what kind of data is stored

• how to interpret it

• how to convert it if needed

This is why you can copy text from Word and paste it as plain text, rich text, HTML, or even an image depending on the target app.

With my Clipboard Plaintext Power Tool you can apply transformations to these formats and more!


Live View Clipboard Formats

Clipboard formats commonly used (CF_TEXT, CF_UNICODETEXT, CF_HDROP, custom formats) are stored as handles to memory blocks.

Live look at list all formats when you copy an item. You must REFRESH, on each copy.
InsideClipboard - View the content of all formats stored in the Clipboard (nirsoft.net)

Microsoft also provides the ability for “private data formats”, custom formats that are application specific (for example, fonts in a word processing program), and that could be registered so that other applications could transfer data in these formats. Two private data formats that are used extensively are object link embedding CF_OLE (0xC013) decimal 49171 and CF_ DataObjects (0xC009) decimal 49161.

For an application to send data to the clipboard, it first allocates a block of global memory using GlobalAlloc, Global- Lock, and GlobalUnlock . It then opens the clipboard using OpenClipboard, empties it using EmptyClipboard, places the clipboard data using SetClipboard and then closes the clipboard using CloseClipboard (Microsoft.com). While only one piece of data can be present in the clipboard at any given time, it is possible to send and store that piece of data in multiple formats by performing multiple SetClipboardData functions. 

This allows applications that handle data in different ways to all have access to it (e.g., text in Microsoft Word with or without formatting). Once data is in the clipboard, the block of global memory belongs to the clipboard and other pointers to it become invalid. Getting data from the clipboard is even easier and involves opening the clipboard, determining which of the available clipboard formats to retrieve (this is an application specific task), retrieving a handle to the data, and then closing the clipboard.

Open Source: Standard Clipboard Formats (Winuser.h) - Win32 apps | Microsoft Learn

The clipboard formats defined by the system are called standard clipboard formats. These clipboard formats are described in the following table.

Constant/value	Description
CF_BITMAP 2	A handle to a bitmap (HBITMAP).
CF_DIB 8	A memory object containing a BITMAPINFO structure followed by the bitmap bits.
CF_DIBV5 17	A memory object containing a BITMAPV5HEADER structure followed by the bitmap color space information and the bitmap bits.
CF_DIF 5	Software Arts' Data Interchange Format.
CF_DSPBITMAP 0x0082	Bitmap display format associated with a private format. The hMem parameter must be a handle to data that can be displayed in bitmap format in lieu of the privately formatted data.
CF_DSPENHMETAFILE 0x008E	Enhanced metafile display format associated with a private format. The hMem parameter must be a handle to data that can be displayed in enhanced metafile format in lieu of the privately formatted data.
CF_DSPMETAFILEPICT 0x0083	Metafile-picture display format associated with a private format. The hMem parameter must be a handle to data that can be displayed in metafile-picture format in lieu of the privately formatted data.
CF_DSPTEXT 0x0081	Text display format associated with a private format. The hMem parameter must be a handle to data that can be displayed in text format in lieu of the privately formatted data.
CF_ENHMETAFILE 14	A handle to an enhanced metafile (HENHMETAFILE).
CF_GDIOBJFIRST 0x0300	Start of a range of integer values for application-defined GDI object clipboard formats. The end of the range is CF_GDIOBJLAST. Handles associated with clipboard formats in this range are not automatically deleted using the GlobalFree function when the clipboard is emptied. Also, when using values in this range, the hMem parameter is not a handle to a GDI object, but is a handle allocated by the GlobalAlloc function with the GMEM_MOVEABLE flag.
CF_GDIOBJLAST 0x03FF	See CF_GDIOBJFIRST.
CF_HDROP 15	A handle to type HDROP that identifies a list of files. An application can retrieve information about the files by passing the handle to the DragQueryFile function.
CF_LOCALE 16	The data is a handle to the locale identifier associated with text in the clipboard. When you close the clipboard, if it contains CF_TEXT data but no CF_LOCALE data, the system automatically sets the CF_LOCALE format to the current input language. You can use the CF_LOCALE format to associate a different locale with the clipboard text. An application that pastes text from the clipboard can retrieve this format to determine which character set was used to generate the text. Note that the clipboard does not support plain text in multiple character sets. To achieve this, use a formatted text data type such as RTF instead. The system uses the code page associated with CF_LOCALE to implicitly convert from CF_TEXT to CF_UNICODETEXT. Therefore, the correct code page table is used for the conversion.
CF_METAFILEPICT 3	Handle to a metafile picture format as defined by the METAFILEPICT structure. When passing a CF_METAFILEPICT handle by means of DDE, the application responsible for deleting hMem should also free the metafile referred to by the CF_METAFILEPICT handle.
CF_OEMTEXT 7	Text format containing characters in the OEM character set. Each line ends with a carriage return/linefeed (CR-LF) combination. A null character signals the end of the data.
CF_OWNERDISPLAY 0x0080	Owner-display format. The clipboard owner must display and update the clipboard viewer window, and receive the WM_ASKCBFORMATNAME, WM_HSCROLLCLIPBOARD, WM_PAINTCLIPBOARD, WM_SIZECLIPBOARD, and WM_VSCROLLCLIPBOARD messages. The hMem parameter must be NULL.
CF_PALETTE 9	Handle to a color palette. Whenever an application places data in the clipboard that depends on or assumes a color palette, it should place the palette on the clipboard as well. If the clipboard contains data in the CF_PALETTE (logical color palette) format, the application should use the SelectPalette and RealizePalette functions to realize (compare) any other data in the clipboard against that logical palette. When displaying clipboard data, the clipboard always uses as its current palette any object on the clipboard that is in the CF_PALETTE format.
CF_PENDATA 10	Data for the pen extensions to the Microsoft Windows for Pen Computing.
CF_PRIVATEFIRST 0x0200	Start of a range of integer values for private clipboard formats. The range ends with CF_PRIVATELAST. Handles associated with private clipboard formats are not freed automatically; the clipboard owner must free such handles, typically in response to the WM_DESTROYCLIPBOARD message.
CF_PRIVATELAST 0x02FF	See CF_PRIVATEFIRST.
CF_RIFF 11	Represents audio data more complex than can be represented in a CF_WAVE standard wave format.
CF_SYLK 4	Microsoft Symbolic Link (SYLK) format.
CF_TEXT 1	Text format. Each line ends with a carriage return/linefeed (CR-LF) combination. A null character signals the end of the data. Use this format for ANSI text.
CF_TIFF 6	Tagged-image file format.
CF_UNICODETEXT 13	Unicode text format. Each line ends with a carriage return/linefeed (CR-LF) combination. A null character signals the end of the data.
CF_WAVE 12	Represents audio data in one of the standard wave formats, such as 11 kHz or 22 kHz PCM.

Other Questions
Is there a maximum size for Windows clipboard data? Because I'm getting null for something I know should be there - The Old New Thing (microsoft.com)