Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.
Course Of The Month
8 days, 2 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Hooking into Event Log writes
Posted on 2001-09-05
Hi,
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
4
- +2
12 Comments
Have a look at this example
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
Maybe hook into the system message stream :
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
roverm,
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
This is where you can put the hook on:
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
RoverM,
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
Ok, I've got an example of a 'systemwidehook' (I thought Ark gave it to me) but it's at home, so you'll have to wait for approx. 7 hours....(at work now)...
D'Mzzl!
RoverM
D'Mzzl!
RoverM
Whoops: very sorry, forgot complete about this thread.
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
RoverM,
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Hi martyn_bannister,
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
Featured Post
Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Introduction
While answering a recent question about filtering a custom class collection, I realized that this could be accomplished with very little code by using the ScriptControl (SC) library. This article will introduce you to the SC library a…
If you have ever used Microsoft Word then you know that it has a good spell checker and it may have occurred to you that the ability to check spelling might be a nice piece of functionality to add to certain applications of yours. Well the code that…
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
This lesson covers basic error handling code in Microsoft Excel using VBA. This is the first lesson in a 3-part series that uses code to loop through an Excel spreadsheet in VBA and then fix errors, taking advantage of error handling code.
This l…
Suggested Courses
Course of the Month8 days, 2 hours left to enroll
Earn Certification
CompTIA IT Fundamentals
$49.00$44.10
729 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.