Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
Hooking into Event Log writes
Hi,
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
Asked:
Who is Participating?
Maybe hook into the system message stream :
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
roverm,
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
This is where you can put the hook on:
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
RoverM,
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
Ok, I've got an example of a 'systemwidehook' (I thought Ark gave it to me) but it's at home, so you'll have to wait for approx. 7 hours....(at work now)...
D'Mzzl!
RoverM
D'Mzzl!
RoverM
Whoops: very sorry, forgot complete about this thread.
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
RoverM,
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Hi martyn_bannister,
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs