We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Solved
Hooking into Event Log writes
Posted on 2001-09-05
Hi,
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
4
- +2
12 Comments
Active 6 days ago
Have a look at this example
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
Maybe hook into the system message stream :
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
roverm,
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
This is where you can put the hook on:
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
RoverM,
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
Ok, I've got an example of a 'systemwidehook' (I thought Ark gave it to me) but it's at home, so you'll have to wait for approx. 7 hours....(at work now)...
D'Mzzl!
RoverM
D'Mzzl!
RoverM
Whoops: very sorry, forgot complete about this thread.
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
RoverM,
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Hi martyn_bannister,
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
Featured Post
Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Have you ever wanted to restrict the users input in a textbox to numbers, and while doing that make sure that they can't 'cheat' by pasting in non-numeric text? Of course you can do that with code you write yourself but it's tedious and error-prone …
Here are a few simple, working, games that you can use as-is or as the basis for your own games.
Tic-Tac-Toe
This is one of the simplest of all games.
Â
The game allows for a choice of who goes first and keeps track of the number of wins for…
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
Show developers how to use a criteria form to limit the data that appears on an Access report. It is a common requirement that users can specify the criteria for a report at runtime. The easiest way to accomplish this is using a criteria form that a…
Suggested Courses
Course of the Month6 days, left to enroll
688 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.