Make Your Microsoft Dynamics Investment Count & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Hooking into Event Log writes
Posted on 2001-09-05
Hi,
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
Can anyone point me in the right direction as to how to write a VB program which is notified every time an event is written to the System or Application Event Logs by any application (Windows NT 4/2000) ?
This program would sit idle until it was notified that something had been written. Ideally the notification would contain all the info that was written to the event log so that the log itself would never need to be opened?
Can this be achieved by intercepting the OS ReportEvent function in some way?
TIA,
/\/\
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
4
- +2
12 Comments
Active 1 day ago
Have a look at this example
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
http://www.mvps.org/st-software/VB_Code_LJ.htm
Scroll down to Administering NT Event Logs
Maybe hook into the system message stream :
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
SetWindowsHookEx API:
'In a module
Public Const WH_KEYBOARD = 2
Public Const VK_SHIFT = &H10
Declare Function CallNextHookEx Lib "user32" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
Public hHook As Long
Public Function KeyboardProc(ByVal idHook As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'if idHook is less than zero, no further processing is required
If idHook < 0 Then
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
Else
'check if SHIFT-S is pressed
If (GetKeyState(VK_SHIFT) And &HF0000000) And wParam = Asc("S") Then
'show the result
Form1.Print "Shift-S pressed ..."
End If
'call the next hook
KeyboardProc = CallNextHookEx(hHook, idHook, wParam, ByVal lParam)
End If
End Function
'In a form, called Form1
Private Sub Form_Load()
'KPD-Team 2000
'URL: http://www.allapi.net/
'E-Mail: KPDTeam@Allapi.net
'set a keyboard hook
hHook = SetWindowsHookEx(WH_KEYBOA
End Sub
Private Sub Form_Unload(Cancel As Integer)
'remove the windows-hook
UnhookWindowsHookEx hHook
End Sub
Example from allapi.net.
D'Mzzl!
RoverM
roverm,
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
>>BTW: This is an example for hooking into the keyboard stream...
Exactly. I haven't the foggiest idea how to do it, or what to look for when hooking into the "system message stream"! Don't hooks only work when messages are being sent to Graphical objects such as windows, buttons, menus etc or when they are triggered by hardware, like the keyboard? How do you hook into the system messages when there is nothing visual or of a hardware nature to work with. Maybe I misunderstand the nature of hooks???
Rgds,
/\/\
This is where you can put the hook on:
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
? idHook
Specifies the type of hook procedure to be installed. This parameter can be one of the following values:
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the system. For more information, see the SysMsgProc hook procedure.
But the example/link hes provided is exact what you need I guess.
D'Mzzl!
RoverM
RoverM,
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
The example Hes gave is very useful for interpreting the eventlog records, but it uses the Management Information scripting objects to get notification of an event log write. This scripting subsystem may not be on the client PC.
I would prefer to use Hooks if they can do the job, but the only one that may servr the purpose seems to be the WH_CALLWNDPROC hook and I cannot find any examples of how to use this. I have examined the help on MSDN for this and, like most Microsoft help, it only becomes clear to me once I know how to do what it is trying to explain!
What I was really looking for was an example that I could follow that did something similar that could be adapted to use with the event log. Unfortunately, the keyboard example isn't similar enough for my use!
If you know of anything that uses a WH_CALLWNDPROC hook that may be nearer.
Rgds,
/\/\
Ok, I've got an example of a 'systemwidehook' (I thought Ark gave it to me) but it's at home, so you'll have to wait for approx. 7 hours....(at work now)...
D'Mzzl!
RoverM
D'Mzzl!
RoverM
Whoops: very sorry, forgot complete about this thread.
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
Here it is:
http://www.mvps.org/btmtz/shnotify/
Please also take a look at Brad's site: http://www.mvps.org/btmtz/ it's full of cool stuff!
D'Mzzl!
RoverM
RoverM,
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Looked at the shnotify stuff - its cool, but it doesn't help with the event log. It would appear that event log writes don't get notified to the shell.
I am still looking, but reckon that NotifyChangeEventLog may be my best bet.
Rgds,
/\/\
Hi martyn_bannister,
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:
Accept hes's comment(s) as an answer.
martyn_bannister, if you think your question was not answered at all or if you need help, just post a new comment here; Community Support will help you. DO NOT accept this comment as an answer.
EXPERTS: If you disagree with that recommendation, please post an explanatory comment.
==========
DanRollins -- EE database cleanup volunteer
Featured Post
Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I’ve seen a number of people looking for examples of how to access web services from VB6. I’ve been using a test harness I built in VB6 (using many resources I found online) that I use for small projects to work out how to communicate with web serv…
I was working on a PowerPoint add-in the other day and a client asked me "can you implement a feature which processes a chart when it's pasted into a slide from another deck?". It got me wondering how to hook into built-in ribbon events in Office.
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 19 hours left to enroll
Earn Certification
CompTIA IT Fundamentals
$49.00$44.10
627 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.