Difference between JournalRecord and Other hooks

Hello experts!
  This is related to my earlier query
(Ref: http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20750612.html)

I am trying to create a service that tracks idle time on a PC (I have defined idle time as the time when no keyboard or mouse events occur). For now, I am checking for idle time periodically using a timer and saving it to the registry.
I want it to work irrespective of the user (and want to hide it from users), so I have implemented it as a service.
It seems there are two ways to implement it:
1) using Journal record.
2) using keyboard and mouse hooks.

  I am sure (2) works, but not sure about 1. What are the advantages and disadvantages of each method and which one should I use for my task?

Thank you,
snehanshu (Author) Commented:
I got richer in points by taking the survey, so, I've increased points for this Question.
The advantage of using the Journal hook is that you'll only need to implement one hook, as opposed to two.
That's about the only difference between the two methods.

I can't quite remember but you might have to check the content of the message when using the Journal, whereas when implementing both Keyboard and Mouse hooks, you shouldn't need to do that. You'll only need to know that there had been a message.

Hope this helps.
snehanshu (Author) Commented:
Hello Colin!
  Thank you for replying.
  I am looking for some concepts: I am an absolute beginner to hooks. Like why is it that all other system-wide hooks need to be called from DLLs while a JournalRecord can be implemented in an application. Also, DLL hooks if called from a service, where the dll does not share memory with proper security attributes cause problems, while Journal hooks do not have such problems.

  Is it something like journalrecord is called at the end, while other hooks at the beginning, which would imply that if one wants to change the events (Like switch mouse buttons, reset keyboard layout etc.) he cannot do it using journal record while if monitoring is the only objective, then journalrecords are a better choice?

  Also, I read somewhere that a journal hook gets disabled when the ctrl-alt-del key is pressed, but am not sure if this is true.
  If I implement the hook as a service can I not track keyboard/mouse events while the session is locked (NT/2000/XP) or before login/after logoff?
  Since journal records seem too easy to implement, I want to know "what is the catch"?

  Perhaps I am asking for too much information, but being a poor man, I cannot assign too many points to the question, but I would very much appreciate the efforts experts would put in.

Thank you,

Hello snehanshu. Yes, there is a difference between the Journal hooks and most of the other hook types (maybe all of them). It is a different system implementation than WH_MOUSE and WH_KEYBOARD. . . The mouse and keyboard hooks are set in a "chain" of hook receivers (users) and the Journal hooks are not in a chain. . . The mouse and keyboard hooks can alter (change) the input or block it completely. . . The journal hook can only "read" what the input is, and cannot change or block it. . . The Journal hook was intended to "journal" (record) the user input for a short period of time, and then at a later time play back the user's input. . . Because the Journal was supposed to be for a short time, the Ctrl-Alt-Del key press (and some other system key presses) will cancel the Journal hook (this seems logical for the intended purpose of the hook), but the system sends a WM_CANCELJOURNAL message, so you can restart the journal hook once the hook is cancelled. . . Another factor of the Journal hook is that it joins the text code pages, not something usually noticed. . . There are also reports that the journal hook may disable the Alt-Tab program change focus keypress in some Windows systems. . . If you plan on running the hooks for a long period of time, then WH_MOUSE and WH_KEYBOARD may be a better thing. . .

snehanshu (Author) Commented:
Thank you Slick. That helped.
I am a bit concerned about the logout/lock scenario.
Can you explain the "WM_CANCELJOURNAL" part?
Do I get that message also in the JournalRecord's hook handling procedure?
If I restart the Journal hook on receiving the cancel message, would it work even when the system is locked or logged off or not logged in?
Would a non-journal hook be always-active (like when the system is locked or logged off or not logged in)?
And finally, considering that my implementation would monitor forever, which approach should I use: Restarting journal hook on cancel, or the DLL hooks?

The WM_CANCELJOURNAL is sent to the instance message queue that is running that hook. It is one of a few messages sent without a destination handle; you have to get it in the main GetMessage loop (the Application's OnMessage event). You should read the Win32 API Help for these types of things; here is what it says -

Journal record and playback modes are modes imposed on the system that let an application sequentially record or play back user input. The system enters these modes when an application installs a JournalRecordProc or JournalPlaybackProc hook procedure. When the system is in either of these journaling modes, applications must take turns reading input from the input queue. If any one application stops reading input while the system is in a journaling mode, other applications are forced to wait.

To ensure a robust system, one that cannot be hung up by any one application, Windows NT automatically cancels any journalling activities when a user presses CTRL+ESC or CTRL+ALT+DEL. The system then unhooks any journaling hook procedures, and posts a WM_CANCELJOURNAL message, with a NULL window handle, to the application that set the journaling hook.
Since the WM_CANCELJOURNAL has a NULL window handle, it cannot be dispatched to a window procedure. There are two ways for an application to see a WM_CANCELJOURNAL message: If the application is running in its own main loop, it must catch the message between its call to GetMessage or PeekMessage and its call to DispatchMessage. If the application is not running in its own main loop, it must set a GetMsgProc hook procedure (via a call to SetWindowsHookEx specifying the WH_GETMESSAGE hook type) that watches for the message.

When an application sees a WM_CANCELJOURNAL message, it can assume two things: the user has intentionally cancelled the journal record or playback mode, and the system has already unhooked any journal record or playback hook procedures.
Note that the key combinations mentioned above (CTRL+ESC or CTRL+ALT+DEL) cause the system to cancel journaling. If any one application is hung, they give the user a means of recovery. The VK_CANCEL virtual keycode (usually implemented as the CTRL+BREAK key combination) is what an application that is in journal record mode should watch for as a signal that the user wishes to cancel the journaling activity. The difference is that watching for VK_CANCEL is a suggested behavior for journaling applications, whereas CTRL+ESC or CTRL+ALT+DEL cause the system to cancel journalling regardless of a journalling application's behavior

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And I have no idea about the "when the system is locked or logged off or not logged in".
I would guess that as long as the service runs, the hook will, but this is just a wild guess; I cannot remember seeing anything about that anywhere. . .
I have already said, but will say again, I would probably go with the DLL hooks WH_MOUSE and WH_KEYBOARD, since they seem to be intended for use in extended time periods, not short periods like the Journal hooks. . .
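
Catching WM_CANCELJOURNAL between GetMessage and DispatchMessage, as the quoted API help describes, shown here as an added example that is not code from any poster in this thread. It assumes a thread that runs its own message loop; the program name, `Arm` and `LastInputTick` are hypothetical, and the hook procedure keeps only the time of the last event, never its content.

```delphi
program IdleJournal;  // added example; program and routine names are hypothetical
{$APPTYPE CONSOLE}
uses Windows, Messages;

var
  Hook: HHOOK = 0;
  LastInputTick: DWORD;  // time of the last input event only; content is never read

function JournalProc(Code: Integer; W: WPARAM; L: LPARAM): LRESULT; stdcall;
begin
  if Code = HC_ACTION then
    LastInputTick := GetTickCount;
  Result := CallNextHookEx(Hook, Code, W, L);
end;

function Arm: Boolean;
begin
  // Journal hooks are system-wide (thread id 0) but run in the installing thread.
  Hook := SetWindowsHookEx(WH_JOURNALRECORD, @JournalProc, HInstance, 0);
  Result := Hook <> 0;
end;

var
  Msg: TMsg;
begin
  LastInputTick := GetTickCount;
  if not Arm then Halt(1);
  SetTimer(0, 0, 5000, nil);  // thread timer: WM_TIMER arrives with hwnd = 0
  // While journaling is active this loop must keep pumping, or other apps wait.
  while GetMessage(Msg, 0, 0, 0) do
  begin
    if (Msg.hwnd = 0) and (Msg.message = WM_CANCELJOURNAL) then
    begin
      // CTRL+ESC or CTRL+ALT+DEL: the system has already removed the hook,
      // so the old handle is stale and must not be passed to UnhookWindowsHookEx.
      Hook := 0;
      Arm;  // restart, as suggested in the answer above
    end
    else if (Msg.hwnd = 0) and (Msg.message = WM_TIMER) then
      Writeln('idle for ', (GetTickCount - LastInputTick) div 1000, ' s')
    else
    begin
      TranslateMessage(Msg);
      DispatchMessage(Msg);
    end;
  end;
  if Hook <> 0 then UnhookWindowsHookEx(Hook);
end.
```

Microsoft's documentation lists the journaling hooks as unsupported starting with Windows 11, so check the `SetWindowsHookEx` result rather than assuming the hook was installed.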
snehanshu (Author) Commented:
Thanks again Slick.
I have rarely had to use APIs, but I think I'll start reading more about APIs now.
All that information was VERY helpful.
The Journal hook code that I had initially found was also posted by you!
Thank you for that too.

I shall accept the answer now...

Points finally set to 150.
snehanshu (Author) Commented:
  Looks like I need your help in implementing WM_CANCELJOURNAL in my service. I have also uploaded my small 300+ line code.
  Can you please give me code for how to implement WM_CANCELJOURNAL in my code?
  Please refer this Q:

Thank you,