[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 166
  • Last Modified:

Trapping folder location from where an app was launched by association

Suppose someone launches winzip from Explorer by clicking on a zip file.

I would like to know the name of that folder, so I can pass it to an app that is monitoring running processes.

Is there some way of hooking this "launch by association" event so I can find the folder (or even the file) name?

2 Solutions
Check out the documentation for the windows API call, SetWindowsHookEx, what you will discover is that what you are allowed to hook are lots of different kinds of events -- message queue, keystrokes, mouse moves, system messages, etc.

If you run a message monitor (such as winsight32 that comes with delphi), you might be able to find a message that you can use, but it will be a diffiicult task, windows messages do not include think like strings (representing the filename you might want) in them.

This is what most people think of as hooking and you are unlikely to be happy with this approach.

I would recommend you take a look at http://www.madshi.net and look at the MadCodeHook package. With this, you can hook the CreateProcessEX call globally, and this is probably the way you want to go. I'm not sure Windows Explorer uses CreateProcessEx() or CreateProcess, but if this is how it launches documents, this would be the easiest way to trap them. Of course, you would see all such WinAPI calls, but this is likely to be the easiest method.

Madshi is historically a frequent poster on Experts Exchange. (No. 2 on the Delphi list), but he has slacked off this year. His stuff is very good when you need it.

Enumerate the processes, the last in the list will be the most current. Using the PID gained through enumeration you can extract the filepath. Have a look here:



Thanks gwalkeriq!

Mutley, what folder are you talking about exactly? The one in which WinZip.exe is stored? Or the one in which the zip file is stored (which was double clicked)?

In the first case Hypoviax has the right link. In the latter case you could hook the process creation call (as gwalkeriq suggested). But there's an easier solution: Ask the command line of the running processes. See here:


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

I was suggested using Madshi hooking over enumerating processes mainly to avoid the overhead of a polling loop. Using MadCodeHook, you only respond to process launch events. When polling, you have to decide how often to poll, go through the  overhead of the polling loop, as well as only respond to the process creation a single time.

Obviously, I should have pointed out RemoteCmdLine too, but since Madshi himself did so, the reference is quite credible.

Madshi, you're welcome.

Mutley2003Author Commented:
Hypoviax, thanks for that excellent link but it is, as Madshi says, the folder for the exe.
 I want the folder which was clicked in explorer ie where the .zip file is.

I gotta say that RemoteCmdLine stuff is brilliant.  I think it will do what I need, but the idea of hooking the process creation call is intriguing.

As usual, I wish I had more points to distribute. Points to gwalkeriq, points to madshi for RemoteCmdLine

thanks everyone

Hook process creation is much more complex. If you can get along with RemoteCmdLine that would be by far the better solution, because it has much less impact on the OS.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now