-3

I am monitoring process activity on a Windows machine. I got one useful link from MSDN about important Events to Monitor, and with this information I started building a small piece of code using the WinAPI call SetWinEventHook. The code is below.

But using this I am unable to get control when those events listed on that link (Events to Monitor) are encountered.

Can anyone please suggest why I am not able to receive these mentioned events?

```cpp
#include <windows.h>
#include <stdio.h>

// Forward declaration: WinEventProc is referenced in WndProc before it is defined.
void CALLBACK WinEventProc(HWINEVENTHOOK hWinEventHook, DWORD event, HWND hwnd,
                           LONG idObject, LONG idChild, DWORD idEventThread, DWORD dwmsEventTime);

// Kept so the hook can be released in WM_DESTROY.
static HWINEVENTHOOK g_hook = NULL;

LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
{
    switch (iMsg)
    {
    case WM_CREATE:
    {
        // NOTE: 0x44E (decimal 1102) is not a WinEvent constant; EVENT_SYSTEM_MENUSTART is 0x0004.
        // The value is kept here as posted, since this is what the question asks about.
        g_hook = SetWinEventHook(0x44E, 0x44E, NULL, WinEventProc, 0, 0, WINEVENT_SKIPOWNPROCESS);
        break;
    }

    case WM_SHOWWINDOW:
    {
        //MessageBox(hwnd, L"WM_SHOWWINDOW", L"Message", MB_OK);
        break;
    }

    case WM_DESTROY:
    {
        if (g_hook) UnhookWinEvent(g_hook);
        PostQuitMessage(0);
        ExitProcess(0);
        break;
    }
    }

    return DefWindowProc(hwnd, iMsg, wParam, lParam);
}

void CALLBACK WinEventProc(HWINEVENTHOOK hWinEventHook, DWORD event, HWND hwnd,
                           LONG idObject, LONG idChild, DWORD idEventThread, DWORD dwmsEventTime)
{
    char buffer[100] = "";

    // DWORD is unsigned long, so %lu is the matching conversion.
    sprintf_s(buffer, "Event [%lu]\n Handle [%p]\n idEventThread [%lu]\n EventTime [%lu]",
              event, hwnd, idEventThread, dwmsEventTime);

    MessageBoxA(hwnd, buffer, "Message", MB_OK);
}
```
Yuvraj Takey
  • No. Control Panel > Administrative Tools > Event Viewer. Those kinds of events. Start [reading here](https://learn.microsoft.com/en-us/windows/win32/eventlog/about-event-logging). – Hans Passant Nov 13 '19 at 12:43
  • @HansPassant You mean that whatever MSDN mentioned (link: Events_to_Monitor) I can't use in a program directly? – Yuvraj Takey Nov 13 '19 at 13:58

1 Answer

1

SetWinEventHook: Sets an event hook function for a range of events.

For the range of events, please refer to Event Constants.

This topic describes the events that are generated by the operating system and by server applications. The constants are listed in alphabetical order.

Prior to using these events, client applications should use Accessible Event Watcher to verify that these events are used by UI elements.

For more information about events in general, see What Are WinEvents? and System Level and Object Level Events. For more information about the events sent by the system, see Appendix A: Supported User Interface Elements Reference.

It can be said that SetWinEventHook is not so powerful. The events it can detect do not include the malicious activities you mentioned.

Strive Sun
  • Thanks Strive, I got more clarity about my question; your answer was more useful for me. I'll get to know these details which you have mentioned. One more thing I would like to ask you: how can I include those events [Appendix L: Events to Monitor](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor) to be monitored programmatically (WinAPI)? I am not getting enough thread for this action. – Yuvraj Takey Nov 14 '19 at 09:03
  • @YuvrajTakey As Hans said, no WinAPI can achieve this except using Event Viewer. – Strive Sun Nov 14 '19 at 09:11
  • Okay, it means the only option left is to monitor the "Event Viewer log" for those (Appendix L: Events to Monitor) kinds of events. – Yuvraj Takey Nov 14 '19 at 09:25
  • @YuvrajTakey Yes. These events are not monitored by just a few APIs. They (Appendix L: Events to Monitor) involve a lot of knowledge that we may not touch. – Strive Sun Nov 14 '19 at 09:29