I am contemplating writing a keyboard filter driver.
The purpose of the driver is nothing more than to identify
1.) Events that are actually coming from a keyboard.
2.) Events that are coming from SendInput() (‘injected’).
I am familiar with SetWindowsHookEx(WH_KEYBOARD_LL,…).
I am aware that ((((KBDLLHOOKSTRUCT *)lParam)->flags&LLKHF_INJECTED)
tells me that the event is injected (not from a keyboard).
But I do not want to use this approach for various reasons.
Keyboard Filter Driver:
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation; // Specifies device-specific information associated with a keyboard event?
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
Questions (Filter Driver):
1.) Is there something within the KEYBOARD_INPUT_DATA that indicates that the event originated from SendInput() (is injected)?
2.) What / Who fills the ExtraInformation? What is it’s purpose?
Questions (SendInput())
typedef struct tagKEYBDINPUT {
WORD wVk;
WORD wScan;
DWORD dwFlags;
DWORD time;
ULONG_PTR dwExtraInfo;
} KEYBDINPUT, *PKEYBDINPUT
1.) Does the value of KEYBDINPUT.dwExtraInfo show up as the value of KEYBOARD_INPUT_DATA.ExtraInformation?
Thanks.
Hello Chris.
Of course!
My application installs its hook in the hook chain (it is first).
My application hook (when ‘activated’) eats all input that is non-injected
(i.e. does not pass the event down/up the hook chain)
Everything is working as it should.
The customer runs an application that installs a hook in the hook chain.
The customers hook is now first in the chain, My hook is second.
I can now no longer eat all inputs that are non-injected.
Since the customers hook sees the event first it will process it.
The customer hook acts as ‘hot keys’.
The customer does NOT want the hot keys to fire when my application is active.
In order to prevent the next question:
1.) Yes I understand that if the customer starts there application first then my application
I will be ‘first’ in the hook chain and their ‘hot keys’ will not fire.
2.) This has been communicated to the customer.
3.) They want to dynamically start and stop both their application and my application in
no particular order.
4.) Requiring them to start their application first followed by my application is not satisfactory to them
Thanks
- no
- the keyboard port driver typically fills this in. a filter can do so as well. It is one of those features in the system that no one uses nor pays attention to. That means while we think the data should flow from the keyboard stack, through win32k and then into the message dispatcher, no one verifies the chain is complete.
- yes, that is what should happen
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Ameritech.net
Sent: Wednesday, March 2, 2016 8:39 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Keyboard Filter Driver. Identify ‘injected’ input? (SendInput())
I am contemplating writing a keyboard filter driver.
The purpose of the driver is nothing more than to identify
1.) Events that are actually coming from a keyboard.
2.) Events that are coming from SendInput() (‘injected’).
I am familiar with SetWindowsHookEx(WH_KEYBOARD_LL,…).
I am aware that ((((KBDLLHOOKSTRUCT *)lParam)->flags&LLKHF_INJECTED) tells me that the event is injected (not from a keyboard).
But I do not want to use this approach for various reasons.
Keyboard Filter Driver:
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation; // Specifies device-specific information associated with a keyboard event?
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
Questions (Filter Driver):
1.) Is there something within the KEYBOARD_INPUT_DATA that indicates that the event originated from SendInput() (is injected)?
2.) What / Who fills the ExtraInformation? What is it’s purpose?
Questions (SendInput())
typedef struct tagKEYBDINPUT {
WORD wVk;
WORD wScan;
DWORD dwFlags;
DWORD time;
ULONG_PTR dwExtraInfo;
} KEYBDINPUT, *PKEYBDINPUT
1.) Does the value of KEYBDINPUT.dwExtraInfo show up as the value of KEYBOARD_INPUT_DATA.ExtraInformation?
Thanks.
—
NTDEV is sponsored by OSR
Visit the list online at: https:
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:
To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>
The injected events don’t go through keyboard driver; I don’t know what you’re trying to achieve here.
Also, your keyboard filter will not be there if the application runs in RDP session.
What actual problem are you trying to solve? What part of the user experience does your application change? What you’re doing is king of kludgey.
Thank you Doron. You have been most helpful.