What is Windows Hooks?


Windows Hooks

Visual C++









In Windows operating system, a hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Functions that receive events are called filter functions and are classified according to the type of event they intercept. For example, a filter function might want to receive all keyboard or mouse events. For Windows to call a filter function, the filter function must be installed, that is, attached to Windows hook (for example, to a Keyboard hook). Attaching one or more niter functions to a hook is known as setting a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end.

When a hook has one or more filter functions attached and an event occurs that triggers the hook, Windows call the first filter function in the filter function chain. This action is known as calling the hook. For example, if a filter function is attached to the CBT hook and an event that triggered the hook occurs. (for example, a window is about to be created), Windows calls the CBT hook by calling the first function in the filter function chain.

To maintain and access filter functions, applications use the SetWindowsHookEx( ) and the UnhookWindowsHookEx( ) functions. Hooks provide powerful capabilities for Windows-based applications. Given below is a list of hooks and what can be achieved using them.




Process, modify, or remove keyboard events.


Process, modify, or discard mouse events.


Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for an application.


Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for the system.


Process or modify all messages (of any type) for the system whenever a GetMessage( ) or a PeekMessage( ) function is called.


Process or modify all messages (of any type) whenever a SendMessage( ) function is called.



Record or playback keyboard and mouse events.


Respond to certain system actions, making it possible to develop computer-based training (CBT) for applications.


Prevent another filter from being called.

The SetWindowsHookEx( ) function adds a filter function to a hook. This function takes four arguments:

  • An integer code describing the hook to which to attach the filter function. These codes are defined in WINUSER.H
  • -The address of the filter function.
  • The instance handle of the module containing the filter function. In Win32 this value should be NULL when installing a thread-specific hook.
  • The thread ID for which the hook is to be installed. If the thread ID is non-zero, the installed filter function will be called only in the context of the specified thread. If the thread ID is zero, the installed filter function has system scope and may be called in the context of any thread in the system.

The filter function KeyboardProc( ) receives three parameters: ncode (the hook code), wParam, and lParam. The hook code is an integer code that informs the filter function of any additional data it should know. If the hook code is less than zero, the filter function should not process the event; it should call CallNextHookEx( ). The second and the third parameter passed to the filter function contain information needed by the filter function. Each book attaches different meanings to these parameters. For example, filter functions attached to the WH_KEYBOARD hook receive a virtual-key code in the second parameter, and bit fields describing the state of the keyboard in the third parameter.

In this program I have installed a keyboard hook. Whenever a keyboard event occurs the filter function would get called. In this function the status of the Caps Lock is set to off. As a result, once this program is executed, there onwards any attempt to put on the Caps Lock on would fail. This is because an attempt to put it on would result into transfer of control to our filter function. And this function would put the Caps Lock off. 

To ensure that this effect remains permanent even if we reboot the machine, we have made an entry in the registry under the sub-key "Software\Microsoft\Windows\CurrentVersion\Run" in the HKEY_LOCAL_MACHINE branch. This entry is made when we close our application for the first time. After making this entry when we reboot the machine our program would run automatically. Note that you must specify the path of your '.exe' file in the RegSetValueEx( ) function.


Socket Programming
Data Structures
Windows Programming
Multi Threading