8

Is it possible to write a global Keyboard Hook from windows(xp and 7) service ? ( using SetWindowsHookEx didn't work from a system service )

jacob
  • 1,397
  • 1
  • 26
  • 53

2 Answers2

12

The documentation for SetWindowsHookEx says:

or with all threads in the same desktop as the calling thread.

So you need to be associated with the same desktop (and there will be multiple desktops even without considering terminal services: the normal desktop, the secure desktop (used for UAC and login) and the screen saver).

Since services are not associated with an interactive session (and, from Windows V6, cannot be) you'll need a process within the user's session to do the hooking, and communicate with the backend service (eg. via a named pipe). And don't forget to test with no-one logged in, and multiple users logged in.

Richard
  • 106,783
  • 21
  • 203
  • 265
6

To summarize what Richard said (and to add my own commentary): You cannot directly set a global keyboard hook from a Windows service starting with Windows Vista. However, it still would be a logical choice to use a Windows service as you will have all the necessary privileges to set global hooks. You can duplicate your privileges to child processes that you create in each logged-on user's session to enable your child processes to set global hooks within their own desktop/session even if the user does not hold adequate privileges.

Personally, (assuming you're writing a keylogger) instead of aggregating all of the logged keystrokes to one process and writing them to disk, it might make sense to have each individual process write separate files according to their username.

subwar
  • 279
  • 1
  • 3
  • 1
    How would something that doesn't work be a "good logical choice"? And what makes you say that a service is highly privileged. That does not follow a priori. People often run services under high priv accounts, but that's just convention. – David Heffernan Apr 28 '11 at 23:32
  • Having one system service and multiple logged-on user processes sounds like a good idea but how can I duplicate the services privileges to a user process ? – jacob Apr 30 '11 at 17:41
  • 1
    Setting hooks INDIRECTLY from a service is a logical choice because services by DEFAULT (yes, even up to Windows 7) run with a set of privileges that allow them to set global hooks and gain any other privileges they require (SeTcbPrivilege -> Authority to act as part of the operating system). The system will only create processes with the SeTcbPrivilege if the process is loaded by the svchost component during service invocation. Using a service allows you to set global hooks regardless of the privileges of the interactive user that you are monitoring by allowing other users to use its token. – subwar May 11 '11 at 05:05
  • DuplicateHandle(). You'll need some form of IPC in order to coordinate and authorize your specific keylogger child processes so that other applications may not use your service as a backdoor to elevate privileges. – subwar May 11 '11 at 05:06
  • How would you go about detecting a new user session and then creating a process in it? I need to do something similar to this (I need to make a service that responds to a 'hotkey'). – Tim Long Dec 16 '12 at 04:20