I am writing a Win32 application in C and have been monitoring the Window Messages coming through the message loop. I am getting an unknown message 0xc0e8 and cannot seem to find any information about this particular message. From my understanding all messages below 0x400 (WM_USER) are reserved by the system so I don't understand why I would be getting messages above that integer if I'm not sending any custom messages.

Does anyone know anything about this message and where it may be coming from?

  • Some other application is broadcasting a user message?? – Mark Benningfield Jul 26 '21 at 17:10
  • Hmm that's interesting. I didn't think of that. I wonder would there be a way to trace where it is coming from. I am only receiving it one time at app startup. – Ken Garrett Jul 26 '21 at 17:14
  • Related: [How can my app find the sender of a windows message?](https://stackoverflow.com/questions/910991/how-can-my-app-find-the-sender-of-a-windows-message) – Weather Vane Jul 26 '21 at 17:50

1 Answer

Message 0xC0E8 is in the range of application-defined window messages that are registered at runtime with RegisterWindowMessage().

| Range | Meaning |
|---|---|
| 0 through WM_USER – 1 | Messages reserved for use by the system. |
| WM_USER through 0x7FFF | Integer messages for use by private window classes. |
| WM_APP through 0xBFFF | Messages available for use by applications. |
| 0xC000 through 0xFFFF | String messages for use by applications. |
| Greater than 0xFFFF | Reserved by the system. |

You can use GlobalGetAtomName() or GetClipboardFormatName() to retrieve the original name that was registered. That might give you a clue to which app registered it, as many apps tend to put their own names in the window messages they register. But that is not guaranteed.

And there is no way to determine which application process actually registered the message originally, or is sending it to your app.¹

¹ Well, not without hooking the RegisterWindowMessage() and (Post|Send)Message() functions in every running process, that is.

You should not be concerning yourself with unknown messages, though. You could potentially receive many unknown messages during your process's lifetime. If you receive a message you don't recognize, simply pass it along to your default message handler (DefWindowProc(), etc.) and move on.

Remy Lebeau
  • Thank you for your answer. I will mark this as the accepted answer. While I do understand that ultimately unknown messages will be passed on to DefWindowProc, messages broadcasted by other applications are a point of concern as they could be beacons for malware (which is why I was curious in the first place). – Ken Garrett Jul 26 '21 at 18:12
  • "*messages broadcasted by other applications are a point of concern as they could be beacons for malware*" - where did you ever get that idea from? There are numerous reasons why applications would broadcast private messages to each other. Especially *registered* window messages, which are intended for *cooperative* communication between processes. – Remy Lebeau Jul 26 '21 at 18:19
  • There are documented attacks that use window messages: https://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html – Ken Garrett Jul 26 '21 at 18:27
  • OK, but that is not the norm. There are a lot of attack vectors in programming. Just because something *can* be abused by malware doesn't mean it *is* being abused on most systems. Window messages are much more likely to be used for legitimate reasons than malicious ones. – Remy Lebeau Jul 26 '21 at 18:29
  • But if it can be abused does it hurt to ponder if it is? I've personally been writing windows apps for years and have never seen that message and honestly have never seen too many broadcasted messages (I usually keep a very thin build). – Ken Garrett Jul 26 '21 at 18:33
  • Whereas I've written plenty of apps that are designed to work together, and use window messages between each other. *Registered* messages have legit uses, even if you don't see them often. – Remy Lebeau Jul 26 '21 at 18:38
  • In corporate networks, there's often logging and antimalware software installed. Some of these ironically use similar methods to malware, like DLL injection, and then activate them by broadcasting registered messages. That was the cause of my [problem](http://bytepointer.com/resources/old_new_thing/20050304_055_modality_part_8_a_timed_messagebox_the_better_version.htm) in Raymond Chen's modality series (see comments from "Adrian"). – Adrian McCarthy Jul 26 '21 at 23:52
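
The name lookup described in the answer (GetClipboardFormatName() on an ID in the 0xC000 through 0xFFFF range), as an added example that is not part of the original answer or its comments: it classifies a message ID by the documented ranges and produces one log line per registered ID the first time it is seen. The helper names `classify_message`, `registered_message_name` and `note_registered_message` are hypothetical, and the non-Windows branch exists only so the file also compiles off Windows.

```c
/* Added example, not from the original answer; helper names are hypothetical. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Ranges taken from the table in the answer. */
const char *classify_message(unsigned long id) {
    if (id < 0x0400)  return "system";         /* 0 .. WM_USER - 1 */
    if (id < 0x8000)  return "private-class";  /* WM_USER .. 0x7FFF */
    if (id < 0xC000)  return "application";    /* WM_APP .. 0xBFFF */
    if (id <= 0xFFFF) return "registered";     /* RegisterWindowMessage() */
    return "reserved";
}

/* Copies the registered name into buf; returns its length, 0 if not found. */
int registered_message_name(unsigned long id, char *buf, int cap) {
    if (cap <= 0) return 0;
    buf[0] = '\0';
    if (id < 0xC000 || id > 0xFFFF) return 0;
#ifdef _WIN32
    return GetClipboardFormatNameA((UINT)id, buf, cap);
#else
    return 0; /* assumption: nothing to query when not built for Windows */
#endif
}

/* One bit per ID in 0xC000..0xFFFF, so each ID is reported only once. */
static unsigned char seen[0x4000 / 8];

/* Returns 1 and fills line the first time a registered ID is seen, else 0.
   Call it from the window procedure, then still hand the message to
   DefWindowProc() as the answer advises. */
int note_registered_message(unsigned long id, char *line, size_t cap) {
    char name[256];
    unsigned long bit;
    if (id < 0xC000 || id > 0xFFFF) return 0;
    bit = id - 0xC000;
    if (seen[bit / 8] & (1u << (bit % 8))) return 0;
    seen[bit / 8] |= (unsigned char)(1u << (bit % 8));
    if (registered_message_name(id, name, (int)sizeof name) > 0)
        snprintf(line, cap, "msg 0x%04lX registered as \"%s\"", id, name);
    else
        snprintf(line, cap, "msg 0x%04lX registered, name not found", id);
    return 1;
}
```

Any process can register any string, so treat the returned name as untrusted input when writing it to a log, and as a hint about the registrant rather than proof of it.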