Filter driver RRS feed

  • Question

  • Hi,

    I want to write a code in C# or C++ to get all keys which the user press, and check for example sound card actions or VGA actions. In fact, I want to check all I/O on all devices in a computer.

    I would thank you very much if help me to find the best way to do it?



    Friday, February 17, 2017 2:53 AM

All replies

  • To filter key presses (and releases) you would need to write a kernel-mode driver, which cannot be done using C#. There is a keyboard filter driver in the WDK samples (\WDK10_Samples\input\kbfiltr) that you can start with. As for the rest of your request, VGA isn't used anymore, and what do you mean by "check all I/O on all devices"? I suppose that you could put filter drivers on the DevStacks you're interested in, and examine the IRPs being sent to those devices. To accomplish any of this, you're going to have to spend a great deal of quality time with the WDK documentation and learn how drivers work on Windows.


    Azius Developer Training Windows device driver, internals, security, & forensics training and consulting. Blog at

    Friday, February 17, 2017 3:47 AM
  • As Brian noted this will require a lot of Windows kernel filter drivers.  Since the drivers for different devices require different filters, this is a lot of learning and studying.

    Before you start this can you indicate what your long term goal is?  I did something like this for a client years ago using techniques that are no longer supported, and I can state that the performance of the computer was miserable.   If you can give us an idea of what you are trying to accomplish this forum may be able to give you approaches that will work.

    Don Burn Windows Driver Consulting Website:

    Friday, February 17, 2017 11:49 AM
  • Perhaps you could implement that as a patch or plug-in for some virtualization program, e.g. QEMU. Then you'd have complete control on the I/O of the guest OS.
    Saturday, February 18, 2017 1:16 PM
  • The reason I suggested the OP give us what he is trying to do, is that the interception can be at many layers.   If the OP is interested in what specific actions a given program and user is doing they need a different layer than if they want the general the system is writing a set of blocks to the disk, which is yet different than what can be captured depending on the virtualization layer.

    There are a huge number of approaches here, all of them are complex depending on what the OP's goals are, but without some clue of what the goal is, giving a specific suggestion is just potentially leading the OP astray.

    Don Burn Windows Driver Consulting Website:

    Saturday, February 18, 2017 1:23 PM