Monitoring shell operations using undocumented functions

Source: Internet
Author: User


Windows has an undocumented function, SHChangeNotifyRegister, that adds your window to the system's notification chain for shell operations. The function can be called from Delphi.
It is defined as follows:

function SHChangeNotifyRegister(hWnd, uFlags, dwEventID, uMsg, cItems: LongWord;
  lpps: PIDLSTRUCT): Integer; stdcall; external 'shell32.dll' index 2;

The hWnd parameter is the handle of the window that monitors system operations, the uFlags and dwEventID parameters define the monitoring operation parameters, the uMsg parameter defines the operation message, and the cItems parameter defines additional parameters. The lpps parameter specifies a PIDLSTRUCT structure, which specifies the monitored directory.
After a successful call, the function returns a monitoring operation handle, and the system adds the window specified by hWnd to the operation monitoring chain. When a file operation occurs, the system sends the message specified by uMsg to hWnd. We only need to add a handler for that message to the program to monitor system operations.
To stop monitoring, call another undocumented function, SHChangeNotifyDeregister.
The following is a complete example written in Delphi. First, create a new project, then add a button control and a memo control to Form1.
The program code is as follows:

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, ShlObj, ActiveX;

const
  // Event codes
  SHCNE_RENAMEITEM = $1;
  SHCNE_CREATE = $2;
  SHCNE_DELETE = $4;
  SHCNE_MKDIR = $8;
  SHCNE_RMDIR = $10;
  SHCNE_MEDIAINSERTED = $20;
  SHCNE_MEDIAREMOVED = $40;
  SHCNE_DRIVEREMOVED = $80;
  SHCNE_DRIVEADD = $100;
  SHCNE_NETSHARE = $200;
  SHCNE_NETUNSHARE = $400;
  SHCNE_ATTRIBUTES = $800;
  SHCNE_UPDATEDIR = $1000;
  SHCNE_UPDATEITEM = $2000;
  SHCNE_SERVERDISCONNECT = $4000;
  SHCNE_UPDATEIMAGE = $8000;
  SHCNE_DRIVEADDGUI = $10000;
  SHCNE_RENAMEFOLDER = $20000;
  SHCNE_FREESPACE = $40000;
  SHCNE_ASSOCCHANGED = $8000000;
  SHCNE_DISKEVENTS = $2381F;
  SHCNE_GLOBALEVENTS = $C0581E0;
  SHCNE_ALLEVENTS = $7FFFFFFF;
  SHCNE_INTERRUPT = $80000000;

  // Flags
  SHCNF_IDLIST = 0;     // LPITEMIDLIST
  SHCNF_PATHA = $1;     // path name
  SHCNF_PRINTERA = $2;  // printer friendly name
  SHCNF_DWORD = $3;     // DWORD
  SHCNF_PATHW = $5;     // path name
  SHCNF_PRINTERW = $6;  // printer friendly name
  SHCNF_TYPE = $FF;

  SHCNF_FLUSH = $1000;

  SHCNF_FLUSHNOWAIT = $2000;
  SHCNF_PATH = SHCNF_PATHW;
  SHCNF_PRINTER = SHCNF_PRINTERW;

  WM_SHNOTIFY = $401;
  NOERROR = 0;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Memo1: TMemo;
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
    procedure Button1Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    procedure WMShellReg(var Message: TMessage); message WM_SHNOTIFY;
  public
    { Public declarations }
  end;

type
  PSHPolicyStruct = ^SHPolicyStruct;
  SHPolicyStruct = record
    dwItem1: PItemIDList;
    dwItem2: PItemIDList;
  end;

type
  PSHFileInfoByte = ^SHFileInfoByte;
  _SHFileInfoByte = record
    hIcon: Integer;
    iIcon: Integer;
    dwAttributes: Integer;
    szDisplayName: array[0..259] of Char;
    szTypeName: array[0..79] of Char;
  end;
  SHFileInfoByte = _SHFileInfoByte;

type
  PIDLSTRUCT = ^IDLSTRUCT;
  _IDLSTRUCT = record
    pidl: PItemIDList;
    bWatchSubFolders: Integer;
  end;
  IDLSTRUCT = _IDLSTRUCT;

function SHPolicy_Register(hWnd: Integer): Bool;
function SHPolicy_UnRegister: Bool;
function SHEventName(strPath1, strPath2: string; lParam: Integer): string;

function SHChangeNotifyDeregister(hNotify: Integer): Integer; stdcall;
  external 'shell32.dll' index 4;
function SHChangeNotifyRegister(hWnd, uFlags, dwEventID, uMsg, cItems: LongWord;
  lpps: PIDLSTRUCT): Integer; stdcall; external 'shell32.dll' index 2;
function SHGetFileInfoPidl(pidl: PItemIDList;
  dwFileAttributes: Integer;
  psfib: PSHFileInfoByte;
  cbFileInfo: Integer;
  uFlags: Integer): Integer; stdcall;
  external 'shell32.dll' name 'SHGetFileInfoA';

var
  Form1: TForm1;
  m_hSHNotify: Integer;
  m_pidlDesktop: PItemIDList;

implementation

{$R *.DFM}

function SHEventName(strPath1, strPath2: string; lParam: Integer): string;
var
  sEvent: string;
begin
  case lParam of // choose the message text based on the event code
    SHCNE_RENAMEITEM: sEvent := 'Rename the file ' + strPath1 + ' to ' + strPath2;
    SHCNE_CREATE: sEvent := 'Create file, name: ' + strPath1;
    SHCNE_DELETE: sEvent := 'Delete file, name: ' + strPath1;
    SHCNE_MKDIR: sEvent := 'New directory, name: ' + strPath1;
    SHCNE_RMDIR: sEvent := 'Delete directory, name: ' + strPath1;
    SHCNE_MEDIAINSERTED: sEvent := strPath1 + ' removable storage media inserted';
    SHCNE_MEDIAREMOVED: sEvent := strPath1 + ' removable storage media removed ' + strPath1 + ' ' + strPath2;
    SHCNE_DRIVEREMOVED: sEvent := 'Remove drive ' + strPath1;
    SHCNE_DRIVEADD: sEvent := 'Add drive ' + strPath1;
    SHCNE_NETSHARE: sEvent := 'Change the shared attribute of directory ' + strPath1;

    SHCNE_ATTRIBUTES: sEvent := 'Change file or directory attributes, name: ' + strPath1;
    SHCNE_UPDATEDIR: sEvent := 'Update directory ' + strPath1;
    SHCNE_UPDATEITEM: sEvent := 'Update file, name: ' + strPath1;
    SHCNE_SERVERDISCONNECT: sEvent := 'Disconnect from the server ' + strPath1 + ' ' + strPath2;
    SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE';
    SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI';
    SHCNE_RENAMEFOLDER: sEvent := 'Rename the folder ' + strPath1 + ' to ' + strPath2;
    SHCNE_FREESPACE: sEvent := 'Disk space size changed';
    SHCNE_ASSOCCHANGED: sEvent := 'Change file association';
  else
    sEvent := 'unknown operation ' + IntToStr(lParam);
  end;
  Result := sEvent;
end;

function SHPolicy_Register(hWnd: Integer): Bool;
var
  ps: IDLSTRUCT; // the record itself; an uninitialized pointer must not be written through
begin
  {$R-}
  Result := False;
  if m_hSHNotify = 0 then begin
    // obtain the PIDL of the Desktop folder
    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP,
      m_pidlDesktop) <> NOERROR then
      Form1.Close;
    if m_pidlDesktop <> nil then begin
      ps.bWatchSubFolders := 1;
      ps.pidl := m_pidlDesktop;

      // Use SHChangeNotifyRegister to register the window for shell notification messages
      m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE or SHCNF_IDLIST),
        (SHCNE_ALLEVENTS or SHCNE_INTERRUPT),
        WM_SHNOTIFY, 1, @ps);
      Result := m_hSHNotify <> 0;
    end
    else
      // Use CoTaskMemFree to release the PIDL if an error occurs
      CoTaskMemFree(m_pidlDesktop);
  end;
  {$R+}
end;

function SHPolicy_UnRegister: Bool;
begin
  Result := False;
  if m_hSHNotify <> 0 then
    // cancel shell notification monitoring and release the PIDL of the desktop
    if SHChangeNotifyDeregister(m_hSHNotify) <> 0 then begin
      {$R-}
      m_hSHNotify := 0;
      CoTaskMemFree(m_pidlDesktop);
      m_pidlDesktop := nil; // avoid keeping a dangling pointer
      Result := True;
      {$R+}
    end;
end;

procedure TForm1.WMShellReg(var Message: TMessage); // shell notification message handler
var
  strPath1, strPath2: string;
  charPath: array[0..259] of Char;
  pidlItem: PSHPolicyStruct;
begin
  pidlItem := PSHPolicyStruct(Message.WParam);
  // obtain the paths related to the notification; an item without a
  // file system path yields an empty string instead of stale buffer contents
  if SHGetPathFromIDList(pidlItem^.dwItem1, charPath) then
    strPath1 := charPath
  else
    strPath1 := '';
  if SHGetPathFromIDList(pidlItem^.dwItem2, charPath) then
    strPath2 := charPath
  else
    strPath2 := '';

  Memo1.Lines.Add(SHEventName(strPath1, strPath2, Message.LParam) + Chr(13) + Chr(10));
end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  // remove monitoring when the program exits
  if m_pidlDesktop <> nil then
    SHPolicy_UnRegister;
end;

procedure TForm1.Button1Click(Sender: TObject); // click handler of Button1
begin
  m_hSHNotify := 0;
  if SHPolicy_Register(Form1.Handle) then begin // register shell monitoring
    ShowMessage('Shell monitoring program successfully registered');
    Button1.Enabled := False;
  end
  else
    ShowMessage('Shell monitoring program registration failed');
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Button1.Caption := 'open monitoring';
end;

end.

Run the program and click the "open monitoring" button. If a dialog box reports "Shell monitoring program successfully registered", Form1 has been added to the system operation monitoring chain. You can then create and delete folders and move files in Windows Explorer, and you will find that these operations are recorded and displayed in the memo box.
The program above uses the PItemIDList type several times. This data structure identifies an "item" in Windows, which the shell uses to manage resources in a uniform way. An item can be a file, a folder, a printer, or another resource. Some API functions also involve Windows shell operations.
Readers can consult the relevant references.
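
The handler above matches the raw lParam with a case statement, so a value that combines an event code with the SHCNE_INTERRUPT modifier bit would fall through to "unknown operation". The following added example (not code from the original article) decodes the value bit by bit using the constants listed on this page; DecodeEvent, AddPart, the [disk] and [interrupt] tags and the sample values are constructed for illustration.

```delphi
program DecodeShellEvent;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}
// Added example: decodes a shell change event value bit by bit.
// DecodeEvent, AddPart and the sample values are hypothetical.
uses SysUtils;
const
  SHCNE_ASSOCCHANGED = $08000000;
  SHCNE_DISKEVENTS   = $0002381F;  // composite mask from the page
  SHCNE_INTERRUPT    = $80000000;  // modifier bit, combined with an event code
  // Names for bits 0..18 ($1 .. $40000), in the order the page lists them.
  Names: array[0..18] of string = (
    'RENAMEITEM', 'CREATE', 'DELETE', 'MKDIR', 'RMDIR', 'MEDIAINSERTED',
    'MEDIAREMOVED', 'DRIVEREMOVED', 'DRIVEADD', 'NETSHARE', 'NETUNSHARE',
    'ATTRIBUTES', 'UPDATEDIR', 'UPDATEITEM', 'SERVERDISCONNECT',
    'UPDATEIMAGE', 'DRIVEADDGUI', 'RENAMEFOLDER', 'FREESPACE');

procedure AddPart(var s: string; const part: string);
begin
  if s <> '' then s := s + '|';
  s := s + part;
end;

function DecodeEvent(raw: Cardinal): string;
var
  bit: Cardinal;
  i: Integer;
begin
  Result := '';
  for i := 0 to 30 do  // bit 31 is the modifier and is reported separately
  begin
    bit := Cardinal(1) shl i;
    if (raw and bit) = 0 then Continue;
    if i <= High(Names) then AddPart(Result, 'SHCNE_' + Names[i])
    else if bit = SHCNE_ASSOCCHANGED then AddPart(Result, 'SHCNE_ASSOCCHANGED')
    else AddPart(Result, '$' + IntToHex(Int64(bit), 8)); // bit the page does not name
  end;
  if (raw and SHCNE_DISKEVENTS) <> 0 then Result := Result + ' [disk]';
  if (raw and SHCNE_INTERRUPT) <> 0 then Result := Result + ' [interrupt]';
end;

begin
  // Constructed sample values: a plain event, an event with the modifier
  // bit set, and an event outside the disk-event mask.
  Writeln(DecodeEvent($00000002));
  Writeln(DecodeEvent($80000004));
  Writeln(DecodeEvent($08000000));
end.
```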
