Hooking spoolsv.exe

Printers in an organization are an easy target for abuse. Developing an application to log printer activity requires expertise in Microsoft Windows internals. The simple code below allows you to quickly use our Deviare Interception Engine to log printer activity. The application runs on the computer the printer is connected to and logs all print jobs.

We can hook the undocumented PrvStartDocPrinterW function inside spoolsv.exe, which behaves like the documented StartDocPrinter, and use it to retrieve the name of the document being printed. For information beyond the document name, we can also potentially hook functions such as YSetJob, an undocumented counterpart of SetJob; this requires further research. Once that research is done, we can retrieve, among other things, the printer name, computer name, username and total number of pages. This is the complete JOB_INFO_1 data structure:

  DWORD  JobId
  LPTSTR pPrinterName
  LPTSTR pMachineName
  LPTSTR pUserName
  LPTSTR pDocument
  LPTSTR pDatatype
  LPTSTR pStatus
  DWORD  Status
  DWORD  Priority
  DWORD  Position
  DWORD  TotalPages
  DWORD  PagesPrinted
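As an added example (not code from this post or from Deviare), here is how a logger could decode the JOB_INFO_1 that a YSetJob hook hands it, assuming the 64-bit layout (4-byte DWORDs, 8-byte pointers) and a captured copy of the memory region the string pointers reference; the sample snapshot is constructed inline.

```python
import struct

# x64 layout of JOB_INFO_1: DWORD JobId, 4 bytes of alignment padding, six LPTSTR
# pointers, then five DWORDs; sizeof() is 80 once the tail is padded to 8 bytes.
JOB_INFO_1_FMT = "<I4x6Q5I"
JOB_INFO_1_SIZE = 80
POINTER_FIELDS = ("printer_name", "machine_name", "user_name",
                  "document", "datatype", "status_text")


def read_wstr(snapshot, base, ptr, max_chars=1024):
    """Follow an LPTSTR into the snapshot; decode a NUL-terminated UTF-16LE string."""
    if ptr == 0:                      # NULL pointer (pStatus is frequently NULL)
        return None
    off = ptr - base
    if off < 0 or off >= len(snapshot):
        raise ValueError(f"pointer 0x{ptr:x} lies outside the captured region")
    for i in range(max_chars):
        pos = off + 2 * i
        if pos + 2 > len(snapshot):
            raise ValueError("string runs past the end of the captured region")
        if snapshot[pos:pos + 2] == b"\x00\x00":
            return snapshot[off:pos].decode("utf-16-le")
    raise ValueError("no terminator within max_chars")


def parse_job_info_1(snapshot, base, addr):
    """Decode the JOB_INFO_1 at virtual address addr into a dict a logger can record."""
    fields = struct.unpack_from(JOB_INFO_1_FMT, snapshot, addr - base)
    job = {"job_id": fields[0]}
    for name, ptr in zip(POINTER_FIELDS, fields[1:7]):
        job[name] = read_wstr(snapshot, base, ptr)
    job.update(zip(("status", "priority", "position", "total_pages", "pages_printed"), fields[7:]))
    return job


def build_sample():
    """Constructed test data: a JOB_INFO_1 at base followed by the strings it points to."""
    base = 0x1A0000
    text = {"printer_name": "HP LaserJet 4", "machine_name": "\\\\WS01",
            "user_name": "alice", "document": "quarterly.pdf",
            "datatype": "RAW", "status_text": None}
    blob = bytearray(JOB_INFO_1_SIZE)
    ptrs = []
    for name in POINTER_FIELDS:
        s = text[name]
        ptrs.append(base + len(blob) if s is not None else 0)
        if s is not None:
            blob += s.encode("utf-16-le") + b"\x00\x00"
    # JobId=42, Status=0x10 (JOB_STATUS_PRINTING), Priority=1, Position=3, 7 pages, 0 printed
    struct.pack_into(JOB_INFO_1_FMT, blob, 0, 42, *ptrs, 0x10, 1, 3, 7, 0)
    return bytes(blob), base
```

The bounds checks matter in a real hook callback: a dangling or truncated buffer must produce a logged error, not a crash inside spoolsv.exe.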

Hooks can also be added to the GDI functions to capture document content. Documents are rendered internally into a DC (Device Context). The process must wait for all rendering operations to finish before dumping the entire DC to a file for later review.

There is a market for printer loggers. A quick search of this market shows that most commercial applications log information similar to what this simple code logs. You can use the Deviare interception engine to develop your own product for this market or to rapidly customize a solution. Deviare handles the complex task of intercepting binary applications, and it works on both 32-bit and 64-bit platforms. If you want an advantage over the competition, you can add GDI hooking to log all content being printed.

Microsoft Windows also provides event logging for the printing services; see Enable or disable logging of printing events. To log information beyond those events, you will need to use hooking.

The above techniques can also be used to develop other interesting printer applications such as:

User-based print job quotas to enforce organizational policies related to printer usage.

Ink usage monitoring.

Statistical correlation of ink consumption across the different printer models of organizations with large printing facilities. Google did a similar study with hard drives and published it online as Failure Trends in a Large Disk Drive Population.

Code

This code is for 64-bit systems. Follow these steps:

Nektra.Deviare2.dll

DeviareCOM64.dll

DeviareCOM64.X.manifest

DvAgent.dll

DvAgent64.dll

Deviare32.db

Deviare64.db

Run Visual Studio as Administrator (Visual Studio 2008 and Visual Studio 2010 solutions are included).

Run the project.

Print something.

Related Services

Please support our blog by reading about Windows Driver Development, Outlook 365 Plugin Development, Reverse Engineering Services and Data Loss Prevention Solution Development.