WH_CBT Hooking

>> Wednesday, October 21, 2009


If you want to monitor the programs on your computer (which programs are started, activated, or destroyed), use the hook type WH_CBT.

The following messages are captured:

HCBT_ACTIVATE — a program is activated;
HCBT_CREATEWND — a new window is created;
HCBT_DESTROYWND — an existing window is destroyed;
HCBT_MINMAX;
HCBT_MOVESIZE.

Here's the sample code of the DLL.
// FileMonitor.cpp : Defines the entry point for the DLL application.
//

#include <windows.h>


// Handle of the installed WH_CBT hook. Written by RunStopHook and passed to
// CallNextHookEx/UnhookWindowsHookEx.
// NOTE(review): no shared data section is declared in this file, so each
// process that maps the DLL presumably gets its own zero-initialised copy;
// only the process that called RunStopHook would hold the real handle.
HHOOK SysHook;
// Module handle of this DLL, stored by DllMain and handed to
// SetWindowsHookEx as the module that contains the hook procedure.
HINSTANCE hInst;

/**
 * DLL entry point.
 *
 * Stores the module handle in the file-level hInst on every notification
 * so that RunStopHook can pass it to SetWindowsHookEx. Always reports
 * success.
 *
 * @param hModule            handle of this DLL module
 * @param ul_reason_for_call notification reason (not examined)
 * @param lpReserved         reserved by the loader (not examined)
 * @return TRUE in all cases
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // Neither argument influences the result; silence unused-parameter warnings.
    (void)ul_reason_for_call;
    (void)lpReserved;

    hInst = static_cast<HINSTANCE>(hModule);
    return TRUE;
}

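/**
 * WH_CBT hook procedure: observes window activation and window creation.
 *
 * For WH_CBT the meaning of wParam/lParam depends on the hook code. For
 * HCBT_ACTIVATE and HCBT_CREATEWND the window handle arrives in wParam;
 * lParam points to a CBTACTIVATESTRUCT or CBT_CREATEWND respectively,
 * never to a MSG, so it must not be cast to tagMSG*.
 *
 * With a global hook this function executes inside whichever process owns
 * the thread that triggered the event, so it should stay short and must
 * not assume it is running in the installer's process.
 *
 * @param code   HCBT_* hook code; negative values must be passed on untouched
 * @param wParam for the two handled codes: handle of the affected window
 * @param lParam code-specific structure pointer (not dereferenced here)
 * @return the value returned by CallNextHookEx, so that a later hook in the
 *         chain can still allow or veto the operation
 */
LRESULT CALLBACK SysMsgProc(
    int code,       // hook code
    WPARAM wParam,  // window handle for HCBT_ACTIVATE / HCBT_CREATEWND
    LPARAM lParam   // address of a code-specific structure
)
{
    // Negative codes are not for this procedure: forward them unprocessed.
    if (code < 0)
        return CallNextHookEx(SysHook, code, wParam, lParam);

    if (code == HCBT_ACTIVATE)
    {
        char windtext[255];
        windtext[0] = '\0';  // stays a valid empty string if the call fails
        HWND Wnd = (HWND)wParam;
        // Explicit ANSI variant: the buffer is char, which would not match
        // GetWindowTextW in a UNICODE build.
        GetWindowTextA(Wnd, windtext, (int)sizeof(windtext));

        // Here you can save active window title
        // (titles frequently embed document names or URLs: treat anything
        // persisted from here as sensitive, length-bounded data)
    }

    if (code == HCBT_CREATEWND)
    {
        char windtext[255];
        windtext[0] = '\0';
        HWND Wnd = (HWND)wParam;
        // NOTE(review): this notification arrives early in window creation,
        // so the text may still be empty at this point; verify on target.
        GetWindowTextA(Wnd, windtext, (int)sizeof(windtext));

        // Here you can save New file title
    }

    // Chain last and propagate the result instead of forcing 0, which would
    // discard the decision of any other CBT hook in the chain.
    return CallNextHookEx(SysHook, code, wParam, lParam);
}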

///////////////////////////////////////////////////////////////////

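/**
 * Installs or removes the WH_CBT hook.
 *
 * The thread id passed to SetWindowsHookEx is 0, which requests a hook for
 * all threads on the calling desktop. The system therefore maps this DLL
 * into other GUI processes; that cross-process module load is visible to,
 * and commonly monitored by, endpoint security tooling.
 *
 * @param State     true installs the hook, false removes it
 * @param hInstance unused; the module handle recorded by DllMain (hInst)
 *                  is used because the hook procedure lives in this DLL
 */
extern "C" __declspec(dllexport) void RunStopHook(bool State, HINSTANCE hInstance)
{
    (void)hInstance;

    if (State)
    {
        // Install only once: a second call would overwrite and leak the
        // handle of the first hook, which could then never be removed.
        if (SysHook == NULL)
            SysHook = SetWindowsHookEx(WH_CBT, &SysMsgProc, hInst, 0);
        // SysHook stays NULL when installation fails; the void return type
        // gives the caller no way to see that, so check GetLastError there.
    }
    else if (SysHook != NULL)
    {
        // Forget the handle only after a successful removal so that a
        // still-active hook is never installed a second time.
        if (UnhookWindowsHookEx(SysHook))
            SysHook = NULL;
    }
}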
