Logging Printer Activity

Hooking spoolsv.exe

Printers in an organization are an easy target for abuse. Developing an application to log printer activity requires expertise in Microsoft Windows internals. The simple code below allows you to quickly use our Deviare Interception Engine to log printer activity. The application runs on the computer the printer is connected to and logs all print jobs.

We can hook the undocumented PrvStartDocPrinterW function, which is similar to StartDocPrinter, inside spoolsv.exe and use it to retrieve the name of the document being printed. For information beyond the document name, we could also hook functions such as YSetJob, which is similar to SetJob and also undocumented. This requires further research. Assuming that research is done, we can retrieve, among other information, the printer name, computer name, username, and total number of pages. This is the complete JOB_INFO_1 data structure:

  1. DWORD JobId
  2. LPTSTR pPrinterName
  3. LPTSTR pMachineName
  4. LPTSTR pUserName
  5. LPTSTR pDocument
  6. LPTSTR pDatatype
  7. LPTSTR pStatus
  8. DWORD Status
  9. DWORD Priority
  10. DWORD Position
  11. DWORD TotalPages
  12. DWORD PagesPrinted
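
As an added example (not part of Nektra's code), this is how a hook handler could decode a JOB_INFO_1W as it is laid out in a 64-bit spoolsv.exe, given a byte region read from that process. The memory image, names and addresses are constructed for illustration; the layout follows the Windows SDK definition, which also ends with a SYSTEMTIME Submitted member.

```python
import ctypes

STR_FIELDS = ("pPrinterName", "pMachineName", "pUserName",
              "pDocument", "pDatatype", "pStatus")
DWORD_FIELDS = ("Status", "Priority", "Position", "TotalPages", "PagesPrinted")

class JobInfo1W64(ctypes.LittleEndianStructure):
    # x64 layout. Pointers stay integers: they are addresses inside spoolsv.exe,
    # not in the logger. The SDK struct ends with SYSTEMTIME Submitted (8 WORDs).
    _fields_ = ([("JobId", ctypes.c_uint32)]
                + [(n, ctypes.c_uint64) for n in STR_FIELDS]
                + [(n, ctypes.c_uint32) for n in DWORD_FIELDS]
                + [("Submitted", ctypes.c_uint16 * 8)])

def read_wstr(mem, base, addr, max_chars=260):
    """Bounded read of a NUL-terminated UTF-16LE string at virtual address addr."""
    if addr == 0:
        return None  # NULL pointer, e.g. pStatus when only the Status DWORD is set
    off = addr - base
    if not 0 <= off < len(mem):
        raise ValueError(f"pointer {addr:#x} is outside the captured region")
    end, limit = off, min(len(mem), off + 2 * max_chars)
    while end + 1 < limit and mem[end:end + 2] != b"\0\0":
        end += 2
    return mem[off:end].decode("utf-16-le", errors="replace")

def decode_job(mem, base, addr):
    """Decode the JOB_INFO_1 at virtual address addr from the captured bytes mem."""
    off = addr - base
    if off < 0 or off + ctypes.sizeof(JobInfo1W64) > len(mem):
        raise ValueError("JOB_INFO_1 lies outside the captured region")
    job = JobInfo1W64.from_buffer_copy(mem, off)
    out = {"JobId": job.JobId}
    out.update((n, read_wstr(mem, base, getattr(job, n))) for n in STR_FIELDS)
    out.update((n, getattr(job, n)) for n in DWORD_FIELDS)
    y, mo, _dow, d, h, mi, s, _ms = job.Submitted
    out["Submitted"] = f"{y:04}-{mo:02}-{d:02}T{h:02}:{mi:02}:{s:02}"
    return out

def build_sample(base=0x1F0000):
    """Constructed stand-in for bytes read out of spoolsv.exe (not real data)."""
    job = JobInfo1W64(JobId=17, Status=0x10, Priority=1, Position=1,
                      TotalPages=12, PagesPrinted=3)
    job.Submitted = (ctypes.c_uint16 * 8)(2012, 6, 1, 18, 9, 30, 0, 0)
    blob = b""
    for name, text in zip(STR_FIELDS, ("HP-2F-East", "\\\\WS-0142", "CORP\\jdoe",
                                       "Q3-forecast.xlsx", "RAW")):
        setattr(job, name, base + ctypes.sizeof(job) + len(blob))
        blob += text.encode("utf-16-le") + b"\0\0"
    return bytes(job) + blob, base
```

The string members are pointers into the spooler's address space, so a logger has to read and bounds-check each one separately; a 32-bit target uses 4-byte pointers and a different layout.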

Hooks can also be added to the GDI functions to capture document content. Documents are rendered internally in a DC (Device Context). The process must wait for all rendering operations to finish before dumping the entire DC to a file for later review.

There is a market for printer loggers. A quick search of this market shows that most commercial applications log information similar to what this simple code logs. You can use the Deviare interception engine to develop your own product for this market or to rapidly customize a solution. Deviare takes care of the complex task of intercepting binary applications, and it works on both 32-bit and 64-bit platforms. If you want an advantage over the competition, you can add GDI hooking to log all content being printed.

Microsoft Windows also provides event logging for printing services. See Enable or disable logging of printing events. To log additional information you will need to use hooking.

The above techniques can also be used to develop other interesting printer applications such as:

  1. User-based print job quotas can be used to enforce organizational policies related to printer usage.
  2. Ink usage can be monitored. Organizations with large printing facilities can statistically correlate the ink consumption of their different printer models. Google did a similar study with hard drives and published it online as Failure Trends in a Large Disk Drive Population.

Code

This code is for 64-bit systems. Follow these steps:

  1. Download and install Nektra’s Deviare interception engine
  2. Retrieve the code
  3. Copy the following Deviare files to bin\x64\Debug and bin\x64\Release:

     Nektra.Deviare2.dll
     DeviareCOM64.dll
     DeviareCOM64.X.manifest
     DvAgent.dll
     DvAgent64.dll
     Deviare32.db
     Deviare64.db

  4. Run Visual Studio as Administrator (Visual Studio 2008 and Visual Studio 2010 solutions included)
  5. Run the project
  6. Print something

Additional Resources

  1. Deviare hook engine quickstart
  2. GDI Print API Functions
  3. StartPage function
  4. Windows 2003 Print Log Parsing Script

  • http://blog.databigbang.com Sebastian Wain

    Good comment thread on Windows Management Instrumentation and other printer logging functions at: 
    http://www.reddit.com/r/ReverseEngineering/comments/ttp9u/logging_printer_activity_using_a_hook_engine/
