Description
You use the WH_JOURNALRECORD hook to intercept
mouse, keyboard, and other hardware messages that the system
receives. The system redirects these messages to this hook’s
filter function. The filter function can then either monitor the
message or copy it to memory for later use; it cannot modify the
message in any way. After the filter function is finished processing
the message, it passes the message on to the message loop of the
thread for which it was originally destined.
When you use this hook to copy messages to memory, you can play
them back using the WH_JOURNALPLAYBACK hook, which we discuss in
Chapter 20. Typically, you refer to these two hooks,
WH_JOURNALRECORD and WH_JOURNALPLAYBACK, as journaling hooks.
The function prototype for the WH_JOURNALRECORD hook’s
filter function is:
Public Function JournalProc(ByVal uCode As Long, _
                            ByVal wParam As Long, _
                            lParam As EVENTMSG) As Long
The uCode parameter contains a special
code that informs the filter function of the actions that it can take
on each message. The codes passed in to the
uCode argument are discussed later in this
section. An EVENTMSG structure is always passed in
to the lParam argument of this filter
function. The wParam argument of this
function is not used.
A message is passed into this hook’s filter
function through the EVENTMSG structure, which is
defined as follows:
Private Type EVENTMSG
    message As Long
    paramL As Long
    paramH As Long
    time As Long
    hwnd As Long
End Type
The members of the EVENTMSG
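
The record layout that this Type declares, shown as an added example that is not from the book: a Python parser for a buffer of saved EVENTMSG records, such as an analyst might decode when reviewing what a journaling hook captured. The message IDs and the paramL/paramH interpretation come from the Windows SDK documentation rather than from this page, and the sample buffer is constructed.

```python
import struct

# Layout from the Type declaration above: five 32-bit fields, 20 bytes per
# record, little-endian on x86. VB's Long is signed, so a large tick count
# shows up negative in VB; it is read as unsigned here.
EVENTMSG = struct.Struct("<5I")

# Message IDs and ranges are from the Windows SDK headers, not from this page.
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0200: "WM_MOUSEMOVE",
            0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP"}


def parse_journal(buf):
    """Decode back-to-back EVENTMSG records into a list of dicts."""
    if len(buf) % EVENTMSG.size:
        raise ValueError("length is not a multiple of 20: truncated record")
    events, prev = [], None
    for message, param_l, param_h, time, hwnd in EVENTMSG.iter_unpack(buf):
        ev = {"message": WM_NAMES.get(message, hex(message)), "hwnd": hwnd,
              # Subtract modulo 2**32 so a tick-counter wrap between two
              # records still yields the true gap.
              "delta_ms": 0 if prev is None else (time - prev) & 0xFFFFFFFF}
        if 0x0100 <= message <= 0x0108:          # keyboard messages
            ev["vk"] = param_l & 0xFF            # virtual-key code
            ev["scan"] = (param_l >> 8) & 0xFF   # hardware scan code
        elif 0x0200 <= message <= 0x020D:        # mouse messages
            ev["x"], ev["y"] = param_l, param_h  # pointer coordinates
        events.append(ev)
        prev = time
    return events


# Constructed sample: key down, key up after the tick counter wrapped, mouse move.
SAMPLE = b"".join(EVENTMSG.pack(*rec) for rec in [
    (0x0100, 0x1E41, 1, 0xFFFFFFF0, 0x000A01F4),
    (0x0101, 0x1E41, 1, 0x00000010, 0x000A01F4),
    (0x0200, 640, 480, 0x00000050, 0x000A01F4),
])

if __name__ == "__main__":
    for event in parse_journal(SAMPLE):
        print(event)
```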