How can I detect what's calling an .exe when pressing a keyboard button? (and hook it)

Question

On my keyboard, there's a button that opens Windows 7 calculator when pressed. How would you capture what's calling/opening it?

Because it's a Logitech keyboard, common sense would say it's via SetPoint software/service, so I would normally start by observing those in Process Monitor. But because I'm doing this as a hands-on reversing exercise rather than merely reprogramming a keyboard button, I'd like to approach it as if I didn't have background knowledge of SetPoint or third-party keyboard software.

Is there a way I could trace/capture the behind-the-scenes activity from keypress to calc.exe opening?

You would need a USB traffic monitor/capture tool; assuming the keyboard uses a USB interface for communication. — 0xec, May 16 '15 at 13:50

score 3 · Answer 1 · edited Apr 13 '17 at 12:49

3

You could use Process Monitor to monitor the process creation.

If you'd like more granular detail, use Rohitab's API Monitor and monitor on CreateProcess* functions. Here's an answer I gave on this site with regard to monitoring registry reading.

edited Apr 13 '17 at 12:49

Community

1

answered May 16 '15 at 17:25

Mick

7,562
3
26
40

How can I detect what's calling an .exe when pressing a keyboard button? (and hook it)

1 Answers1