RegisterHotkey - list ?

I am curious if anyone knows of a way to list registered hotkeys from apps which used the RegisterHotkey API.


I have seen apps which can do it so I know it is possible:
Hotkey Commander - http://hkcmdr.anymania.com/help.html
Deep System Explorer - http://tds.diamondcs.com.au/dse/screenshots.php


I looked into the internals of RegisterHotkey from ReactOS and it appears that it calls NtUserRegisterHotkey inside win32k.sys and there is a Linked List (named gHotkeyList) which stores all the HOT_KEY_ITEM structures:
http://doxygen.reactos.org/da/d2f/subsystems_2win32_2win32k_2ntuser_2hotkey_8c-source.html

although I am unsure how that would be actually located. (perhaps it is somewhere within some other kernel data structre storing some kernel variables, or maybe it is at a static address?)


Here is what the HOT_KEY_ITEM structure looks like:
http://doxygen.reactos.org/d5/dda/hotkey_8h-source.html

typedef struct _HOT_KEY_ITEM {   LIST_ENTRY ListEntry;   struct _ETHREAD *Thread;   HWND hWnd;   int id;   UINT fsModifiers;   UINT vk; } HOT_KEY_ITEM, *PHOT_KEY_ITEM;

Any info would be great.



Edited by Matts_User_Name - 08 May 2009 at 4:16pm

Interesting, I didn't know it exports that.

I think DSE uses its driver, but it appears HC does not use a driver nor a dll (maybe it uses a driver and then unloads it after it gets the info...)

How would a driver access this exported variable?


Edited by Matts_User_Name - 08 May 2009 at 8:49pm

I see.

So could this be read from WinDbg using a mem dump command (like "dd")?
If so, then how would I locate the address of this exported global variable within the kernel space?


Edited by Matts_User_Name - 08 May 2009 at 7:40pm

it's unexported !

GamingMasteR wrote: it's unexported !

D'oh! You're correct, of course.  (Was not thinking...) It's not exported, and would need to be found using some other technique.