Powershell event when CD burn starts from file explorer

Question

I have been unsuccessful at finding any reliable way to detect when a CD/DVD burn process starts. The burning tool will only be file explorer.

I know there is an event log "The IMAPI CD-Burning COM Service service was successfully sent a start control."

The problem with this is that this (and the corresponding stop) will be triggered even if a burn never took place. It seems certain things like WMP will trigger that event when you initialize (click on the burn tab).

What I need is a method (wmi, imapi, whatever) that will inform me anytime the burn process actually starts.

Unfortunately I do not know enough powershell to even know where to start looking. I am just googling wildly in the dark at this point hoping that someone did something close enough to what I want and have not yet been able to find anything.

Thank you,

Answer 1

You can monitor status of the write operation, but only in your own application: Monitoring Progress With Events

Several interfaces let you implement an event handler to receive progress information. For example, an event object can be attached to the data writer to receive status of the write operation.

However, there is no Pre-burn action:

there is no hook or callback to preprocess data being burned by someone else

The only thing that I could think of to monitor IMAPI system-wide, is to hook DLL calls:

• hook a COM interface method

Is it possible to hook a COM interface method using MadChook? Actually what I want to do is hook the IMAPI interface (IDiscMaster) for writing CDs. I want to hook the method RecordNow for that interface. Now this interface is implemented via imapi.exe and explorer does an out-of-proc call to this mentod using the proxy "Actxprxy.dll"

I have got around the issue by hooking CoCreateInstance and wrapping all the methods of IDiscMaster, but then I end up getting a lot of unnecessary hits to my hook as explorer call Cocreateinstance many times.

• how to hook live cd burning in vista ?

I'm writing a simple program that monitors the CD burning in windows explorer. I hooked IDiscMaster::RecordDisc in XP and IDiscFormat2Data::Write and it works fine. But if i burns CD as live file system, it doesn't be monitored.

1. Which function should i hook?
2. I hooked ICDBurn::Burn (this function has 0x10 offset from ICDBurn's vft). Whenever i popup menu to click , explorer failed and windows make shut down it. The error code is STATUS_STACK_BUFFER_OVERRUN.

But that's error-prone and requires some specific skills.

Answer 2

Thanks for the help. What I have discovered since asking is that at least in Windows 7 but possibly other versions of Windows does an exclusive lock on the CD drive just before it does a write. This is discussed in the IMAPI reference dox on MSFT. This is actually done by just about every burning app not just file explorer to prevent multiple things from messing up the write process.

An event is sent to System with the id code 133 by cdrom which can be monitored to detect when a burn is started. This event only seems to be generated when a burn starts and not by other things like those discussed in the OP.

The following code snippet will attach an event listener and when the event shows up it will react.

I do not know powershell or windows that well so if anyone has suggestions to make this example better I welcome suggestions This however appears to be functional.

$WMI = @{
    Query = "select * from __InstanceCreationEvent 
        where TargetInstance isa 'Win32_NtLogEvent' 
        and TargetInstance.logfile = 'System' 
        and TargetInstance.SourceName = 'cdrom' 
        and TargetInstance.EventCode = '133'"
    Action = {
    write-host "CD Burn started"
    }
}
$Null = Register-WMIEvent @WMI