WinScope. (Windows Workshop) (Column)
by Clifton Karnes
WinScope lurks on your desktop and spies on messages, API calls, hooks, and more.
If you spend your spare time peeping through other people's windows, you're liable to wind up in jail. But if you confine your voyeurism to other people's Windows programs, you're liable to become a Windows guru.
But what kind of binoculars do you use to see through the curtains, shades, and screens that hide what's going on behind the scenes in Windows? The answer to this question came recently from Periscope, a company famous for making hardware and software debugging equipment. Last June, it introduced WinScope, a Windows debugging and diagnostic tool that can literally show you how Windows works.
WinScope is a Windows app that lurks in the background on your desktop and traces a program's messages, API calls, and hooks, as well as ToolHelp notifications and Debug kernel messages. It's akin to Microsoft's Spy and Borland's InSight, but it goes way beyond both in power and features.
When you run WinScope, you'll see that it's an MDI (Multiple Document Interface) program with a toolbar and a host of child windows. The Messages window shows a hierarchical list of all Windows messages. When you're tracing a program, you can tell it to record all messages, or you can select a small group. The API window likewise lists all of the Windows 3.1 API functions (including the undocumented ones from Schulman's Undocumented Windows), and you can have WinScope record all API calls or a subset. Two of the most important remaining windows let you select the modules and windows you want to trace.
At this point, you might be thinking that WinScope is complicated to use, but it's much easier to use than it may seem at first. Let's walk through a short WinScope session to see what it's like.
Recently, I wanted to find out how Windows Task List (called Task Manager in 3.0) tiles the windows on the desktop. I'd searched the 3.1 SDK documentation and couldn't find an API call that looked like it would perform this crucial task. WinScope might provide an answer, I thought, and it did. In fact, it gave me more information than I asked for.
The easiest way to trace a program in WinScope is to choose Load Application from the File menu. I did this, and from the file browser I chose TASKMAN.EXE. WinScope ran Task List, minimized itself, and started tracing. I pressed Task List's Tile button and, since that was the only thing I needed to check, pressed the Ctrl-Alt-S key combination that toggles WinScope's tracing on and off (as with most options in WinScope, you can customize this hot key).
I double-clicked on the WinScope icon to make it fullscreen and started examining the Trace buffer. The Trace window displays messages and functions, including return values, and gives the time each event occurred relative to the previous event. Parameters, handles, and just about all the information you'd ever need are there.
Even though Task List was on my desktop for only a few seconds and I pushed only one button, the program and Windows generated a zillion messages and function calls. This is normal. There's a lot going on behind the often-simple scenery in Windows, and a program like WinScope shows you how much is happening.
The Trace buffer was far too large to scan line by line, so I decided to try WinScope's Find command. The first thing I did was to search for the word tile from the top of the buffer, but I started getting all of the stuff dealing with displaying the Tile button. I wanted to find the sequence of events that started with pressing the Tile button, so I decided to search from the bottom of the buffer up. I hit pay dirt doing this.
There was the API call I was looking for: TileChildWindows. But I hadn't been able to find this call in my references. I double-right-clicked on the function name to automatically call up the 3.1 SDK Help and was told that no function by that name existed. Aha! It must be undocumented! I took a look at Undocumented Windows, and there it was! And there was something very interesting just above the call to TileChildWindows--a call to GetKeyState with a parameter of 10. I checked, and the key represented by 10 is the Shift key. Now, why was Task List checking the status of the Shift key? I experimented, and sure enough, when I held down the Shift key and pressed the Tile button, the windows on the desktop tiled horizontally instead of vertically. WinScope had revealed an undocumented API call and an undocumented feature!
This is just one simple example of the kinds of things you can discover with WinScope. It's without a doubt the coolest Windows discovery tool I've ever seen.