macOS How can I capture all of the system event?

[Gary Gao]

Hi,

I want to capture all of the system event, like key press and mouse click that happened on all of the running Applications.

does it possible? And how?

Thanks.

 

[Detrius]

I'm not certain, but I imagine this has been made rather difficult, as this would be a security breach. This is how key loggers work which is how someone would surreptitiously acquire passwords.

I'm shooting in the dark here, but I imagine you'd need to write a kernel extension to do something like this.

 

[robbieduncan]

I'm shooting in the dark here, but I imagine you'd need to write a kernel extension to do something like this.

Nah, it's not that bad!

You can use Quartz Event Taps to capture everything.

There is also a 10.6 only API that I'm trying to find the references for that enables this at a somewhat higher level...

Edit to add: 10.6 added the Cocoa level API to NSEvent. Take a look at addGlobalMonitorForEventsMatchingMask:handler:

 

[Detrius]

From the documentation, only processes running as root can access events prior to their entering the window server. Therefore, you have to have root access to listen to another user's keystrokes.

It still seems like a bit of a security hole, though, to allow any application to listen to any other application's keystrokes.


EDIT:

from the documentation:

Event taps receive key up and key down events if one of the following conditions is true:

•The current process is running as the root user.
•Access for assistive devices is enabled. In Mac OS X v10.4, you can enable this feature using System Preferences, Universal Access panel, Keyboard view.



Therefore, a user has to explicitly enable the ability to log keystrokes either by allowing the process to run as root or by enabling "Access for assistive devices," which is disabled by default. I guess that's how they mitigate the security hole.