How to Monitor and Log Print Job Events in Windows 7 Using C# and PowerShell


14 views

Windows 7's native PrintService logging is surprisingly limited when it comes to tracking individual print jobs. While you can enable basic printer logging through the Event Viewer (Windows Logs → System), these logs don't capture crucial details like document names, user information, or job timestamps.

The real solution lies in tapping into the Windows Spooler API. Here's a C# implementation that monitors print jobs in real-time:

using System;
using System.Runtime.InteropServices;

public class PrintMonitor
{
    [DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool OpenPrinter(string pPrinterName, out IntPtr phPrinter, IntPtr pDefault);

    [DllImport("winspool.drv", SetLastError = true)]
    public static extern bool ClosePrinter(IntPtr hPrinter);

    public static void MonitorPrinter(string printerName)
    {
        IntPtr printerHandle;
        if (OpenPrinter(printerName, out printerHandle, IntPtr.Zero))
        {
            // Set up change notification here
            ClosePrinter(printerHandle);
        }
    }
}

For administrators preferring PowerShell, here's an effective script:

$printServer = "localhost"
$printers = Get-Printer -ComputerName $printServer

foreach ($printer in $printers) {
    $jobs = Get-PrintJob -PrinterName $printer.Name
    $jobs | ForEach-Object {
        [PSCustomObject]@{
            Printer = $printer.Name
            JobName = $_.Name
            User = $_.SubmittedUserName
            Pages = $_.TotalPages
            Time = $_.SubmittedTime
        }
    }
}

To maintain a historical record, consider this approach:

# Create event log source if not exists
if (![System.Diagnostics.EventLog]::SourceExists("PrintMonitor")) {
    New-EventLog -LogName Application -Source "PrintMonitor"
}

# Log print job to Windows Event Log
Write-EventLog -LogName Application -Source "PrintMonitor" -EntryType Information -EventId 1001 -Message "Print job logged: $($_.Name) by $($_.SubmittedUserName)"

For enterprise environments, these tools offer robust monitoring:

  • PaperCut Print Logger
  • Print Manager Plus
  • Sysgem Print Inspector

Add these registry values under HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers:

  • EventLog (DWORD) = 1
  • LogLevel (DWORD) = 5

While Windows 7 does include basic print logging through the PrintService operational log (accessible via Event Viewer), it lacks detailed job-level tracking. The native logging only records service start/stop events and high-level spooler activities, not individual print job details like document names, user information, or timestamps.

Here are three practical methods to achieve complete print job monitoring:

Method 1: Using Print Monitor DLL

Create a custom print monitor that hooks into the spooler pipeline:


// Sample C# code for print monitor initialization
[DllImport("winspool.drv", CharSet = CharSet.Auto)]
public static extern bool MonitorFirst([In] string pName);

public class PrintJobLogger
{
    private const int PRINTER_NOTIFY_TYPE = 0x00;
    private const int JOB_NOTIFY_FIELD_DOCUMENT = 1;
    
    public void StartMonitoring()
    {
        PRINTER_NOTIFY_OPTIONS opts = new PRINTER_NOTIFY_OPTIONS();
        opts.Version = 2;
        opts.Flags = PRINTER_NOTIFY_OPTIONS_REFRESH;
        // Implementation continues...
    }
}

Method 2: WMI Event Subscription

Leverage Windows Management Instrumentation to capture print events:


// PowerShell script to monitor print jobs
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_PrintJob'"
Register-WmiEvent -Query $query -Action {
    $job = $event.SourceEventArgs.NewEvent.TargetInstance
    $logEntry = "$(Get-Date) - User: $($job.Owner) | Document: $($job.Document) | Pages: $($job.TotalPages)"
    Add-Content -Path "C:\PrintLogs\print_jobs.log" -Value $logEntry
}

Method 3: ETW (Event Tracing for Windows)

Capture low-level print spooler events using the Microsoft-Windows-PrintService provider:


logman create trace "PrintJobTracker" -ow -o C:\Traces\PrintJob.etl -p "Microsoft-Windows-PrintService" 0xffffffffffffffff -nb 16 16 -bs 1024 -f bincirc -max 4096 -ets

For enterprise environments, consider these storage solutions:

  • SQL Server database with stored procedures for job analysis
  • ELK Stack (Elasticsearch, Logstash, Kibana) for large-scale deployments
  • Simple text file rotation with compression for small setups

When implementing print logging:

  • Ensure proper permissions (requires administrator privileges)
  • Secure log files with appropriate ACLs
  • Consider GDPR/DPA compliance for user tracking
  • Implement log rotation to prevent disk space issues

If logging stops working:

  1. Verify the Print Spooler service is running
  2. Check available disk space for log files
  3. Confirm the monitoring process has sufficient privileges
  4. Validate WMI repository integrity (winmgmt /verifyrepository)