How to Monitor and Log Print Job Events in Windows 7 Using C# and PowerShell


Windows 7's native PrintService logging is surprisingly limited when it comes to tracking individual print jobs. While you can enable basic printer logging through the Event Viewer (Windows Logs → System), these logs don't capture crucial details like document names, user information, or job timestamps.

The real solution lies in tapping into the Windows Spooler API. Here's a C# implementation that monitors print jobs in real-time:

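using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public class PrintMonitor
{
    // Opens a handle to the named printer; SetLastError makes the Win32 error code available on failure
    [DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool OpenPrinter(string pPrinterName, out IntPtr phPrinter, IntPtr pDefault);

    [DllImport("winspool.drv", SetLastError = true)]
    public static extern bool ClosePrinter(IntPtr hPrinter);

    public static void MonitorPrinter(string printerName)
    {
        IntPtr printerHandle;
        if (!OpenPrinter(printerName, out printerHandle, IntPtr.Zero))
        {
            // Surface the spooler error instead of silently returning
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // Set up change notification here
        }
        finally
        {
            // Always release the printer handle, even if monitoring throws
            ClosePrinter(printerHandle);
        }
    }
}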

For administrators preferring PowerShell, here's an effective script:

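# Get-Printer and Get-PrintJob come from the PrintManagement module
# (Windows 8 / Server 2012 and later); on Windows 7 itself, use the
# Win32_PrintJob WMI query shown under Method 2 instead.
$printServer = "localhost"
$printers = Get-Printer -ComputerName $printServer

foreach ($printer in $printers) {
    # Query the same server the printer list came from
    $jobs = Get-PrintJob -ComputerName $printServer -PrinterName $printer.Name
    $jobs | ForEach-Object {
        [PSCustomObject]@{
            Printer = $printer.Name
            JobName = $_.DocumentName   # document title as submitted
            User = $_.UserName          # account that submitted the job
            Pages = $_.TotalPages
            Time = $_.SubmittedTime
        }
    }
}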

To maintain a historical record, consider this approach:

# Create the event log source if it does not exist (requires an elevated session)
if (![System.Diagnostics.EventLog]::SourceExists("PrintMonitor")) {
    New-EventLog -LogName Application -Source "PrintMonitor"
}

# Log each print job to the Windows Event Log
# ($jobs is the Get-PrintJob result from the loop above)
$jobs | ForEach-Object {
    Write-EventLog -LogName Application -Source "PrintMonitor" -EntryType Information -EventId 1001 -Message "Print job logged: $($_.DocumentName) by $($_.UserName)"
}

For enterprise environments, these tools offer robust monitoring:

  • PaperCut Print Logger
  • Print Manager Plus
  • Sysgem Print Inspector

Add these registry values under HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers:

  • EventLog (DWORD) = 1
  • LogLevel (DWORD) = 5

While Windows 7 does include basic print logging through the PrintService operational log (accessible via Event Viewer), it lacks detailed job-level tracking. The native logging only records service start/stop events and high-level spooler activities, not individual print job details like document names, user information, or timestamps.

Here are three practical methods to achieve complete print job monitoring:

Method 1: Using Print Monitor DLL

Create a custom print monitor that hooks into the spooler pipeline:


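// Sample C# code for print monitor initialization
using System;
using System.Runtime.InteropServices;

public class PrintJobLogger
{
    // Constant values as defined in winspool.h
    private const int PRINTER_NOTIFY_TYPE = 0x00;
    private const int JOB_NOTIFY_FIELD_DOCUMENT = 0x0D;
    private const uint PRINTER_NOTIFY_OPTIONS_REFRESH = 0x01;

    // Managed layout of the native PRINTER_NOTIFY_OPTIONS structure
    [StructLayout(LayoutKind.Sequential)]
    private struct PRINTER_NOTIFY_OPTIONS
    {
        public uint Version;   // must be 2
        public uint Flags;
        public uint Count;     // number of entries in pTypes
        public IntPtr pTypes;  // pointer to an array of PRINTER_NOTIFY_OPTIONS_TYPE
    }

    // winspool.drv has no MonitorFirst export; change notifications are
    // requested with FindFirstPrinterChangeNotification
    [DllImport("winspool.drv", SetLastError = true)]
    private static extern IntPtr FindFirstPrinterChangeNotification(
        IntPtr hPrinter, uint fdwFilter, uint fdwOptions, IntPtr pPrinterNotifyOptions);

    public void StartMonitoring()
    {
        PRINTER_NOTIFY_OPTIONS opts = new PRINTER_NOTIFY_OPTIONS();
        opts.Version = 2;
        opts.Flags = PRINTER_NOTIFY_OPTIONS_REFRESH;
        // Implementation continues...
    }
}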

Method 2: WMI Event Subscription

Leverage Windows Management Instrumentation to capture print events:


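# PowerShell script to monitor print jobs
# Add-Content fails if the target directory is missing, so create it first
if (-not (Test-Path "C:\PrintLogs")) { New-Item -ItemType Directory -Path "C:\PrintLogs" | Out-Null }

# WITHIN 5 polls every 5 seconds; a job that is created and removed between polls is not reported
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_PrintJob'"
Register-WmiEvent -Query $query -Action {
    $job = $event.SourceEventArgs.NewEvent.TargetInstance
    $logEntry = "$(Get-Date) - User: $($job.Owner) | Document: $($job.Document) | Pages: $($job.TotalPages)"
    Add-Content -Path "C:\PrintLogs\print_jobs.log" -Value $logEntry
}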

Method 3: ETW (Event Tracing for Windows)

Capture low-level print spooler events using the Microsoft-Windows-PrintService provider:


logman create trace "PrintJobTracker" -ow -o C:\Traces\PrintJob.etl -p "Microsoft-Windows-PrintService" 0xffffffffffffffff -nb 16 16 -bs 1024 -f bincirc -max 4096 -ets

For enterprise environments, consider these storage solutions:

  • SQL Server database with stored procedures for job analysis
  • ELK Stack (Elasticsearch, Logstash, Kibana) for large-scale deployments
  • Simple text file rotation with compression for small setups

When implementing print logging:

  • Ensure proper permissions (requires administrator privileges)
  • Secure log files with appropriate ACLs
  • Consider GDPR/DPA compliance for user tracking
  • Implement log rotation to prevent disk space issues
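
The ACL and rotation items above, together with safe handling of user-supplied job fields, as an added PowerShell example that is not part of the original page. The function names, the 5 MB threshold and the retention count are assumptions; C:\PrintLogs is the path used in the Method 2 script, and the script must run elevated.

```powershell
# Added example. Function names, threshold and retention count are assumptions.
$LogDir   = 'C:\PrintLogs'                 # path used by the Method 2 script
$LogFile  = Join-Path $LogDir 'print_jobs.log'
$MaxBytes = 5MB                            # assumed rotation threshold
$Keep     = 10                             # assumed number of archives to keep

function Protect-PrintLogDirectory {
    # Create the directory, then restrict it to SYSTEM and Administrators only.
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $acl = Get-Acl -Path $LogDir
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, discard inherited ACEs
    @($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # drop explicit ACEs
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # LocalSystem, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $LogDir -AclObject $acl
}

function Write-PrintLogEntry {
    param([string]$User, [string]$Document, [int]$Pages)
    # User and document names are chosen by the submitter. Replace control characters
    # (including CR/LF) and the '|' separator so a job name cannot forge lines or fields.
    $unsafe = '[\x00-\x1F\x7F|]'
    $u = $User -replace $unsafe, '_'
    $d = $Document -replace $unsafe, '_'
    # Rotate before writing once the active file reaches the threshold.
    if ((Test-Path $LogFile) -and ((Get-Item $LogFile).Length -ge $MaxBytes)) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Move-Item -Path $LogFile -Destination (Join-Path $LogDir "print_jobs-$stamp.log")
        Get-ChildItem -Path $LogDir -Filter 'print_jobs-*.log' |
            Sort-Object LastWriteTime -Descending |
            Select-Object -Skip $Keep |
            Remove-Item
    }
    $line = '{0:s} - User: {1} | Document: {2} | Pages: {3}' -f (Get-Date), $u, $d, $Pages
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
    return $line
}

# Constructed sample input: a document name carrying an embedded CR/LF and a fake entry.
Protect-PrintLogDirectory
Write-PrintLogEntry -User 'CONTOSO\alice' -Pages 3 `
    -Document "Q3 report.docx`r`n2024-01-01T00:00:00 - User: admin | Document: payroll.xlsx"
```

The sample call writes a single line in which the embedded line break and separators appear as underscores, so the forged second entry never reaches the log as its own record.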

If logging stops working:

  1. Verify the Print Spooler service is running
  2. Check available disk space for log files
  3. Confirm the monitoring process has sufficient privileges
  4. Validate WMI repository integrity (winmgmt /verifyrepository)