Detect if keyboard or mouse events are triggered by a software

Question

Is there a way to determine whether the keyboard or mouse events are triggered from a hardware rather than an application like TeamViewer, Steam or some other remote desktop software in a desktop application running on Windows?

My purpose is not to prevent bots, but to prevent remote access to the application.

It seems that RawInput API lets me detect fake events sent using SendInput API. Is it correct?

Answer 1

The low-level keyboard/mouse hooks provided by SetWindowsHookEx() report if input was generated by actual devices or injected by application code.

For a low-level keyboard hook, the hook provides a pointer to a KBDLLHOOKSTRUCT structure, which has a flags member that contains a LLKHF_INJECTED flag for fake input.

For a low-level mouse hook, the hook provides a pointer to a MSLLHOOKSTRUCT structure, which has a flags member that contains either a LLMHF_INJECTED or LLMHF_LOWER_IL_INJECTED flag for fake input.

Either hook can return a non-zero value to block the input from being passed to the rest of the hook chain, and consequently to the target window.

Regarding the Raw Input API, according to (an older version of ¹) the documentation for the GetRawInputDeviceInfo() function:

hDevice [in, optional]
Type: HANDLE

A handle to the raw input device. This comes from the lParam of the WM_INPUT message, from the hDevice member of RAWINPUTHEADER, or from GetRawInputDeviceList. It can also be NULL if an application inserts input data, for example, by using SendInput.

¹: the highlighted note has been removed in the current version of the documentation, I do not know why.

So, the hDevice that is reported by a WM_INPUT message will be NULL for fake input.

however, it is not possible to block input with the Raw Input API. You still need a low-level hook for that.