Windows Examples

windwiny edited this page Apr 25, 2013 · 57 revisions


Send a keystroke

(use the keybd_event method).
require 'ffi'

module Win
  extend FFI::Library
  ffi_lib 'user32'
  ffi_convention :stdcall

  attach_function :keybd_event, [ :uchar, :uchar, :int, :pointer ], :void
  # simulate pressing the mute key on the keyboard
  keybd_event(VK_VOLUME_MUTE, 0, 0, nil);
  keybd_event(VK_VOLUME_MUTE, 0, KEYEVENTF_KEYUP, nil);


System Local Time

This example shows the common task of calling a native function with a pointer to a new struct, then using that same struct once it has been populated and returned by the native function.

require 'ffi'

module Win
  extend FFI::Library

  class SystemTime < FFI::Struct
    layout :year, :ushort,
           :month, :ushort,
           :day_of_week, :ushort,
           :day, :ushort,
           :hour, :ushort,
           :minute, :ushort,
           :second, :ushort,
           :millis, :ushort

  ffi_lib 'kernel32'
  ffi_convention :stdcall

  attach_function :GetLocalTime, [ :pointer ], :void

mytime =

args = [
  mytime[:month], mytime[:day], mytime[:year],
  mytime[:hour], mytime[:minute], mytime[:second]

puts "Date: %u/%u/%u\nTime: %02u:%02u:%02u" % args


Convert a path to 8.3 style pathname

module Win
  extend FFI::Library
  ffi_lib 'kernel32'
  ffi_convention :stdcall
DWORD WINAPI GetShortPathName(
  __in   LPCTSTR lpszLongPath,
  __out  LPTSTR lpszShortPath,
  __in   DWORD cchBuffer
  attach_function :path_to_8_3, :GetShortPathNameA, [:pointer, :pointer, :uint], :uint
out = 256 # bytes
Win.path_to_8_3("c:\\program files", out, out.size)
p out.get_string # be careful, the path/file you convert to 8.3 must exist or this will be empty

Enumerate Top Level Windows

This example shows how to use a native function that takes a callback specifying simple input parameters. The callback itself calls a native function which returns a string via its pointer to a character buffer parameter.

require 'ffi'
module Win
  extend FFI::Library

  ffi_lib 'user32'
  ffi_convention :stdcall

  # BOOL CALLBACK EnumWindowProc(HWND hwnd, LPARAM lParam)
  callback :enum_callback, [ :pointer, :long ], :bool

  # BOOL WINAPI EnumDesktopWindows(HDESK hDesktop, WNDENUMPROC lpfn, LPARAM lParam)
  attach_function :enum_desktop_windows, :EnumDesktopWindows,
                  [ :pointer, :enum_callback, :long ], :bool

  # int GetWindowTextA(HWND hWnd, LPTSTR lpString, int nMaxCount)
  attach_function :get_window_text, :GetWindowTextA,
                  [ :pointer, :pointer, :int ], :int

win_count = 0
title = :char, 512

Win::EnumWindowCallback = do |wnd, param|
  Win.get_window_text(wnd, title, title.size)
  puts "[%03i] Found '%s'" % [ win_count += 1, title.get_string(0) ]

if not Win.enum_desktop_windows(nil, Win::EnumWindowCallback, 0)
  puts 'Unable to enumerate current desktop\'s top-level windows'

Note that the param you can pass “through” to the enum call is basically a pointer. An example of using this pointer for multiple objects can be found in the win32screenshot gem.

Unicode Popup Dialog (MRI 1.9)

This example shows how to use Unicode text from Ruby with the Unicode version of the MessageBox Windows API function.

require "ffi"

module Win
  extend FFI::Library

  ffi_lib "user32"
  ffi_convention :stdcall

  # use MessageBoxA if you want to pass it strings with ASCII encoding
  attach_function :message_box, :MessageBoxW, 
                  [ :pointer, :buffer_in, :buffer_in, :int ], :int

# MSFT uses UTF-16 little endian and expects double NULL
# at the end of Unicode strings.
msg = "Test with umlaut: \u00e4\0".encode("UTF-16LE")
Win.message_box(nil, msg, msg, 0)

There are three crucial points shown in the Ruby FFI code:

  1. The Windows API Unicode function version (MessageBoxW) is explicitly specified to FFI’s attach_function.
  2. Rather than using :string parameter types (as would normally be used with the MessageBoxA ASCII version) :buffer_in parameter types are used for Unicode strings. In Ruby-FFI :string means “null terminated C string” where UTF-16 is closer to a binary blob of data that can contain NULL bytes. NOTE: currently Ruby-FFI checks for NULL chars in :string parameters to help avoid NULL byte poisoning attacks from outside string sources.
  3. The Ruby string needs to be encoded to UTF-16LE and have a Unicode string terminator (double NULL)

Move the Mouse

This example shows how to interface with a native function that takes a pointer to a struct which contains an embedded union, both of which are populated before being provided to the native function.

require 'ffi'

module Win
  extend FFI::Library

  ffi_lib 'user32'
  ffi_convention :stdcall
  class MouseInput < FFI::Struct
    layout :dx, :long,
           :dy, :long,
           :mouse_data, :ulong,
           :flags, :ulong,
           :time, :ulong,
           :extra, :ulong
  class InputEvent < FFI::Union
    layout :mi, MouseInput
  class Input < FFI::Struct
    layout :type, :ulong,
           :evt, InputEvent
  # UINT SendInput(UINT nInputs, LPINPUT pInputs, int cbSize);
  attach_function :SendInput, [ :uint, :pointer, :int ], :uint

myinput =
myinput[:type] = Win::INPUT_MOUSE

in_evt = myinput[:evt][:mi]

in_evt[:dx] = ARGV[0].to_i
in_evt[:dy] = ARGV[1].to_i
in_evt[:mouse_data] = 0
in_evt[:flags] = Win::MOUSEEVENTF_MOVE
in_evt[:time] = 0
in_evt[:extra] = 0

Win.SendInput(1, myinput, Win::Input.size)

The above FFI code takes a shortcut in the name of saving wiki page space. The actual Windows INPUT struct contains an anonymous union member with MOUSEINPUT, KEYBDINPUT, and HARDWAREINPUT members. As the MOUSEINPUT struct is the largest of these members, we can get away with the hacky InputEvent FFI union definition for example purposes.

TODO explain FFI syntax for embedded struct members which is opposite of typical C usage.


Bringing windows to the foreground is tricky, since no single call seems to always force it to the foreground. describes how.

Note that for windows’ core working you use a @ ffi_convention :stdcall@ but with normal DLL’s it appears you do not see here


  • For all functions that take string arguments, the Windows API provides “short name” macros that expand to function names with a suffix indicating ASCII or Unicode. ASCII versions are suffixed with a “A”, and Unicode versions are suffixed with a “W”. For example, the Windows API FindWindow function gets defined as either FindWindowA (ASCII) or FindWindowW (Unicode).


  • DWORD appears to be an :uint (32 bits that is, so :int should work well - NB that MSDN says it is a long-but for MS, long is 32 bits, even in 64 bit architecture)
  • HWND appears to be a :pointer see this thread for why you should not actually read from the value it points to. You may as well just use a :long or :ulong.
  • LPDWORD is a pointer (the P standing for pointer)
  • LPARAM appears to be a long (hence the L)
  • WPARAM appears to be a long (i.e. 64 bits on 64bit OS).
  • BOOL is an :int
  • HANDLE is a :pointer apparently

another good list (the VB list at the bottom is especially helpful)


A few gems use FFI with the windows API.

More examples

class ScreenTracker
  extend FFI::Library
  ffi_lib 'user32'
  # second parameter, pointer, LPRECT is, 4)
  # read it like rect.read_array_of_long(4)
  attach_function :GetWindowRect, [:long, :pointer], :int # returns a BOOL

  def get_coords_of_window_on_display
    out =, 4)
    ScreenTracker.GetWindowRect @hwnd, out