It depends on your aim, what platforms you wish to protect …

The traditional way is to create kernel-mode drivers (hook). This is because hook drivers are easy to install and have much common source for different platforms.

But if you’d like to support 2k and higher, I’d recommend writing an IM driver.
It’s supported by MS and it will be easier to get a licence for it.