[isapros] OFF TOPIC: USB/CDROM Drive Insertion and Removal WMI Subscriptions

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Wed, 3 Mar 2010 16:26:38 -0500

Sorry for the off topic post, but given the boon to security these WMI
subscriptions can provide (assuming USB and CDROM drives aren't disabled), I
thought I might share this script I worked with Microsoft to create.  I'm
hoping Microsoft will eventually post this at the Script Center and the Hey,
Scripting Guy! Blog (Jim, I can provide a case ID if you'd like it).

The CDROM subscription was fairly simple and multiple examples existed on
the Internet but the USB piece took some work to achieve.

The event logging isn't as nice as I might want it, but since I couldn't
figure out how to get EventCreate to pass CRLF in the description of the
event, I ended up simply using the LogEvent method from the VBScript Shell
Object.

Here are examples of the events that are written.

*USB Drive Insertion Event*
----------------------------------------
Log Name:      Application
Source:        WSH
Date:          3/1/2010 1:43:49 PM
Event ID:      2
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TESTBOX.testdom.local
Description:
USB Drive O: (KINGSTON) has been inserted at 1:43:49 PM on 3/1/2010
User Sessions:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           Gerald.Young              1  Active
 rdp-tcp                                 65536  Listen

*USB Drive Removal Event*
----------------------------------------
Log Name:      Application
Source:        WSH
Date:          3/1/2010 1:44:41 PM
Event ID:      2
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TESTBOX.testdom.local
Description:
USB Drive O: (KINGSTON) has been removed at 1:44:41 PM on 3/1/2010
User Sessions:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           Gerald.Young              1  Active
 rdp-tcp                                 65536  Listen

*CDROM Drive Insertion Event*
---------------------------------------------
Log Name:      Application
Source:        WSH
Date:          3/1/2010 1:44:26 PM
Event ID:      2
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TESTBOX.testdom.local
Description:
CDROM Drive F: (WIN_OPTDSK) has been inserted at 1:44:26 PM on 3/1/2010
User Sessions:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           Gerald.Young              1  Active
 rdp-tcp                                 65536  Listen

*CDROM Drive Removal Event*
---------------------------------------------
Log Name:      Application
Source:        WSH
Date:          3/1/2010 1:44:41 PM
Event ID:      2
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      TESTBOX.testdom.local
Description:
CDROM Drive F: (WIN_OPTDSK) has been removed at 1:44:41 PM on 3/1/2010
User Sessions:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           Gerald.Young              1  Active
 rdp-tcp                                 65536  Listen

The code below is what does this.  To use it yourself (if you want to),
simply perform the following:

1. Save the code into a file with a .mof extension.
2. Place the file in C:\Windows\system32\wbem. (Microsoft said this shouldn't
   be necessary but because I use the autorecover flag in the MOF file, I
   thought better safe than sorry.)
3. Execute the following command from the command line (elevated on W2K8) at
   the above path:
     mofcomp <filename>.mof
   where <filename> is the name you gave the saved file.

As with any user-submitted code, the standard as-is use statement applies.
I make no guarantees on the quality of the code and cannot provide support
(beyond the volunteer kind).

Feel free to share any improvements, though. ;)

CODE
---------
#pragma autorecover
#pragma namespace ("\\\\.\\root\\subscription")

// CD-ROM consumer. Runs as VBScript inside the WMI host when the CD-ROM
// filter fires. WshShell.LogEvent 2 writes a Warning (source WSH, event
// ID 2) to the Application log; the output of "query session" is appended
// so the event records who was logged on at the time.
// The filter is a modification event, so Size (populated only while media
// is present) is what tells an insertion apart from a removal.
instance of ActiveScriptEventConsumer as $CDROMConsumer
{
    Name = "CDROM Insertion-Removal Consumer";
    ScriptingEngine = "VBScript";
    ScriptText =
        "Dim objShell,strUserSessions,objExecObject\n"
        "Set objShell = CreateObject(\"Wscript.Shell\")\n"
        "Set objExecObject = objShell.exec(\"cmd /c query session\")\n"
        "strUserSessions = objExecObject.StdOut.ReadAll()\n"
        "If TargetEvent.TargetInstance.Size > 0 then\n"
        "objShell.LogEvent 2,\"CDROM Drive \" & TargetEvent.TargetInstance.DeviceID & \" (\" & TargetEvent.TargetInstance.VolumeName & \") has been inserted at \" & time & \" on \" & date & vbcrlf & \"User Sessions: \" & vbcrlf & strUserSessions & \"\"\n"
        "Else\n"
        "objShell.LogEvent 2,\"CDROM Drive \" & TargetEvent.PreviousInstance.DeviceID & \" (\" & TargetEvent.PreviousInstance.VolumeName & \") has been removed at \" & time & \" on \" & date & vbcrlf & \"User Sessions: \" & vbcrlf & strUserSessions & \"\"\n"
        "End If\n"
        "Set objExecObject = Nothing\n"
        "Set objShell = Nothing";
};

// CD-ROM filter. The logical disk object for an optical drive exists
// whether or not a disc is in it, so media changes show up as property
// modifications (DriveType 5 = Compact Disc). "within 5" is the polling
// interval in seconds for this intrinsic event.
instance of __EventFilter as $CDROMFilter
{
    Name = "CDROM Insertion-Removal Event Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "Select * from __InstanceModificationEvent within 5 WHERE TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.DriveType = 5";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding
{
    Filter = $CDROMFilter;
    Consumer = $CDROMConsumer;
};

// USB insertion consumer: same logging as above, without the branch,
// because a creation event only ever means a volume appeared.
instance of ActiveScriptEventConsumer as $USBInsertionConsumer
{
    Name = "USB Insertion Consumer";
    ScriptingEngine = "VBScript";
    ScriptText =
        "Dim objShell,strUserSessions,objExecObject\n"
        "Set objShell = CreateObject(\"Wscript.Shell\")\n"
        "Set objExecObject = objShell.exec(\"cmd /c query session\")\n"
        "strUserSessions = objExecObject.StdOut.ReadAll()\n"
        "objShell.LogEvent 2,\"USB Drive \" & TargetEvent.TargetInstance.DeviceID & \" (\" & TargetEvent.TargetInstance.VolumeName & \") has been inserted at \" & time & \" on \" & date & vbcrlf & \"User Sessions: \" & vbcrlf & strUserSessions & \"\"\n"
        "Set objExecObject = Nothing\n"
        "Set objShell = Nothing";
};

// USB insertion filter. A removable volume gets a new Win32_LogicalDisk
// instance when it is mounted, hence a creation event. DriveType 2 is
// "Removable Disk", which covers any removable logical disk (USB sticks,
// card readers, floppies), not USB specifically.
instance of __EventFilter as $USBInsertionFilter
{
    Name = "USB Insertion Event Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "select * from __InstanceCreationEvent within 5 where TargetInstance isa 'Win32_LogicalDisk' and TargetInstance.DriveType = 2";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding
{
    Filter = $USBInsertionFilter;
    Consumer = $USBInsertionConsumer;
};

// USB removal consumer. For a deletion event TargetInstance is the
// instance that just went away, so its DeviceID and VolumeName are still
// available to log.
instance of ActiveScriptEventConsumer as $USBRemovalConsumer
{
    Name = "USB Removal Consumer";
    ScriptingEngine = "VBScript";
    ScriptText =
        "Dim objShell,strUserSessions,objExecObject\n"
        "Set objShell = CreateObject(\"Wscript.Shell\")\n"
        "Set objExecObject = objShell.exec(\"cmd /c query session\")\n"
        "strUserSessions = objExecObject.StdOut.ReadAll()\n"
        "objShell.LogEvent 2,\"USB Drive \" & TargetEvent.TargetInstance.DeviceID & \" (\" & TargetEvent.TargetInstance.VolumeName & \") has been removed at \" & time & \" on \" & date & vbcrlf & \"User Sessions: \" & vbcrlf & strUserSessions & \"\"\n"
        "Set objExecObject = Nothing\n"
        "Set objShell = Nothing";
};

// USB removal filter: the logical disk instance is deleted when the
// removable volume is unmounted or pulled.
instance of __EventFilter as $USBRemovalFilter
{
    Name = "USB Removal Event Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "select * from __InstanceDeletionEvent within 5 where TargetInstance isa 'Win32_LogicalDisk' and TargetInstance.DriveType = 2";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding
{
    Filter = $USBRemovalFilter;
    Consumer = $USBRemovalConsumer;
};
---------
CODE

I hope some others can find use for this.

Cheers!
-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
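
The post gives the install steps but no way to confirm that mofcomp actually created the three filter/consumer bindings, to read back the events, or to uninstall. The following PowerShell is an added example and is not part of Jerry's post: it enumerates every permanent subscription in root\subscription (the same mechanism is a well-known persistence technique, so listing bindings you did not create is worth doing anyway), checks that the three filters from the MOF are present, pulls the WSH events they wrote, and removes them. It assumes Windows PowerShell 5.1 run elevated (Get-WmiObject is not available in PowerShell 7), that the filter names were not changed from the MOF, and that the .mof file name is whatever you chose when saving (the Get-AutorecoverMof pattern is a placeholder).

```powershell
# Added example (not from the original post): audit, verify and uninstall the
# permanent WMI subscriptions created by the MOF above.
# Assumes Windows PowerShell 5.1, elevated. Filter names below must match the
# MOF; change $PostFilterNames if you renamed anything.

$Namespace = 'root\subscription'
$PostFilterNames = @(
    'CDROM Insertion-Removal Event Filter',
    'USB Insertion Event Filter',
    'USB Removal Event Filter'
)

function Get-WmiSubscription {
    # One row per __FilterToConsumerBinding, joined to its filter and consumer.
    # Deliberately lists every binding in the namespace, not just ours.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        ForEach-Object {
            # Filter and Consumer are relative object paths such as
            #   __EventFilter.Name="USB Insertion Event Filter"
            # The [wmi] accelerator resolves a full path to the instance.
            $filter   = [wmi]"\\.\${Namespace}:$($_.Filter)"
            $consumer = [wmi]"\\.\${Namespace}:$($_.Consumer)"
            # What actually runs: ScriptText for ActiveScriptEventConsumer,
            # CommandLineTemplate for CommandLineEventConsumer.
            $payload = if ($consumer.ScriptText) { $consumer.ScriptText }
                       else { $consumer.CommandLineTemplate }
            [pscustomobject]@{
                Filter         = $filter.Name
                Query          = $filter.Query
                ConsumerClass  = $consumer.__CLASS
                Consumer       = $consumer.Name
                Payload        = $payload
                Binding        = $_
                FilterObject   = $filter
                ConsumerObject = $consumer
            }
        }
}

function Test-PostSubscription {
    # Did mofcomp create all three bindings from the MOF?
    $present = (Get-WmiSubscription).Filter
    foreach ($name in $PostFilterNames) {
        [pscustomobject]@{ Filter = $name; Installed = ($present -contains $name) }
    }
}

function Get-DriveEvent {
    param([int]$Newest = 20)
    # The consumers log through WshShell.LogEvent: Application log, source WSH,
    # event ID 2 (Warning). Match the description too, because any other script
    # calling LogEvent 2 shares that source and ID.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WSH'; Id = 2 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '^(USB|CDROM) Drive \S+ \(.*\) has been (inserted|removed)' } |
        Select-Object TimeCreated, Message
}

function Get-AutorecoverMof {
    param([string]$Pattern = '.')
    # "#pragma autorecover" registers the compiled .mof in this list; WMI
    # recompiles everything on it when the repository is rebuilt, so a
    # subscription removed below comes back unless its entry (or file) goes too.
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM').'Autorecover MOFs' |
        Where-Object { $_ -match $Pattern }
}

function Remove-PostSubscription {
    # Delete binding, filter and consumer for each of the MOF's filters.
    # Binding first, so nothing can fire while the other two objects go.
    Get-WmiSubscription | Where-Object { $PostFilterNames -contains $_.Filter } |
        ForEach-Object {
            $_.Binding        | Remove-WmiObject
            $_.FilterObject   | Remove-WmiObject
            $_.ConsumerObject | Remove-WmiObject
            "Removed '$($_.Filter)' -> '$($_.Consumer)'"
        }
}

# Usage (elevated Windows PowerShell):
#   Test-PostSubscription
#   Get-WmiSubscription | Format-List Filter, Query, ConsumerClass, Payload
#   Get-DriveEvent -Newest 10
#   Remove-PostSubscription
#   Get-AutorecoverMof -Pattern 'usb'    # placeholder: use your own file name
```

Get-WmiSubscription shows the query and the script body for every binding on the box, which is the same view you would want when hunting for WMI subscriptions you did not install; the Payload column is where an unexpected script or command line would show up.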
