
Our company is looking to implement a policy of monitoring USB additions and removals to our corporate PCs running the Windows operating system. We know that we can just block USB usage for users with policies under certain conditions, but our preferred option is to report these changes into the Event Viewer so that they could be collected and reviewed on a daily, weekly, hourly basis.

Does anyone know of any tools or options which could be implemented across the Windows platform? I don't really need help with centralized collection of the information, only reliable reporting at the PC level.

KodeTitan

2 Answers


You can do this with PowerShell.

Your script would look something like this:

# Dot-source the PSEventing helper that provides add-eventhandler.
. .\eventhandler.ps1

# Write one Information entry to the System log under our own source name.
# The source is created on first use, which is why the script needs admin rights.
function logEvent([string] $message)
{
    $evt=new-object System.Diagnostics.EventLog("System")
    $evt.Source = "USB Drive Watcher"
    $infoevent = [System.Diagnostics.EventLogEntryType]::Information
    $evt.WriteEntry($message,$infoevent,70)
}

# Handler invoked by PSEventing for each WMI event; the event class tells us
# whether a removable disk appeared or disappeared.
$handleUSBEvent = {
    param ($sender, $args)
    $event = $args[1].NewEvent.__CLASS
    if ($event -eq "__InstanceCreationEvent")
    {
        logEvent("USB Drive Inserted")
    }
    elseif ($event -eq "__InstanceDeletionEvent")
    {
        logEvent("USB Drive Removed")
    }

}

# Poll WMI once per second for logical disks of DriveType 2 (removable disk)
# being created or deleted.
$timespan = new-object System.TimeSpan(0,0,1)
$scope = new-object System.Management.ManagementScope("\\.\root\cimV2")
$query = new-object System.Management.WqlEventQuery("__InstanceOperationEvent",$timespan,"TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.DriveType=2")
$watcher = new-object System.Management.ManagementEventWatcher($scope,$query)
$watcher.Start()
# Bind the handler to the watcher's EventArrived event and pump events forever.
add-eventhandler (gv watcher) EventArrived $handleUSBEvent
Do-Events $false

Call that file something like USBNotifier.ps1. You will need to download and install PSEventing and the file EventHandler.ps1 that is in its Download Area.

As this is an unsigned script, you will need to set PowerShell's execution policy to "RemoteSigned" (and right-click "unblock" the EventHandler.ps1 script).

This script writes to the System Event log, so it should be run with Admin privileges.

To make this program hidden and run in the background, you can use the following VBScript:

Dim objShell
set objShell=CreateObject("WScript.Shell")

strPath = "c:\users\adam\desktop\USBNotification.ps1" 'The path to your script.

'Build the PowerShell command line; Chr(34) is a double quote.
strCMD = "powershell -nologo -command " & Chr(34) & "&{" & strPath & "}" & Chr(34)

'Second argument 0 = run with the window hidden.
objShell.Run strCMD, 0

This script file should be in the same folder as your USBNotifier.ps1 script and your EventHandler.ps1 script. Then all you need to do is set a startup item for this VBScript to run on login as administrator. Alternatively, you could make a batch file that calls the USBNotifier script and create a user-defined service.

If you wanted to install PowerShell 2.0, you could probably make use of its event handling capabilities (eliminating the need for PSEventing), and you could also use the Background Jobs functionality of PS 2.0.

Adam Brand
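The answer's last paragraph points at PowerShell 2.0's built-in eventing as a way to drop PSEventing. The script below is an added example written for this page, not code from the answer above or from the PSEventing project: it keeps the answer's WQL query, source name "USB Drive Watcher" and event ID 70, registers the event source explicitly once, and uses Register-WmiEvent / Write-EventLog, which ship with PowerShell 2.0 and later. The variable names and the "UsbDriveWatch" subscription identifier are my own choices.

```powershell
# Added example, not from the original answer: USB removable-disk watcher on
# PowerShell 2.0+ without PSEventing. Run elevated so the event source can be
# created on first run and so the System log is writable.

$logName    = "System"
$sourceName = "USB Drive Watcher"   # source name reused from the answer above

# One-time registration of the event source (administrator rights required).
if (-not [System.Diagnostics.EventLog]::SourceExists($sourceName)) {
    New-EventLog -LogName $logName -Source $sourceName
}

# Same query as the PSEventing version: removable logical disks (DriveType = 2)
# appearing or disappearing, polled by WMI once per second (WITHIN 1).
$query = "SELECT * FROM __InstanceOperationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.DriveType = 2"

# The -Action block runs in its own scope, so log/source names are repeated as
# literals here rather than read from the script variables above.
Register-WmiEvent -Query $query -SourceIdentifier "UsbDriveWatch" -Action {
    $wmiEvent = $Event.SourceEventArgs.NewEvent
    $disk     = $wmiEvent.TargetInstance

    switch ($wmiEvent.__CLASS) {
        "__InstanceCreationEvent" {
            $msg = "USB drive inserted: $($disk.DeviceID) label='$($disk.VolumeName)' size=$($disk.Size) bytes"
        }
        "__InstanceDeletionEvent" {
            $msg = "USB drive removed: $($disk.DeviceID)"
        }
        default { return }   # ignore __InstanceModificationEvent (e.g. free-space changes)
    }

    # Event ID 70 and the Information level match the original script.
    Write-EventLog -LogName "System" -Source "USB Drive Watcher" -EventId 70 -EntryType Information -Message $msg
}

# Keep the process alive. Events handled by -Action never reach the queue, so
# Wait-Event simply times out and loops without busy-polling.
try {
    while ($true) { Wait-Event -Timeout 60 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier "UsbDriveWatch"
}
```

Because the entries land in the System log under a dedicated source, the daily review the question asks for is a one-liner on the same machine, for example `Get-EventLog -LogName System -Source "USB Drive Watcher" -After (Get-Date).AddDays(-1)`, and the same source/ID pair is what a central collector would filter on. As with the original script, the VBScript or service wrapper from the answer can be used to keep this running in the background.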

Maybe you'll find something simpler suitable for you, but DeviceLock is very good for such (and related) tasks.

Sergey