USB Mass Storage Device Monitoring


This MOF file monitors only PnP entities that are disk drives or USB mass storage devices.

The consumers registered here are SMTP, NT Event Log and Active Script:

  • The NT Event Log consumer writes an event to the Event Viewer every time a DOK (USB flash drive) is connected to the computer.
  • The Active Script consumer appends to the log file C:\PNPDevice-Log.txt every time a DOK is connected to the computer.
  • The SMTP consumer sends an e-mail message to SecurityTeam@Domain.Com every time a DOK is connected to the computer.


// 1. Change the context to the Root\Subscription namespace.
//    All standard consumer classes are registered there.

#pragma namespace("\\\\.\\root\\subscription")


// 2. Create an instance of the __EventFilter class and use its Query
//    property to store the WQL event query. WITHIN 5 polls for new
//    Win32_PNPEntity instances every 5 seconds; adjacent string literals
//    are concatenated by the MOF compiler.

instance of __EventFilter as $EventFilter
{
    Name  = "PNP Device";
    EventNamespace = "Root\\Cimv2";
    Query = "SELECT * From __InstanceCreationEvent WITHIN 5 Where "
            "TargetInstance ISA \"Win32_PNPEntity\" "
            "And (TargetInstance.Description Like '%USB Mass Storage Device%' "
            "or TargetInstance.Description Like '%Disk drive%') ";
    QueryLanguage = "WQL";
};


// 3. Create one instance of each __EventConsumer-derived class
//    (SMTPEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer).
//    %TargetInstance.Xxx% and %TIME_CREATED% are standard string templates
//    that WMI fills in from the event that triggered the consumer.

instance of SMTPEventConsumer as $SMTPConsumer
{
    Name = "PNP Device SMTP Consumer";
    FromLine = "Administrator@Domain.Com";
    Subject = "A USB Device Has been Connected to %TargetInstance.SystemName%";
    SMTPServer = "SMTPSRV.Domain.Com";
    Message = "A USB Device %TargetInstance.Caption% was connected to %TargetInstance.SystemName% on %TIME_CREATED%\n"
    "The USB Device is a %TargetInstance.Description%\n";
    ToLine = "SecurityTeam@Domain.Com";
};

instance of ActiveScriptEventConsumer as $ScriptConsumer
{
    Name = "PNP Device Script Consumer";
    ScriptingEngine = "VBScript";
    // TargetEvent is the event object exposed to the script. The log file is
    // opened for appending (IOMode 8) and created if it does not exist (True).
    ScriptText =
    "Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set objFile = objFSO.OpenTextFile(\"c:\\PNPDevice-Log.txt\", 8, True)\n"
    "objFile.WriteLine \"A USB Device Has been Connected to \" & TargetEvent.TargetInstance.SystemName\n"
    "objFile.WriteLine \"A USB Device \" & TargetEvent.TargetInstance.Caption & \" was connected to \" & TargetEvent.TargetInstance.SystemName & \" on \" & NOW\n"
    "objFile.WriteLine \"The USB Device is a \" & TargetEvent.TargetInstance.Description\n"
    "objFile.Close\n";
};

instance of NTEventLogEventConsumer as $EVTLogConsumer
{
    Name = "PNP Device Event Log Consumer";
    SourceName = "PNP Device";
    Category = 1;
    EventID = 80;
    EventType = 1; // Error event
    NumberOfInsertionStrings = 1;
    // The three literals below are concatenated into a single insertion string.
    InsertionStringTemplates = { "A USB Device Has been Connected to %TargetInstance.SystemName%\n"
    "A USB Device %TargetInstance.Caption% was connected to %TargetInstance.SystemName% on %TIME_CREATED%\n"
    "The USB Device is a %TargetInstance.Description%\n" };
};


// 4. Join the filter to each consumer with an instance of the
//    __FilterToConsumerBinding class. A consumer that has no binding
//    never fires, so each of the three consumers gets its own binding.

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer = $ScriptConsumer;
};

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer = $SMTPConsumer;
};

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer = $EVTLogConsumer;
};
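An added example (not part of the original MOF) that compiles the subscription above and then verifies from PowerShell that the filter exists and that every consumer is actually bound, since an unbound consumer never fires. It assumes the MOF was saved as C:\Temp\UsbMonitor.mof (a hypothetical path) and runs in an elevated Windows PowerShell 5.1 session where Get-WmiObject is available.

```powershell
# Added example, not part of the original MOF. Assumptions: MOF saved at the
# hypothetical path below; elevated Windows PowerShell 5.1 (Get-WmiObject present).
$mofPath = 'C:\Temp\UsbMonitor.mof'
$ns      = 'root\subscription'

# 1. mofcomp.exe ships with Windows and loads the MOF into the WMI repository.
& mofcomp.exe $mofPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mofcomp failed for $mofPath" }

# 2. Read back what is registered. With Get-WmiObject the binding's Filter and
#    Consumer properties are object-path strings, e.g.
#    ActiveScriptEventConsumer.Name="PNP Device Script Consumer"
$filter   = Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='PNP Device'"
$bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding
if (-not $filter) { throw "Filter 'PNP Device' was not created" }
"Filter query: $($filter.Query)"

# 3. Each consumer named in the MOF must appear in at least one binding;
#    a consumer without a binding is silently inert.
$expected = 'PNP Device SMTP Consumer',
            'PNP Device Script Consumer',
            'PNP Device Event Log Consumer'
foreach ($name in $expected) {
    $bound = $bindings | Where-Object { $_.Consumer -like "*Name=`"$name`"*" }
    if ($bound) { "OK      : $name" } else { "UNBOUND : $name" }
}

# 4. Live check that leaves the permanent registration untouched: a temporary
#    subscription on the same WQL query, after which a USB drive is connected.
$wql = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PnPEntity" ' +
       "AND (TargetInstance.Description LIKE '%USB Mass Storage Device%' " +
       "OR TargetInstance.Description LIKE '%Disk drive%')"
Register-WmiEvent -Namespace 'root\cimv2' -Query $wql -SourceIdentifier 'UsbTest' -Action {
    $ti = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "Seen: $($ti.Caption) / $($ti.Description) on $($ti.SystemName)"
}
# Unregister-Event -SourceIdentifier 'UsbTest'   # remove the temporary subscription when done
```

Step 2 lists every filter, consumer and binding in root\subscription, not just the ones from this MOF, so the same enumeration doubles as a review of what else is registered on the host.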
