Copying file name

[AutoHelp]

Can we get a file's name after it was copied to a removable drive?(please help, ps: eny file)

idea: replace windows copier

[omikron48]

Your question is a bit vague. The context of you question is confusing. Perhaps a lengthier description of the situation would be better.

What was used to copy the file to the removable drive?

How do you know which file was the one that was copied?

[AutoHelp]

What was used to copy the file to the removable drive?

How do you know which file was the one that was copied?

1. To copy the file: the built-in windows copier(copy-paste) was used.

2. That's what I'm trying to find out.When the copier is run, then the operation that we are trying to observe was done, but what file was copied and where I don't know at this state.

*trying to do a script that will monitor and write to a log file, files that where writen to removable drives.

[KaFu]

Do a copy&paste operation and then run this code:

MsgBox(0,"",ClipGet())

[kaotkbliss]

sounds like someone is trying to catch another stealing files.

[jchd]

Can we get a file's name after it was copied to a removable drive?(please help, ps: eny file)

What are you trying to do precisely?

Do you want to know exactly which file were copied from a given machine onto any removable device plugged into it by someone else than you?

Is it actually to trace unwanted file "evasion" or do you want to monitor someone else activity?

[AutoHelp]

Do a copy&paste operation and then run this code:

MsgBox(0,"",ClipGet())

It returns the path of the file: "c:\test\test.txt" in a message box.Nice idea!

but how do we get to know if the copy operation has been made?, I can put an item in the clipbord without actually copying it.Is there a process or something like that windows runs when a file operation is done?

[AutoHelp]

[jchd]

Try to make the search area less fuzzy, try to answer my questions. I asked them on purpose, not for wasting electrons.

[wolf9228]

Can we get a file's name after it was copied to a removable drive?(please help, ps: eny file)

idea: replace windows copier

expandcollapse popup

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
HotKeySet("{ESC}", "Terminate")

CIM_LogicalFile_Notification("C:\temp")

Func CIM_LogicalFile_Notification($Dir_OR_Drive_Path,$FileExtension = "")
Local $strComputer = "."
$objWMIServices = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMv2")
if Not IsObj($objWMIServices) Then Return -1
$sink = ObjCreate( _
    "WbemScripting.SWbemSink")
if Not IsObj($sink) Then Return -2
ObjEvent($sink,"SINK_")
if Not FileExists($Dir_OR_Drive_Path) Then Return -3
if StringRight($Dir_OR_Drive_Path,1) == "\" Then _
$Dir_OR_Drive_Path = StringTrimRight($Dir_OR_Drive_Path,1)
$PathArray = StringSplit($Dir_OR_Drive_Path,":")
$Drive = $PathArray[1] & ":"
$Path = StringReplace(StringTrimLeft($PathArray[2],1),"\","\\")
if (StringLen($FileExtension) <> 0) Then
$FileExtension = StringReplace($FileExtension,".","")
$objWMIServices.ExecNotificationQueryAsync ($sink, _
     "SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " & _
    "TargetInstance ISA 'CIM_LogicalFile'" & _
    " AND TargetInstance.Drive = '" & $Drive & "'" & _
    " AND TargetInstance.Extension = '" & $FileExtension & "'" & _
    " AND TargetInstance.Path = '\\" & $Path & "\\'")
Else
Local $Backslash = "\\"
If ($Path) == "" Then $Backslash = ""
$objWMIServices.ExecNotificationQueryAsync ($sink, _
    "SELECT * FROM __InstanceOperationEvent WITHIN 3 WHERE " & _
    "TargetInstance ISA 'CIM_LogicalFile'" & _
    " AND TargetInstance.Drive = '" & $Drive & "'" & _
    " AND TargetInstance.Path = '\\" & $Path & $Backslash & "'")
EndIf
EndFunc


While 1
Wend

Func SINK_OnObjectReady($objObject, $objAsyncContext)
ConsoleWrite($objObject.GetObjectText_())
EndFunc

Func Terminate()
    Exit 0
EndFunc

Edited February 23, 2010 by wolf9228

[AutoHelp]

Thank's wolf9228 .Trying to expand the idea... I'l post the updates after it is complete.

Edited February 24, 2010 by AutoHelp

[AutoHelp]

jchd: I thought I already answered that in the 3rd post>It's a log tool.

Edited February 25, 2010 by AutoHelp

[kaotkbliss]

actually, I think from a business standpoint, it's a very good tool. It would catch anyone attempting to copy sensitive data to a thumb drive and take it home to do whatever. Would be a great security tool for businesses

with a bit of tweeking it could also be used in reverse. Could check to see if anyone copied anything from a thumb drive to the pc. Maybe catch someone trying to upload a virus to a public computer, or introduce a trojan in the work pcs or something.

Edited February 25, 2010 by kaotkbliss

[jchd]

@AutoHelp:

Sorry I didn't fully read or rather get the content of post#3. I'm not a former agent of Stasi, hopefully, and I didn't imply you were trying to acheive anything nasty. I was just trying to make the possible framework more precise and narrow.

Now, if you mean by "removable device" essentially USB/Firewire (removable) filesystems, there might be something possible. Have a look at this. In your case, you can either block the operation (but it would show!) or simply silently acknowledge the copy. Of course such hooks can't just be an AutoIt native code part, they have to be thread safe (I would guess) so an indirect implementation needs to be made, typically as a C dll. But if your read the page, the requirements should be easily matched.

What you could investigate: have a main AutoIt executable which registers a copy hook handler (in an ad hoc .dll) and monitor the available volumes, say every 5 seconds (It would be hard to plug a USB stick, have it ready, copy file(s) on it and remove it in less than 5s: even 10s would do). While new removable devices are present, repeatidly ask the dll, using an AutoIt<-->dll specific call, what file(s) were copied and where since the last call. There is no need to keep track of operations taking place on the same device (but beware of links then!).

The MSDN page tells you that you don't get any confirmation that files are successfully copied or not, but if you feel that having a confirmation is important to you, it's still possible to periodically look at the USB device if the files that went accross the hook were finally copied on that device.

Of course, this doesn't cover other means to copy material: make a Ghost image and copy it on a DAT tape, use MS backup and burn a CD, you name it!

[AutoHelp]

Hmm....Looks like the situation has turned 90 degrees. ...

[AutoHelp]

I will see what i can do with .dl...