kajuberdut Posted January 27, 2009

Hi, I wrote a little script to watch for common USB flash drives with infected files and invoke a .bat to remove them if they exist. The problem is I'm using Windows Task Scheduler to make it runas administrator when a normal user logs on. The script works great if it's run as whatever user is logged in (assuming they have permissions), but seems to do nothing if it's run as administrator when a different user is logged in.

I "borrowed" the section to check for USB devices from another script, so I don't really understand this section:

    $strComputer = "."
    $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
    ; Poll every 5 seconds for create/modify/delete events on logical disks
    $colEvents = $objWMIService.ExecNotificationQuery _
            ("Select * From __InstanceOperationEvent Within 5 Where " _
             & "TargetInstance isa 'Win32_LogicalDisk'")
    While 1
        ; Blocks until WMI delivers the next event
        $objEvent = $colEvents.NextEvent
        ; DriveType 2 = removable disk
        If $objEvent.TargetInstance.DriveType = 2 Then
            Select
                Case $objEvent.Path_.Class()="__InstanceCreationEvent"
                    ; (the rest of the posted script is unreadable on the page)
            EndSelect
        EndIf
    WEnd

Richard Robertson Posted January 27, 2009

I believe that the non-current account is not receiving the new USB alert. Try saving a log every time a device is found and check if the admin account even sees the device.

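Added example, not part of the original thread or any poster's code: one way to do the logging suggested above, in AutoIt. It records every Win32_LogicalDisk event the WMI subscription delivers, along with the account the script runs under, so a Task Scheduler run can be compared with an interactive one. The log file location is an assumption chosen for illustration.

```autoit
; Added diagnostic example (not from the thread): log each logical-disk
; event that reaches this process, plus the account it is running as.
#include <File.au3>

; Assumption: log path chosen for illustration; any location writable by
; the account the scheduled task runs as will do.
Global Const $sLogFile = @TempDir & "\usbwatch_" & @UserName & ".log"

Global $objWMIService = ObjGet("winmgmts:\\.\root\cimv2")
Global $iErr = @error ; capture before another call resets @error
If Not IsObj($objWMIService) Then
    _FileWriteLog($sLogFile, "ObjGet(winmgmts) failed, @error=" & $iErr)
    Exit 1
EndIf

; Same notification query as the script in the first post
Global $colEvents = $objWMIService.ExecNotificationQuery( _
        "Select * From __InstanceOperationEvent Within 5 Where " & _
        "TargetInstance isa 'Win32_LogicalDisk'")
_FileWriteLog($sLogFile, "Watcher started as " & @UserName & " on " & @ComputerName)

Global $objEvent, $objDisk
While 1
    ; NextEvent blocks until WMI delivers an event to this process
    $objEvent = $colEvents.NextEvent
    $objDisk = $objEvent.TargetInstance
    ; Log every event, not only DriveType 2 (removable), so a missing
    ; entry means the event never reached this account's process
    _FileWriteLog($sLogFile, "event=" & $objEvent.Path_.Class() & _
            " drive=" & $objDisk.DeviceID & _
            " type=" & $objDisk.DriveType & _
            " user=" & @UserName)
WEnd
```

Running it once interactively and once from the scheduled task, then plugging in a drive, produces two logs that show directly whether the administrator-context process receives the creation event.
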
kajuberdut Posted January 27, 2009

You're right, Richard. Any thoughts on how I might get it to work?

kajuberdut Posted January 27, 2009

Sorry for the double post, editing seems to be disabled. I just tried running the .exe with a right click and run as and it works fine. Something about having Windows Task Scheduler run it is what's not working. Unless anybody has some idea why that is, I'll just look for a different way to make it run on start up (maybe something as perverse as an au3.exe in the start up folder that runs my virus scan as administrator.)