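decoyboy Posted May 1, 2009 Posted May 1, 2009

Hey All, New to the forum but been here as guest for awhile. Here is the code I put together from others. What this script does is monitor for cdrom/usb; when one is detected it does a dir of the cdrom/usb and emails it to me, and it alerts me when it is plugged in and disconnected. I want to thank those who made the different parts of the code, as I just put it together. What I am looking to do is trigger an email if a file is copied to/from the usb/cdrom. Is there a wmi event or autoit event I can use? Thanks in advance decoyboy

CODE;

;##################################
; Include
;##################################
#include <file.au3> ; provides _PathFull(), used by _INetSmtpMailCom

;##################################
; Variables
;##################################
Global $SmtpServer = "192.168.1.1" ; address for the smtp-server to use - REQUIRED
Global $FromName = "usb/cdrom watcher" ; name from who the email was sent
Global $FromAddress = "admin@admin.com" ; address from where the mail should come
Global $ToAddress = "admin@admin.com" ; destination address of the email - REQUIRED
Global $Subject = @ComputerName & ' ' & @UserName ; subject prefix; the event text is appended per alert
Global $Body = "" ; the messagebody from the mail - can be left blank but then you get a blank mail
Global $AttachFiles = 'c:\' & @UserName & '-' & @ComputerName ; base path of the listing file; '-usb.txt' / '-cdrom.txt' is appended
Global $CcAddress = "" ; address for cc - leave blank if not needed
Global $BccAddress = "" ; address for bcc - leave blank if not needed
Global $Importance = "Normal" ; Send message priority: "High", "Normal", "Low"
; _INetSmtpMailCom only enables SMTP authentication when $Username is non-empty.
; A password stored here is readable by anyone who can read the script, and a
; compiled .exe still embeds it; prefer a relay-only account with no other rights.
Global $Username = "" ; username for the account used from where the mail gets sent
Global $Password = "" ; password for the account used from where the mail gets sent
Global $IPPort = 25 ; port used for sending the mail
; With $ssl = 0 the credentials and the attached directory listing cross the
; network unencrypted. (The original comment said "httpS"; this flag controls
; SSL for the SMTP session, not HTTP.)
Global $ssl = 0 ; 1 = use SSL for the SMTP connection
;~ $IPPort=465 ; GMAIL port used for sending the mail
;~ $ssl=1 ; GMAIL: enable SSL for the SMTP connection
Global $strComputer = "."

;##################################
; Script
;##################################
; Register the COM error handler before the first COM call so a failure in the
; WMI setup below is reported through MyErrFunc as well.
Global $oMyRet[2]
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

; Poll every 5 seconds for creation, deletion and modification events on
; logical disks.
Global $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
Global $colEvents = $objWMIService.ExecNotificationQuery( _
		"Select * From __InstanceOperationEvent Within 5 Where " _
		 & "TargetInstance isa 'Win32_LogicalDisk'")

TraySetState(2) ; 2 = hide the tray icon

Global $objEvent, $sDrive, $sEventClass, $drivestatus

While 1
	$objEvent = $colEvents.NextEvent ; blocks until the next disk event arrives
	$sDrive = $objEvent.TargetInstance.DeviceId
	$sEventClass = $objEvent.Path_.Class()

	Switch $objEvent.TargetInstance.DriveType
		Case 2 ; Win32_LogicalDisk.DriveType 2 = removable disk
			If $sEventClass = "__InstanceCreationEvent" Then
				ConsoleWrite("Drive " & $sDrive & " has been added." & @CR)
				_WriteListing($sDrive, $AttachFiles & '-usb.txt')
				_SendDriveAlert(' detected usb', $AttachFiles & '-usb.txt')
			ElseIf $sEventClass = "__InstanceDeletionEvent" Then
				ConsoleWrite("Drive " & $sDrive & " has been removed." & @CR)
				; The listing written at insertion is attached again, then removed.
				_SendDriveAlert(' ejected usb', $AttachFiles & '-usb.txt')
				FileDelete($AttachFiles & '-usb.txt')
			EndIf

		Case 5 ; Win32_LogicalDisk.DriveType 5 = compact disc
			; Any event on the drive is resolved by asking whether media is present.
			$drivestatus = DriveStatus($sDrive & "\")
			If $drivestatus = "READY" Then
				ConsoleWrite("Drive " & $sDrive & " has cdrom." & @CR)
				_WriteListing($sDrive, $AttachFiles & '-cdrom.txt')
				_SendDriveAlert(' detected cdrom', $AttachFiles & '-cdrom.txt')
			ElseIf $drivestatus = "NOTREADY" Then
				ConsoleWrite("Drive " & $sDrive & " has no cdrom." & @CR)
				_SendDriveAlert(' ejected cdrom', $AttachFiles & '-cdrom.txt')
				FileDelete($AttachFiles & '-cdrom.txt')
			EndIf
	EndSwitch

	ConsoleWrite($objEvent.TargetInstance.DriveType & @CR)
WEnd

; Write a recursive directory listing of $sDeviceId to $sListingFile.
; The output path is quoted: it is built from @UserName and @ComputerName, and
; an unquoted name containing a space or a cmd metacharacter would be split or
; interpreted by the shell instead of being used as the file name.
Func _WriteListing($sDeviceId, $sListingFile)
	RunWait(@ComSpec & ' /c dir ' & $sDeviceId & ' /s > "' & $sListingFile & '"', "", @SW_HIDE)
EndFunc   ;==>_WriteListing

; Send one alert mail with the configured settings; $sSubjectSuffix is appended
; to $Subject and $sAttachment is the listing file to attach.
Func _SendDriveAlert($sSubjectSuffix, $sAttachment)
	Local $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject & $sSubjectSuffix, $Body, $sAttachment, $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)
	If @error Then
		; NOTE(review): this dialog is modal, so the watcher stops processing disk
		; events until someone dismisses it; an unattended deployment would want
		; the failure written to a log instead.
		MsgBox(0, "Error sending message", "Error code:" & @error & " Description:" & $rc)
	EndIf
EndFunc   ;==>_SendDriveAlert

; The UDF
; Send a mail through CDO.Message.
;   $s_AttachFiles - ';'-separated list of files; each is expanded with _PathFull
;   $s_Username    - SMTP authentication is enabled only when this is non-empty
;   $IPPort        - falls back to 25 when it evaluates to 0
;   $ssl           - non-zero sets the CDO smtpusessl field
; On failure sets @error: 1 = an attachment was not found (returns 0),
; 2 = Send raised a COM error (returns the description stored by MyErrFunc).
Func _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject = "", $as_Body = "", $s_AttachFiles = "", $s_CcAddress = "", $s_BccAddress = "", $s_Importance = "Normal", $s_Username = "", $s_Password = "", $IPPort = 25, $ssl = 0)
	Local $objEmail = ObjCreate("CDO.Message")
	$objEmail.From = '"' & $s_FromName & '" <' & $s_FromAddress & '>'
	$objEmail.To = $s_ToAddress
	If $s_CcAddress <> "" Then $objEmail.Cc = $s_CcAddress
	If $s_BccAddress <> "" Then $objEmail.Bcc = $s_BccAddress
	$objEmail.Subject = $s_Subject

	; A body containing both "<" and ">" is sent as HTML, anything else as text.
	If StringInStr($as_Body, "<") And StringInStr($as_Body, ">") Then
		$objEmail.HTMLBody = $as_Body
	Else
		$objEmail.Textbody = $as_Body & @CRLF
	EndIf

	If $s_AttachFiles <> "" Then
		Local $S_Files2Attach = StringSplit($s_AttachFiles, ";")
		For $x = 1 To $S_Files2Attach[0]
			$S_Files2Attach[$x] = _PathFull($S_Files2Attach[$x])
			; Print the element being processed; the original concatenated the
			; whole array here, which does not show the path.
			ConsoleWrite('@@ Debug(62) : $S_Files2Attach[' & $x & '] = ' & $S_Files2Attach[$x] & @LF & '>Error code: ' & @error & @LF) ;### Debug Console
			If FileExists($S_Files2Attach[$x]) Then
				$objEmail.AddAttachment($S_Files2Attach[$x])
			Else
				ConsoleWrite('!> File not found to attach: ' & $S_Files2Attach[$x] & @LF)
				Return SetError(1, 0, 0)
			EndIf
		Next
	EndIf

	; sendusing = 2: deliver over the network to the named SMTP server
	$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
	$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = $s_SmtpServer
	If Number($IPPort) = 0 Then $IPPort = 25
	$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = $IPPort

	;Authenticated SMTP
	If $s_Username <> "" Then
		$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
		$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = $s_Username
		$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = $s_Password
	EndIf
	If $ssl Then
		$objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True
	EndIf
	;Update settings
	$objEmail.Configuration.Fields.Update

	; Set Email Importance
	Switch $s_Importance
		Case "High"
			$objEmail.Fields.Item("urn:schemas:mailheader:Importance") = "High"
		Case "Normal"
			$objEmail.Fields.Item("urn:schemas:mailheader:Importance") = "Normal"
		Case "Low"
			$objEmail.Fields.Item("urn:schemas:mailheader:Importance") = "Low"
	EndSwitch
	$objEmail.Fields.Update

	; Send the message
	$objEmail.Send
	If @error Then
		SetError(2)
		Return $oMyRet[1]
	EndIf
	$objEmail = ""
EndFunc   ;==>_INetSmtpMailCom
;
;
; Com Error Handler
; Stores the COM error number (hex) and description in $oMyRet and logs them.
Func MyErrFunc()
	$HexNumber = Hex($oMyError.number, 8)
	$oMyRet[0] = $HexNumber
	$oMyRet[1] = StringStripWS($oMyError.description, 3)
	ConsoleWrite("### COM Error ! Number: " & $HexNumber & " ScriptLine: " & $oMyError.scriptline & " Description:" & $oMyRet[1] & @LF)
	SetError(1); something to check for when this function returns
	Return
EndFunc   ;==>MyErrFunc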
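decoyboy Posted August 25, 2009 Author Posted August 25, 2009

hey all, I hope someone can assist me with translating this wmi to autoit; from the Microsoft WMI forums I got this.

This is an Example for a MOF File that Monitors File Creation in Drive E: (Assumed to be the USB Drive), and Send an SMTP Email Message each time a File is Being Created there (There is no Specific Filter for File Creation - This is a very Simple implementation, You can try to Modify it a little so it will be more relevant only to File Copy)

// 1. Change the context to Root\Subscription namespace
//    All standard consumer classes are
//    registered there.
#pragma namespace("\\\\.\\root\\subscription")

// 2. Create an instance of __EventFilter class
//    and use its Query property to store
//    your WQL event query.
//    The query polls every 5 seconds and is tied to the hard-coded drive
//    letter E:. Polling CIM_DataFile across a whole volume can be expensive
//    on drives that hold many files.
instance of __EventFilter as $EventFilter
{
    Name = "File Copy Filter";
    EventNamespace = "Root\\Cimv2";
    // "TargetInstance" was misspelled "TargetInstnace" in the posted text,
    // which makes the WHERE clause refer to a name that does not exist.
    Query = "SELECT * From __InstanceCreationEvent WITHIN 5 Where "
            "TargetInstance ISA \"CIM_DATAFile\" And TargetInstance.Drive=\"E:\" ";
    QueryLanguage = "WQL";
};

// 3. Create an instance of __EventConsumer
//    derived class. (ActiveScriptEventConsumer
//    SMTPEventConsumer etc...)
//    No credential or encryption property is set on this consumer, so the
//    SMTP server presumably has to accept unauthenticated mail from this host
//    (confirm against the relay's configuration).
instance of SMTPEventConsumer as $Consumer
{
    Name = "File Copy SMTP Consumer";
    FromLine = "Administrator@Domain.Com";
    // Same spelling fix as in the filter, so the file name is substituted.
    Message = "A File Named %TargetInstance.FileName% Was Copied to Drive %TargetInstance.Drive%\n"
              "Probably a USB Device";
    SMTPServer = "SMTPSRV.Domain.Com";
    Subject = "File Copy to USB on Computer %TargetInstance.CSName%";
    ToLine = "SecurityTeam@Domain.Com";
};

// 4. Join the two instances by creating
//    an instance of __FilterToConsumerBinding
//    class.
//    This makes the subscription permanent: it stays registered in
//    root\subscription across reboots until the filter, consumer and binding
//    are deleted. Record it in the host's inventory, since filter-to-consumer
//    bindings are something security tooling reports on.
instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer = $Consumer;
};

In order to modify it or play with it a little I would check Changing the SMTPEventConsumer to an ActiveScriptEventConsumer and in the Filter Section Filter on File Modification (__InstanceModificationEvent) and then in the Consumer check the Previous File size of the file being modified; if the Current Size is bigger, then most chances are that the file is being copied.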