Any software or code to detect USB Storage connection & Get notified by email?

Christian de Bellefeuille
Christian de Bellefeuille used Ask the Experts™
on
Is it possible to detect when a user inserted an USB storage device and get notified by email or SMS?

I'm not looking for a solution which is blocking the usage of this device, just get notified.

Note: We are using PC's with Windows 10 mostly, and maybe some Windows 7.  All Home Edition, not pro and not on domain either.

The solution can be a software that we buy, or even C# code... anything useful and afordable.

Thanks you
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
nociSoftware Engineer
Distinguished Expert 2018

Commented:
It should be possible...., Linux can do this more or less (not the email part) using usbguard
it can set to block everything except for known USB objects.

I would think this could also be done on Windows. (it should be).
Most Valuable Expert 2013
Commented:
Windows already has this, use the event code for connection of USB storage to trigger an email.
Dustin SaundersCo-Founder and Chief Architect
Top Expert 2016
Commented:
You can also use Powershell to interact when this happens, and do things such as if a USB device is added you can eject it.  

When this script runs at startup, it registers an event that watches for new drives and emails the changes out.  Just an example of how to create custom code to watch for these events.

$action = { 
    $drives = Get-WmiObject -Query "select * from win32_diskdrive"
    $message = "Number of disk drives changed on $env:COMPUTERNAME`n`n"
    foreach ($drive in $drives)
    {
        $message += "$($drive.DeviceID)`n$($drive.Model)`n$($drive.Size)`n$($drive.Caption)`n`n"
    }
    Send-MailMessage -From "notification@company.com" -To "who@company.com" -Body $message -Subject "New Disk on $env:COMPUTERNAME" -SmtpServer "192.168.1.x"
 }

Register-WmiEvent -Query "select * from __instancecreationevent within 5 where targetinstance isa 'win32_diskdrive'" -Action $action -SourceIdentifier "DeviceChange"

Open in new window

Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Shaun VermaakSenior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
I wrote a tool that monitors USB drives for malicious files. The code can easily be modified to send out a mail.
Basically, I just monitor the drive collection and trigger when the collection changes

Author

Commented:
Sorry for the late response.  We were trying to figure out how to make it work in ESET.  We are using ESET with ERA (ESET Remote Administrator) and we heard that it was possible.  But our tests show erratic results (drives not recognized anymore, even internal harddrive was driven by these Device Controls in ESET).  

@Dustin, i've tried your solution but i'm not getting any result.  I've just changed the action to show a messagebox like this because i don't know yet how to setup credentials in your example.  When i run it, i get this table saying "NotStarted".  Do i have anything else to do?

Note: I've ran the code within Powershell ISE for test purpose.  I don't think it should affect the way it work.  Correct me if i'm wrong.

CODE TO SHOW THE MESSAGE BOX

[System.Windows.Forms.MessageBox]::Show("Drive connected/disconnected")

Open in new window


TABLE RESULT OF REGISTER-WMIEVENT

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command                  
--     ----            -------------   -----         -----------     --------             -------                  
3      DeviceChange                    NotStarted    False                                 ...    

Open in new window

Author

Commented:
@Shaun, if it doesn't bother you, you can send it to me at [address removed]
thanks
Most Valuable Expert 2013

Commented:
Hi Christian, sorry but using email in threads is prohibited.

Shaun might be able to upload the tool though and link to it.

Hope that will work for you both

MASQ
EE Topic Advisor

Author

Commented:
ok for me MASQ

Author

Commented:
@Dustin, one serious caveat about your solution is that as soon as you close the ISE windows, bye bye registration.  So my guess is that when you run this in a logon script, the event won't trigger anymore.  Am i wrong?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial