Luis Diaz


PowerShell & Windows Batch & AutoHotkey: how to protect my computer from someone who plugs a USB or an external hard drive into my computer

Hello experts,

 

Sometimes when I go to a restaurant (example: PF Chang's) or to a coffee shop (example: Starbucks), I leave my computer. It is blocked after two minutes of inactivity. However, there is a risk that someone plugs in a USB or an external hard drive to get my info or transfer a virus.

 

I would like to implement a script to be run every time in order to:

1-Display a popup to inform that someone has plugged in a USB or an external drive. No matter if it happens when I plug in a USB external hard drive. The most important thing is to protect my computer.

2-Write a log file in which it is reported every time that someone (me or another person) has plugged a USB or an external hard drive in my computer.

 

If you have questions please contact me.

 

☠ MASQ ☠

Windows is already doing this in the background for you :)

You can quiz Event Viewer for event codes 2003 and 2102 (USB Storage attached & USB storage removed respectively) to see if anything has been connected.  The advantage of Event Viewer is it's also logging times.

You could also disable USB ports allowing storage devices to be connected by using the Registry or Group Policy Editor.

Placing two registry files on your desktop you could effectively switch off USB storage and switch it back on again by simply clicking on those files.

Also Windows has the ability to recognise USB devices that have already been connected and allow those but no others.

Simply hitting WinKey+L before leaving your laptop unattended would be the best place to start though.
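One way to export the two event codes mentioned above to a CSV file, as an added PowerShell example that is not part of any post in this thread. The channel name and the output path are assumptions; the thread gives only the event IDs.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumption: event IDs 2003/2102 are read from this operational channel.
$LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
# Hypothetical output location; change as needed.
$OutFile = Join-Path $env:USERPROFILE 'Desktop\usb-storage-events.csv'

# A disabled channel records nothing, so a search for the IDs comes back empty.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Warning "$LogName is disabled; no attach/remove events are being recorded."
    Write-Warning "Enable it once (elevated): wevtutil sl $LogName /e:true"
    return
}

# Labels follow the meaning given in the post above.
$action = @{ 2003 = 'Attached'; 2102 = 'Removed' }

try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2003, 2102 } -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when no event matches the filter.
    Write-Warning "No matching events could be read: $($_.Exception.Message)"
    $events = @()
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Action'; Expression = { $action[[int]$_.Id] } },
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host "$(@($events).Count) event(s) written to $OutFile"
```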
Luis Diaz

ASKER

Hello,
I am not able to get the event codes:
Additionally, I need to export those events as it is for me but also for some family members so they need an easy solution.
It would be great to have a Windows batch or a PowerShell script to export those events.
The recommendation to hit WinKey+L is already applied; however, if another person brings his computer and plugs it into my computer, can he transfer files if my computer is locked? I think that the answer is no but I want to confirm.

USB is insecure.  Unfortunately, no software can protect your computer from real USB attacks.  All you can do with windows registry is to block Windows access to USB storage, but not other USB hardware access.  There are plenty of devices that work on USB that don't need Windows access for it to operate.  While you can block your own access to USB storage devices, there are numerous other types of devices that still can connect to your system to exfiltrate data in other ways.


The only sure way is to epoxy your USB ports, cut the traces on the PCB board, or remove the port altogether.  Short of that, you can use some sort of physical barrier like a USB lock to prevent anyone from attaching a device in the first place.


https://rack-a-tiers.com/product/usb-locks-port-blocker-5-pack/

https://www.amazon.com/Lindy-USB-Port-Blocker-Green/dp/B000I2JWJ0

https://www.amazon.com/Piece-Type-Secruity-Blocker-Removal/dp/B09GJLTD5S?th=1
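The registry switch for USB storage referred to in the posts above, as an added PowerShell example that is not part of any post in this thread. It assumes the switch meant is the `Start` value of the `USBSTOR` driver service (3 = enabled, 4 = disabled); the function names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumption: the switch is the Start value of the USBSTOR driver service.
# It only affects the USB mass-storage driver; keyboards, network adapters and
# other USB device classes are untouched, which is the limitation raised above.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other (Start=$start)" }
    }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # Writing under HKLM fails without elevation, so check first and say why.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Changing HKLM requires an elevated session.' }

    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorageState   # report the state that is now in the registry
}

# Show the current state; uncomment one of the lines below to change it.
Get-UsbStorageState
# Set-UsbStorageState -State Disabled   # before leaving the laptop unattended
# Set-UsbStorageState -State Enabled    # when a USB drive is needed again
```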

SOLUTION
Joe Winograd
Hello Joe,

I tried to access the URL in which your article appears, but it seems that I don't have access to read the article.
ASKER CERTIFIED SOLUTION
Thank you very much Joe,
I think (I prefer to ask) I should keep this AutoHotkey script alone and not include it in my AutoHotkey reference file, which has the various AutoHotkey scripts.
Regards,
Luis.
Hi Luis,
Yes, you should keep this separate from your main AutoHotkey hotkeys/hotstrings file. There's no reason to assign a hotkey/hotstring to it...simply run it from File Explorer (or whatever file manager you use)...or make a shortcut to it, if you prefer that method.

In fact, I've been meaning to suggest this for several of your scripts. For example, scripts like BodyMassIndex, DaysBetweenDates, and DistanceSpeedTime do not need hotkeys/hotstrings. In other words, they do not need to be running in the background and at-the-ready via a hotkey/hotstring. They are, in essence, programs that you can run when you need them, much like Excel, PowerPoint, and Word. Keep each one in a separate AHK file and run them by clicking the AHK file in your file manager or clicking a shortcut, not by making them a hotkey/hotstring in your main AutoHotkey hotkeys/hotstrings file.

If you want a script to be running all the time, which may be a good choice for DetectDriveUSB (or not, if you just want it to be running when you're away from the PC), you can put a shortcut to its AHK file in the Startup folder or create a task in Task Scheduler with an "At startup" trigger.

Regards, Joe
Hello Joe.

Thank you for this advice. I sent the AutoHotkey script to the Startup folder.
I tested it and it works perfectly!
Amazing and very helpful AutoHotkey script!

Thank you again for your help!

Regards,
Luis.
Last question, if I want to clear log data as I want to remove the entries related to my tests how can I proceed?

Regards,
Luis.
No problem...you can delete whatever entries you want using a text editor (Notepad, Notepad++, etc.). You can even delete the entire file with your file manager...the script will automatically create a new one the next time it runs. Regards, Joe
Noted, thank you very much for your help!
You're very welcome!

That still doesn't protect you from USB devices that don't get recognized as storage.

> That still doesn't protect you from USB devices that don't get recognized as storage.

Correct. I didn't write it for "protection" purposes. As I said in an earlier comment, I wrote it because "I think it has value other than the 'protection' realm."
Hi Luis,

Two enhancements:

(1) The insertion pop-up and logfile entry now contain the drive label and serial number (if they have them). For example:

2023-04-09_04.39.20 Inserted Drive E  Label: BACKUP-1TB  Serial Number: 1234567890

(2) The "Script started" logfile entry now has the computer name and user name. For example:

2023-04-09_04.46.14 Script started  Computer: PROD17  User: John

Updated script attached. Regards, Joe

DetectDriveUSBupdate1.ahk
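An added PowerShell example (not Joe's AutoHotkey script, which is attached rather than shown) that produces log entries in the format quoted above and a pop-up for each drive-letter arrival or removal. The log path and the `Write-DriveLog` helper are hypothetical, and it reacts only to volumes that receive a drive letter.

```powershell
# Added example, not from the thread. Uses the WMI class Win32_VolumeChangeEvent
# (EventType 2 = arrival, 3 = removal). If registration is denied, run elevated.
$LogFile = Join-Path $env:USERPROFILE 'DetectDriveUSB-example.log'   # hypothetical path

function Write-DriveLog([string]$Text) {
    # Timestamp format copied from the log lines quoted in the post above.
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd_HH.mm.ss'), $Text
    Add-Content -Path $LogFile -Value $line
    $line
}

Write-DriveLog "Script started  Computer: $env:COMPUTERNAME  User: $env:USERNAME" | Out-Null

$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3'
Register-CimIndicationEvent -Query $query -SourceIdentifier VolumeChange
$shell = New-Object -ComObject WScript.Shell

try {
    while ($true) {
        $queued = Wait-Event -SourceIdentifier VolumeChange
        $change = $queued.SourceEventArgs.NewEvent
        Remove-Event -EventIdentifier $queued.EventIdentifier

        $drive  = $change.DriveName                      # for example "E:"
        $letter = $drive.TrimEnd(':')
        if ($change.EventType -eq 2) {
            # Label and serial may be empty; some volumes do not report them.
            $vol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
            $msg = Write-DriveLog ("Inserted Drive $letter  Label: $($vol.VolumeName)  " +
                                   "Serial Number: $($vol.VolumeSerialNumber)")
        } else {
            $msg = Write-DriveLog "Removed Drive $letter"
        }
        # 64 = information icon; timeout 0 keeps the pop-up until it is dismissed,
        # so it is still on screen when the owner unlocks the session.
        $shell.Popup($msg, 0, 'Drive change detected', 64) | Out-Null
    }
} finally {
    Unregister-Event -SourceIdentifier VolumeChange
}
```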
Hello Joe,

I tested and I haven't the serial number.
My test has been performed with an external hard drive: WD My Passport Ultra
Hi Luis,

Some drives report a serial number, some don't. I'm simply providing what DriveGet returns.

Here's a script, slightly modified from Example #1 of the DriveGet doc, that displays all information about the drive in the Drive variable, and also shows all the drive letters in the system:

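; Drive to inspect (change the letter as needed)
Drive:="C:"
; All drive letters present in the system, returned as one string
DriveGet,AllDrives,List
; Capacity and free space are returned in MB
DriveGet,Cap,Capacity,%Drive%
DriveSpaceFree,Free,%Drive%
DriveGet,FS,FileSystem,%Drive%
DriveGet,Label,Label,%Drive%
; Volume serial number (blank if the drive does not report one)
DriveGet,Serial,Serial,%Drive%
DriveGet,Type,Type,%Drive%
DriveGet,Status,Status,%Drive%
; 262208 = 64 (information icon) + 262144 (always on top)
MsgBox,262208,Drive %Drive% Information,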
(
Type: %Type%
Status: %Status%
Capacity: %Cap% MB
Free Space: %Free% MB
Filesystem: %FS%
Volume Label: %Label%
Serial Number: %Serial%

All drive letters in system:`n%AllDrives%
)
ExitApp


You may find that helpful. Regards, Joe
Noted, thank you very much Joe!
Nice job Joe, I'll add it to my tools list too.  

Luis,
Protecting your laptop while you are away from it should include encrypting the hard drive with BitLocker.  Do you have that turned on?   USB access is not the only way to get to your drive data.  It's easy enough to just remove the drive.  For most laptops just a half dozen screws and it opens up.
> This script is "magnifique"
> Nice job Joe, I'll add it to my tools list too.

Thanks, Luis and Fred, I appreciate hearing that! I'm working on a better one that will create a plain text report file with that information for every drive letter in the system. The first line of the report will look like this:

2023-04-09_12.25.03 Script started - All drive letters: CDEFGHXZ  Computer: PROD17  User: John

The last line will look like this:

2023-04-09_12.25.05 Script ended

In between, there will be an entry like this for every drive letter in the system:

Drive: C:
Type: Fixed
Status: Ready
Capacity: 390,092 MB
Free Space: 263,578 MB
Filesystem: NTFS
Volume Label: C-860EVO-1TB
Serial Number: 1234567890


When the script ends, it will automatically open the report file in the program that owns the TXT file type. I'll keep you updated on progress. Regards, Joe
@fred hakim: Yes, it is the case, but sometimes I can forget to lock again so it can happen. This is why the best is to buy this:
https://www.amazon.com/Piece-Type-Secruity-Blocker-Removal/dp/B09GJLTD5S?th=1 as proposed by Serialband.
And in the meantime to monitor the activity with Joe's proposal.
As a big fan of AutoHotkey I will use frequently Joe's proposal and use the USB blocker.
It is better to do a lot than a little :-)

Regards,
Luis.
@Joe: just an opinion of a simple user of your codes: it would be great to have the drive capacity info in GB instead of MB.
Good idea! No problem...I'll divide by 1024. Here's the actual test result from two of my drives (with SN changed):

Drive: C:
Type: Fixed
Status: Ready
Capacity: 380 GB
Free Space: 257 GB
Filesystem: NTFS
Volume Label: C-860EVO-1TB
Serial Number: 1234567890

Drive: N:
Type: Fixed
Status: Ready
Capacity: 4,657 GB
Free Space: 2,861 GB
Filesystem: NTFS
Volume Label: ST-Black-5TB
Serial Number: 1234567890


Regards, Joe
Hi Fred and Luis,
Attached is the script that I mentioned in my last few posts. Please give it a spin and let me know how it goes. Regards, Joe
DriveReport.ahk
Thank you very much Joe 🙂!
You're very welcome, Luis. I made a minor change to the script while you were entering your last post...I didn't expect you to catch it so fast. :) Please download it again.

You really should still understand that the script only protects you from devices that ID as storage.  USB encompasses a whole slew of other devices and they can still be used to install software and exfiltrate data without triggering this script.

@serialband: correct. This is why I am going to buy: https://www.amazon.com/Piece-Type-Secruity-Blocker-Removal/dp/B09GJLTD5S?th=1
Hi Luis and Fred,

The first article was published today and is now accessible:
Detect USB Drive Insertion and Deletion - AutoHotkey Script

I decided to write an article on the second script, too:
Create Report with Information on All Drives with Letters - AutoHotkey Script

As with the first one, that won't be available until it is published, but the first one was published very quickly, and I'm hoping the same for the second one.

I'll appreciate it if you read both articles and let me know your thoughts. Thanks, Joe
Hi Luis and Fred,

The second one was published today, so both are viewable now:

Detect USB Drive Insertion and Deletion - AutoHotkey Script

Create Report with Information on All Drives with Letters - AutoHotkey Script

If, and only if, you think they are good articles, I'll appreciate it if you endorse them by clicking the thumbs-up icon at the bottom of each article. Thanks, Joe