This is a script to monitor data being written to a USB drive.
It then sends an email with the log file attached, showing what was added and by whom. It can run as a background process so the user does not see it. This script is intended to help with Data Loss Prevention (DLP), which is becoming more of an issue in the workplace.
The SMTP settings are all that is required to make this script run; see below.
The message reported for each event:
Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer" -fore green
The log file each entry is appended to (one line per event):
Out-File -FilePath c:\$computer.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user"
Insert your SMTP server here:
$smtpServer = "your.smtp.server"
$file = "c:\$computer.txt"
$att = new-object Net.Mail.Attachment($file)
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
Change the sender address to your domain:
$msg.From = USBMonitor@yourdomain.com
Insert the recipient email address:
$msg.To.Add("yourname@yourdomain.com")
Email subject:
$msg.Subject = "Notification from USB Monitor $user has created files on USB"
$msg.Attachments.Add($att)
$smtp.Send($msg)
Command line to run the script:
powershell -noexit .\USBMonitor.ps1
########################################################################
# USB Monitor
# Created By: djjos70
# Run string powershell -noexit .\USBMonitor.ps1
########################################################################
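# Block until at least one USB-attached logical disk (drive letter) is present.
# Walks WMI: USB Win32_DiskDrive -> its partitions -> the logical disks on them,
# leaving the drive letters (e.g. "E:") in $UsbDisk.
do {
  $UsbDisk = Get-WmiObject Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq "USB" } |
    ForEach-Object {
      # Backslashes in the PnP device id must be doubled inside a WQL string literal.
      $id = $_.DeviceID.Replace('\', '\\')
      Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$id`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"
    } |
    ForEach-Object {
      Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"
    } |
    ForEach-Object { $_.DeviceID }
  # $null on the left: with $null on the right a multi-element result is
  # filtered instead of compared.
  if ($null -eq $UsbDisk) {
    Write-Host "There is no USB drive detected, please insert a USB drive"
    # Poll rather than spin: the original loop re-ran the three WMI queries
    # back to back with no pause.
    Start-Sleep -Seconds 5
  }
} while ($null -eq $UsbDisk)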
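# Watch the whole USB volume, recursively. NotifyFilter covers name changes
# (Created/Deleted) and LastWrite (Changed); DirectoryName is not included,
# so events on directories themselves may not be reported -- TODO confirm
# whether that matters for this deployment.
$filter = '*.*'
$folder = $UsbDisk
if (@($UsbDisk).Count -gt 1) {
  # FileSystemWatcher takes a single path; the constructor would reject an
  # array, so only the first drive is monitored and the rest are named here.
  Write-Warning "Several USB drives found ($($UsbDisk -join ', ')); only $(@($UsbDisk)[0]) will be monitored"
  $folder = @($UsbDisk)[0]
}
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
  IncludeSubdirectories = $True
  NotifyFilter          = [IO.NotifyFilters]'FileName, LastWrite'
}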
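# Created: write the event to the console and the local log, then e-mail the
# (cumulative) log file as an attachment.
Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
  # One WMI query gives both the asset name and the interactively logged-on
  # user. The original re-queried with `-Comp $computer-CL`; in argument mode
  # that is the host name with "-CL" appended, so the lookup targeted a
  # non-existent machine and $User was never populated.
  # UserName is $null when nobody is logged on interactively (e.g. when run as
  # a service) -- the log line then ends in "by ".
  $cs       = Get-WmiObject Win32_ComputerSystem
  $computer = $cs.Name
  $User     = $cs.UserName
  $name       = $Event.SourceEventArgs.Name
  $changeType = $Event.SourceEventArgs.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer" -fore green
  # NOTE(review): the log lives on the monitored host and is writable by the
  # same user it records; the mailed copy is the only off-host record.
  Out-File -FilePath c:\$computer.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user"
  $smtpServer = "your.smtp.server"
  $file = "c:\$computer.txt"
  $att  = new-object Net.Mail.Attachment($file)
  $msg  = new-object Net.Mail.MailMessage
  $smtp = new-object Net.Mail.SmtpClient($smtpServer)
  # NOTE(review): neither EnableSsl nor Credentials is set, so the report
  # (file names, user, asset) travels to the relay in clear text; set them if
  # the relay supports it.
  try {
    $msg.From = "USBMonitor@yourdomain.com"
    $msg.To.Add("yourname@yourdomain.com")
    $msg.Subject = "Notification from USB Monitor $user has created files on USB"
    $msg.Attachments.Add($att)
    # Every Created event mails the whole log so far; the attachment grows
    # with each event.
    $smtp.Send($msg)
  } catch {
    # A mail failure must not stop the watcher; the local log line is already
    # written. Write-Host so it is visible on the console like the other output.
    Write-Host "USB Monitor: could not send notification: $_" -fore yellow
  } finally {
    # Release the open handle on the log file so the next event can append.
    $att.Dispose()
    $msg.Dispose()
  }
}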
# Deleted: report the event on the console (red) and append it to the local
# log. No e-mail is sent for deletions.
Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
  # Identity of the account running this script -- not necessarily the
  # account that removed the file.
  $User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  $computer = (Get-WmiObject Win32_ComputerSystem).Name
  $ev         = $Event.SourceEventArgs
  $name       = $ev.Name
  $changeType = $ev.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer " -ForegroundColor red
  "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user" |
    Out-File -FilePath "c:\$computer.txt" -Append
}
# Changed: report the event on the console (white) and append it to the local
# log. No e-mail is sent for modifications.
Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
  # Identity of the account running this script -- not necessarily the
  # account that modified the file.
  $User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  $computer = (Get-WmiObject Win32_ComputerSystem).Name
  $ev         = $Event.SourceEventArgs
  $name       = $ev.Name
  $changeType = $ev.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer " -ForegroundColor white
  "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user" |
    Out-File -FilePath "c:\$computer.txt" -Append
}
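########################################################################
# USB Monitor
# Created By: djjos70
# Run string powershell -noexit .\USBMonitor.ps1
#
# Waits for a USB drive, then watches it for created/deleted/changed files.
# Each event is written to the console and appended to c:\<asset>.txt; a
# Created event additionally e-mails that log file to the configured address.
########################################################################

# Block until at least one USB-attached logical disk (drive letter) is present.
# Walks WMI: USB Win32_DiskDrive -> its partitions -> the logical disks on them.
do {
  $UsbDisk = Get-WmiObject Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq "USB" } |
    ForEach-Object {
      # Backslashes in the PnP device id must be doubled inside a WQL string literal.
      $id = $_.DeviceID.Replace('\', '\\')
      Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$id`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"
    } |
    ForEach-Object {
      Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"
    } |
    ForEach-Object { $_.DeviceID }
  # $null on the left: with $null on the right a multi-element result is
  # filtered instead of compared.
  if ($null -eq $UsbDisk) {
    Write-Host "There is no USB drive detected, please insert a USB drive"
    # Poll rather than spin through the three WMI queries without pause.
    Start-Sleep -Seconds 5
  }
} while ($null -eq $UsbDisk)

# Watch the whole USB volume, recursively. NotifyFilter covers name changes
# (Created/Deleted) and LastWrite (Changed); DirectoryName is not included,
# so events on directories themselves may not be reported -- TODO confirm.
$filter = '*.*'
$folder = $UsbDisk
if (@($UsbDisk).Count -gt 1) {
  # FileSystemWatcher takes a single path; the constructor would reject an
  # array, so only the first drive is monitored and the rest are named here.
  Write-Warning "Several USB drives found ($($UsbDisk -join ', ')); only $(@($UsbDisk)[0]) will be monitored"
  $folder = @($UsbDisk)[0]
}
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
  IncludeSubdirectories = $True
  NotifyFilter          = [IO.NotifyFilters]'FileName, LastWrite'
}

# Created: write the event to the console and the local log, then e-mail the
# (cumulative) log file as an attachment.
Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
  # One WMI query gives both the asset name and the interactively logged-on
  # user. The original re-queried with `-Comp $computer-CL`; in argument mode
  # that is the host name with "-CL" appended, so the lookup targeted a
  # non-existent machine and $User was never populated.
  # UserName is $null when nobody is logged on interactively (e.g. when run as
  # a service) -- the log line then ends in "by ".
  $cs       = Get-WmiObject Win32_ComputerSystem
  $computer = $cs.Name
  $User     = $cs.UserName
  $name       = $Event.SourceEventArgs.Name
  $changeType = $Event.SourceEventArgs.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer" -fore green
  # NOTE(review): the log lives on the monitored host and is writable by the
  # same user it records; the mailed copy is the only off-host record.
  Out-File -FilePath c:\$computer.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user"
  $smtpServer = "your.smtp.server"
  $file = "c:\$computer.txt"
  $att  = new-object Net.Mail.Attachment($file)
  $msg  = new-object Net.Mail.MailMessage
  $smtp = new-object Net.Mail.SmtpClient($smtpServer)
  # NOTE(review): neither EnableSsl nor Credentials is set, so the report
  # (file names, user, asset) travels to the relay in clear text; set them if
  # the relay supports it.
  try {
    $msg.From = "USBMonitor@yourdomain.com"
    $msg.To.Add("yourname@yourdomain.com")
    $msg.Subject = "Notification from USB Monitor $user has created files on USB"
    $msg.Attachments.Add($att)
    # Every Created event mails the whole log so far; the attachment grows
    # with each event.
    $smtp.Send($msg)
  } catch {
    # A mail failure must not stop the watcher; the local log line is already
    # written. Write-Host so it is visible on the console like the other output.
    Write-Host "USB Monitor: could not send notification: $_" -fore yellow
  } finally {
    # Release the open handle on the log file so the next event can append.
    $att.Dispose()
    $msg.Dispose()
  }
}

# Deleted: console (red) and local log only; no e-mail.
Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
  # Identity of the account running this script -- not necessarily the
  # account that removed the file.
  $User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  $computer = (Get-WmiObject Win32_ComputerSystem).Name
  $name       = $Event.SourceEventArgs.Name
  $changeType = $Event.SourceEventArgs.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer " -fore red
  Out-File -FilePath c:\$computer.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user"
}

# Changed: console (white) and local log only; no e-mail.
Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
  # Identity of the account running this script -- not necessarily the
  # account that modified the file.
  $User     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  $computer = (Get-WmiObject Win32_ComputerSystem).Name
  $name       = $Event.SourceEventArgs.Name
  $changeType = $Event.SourceEventArgs.ChangeType
  $timeStamp  = $Event.TimeGenerated
  Write-Host "The file '$name' was $changeType at $timeStamp on USB for Asset $computer " -fore white
  Out-File -FilePath c:\$computer.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp on USB for Asset $computer by $user"
}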