Monitor File Creation

Temporary event consumer that issues an alert any time a file is created in the C:\Scripts folder. Best when run under Cscript.exe.

5 Star
Add to favorites
E-mail Twitter Digg Facebook
  • Can objDisk.DeviceID be passed to to the query instead of a static value?
    2 Posts | Last post January 17, 2011
    • So this script looks for type 2 (removable) drives, alerts when it finds one, and monitors file creation on the first one it finds. The drive letter for the first removable is set to DriveLetter from objDisk.DeviceID
      I would like to pass the drive letter to the query instead of entering a static path like E:\\\\ in order to fully automate this script.
      Resulting query language would be something like WHERE Drive = DriveLetter..I cannot figure out how to compose this query. How can it be done?
      Set colDisks = objWMIService.ExecQuery _
       ("SELECT * FROM Win32_LogicalDisk")
      	For Each objDisk in colDisks
      	If objDisk.DriveType <> 2 Then
      	Wscript.Sleep 1000
      	ElseIf objDisk.DriveType = 2 Then
      	Wscript.Echo  VbCrLf
      	Wscript.Echo "***** A removable disk has been detected *****" & VbCrLf
      	DriveLetter = objDisk.DeviceID
      	Wscript.Echo "Monitoring for file creation on removable disk " & DriveLetter
      		Set colMonitoredEvents = objWMIService.ExecNotificationQuery _ 
          		("SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE " _ 
              	& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _ 
                  	& "TargetInstance.GroupComponent= " _ 
                      & "'Win32_Directory.Name=""E:\\\\""'") 
          		Set objLatestEvent = colMonitoredEvents.NextEvent 
          		Wscript.Echo objLatestEvent.TargetInstance.PartComponent 
      	End If
    • whoops, never mind; it was a simple mistake..have it working using strDrive = objDisk.DeviceID and a more complex query to catch all file events in addition to just file creation..resulting script is too long to post here but will post online..thx