Discussion:
Script: change in real time the key in the registry
Salvador
2009-08-30 14:52:06 UTC
I need a script that notifies me in real time of any change to this key in the
registry:
KHLM \ Microsoft \ system \ CurrentControlSet \ Enum \ USBSTOR

The notice may be by courier to my team and by email.

How do I do it?
Thank you
Pegasus [MVP]
2009-08-30 16:35:05 UTC
Here you go (based on an idea by the Scripting Guy).
Note that the registry key you quote (KHLM \ Microsoft \ system \
CurrentControlSet \ Enum \ USBSTOR) does not exist. You must specify the
correct key in order to get the script to work.

' WQL treats "\" as an escape character, so the key path uses doubled backslashes.
sHive = "'HKEY_LOCAL_MACHINE'"
sPath = "'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Set objWMIService = GetObject("winmgmts:\\.\root\default")
' Subscribe to change events for this one key.
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive=" & sHive _
    & " AND KeyPath=" & sPath)

Do
    ' NextEvent blocks until the key changes.
    Set objLatestEvent = colEvents.NextEvent
    WScript.Echo Now & ": The registry key" & VbCrLf _
        & Replace(sHive & "\" & Replace(sPath, "\\", "\"), "'", "") _
        & VbCrLf & "has been modified."
Loop

What do you mean by "by courier"?
Salvador
2009-08-30 19:36:47 UTC
Thanks. I mean that the user does not get any popup; the notice is sent by email,
so that the administrator is notified that the user has connected a USB device,
or it is a popup to the administrator.
Is it possible?
The key is: HKLM / system / currentcontrolset / enum / usbstor
Pegasus [MVP]
2009-08-30 20:33:26 UTC
You can try the code below. Note that it will pick up changes at the usbstor
level but not at any deeper level.

sHive = "'HKEY_LOCAL_MACHINE'"
sPath = "'SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'"
Set objWMIService = GetObject("winmgmts:\\.\root\default")
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive=" & sHive _
    & " AND KeyPath=" & sPath)

Do
    ' NextEvent blocks until the USBSTOR key itself changes.
    Set objLatestEvent = colEvents.NextEvent
    SendMail sHive, sPath
Loop

' Mail a change report through the SMTP server configured below.
Sub SendMail(Hive, Path)
    Set oWshShell = CreateObject("WScript.Shell")
    cdoBasic = 1
    schema = "http://schemas.microsoft.com/cdo/configuration/"
    ' Strip the WQL quoting and escaping so the mail shows the plain key name.
    sKey = Replace(Hive & "\" & Replace(Path, "\\", "\"), "'", "")
    Set objEmail = CreateObject("CDO.Message")
    With objEmail
        .From = "***@company.com"
        .To = "***@company.com"
        .Subject = "Registry change report - " _
            & oWshShell.ExpandEnvironmentStrings("%Computername%")
        .Textbody = "The key " & sKey _
            & " was modified on " & Date & " at " & Time & "."
        With .Configuration.Fields
            .Item(schema & "sendusing") = 2            ' 2 = send over the network to an SMTP server
            .Item(schema & "smtpserver") = "mail.company.com"
            .Item(schema & "smtpserverport") = 25
            .Item(schema & "smtpauthenticate") = cdoBasic
            .Item(schema & "sendusername") = "***@company.com"
            .Item(schema & "smtpaccountname") = "***@company.com"
            ' The account password sits in this script in clear text.
            .Item(schema & "sendpassword") = "smtppassword"
        End With
        .Configuration.Fields.Update
        .Send
    End With
End Sub
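
An added example, not part of the post above or of the Scripting Guy's code: the script above only sees changes at the USBSTOR key itself, so this variant subscribes to RegistryTreeChangeEvent for the whole subtree and compares the first-level subkey names before and after each event to name what appeared or disappeared. Snapshot and Report are hypothetical helper names, and the script assumes it is run with cscript.exe so that WScript.Echo writes to the console.

```vbscript
' Added example (not from the thread): watch the whole USBSTOR subtree and
' report which first-level subkeys appeared or disappeared.
Option Explicit
Const HKLM = &H80000002
Const USBSTOR = "SYSTEM\CurrentControlSet\Enum\USBSTOR"

Dim objWMI, objReg, colEvents, objEvent, dictKnown, dictNow, sName

Set objWMI = GetObject("winmgmts:\\.\root\default")
Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

' RegistryTreeChangeEvent fires for changes anywhere below RootPath.
' Backslashes are doubled because WQL treats "\" as an escape character.
Set colEvents = objWMI.ExecNotificationQuery( _
    "SELECT * FROM RegistryTreeChangeEvent " _
    & "WHERE Hive='HKEY_LOCAL_MACHINE' " _
    & "AND RootPath='" & Replace(USBSTOR, "\", "\\") & "'")

Set dictKnown = Snapshot()
Do
    Set objEvent = colEvents.NextEvent   ' blocks until something changes
    Set dictNow = Snapshot()
    For Each sName In dictNow.Keys
        If Not dictKnown.Exists(sName) Then Report "added", sName
    Next
    For Each sName In dictKnown.Keys
        If Not dictNow.Exists(sName) Then Report "removed", sName
    Next
    Set dictKnown = dictNow
Loop

' Return the current USBSTOR subkey names as a case-insensitive set.
Function Snapshot()
    Dim dict, arrNames, s
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare
    ' EnumKey leaves arrNames Null when the key has no subkeys.
    If objReg.EnumKey(HKLM, USBSTOR, arrNames) = 0 And IsArray(arrNames) Then
        For Each s In arrNames
            dict(s) = True
        Next
    End If
    Set Snapshot = dict
End Function

' Hypothetical reporting helper; swap in a mail routine if required.
Sub Report(sAction, sKey)
    WScript.Echo Now & " USBSTOR subkey " & sAction & ": " & sKey
End Sub
```

The comparison covers only the first-level (device model) subkeys: a second device of a model already seen adds an instance subkey one level down, which wakes the loop but produces no report line.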
jford
2009-08-31 19:51:01 UTC
Just a potential gotcha, if you have anti-virus you may want to check the
settings because many will not allow a script or custom built application to
send emails.

troubleshooting ahead :)