Post by SalvadorThanks, I mean that the user does not leave any popup, it is sent by email
if you can notify the administrator that the user has connected a USB or
is a popup to the administrator.
Is it possible?
With the key is: HKLM / system / currentcontrolset / enum / usbstor
You can try the code below. Note that it will pick up changes at the usbstor
level but not at any deeper level.
sHive = "'HKEY_LOCAL_MACHINE'"
sPath = "'SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'"
Set objWMIService = GetObject("winmgmts:\\.\root\default")
Set colEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM RegistryKeyChangeEvent " _
& "WHERE Hive= " & sHive _
& "And KeyPath=" & sPath)
Do
Set objLatestEvent = colEvents.NextEvent
SendMail sHive, sPath
Loop
Sub SendMail(Hive, Path)
Set oWshShell = CreateObject("WScript.Shell")
cdoBasic = 1
schema = "http://schemas.microsoft.com/cdo/configuration/"
Set objEmail = CreateObject("CDO.Message")
With objEmail
.From = "***@company.com"
.To = "***@company.com"
.Subject = "Registry change report - " _
& oWshShell.ExpandEnvironmentStrings("%Computername%")
.Textbody = "The key " & Hive & "\" & Path _
& " was modified on " & Date & " at " & Time & "."
With .Configuration.Fields
.Item (schema & "sendusing") = 2
.Item (schema & "smtpserver") = "mail.company.com"
.Item (schema & "smtpserverport") = 25
.Item (schema & "smtpauthenticate") = cdoBasic
.Item (schema & "sendusername") = "***@company.com"
.Item (schema & "smtpaccountname") = "***@company.com"
.Item (schema & "sendpassword") = "smtppassword"
End With
.Configuration.Fields.Update
.Send
End With
End Sub