I need a script that gives notice, in real time, of any change to this key in the
registry:
KHLM \ Microsoft \ system \ CurrentControlSet \ Enum \ USBSTOR
The notice may be by courier to my team and by email.
How do I do this?
Thank you
"Salvador" <salvador.carrero@xxxxxx> wrote in message
news:O$eAzFYKKHA.4168@xxxxxx
>I need a script that notifies any change in real time the key in the
>registry:
> KHLM \ Microsoft \ system \ CurrentControlSet \ Enum \ USBSTOR
>
> The notice may be by courier to my team and by email.
>
> As I do?
> Thank you
>
Here you go (based on an idea by the Scripting Guy).
Note that the registry key you quote (KHLM \ Microsoft \ system \
CurrentControlSet \ Enum \ USBSTOR) does not exist. You must specify the
correct key in order to get the script to work.
' Hive and key path, single-quoted for the WQL query (backslashes doubled for WQL)
sHive = "'HKEY_LOCAL_MACHINE'"
sPath = "'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Set objWMIService = GetObject("winmgmts:\\.\root\default")
' Subscribe to change events for this one key
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive=" & sHive _
    & " AND KeyPath=" & sPath)

Do
    ' NextEvent blocks until the key changes
    Set objLatestEvent = colEvents.NextEvent
    WScript.Echo Now & ": The registry key" & VbCrLf _
        & Replace(sHive & "\" & Replace(sPath, "\\", "\"), "'", "") _
        & VbCrLf & "has been modified."
Loop
What do you mean with "by courier"?
Thanks, I mean that the user does not leave any popup, it is sent by email
if you can notify the administrator that the user has connected a USB or is
a popup to the administrator.
Is it possible?
The key is: HKLM / system / currentcontrolset / enum / usbstor
"Pegasus [MVP]" <news@xxxxxx> wrote in message
news:Oe55V$YKKHA.4376@xxxxxx
>
> "Salvador" <salvador.carrero@xxxxxx> wrote in message
> news:O$eAzFYKKHA.4168@xxxxxx>
>>I need a script that notifies any change in real time the key in the
>>registry:
>> KHLM \ Microsoft \ system \ CurrentControlSet \ Enum \ USBSTOR
>>
>> The notice may be by courier to my team and by email.
>>
>> As I do?
>> Thank you
>>
> Here you go (based on an idea by the Scripting Guy).
> Note that the registry key you quote (KHLM \ Microsoft \ system \
> CurrentControlSet \ Enum \ USBSTOR) does not exist. You must specify the
> correct key in order to get the script to work.
>
> sHive = "'HKEY_LOCAL_MACHINE'"
> sPath = "'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
> Set objWMIService = GetObject("winmgmts:\\.\root\default")
> Set colEvents = objWMIService.ExecNotificationQuery _
> ("SELECT * FROM RegistryKeyChangeEvent " _
> & "WHERE Hive= " & sHive _
> & "And KeyPath=" & sPath)
>
> Do
> Set objLatestEvent = colEvents.NextEvent
> WScript.Echo Now & ": The registry key" & VbCrLf _
> & Replace(sHive & "\" & Replace(sPath, "\\", "\"), "'", "") _
> & VbCrLf & "has been modified."
> Loop
>
> What do you mean with "by courier"?
>
"Salvador" <salvador.carrero@xxxxxx> wrote in message
news:OJ1RykaKKHA.4608@xxxxxx
> Thanks, I mean that the user does not leave any popup, it is sent by email
> if you can notify the administrator that the user has connected a USB or
> is a popup to the administrator.
> Is it possible?
> With the key is: HKLM / system / currentcontrolset / enum / usbstor
>
You can try the code below. Note that it will pick up changes at the usbstor
level but not at any deeper level.
' Hive and key path, single-quoted for the WQL query (backslashes doubled for WQL)
sHive = "'HKEY_LOCAL_MACHINE'"
sPath = "'SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'"
Set objWMIService = GetObject("winmgmts:\\.\root\default")
' Subscribe to change events for the USBSTOR key itself
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive=" & sHive _
    & " AND KeyPath=" & sPath)

Do
    ' NextEvent blocks until the key changes, then one mail is sent per event
    Set objLatestEvent = colEvents.NextEvent
    SendMail sHive, sPath
Loop

' Sends the notification through an SMTP server using CDO.
' Addresses, server name and password below are placeholders.
Sub SendMail(Hive, Path)
    Set oWshShell = CreateObject("WScript.Shell")
    cdoBasic = 1
    schema = "http://schemas.microsoft.com/cdo/configuration/"
    Set objEmail = CreateObject("CDO.Message")
    With objEmail
        .From = "james@xxxxxx"
        .To = "jack@xxxxxx"
        .Subject = "Registry change report - " _
            & oWshShell.ExpandEnvironmentStrings("%Computername%")
        .Textbody = "The key " & Hive & "\" & Path _
            & " was modified on " & Date & " at " & Time & "."
        With .Configuration.Fields
            .Item (schema & "sendusing") = 2          ' 2 = send over the network to an SMTP server
            .Item (schema & "smtpserver") = "mail.company.com"
            .Item (schema & "smtpserverport") = 25
            ' Basic authentication: the password is stored in this script in plain
            ' text and crosses the network unencrypted unless smtpusessl is enabled.
            .Item (schema & "smtpauthenticate") = cdoBasic
            .Item (schema & "sendusername") = "james@xxxxxx"
            .Item (schema & "smtpaccountname") = "john@xxxxxx"
            .Item (schema & "sendpassword") = "smtppassword"
        End With
        .Configuration.Fields.Update
        .Send
    End With
End Sub
Just a potential gotcha, if you have anti-virus you may want to check the
settings because many will not allow a script or custom built application to
send emails.
troubleshooting ahead
"Pegasus [MVP]" wrote:
>
> "Salvador" <salvador.carrero@xxxxxx> wrote in message
> news:OJ1RykaKKHA.4608@xxxxxx>
> > Thanks, I mean that the user does not leave any popup, it is sent by email
> > if you can notify the administrator that the user has connected a USB or
> > is a popup to the administrator.
> > Is it possible?
> > With the key is: HKLM / system / currentcontrolset / enum / usbstor
> >
> You can try the code below. Note that it will pick up changes at the usbstor
> level but not at any deeper level.
>
> sHive = "'HKEY_LOCAL_MACHINE'"
> sPath = "'SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'"
> Set objWMIService = GetObject("winmgmts:\\.\root\default")
> Set colEvents = objWMIService.ExecNotificationQuery _
> ("SELECT * FROM RegistryKeyChangeEvent " _
> & "WHERE Hive= " & sHive _
> & "And KeyPath=" & sPath)
>
> Do
> Set objLatestEvent = colEvents.NextEvent
> SendMail sHive, sPath
> Loop
>
> Sub SendMail(Hive, Path)
> Set oWshShell = CreateObject("WScript.Shell")
> cdoBasic = 1
> schema = "http://schemas.microsoft.com/cdo/configuration/"
> Set objEmail = CreateObject("CDO.Message")
> With objEmail
> .From = "james@xxxxxx"
> .To = "jack@xxxxxx"
> .Subject = "Registry change report - " _
> & oWshShell.ExpandEnvironmentStrings("%Computername%")
> .Textbody = "The key " & Hive & "\" & Path _
> & " was modified on " & Date & " at " & Time & "."
> With .Configuration.Fields
> .Item (schema & "sendusing") = 2
> .Item (schema & "smtpserver") = "mail.company.com"
> .Item (schema & "smtpserverport") = 25
> .Item (schema & "smtpauthenticate") = cdoBasic
> .Item (schema & "sendusername") = "james@xxxxxx"
> .Item (schema & "smtpaccountname") = "john@xxxxxx"
> .Item (schema & "sendpassword") = "smtppassword"
> End With
> .Configuration.Fields.Update
> .Send
> End With
> End Sub
>
>
>
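Pegasus notes above that the RegistryKeyChangeEvent query sees changes at the USBSTOR level but not deeper. The following is an added example, not code from the thread: it subscribes to RegistryTreeChangeEvent for the whole USBSTOR subtree and compares subkey snapshots (read with StdRegProv) to name the device key that appeared. The Snapshot helper and all variable names are assumptions of this example.

```vbscript
' Added example: watch the whole USBSTOR subtree and report new device keys.
Option Explicit
Const HKLM = &H80000002
Const USBSTOR = "SYSTEM\CurrentControlSet\Enum\USBSTOR"

Dim oWmi, oReg, colEvents, oEvent, known, current, sKey
Set oWmi = GetObject("winmgmts:\\.\root\default")
Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

' RegistryTreeChangeEvent fires for a change anywhere under RootPath,
' unlike RegistryKeyChangeEvent, which covers only the named key.
Set colEvents = oWmi.ExecNotificationQuery( _
    "SELECT * FROM RegistryTreeChangeEvent " & _
    "WHERE Hive='HKEY_LOCAL_MACHINE' " & _
    "AND RootPath='" & Replace(USBSTOR, "\", "\\") & "'")

Set known = Snapshot()
Do
    Set oEvent = colEvents.NextEvent   ' blocks until something in the tree changes
    Set current = Snapshot()
    For Each sKey In current.Keys
        If Not known.Exists(sKey) Then
            WScript.Echo Now & ": new USB storage key " & sKey
        End If
    Next
    Set known = current
Loop

' Returns a dictionary keyed by "deviceClass\instanceId" for the keys below USBSTOR.
Function Snapshot()
    Dim d, classes, instances, c, i
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare          ' registry key names are case-insensitive
    oReg.EnumKey HKLM, USBSTOR, classes    ' classes is Null when there are no subkeys
    If IsArray(classes) Then
        For Each c In classes
            oReg.EnumKey HKLM, USBSTOR & "\" & c, instances
            If IsArray(instances) Then
                For Each i In instances
                    d(c & "\" & i) = True
                Next
            Else
                d(c) = True
            End If
        Next
    End If
    Set Snapshot = d
End Function
```

A device that has been connected to this machine before already has its key, so the snapshot comparison reports only first-time devices. Replace the WScript.Echo line with a call to the thread's SendMail routine to get the e-mail notice.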