script for: "does any computer have a flash drive?" 4

[wvdba]

hi,
i have been asked to write a script that polls all computers (about 40) in the network and examines the drive letters to see if anybody has a flash drive inserted in the USB port. all the computers in the network have a hard drive (c and a cd-rom drive (d. so, i guess the script will look to see if anybody has drive letters e:, f:, etc. can this be done with a vb script using wmi facility?
thanks.

 

[vicvirk]

Two reason why I can think of that you would want to do this:

1. Steal information from a person's flash drive
2. Ensure people don't steal files from the company by bringing in a flash drive and copy files to it.

If it's #2 - just disable the use of flash drives altogether, here's an article on how to do it:

http://www.petri.co.il/disable_usb_disks_with_gpo.htm

TIP: trying googling the answer before posting, you'll find that more times than not someone else somewhere has had the same request and posted an answer online.
----
I have recently been semi-converted to ensuring all my code (well most of it) works in both javascript and non-javascript enabled browsers

 

[vicvirk]

^ by "you" I meant "your company" - it was not meant to be a personal attack ....

TIP: trying googling the answer before posting, you'll find that more times than not someone else somewhere has had the same request and posted an answer online.
----
I have recently been semi-converted to ensuring all my code (well most of it) works in both javascript and non-javascript enabled browsers

 

[markdmac]

This can be a useful security tool so I decided to build a solution. Here you go. vicvirk Thanks for sharing the link to block via GPO. I've included that link in the comments of the script.

'==========================================================================
'
' NAME: ReportThumbdrives.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: [URL unfurl="true"]http://www.thespidersparlor.com[/URL]
' DATE  : 5/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT: Reports PCs in domain with USB drives attached.
'          Useful for Security audits.
'          Block USB drive access via GPO
'          [URL unfurl="true"]http://www.petri.co.il/disable_usb_disks_with_gpo.htm[/URL]
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'==========================================================================
On Error Resume Next

strReportPath = "ComputersWithUSB.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WSHShell = CreateObject("Wscript.Shell")
Set objFile = objFSO.OpenTextFile(strReportPath, 8, True, 0)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "File " & strFilePath & " cannot be created"
    Set objFSO = Nothing
    Wscript.Quit
End If

Set oRootDSE = GetObject("LDAP://rootDSE")

strDom = oRootDSE.Get("DefaultNamingContext")

' available categories = computer, user, printqueue, group
qQuery = "<LDAP://" & strDom & ">;" & _
        "(objectCategory=computer)" & _
       ";name;subtree"
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
Set objRecordSet = objCommand.Execute

Do until objRecordSet.EOF
    strPingStatus = PingStatus(objRecordSet.Fields("name"))
    If strPingStatus = "Success" Then
            Report = CheckUSB(objRecordSet.Fields("name"))   
    Else
        Report = Report & vbCrLf & "********************************"
        Report = Report & vbCrLf & objRecordSet.Fields("name") & " is offline"
        Report = Report & vbCrLf & "********************************"
        objRecordSet.Fields("name")
    End If
    objFile.Write Report
    objrecordset.MoveNext
loop

adoRecordset.Close
WSHShell.Run "ComputersWithUSB.txt"

Function CheckUSB(strcomputer)
    
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    If Err.Number = 0 Then
        Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskDrive WHERE InterfaceType='USB'",,48)
        For Each objItem in colItems
            If Int(objItem.Size) > 0 Then
                Report = Report & vbCrLf & "********************************"
                Report =Report & vbCrLf & "SystemName: " & objItem.SystemName
                Report = Report & vbCrLf &  "Caption: " & objItem.Caption
                Report =Report & vbCrLf & "InterfaceType: " & objItem.InterfaceType
                Report =Report & vbCrLf & "Size: " & objItem.Size
                Report = Report & vbCrLf & "********************************"
            End If
        Next
    End If
    If Len(Report) = 0 Then
                Report = Report & vbCrLf & "********************************"
                Report = Report & vbCrLf & strComputer & " does not have USB drives."
                Report = Report & vbCrLf & "********************************"
    End If
    CheckUSB = Report
End Function

Function PingStatus(strComputer)

    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strWorkstation & "\root\cimv2")
    Set colPings = objWMIService.ExecQuery _
      ("SELECT * FROM Win32_PingStatus WHERE Address = '" & strComputer & "'")
    For Each objPing in colPings
        Select Case objPing.StatusCode
            Case 0 PingStatus = "Success"
            Case 11001 PingStatus = "Status code 11001 - Buffer Too Small"
            Case 11002 PingStatus = "Status code 11002 - Destination Net Unreachable"
            Case 11003 PingStatus = "Status code 11003 - Destination Host Unreachable"
            Case 11004 PingStatus = _
              "Status code 11004 - Destination Protocol Unreachable"
            Case 11005 PingStatus = "Status code 11005 - Destination Port Unreachable"
            Case 11006 PingStatus = "Status code 11006 - No Resources"
            Case 11007 PingStatus = "Status code 11007 - Bad Option"
            Case 11008 PingStatus = "Status code 11008 - Hardware Error"
            Case 11009 PingStatus = "Status code 11009 - Packet Too Big"
            Case 11010 PingStatus = "Status code 11010 - Request Timed Out"
            Case 11011 PingStatus = "Status code 11011 - Bad Request"
            Case 11012 PingStatus = "Status code 11012 - Bad Route"
            Case 11013 PingStatus = "Status code 11013 - TimeToLive Expired Transit"
            Case 11014 PingStatus = _
              "Status code 11014 - TimeToLive Expired Reassembly"
            Case 11015 PingStatus = "Status code 11015 - Parameter Problem"
            Case 11016 PingStatus = "Status code 11016 - Source Quench"
            Case 11017 PingStatus = "Status code 11017 - Option Too Big"
            Case 11018 PingStatus = "Status code 11018 - Bad Destination"
            Case 11032 PingStatus = "Status code 11032 - Negotiating IPSEC"
            Case 11050 PingStatus = "Status code 11050 - General Failure"
            Case Else PingStatus = "Status code " & objPing.StatusCode & _
               " - Unable to determine cause of failure."
        End Select
    Next

End Function

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

vicvirk,
thanks for responding. I have been asked by the management to do this, due to sensitive information (personal identification of clients) being carried out of the system. as a programmer in the I.T. department not only myself, but most of the I.T. staff have full access to users' drives. and besides, i didn't want to "steal" anything off of anybody's flash drive. just a list of computer names to give to the management so that those users can be told not to bring any flash drives to work. i have always appreciated all your support and helpful answers.
cheers.

 

[wvdba]

thanks markdmac
i think that will do what i need.
cheers.

 

[wvdba]

markdmac,
i tried this code. but i'm not getting a good hit on my own machine. i have a usb drive attached to it.
what could be the problem?

 

[markdmac]

Is it a member of a domain? The script binds to AD and enumerates all of the computers. It then does a WMI query for drives of type USB.

You can test WMI access on your PC witht he following abridged version:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    If Err.Number = 0 Then
        Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskDrive WHERE InterfaceType='USB'",,48)
        For Each objItem in colItems
            If Int(objItem.Size) > 0 Then
                Report = Report & vbCrLf & "********************************"
                Report =Report & vbCrLf & "SystemName: " & objItem.SystemName
                Report = Report & vbCrLf &  "Caption: " & objItem.Caption
                Report =Report & vbCrLf & "InterfaceType: " & objItem.InterfaceType
                Report =Report & vbCrLf & "Size: " & objItem.Size
                Report = Report & vbCrLf & "********************************"
            End If
        Next
        If Len(Report) = 0 Then
        	Report = "No USB Drives Found"
        End If
    Else
    	WScript.Echo "Error accessign WMI- ErrorID:" & Err.Number & " " &Err.Description
    End If
WScript.Echo Report

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

thanks mark,
this latest code worked. but the other one on top didn't. it says everything is offline. i'm not sure if i have the domain right. when i look at "my computer" properties, under computer name it has this:
Domain: xyz.com
full computer name: mypc.xyz.com
where do i need to input this info in your code?
thanks.

 

[markdmac]

OK, sounds like we have a problem with getting the domain info. Please execute this and tell me the result.

Set oRootDSE = GetObject("LDAP://rootDSE")
strDom = oRootDSE.Get("DefaultNamingContext")
wscript.echo strDom

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

i ran this small code snippet. this is what displayed:
DC=xyz,DC=com

 

[markdmac]

OK, so that is good. We are successfully getting domain information. From what OS are you executing the script? The Ping function uses newer WMI capabilities, does your network user IPV6? Can you test running the script from a Vista machine or Server 2008?

From MSDN:

http://msdn.microsoft.com/en-us/library/aa394350(VS.85).aspx[/URL]]
Win32_PingStatus Class

The Win32_PingStatus?WMI class represents the values returned by the standard ping command. More information about ping can be found in RFC 791.

Starting with Windows Vista, Win32_PingStatus can return data for computers that have both IPv4 addresses and IPv6 addresses.

Windows Server 2003 and Windows XP: Win32_PingStatus only returns data for computers running IPv4. For more information, see IPv6 and IPv4 Support in WMI

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

our server is windows serer 2003
i'm running windows xp.

 

[wvdba]

i think the reason it's not working is because the variable workstation is not defined.

 

[markdmac]

Thanks for the debug assistance wvdba. Bad copy paste on my part when grabbing my ping function from another script.

Change this

Function PingStatus(strComputer)

to this

Function PingStatus(strWorkstation)

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

thanks mark.
that worked and pointed to some machines that had usb. but, it's repeating the same machines 10-20 times. any reason why it's doing that?

 

[wvdba]

it's stuck in a loop. it has created a test file with size of 40 GB. it's still writing to it.

 

[markdmac]

That doesn't make sense.

The loop is controlled by this:

[red]
Do until objRecordSet.EOF[/red]
    strPingStatus = PingStatus(objRecordSet.Fields("name"))
    If strPingStatus = "Success" Then
            Report = CheckUSB(objRecordSet.Fields("name"))   
    Else
        Report = Report & vbCrLf & "********************************"
        Report = Report & vbCrLf & objRecordSet.Fields("name") & " is offline"
        Report = Report & vbCrLf & "********************************"
        objRecordSet.Fields("name")
    End If
    objFile.Write Report
    [red]objrecordset.MoveNext[/red]
loop

The parts in red control moving through the records.

You can stop the script via Task Manager. Stop Wscript.exe.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[markdmac]

Did you figure anything out why you were getting an endless loop? Does not do that on my end.



I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wvdba]

thanks mark,
i haven't been able to figure out why. it just goes in a loop. i think the ping status doesn't return a good value or something.