CheckIfApprovedUSB.ps1
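# Make sure the "CheckUSB" event source exists in the Windows Application log.
# Creating a source needs an elevated session.
# NOTE(review): nothing in the lines shown here writes to this source; the
# event action logs to a file under C:\programdata\usbcontrol only - confirm
# whether Write-EventLog calls were intended.
if (-not [System.Diagnostics.EventLog]::SourceExists("CheckUSB")) {
    # Event log source does not exist, so we create it
    New-EventLog -LogName Application -Source "CheckUSB"
}

# Unregister this event only, so re-running the script does not stack a second
# subscription. On a first run there is nothing to remove, so the resulting
# "subscription does not exist" error is suppressed instead of being printed.
Unregister-Event -SourceIdentifier RemovableDiskDetection -Force -ErrorAction SilentlyContinue

# Earlier variant, kept for reference:
# $query = "SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.DriveType=2"
#
# WITHIN 5 makes WMI poll every 5 seconds, so a newly attached device can stay
# enabled for up to that long before the action below disables it.
# The filter matches on the PnP Description text only.
# NOTE(review): devices whose description differs (localized Windows, drives
# attached through a different storage driver, non-mass-storage USB classes)
# are presumably not matched by this LIKE clause - verify coverage on the
# target fleet.
$query = "SELECT * From __InstanceOperationEvent WITHIN 5 Where TargetInstance ISA 'Win32_PNPEntity' And TargetInstance.Description LIKE '%USB Mass Storage Device%' "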
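# Event action run for every WMI event delivered by the subscription.
# On creation/modification events the device is disabled first, then its serial
# is looked up in the approved list and the device is re-enabled only on a match.
# Deletion events are logged only.
#
# Security notes for operators:
#  - The "serial" is simply the last "\"-separated segment of the PnP DeviceID.
#    It is reported by the device itself and is not authenticated, and devices
#    without a hardware serial get an OS-generated instance id in that position,
#    so treat the list as an inventory control rather than strong authentication.
#  - The approved list and the log both live under C:\programdata\usbcontrol.
#    No ACL is set anywhere in the lines shown; whoever can write
#    usb_serial.json can approve a device, so restrict write access on that
#    directory to administrators.
$action = {
    $strUSBSerialFilename = "C:\programdata\usbcontrol\usb_serial.json"
    $strClass = $eventArgs.NewEvent.__CLASS
    $strPNPdeviceID = $eventArgs.NewEvent.TargetInstance.DeviceID
    # Last path segment of the DeviceID is used as the serial number.
    $arraySplitPNPdeviceID = $strPNPdeviceID.split("\")
    $strConnectedUSBSerial = $arraySplitPNPdeviceID[-1]
    $strlogfile = 'c:\programdata\usbcontrol\usbcontrol.log'
    # NOTE(review): index 19 of GetDateTimeFormats() depends on the current
    # culture, so the timestamp layout can differ between machines.
    $strdatetime = Get-Date
    $strdatetime = $strdatetime.GetDateTimeFormats()[19]

    # Read the approved-USB JSON file and return its parsed content.
    # Returns nothing when the file is missing (callers then approve nothing);
    # logs and raises a terminating error when the file cannot be read or parsed.
    function Read-approved-USB($strFileWithPath) {
        if (-not (Test-Path $strFileWithPath)) {
            # Record why every device is about to be rejected instead of failing silently.
            $strMessageToSend = " [$strdatetime] Error: approved USB file $strFileWithPath not found"
            Write-Host " $strMessageToSend "
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
            return
        }
        $tempObj = $null
        try {
            $tempObj = Get-Content -Raw -Path $strFileWithPath | ConvertFrom-Json
            Write-Output $tempObj # Return powershell representation of JSON file back . Must have this line.
        }
        catch {
            $ErrorMessage = $_.Exception.Message
            $FailedItem = $_.Exception.ItemName
            $strMessageToSend = " [$strdatetime] Error: $ErrorMessage for $FailedItem"
            Write-Host " $strMessageToSend "
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
            # Terminating error: the caller has already disabled the device, so it stays disabled.
            Write-Error $StrMessageToSend -ErrorAction Stop
        }
    }

    # Compare the connected serial with every entry of ValidSerialNumbers.
    # Writes 1 to the pipeline when a USBSerial entry matches, otherwise 0.
    # Each comparison is logged to the host and to the log file.
    function Check-for-approved-USB ($strSerialFileName, $strConUSBSerial) {
        $IntReturnValue = 0
        $objSerials = Read-approved-USB $strSerialFileName
        foreach ($ApprovedSN in $objSerials.ValidSerialNumbers) {
            # A missing file or an empty list yields a null entry; nothing to compare.
            if ($null -eq $ApprovedSN) { continue }
            if ($ApprovedSN.USBSerial -eq $strConUSBSerial) {
                #The USB serial is on the approved list, indicate that by setting IntReturnValue to 1
                $IntReturnValue = 1
                # Log the serial that was actually compared (the original referenced an undefined variable here).
                $strMessageToSend = "USB [$strdatetime]JSON value: " + $ApprovedSN.USBSerial + " Equals " + $strConUSBSerial
                Write-Host "$strMessageToSend"
                Write-Output "$strMessageToSend " | Out-File $strlogfile -Append
            }
            else {
                $strMessageToSend = "USB [$strdatetime] JSON value: " + $ApprovedSN.USBSerial + " Not equals " + $strConUSBSerial
                Write-Host " $strMessageToSend"
                Write-Output "$strMessageToSend " | Out-File $strlogfile -Append
            }
        }
        Write-Output $IntReturnValue
    }

    # Disable the device before the approval check and log a failure to do so.
    function Disable-USB-until-checked($strDeviceId) {
        try {
            Disable-PnpDevice -InstanceId $strDeviceId -Confirm:$false -ErrorAction Stop
        }
        catch {
            # If the disable fails the device stays usable whatever the check says,
            # so make that visible in the log rather than passing over it silently.
            $strMessageToSend = "USB [$strdatetime] Error: could not disable $strDeviceId before approval check: " + $_.Exception.Message
            Write-Host $strMessageToSend
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
        }
    }

    switch ($strClass) {
        __InstanceCreationEvent {
            $intApprovedUSB = 0
            # Block first, decide afterwards.
            Disable-USB-until-checked $strPNPdeviceID
            $intApprovedUSB = Check-for-approved-USB $strUSBSerialFilename $strConnectedUSBSerial
            $strMessageToSend = "USB [$strdatetime] Insertion event for $strPNPdeviceID. Check if approved returned: $intApprovedUSB"
            Write-Host $strMessageToSend
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
            if ($intApprovedUSB -eq 1) {
                $strMessageToSend = "USB [$strdatetime] Inserted, device id: $strPNPdeviceID with serial: $strConnectedUSBSerial on approved list."
                Write-Host $strMessageToSend
                Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
                Enable-PnpDevice -InstanceId $strPNPdeviceID -Confirm:$false
            }
            else {
                # Not approved: the device is left disabled.
                $strMessageToSend = "USB [$strdatetime] Inserted, device id: $strPNPdeviceID with serial: $strConnectedUSBSerial not on approved list."
                Write-Host $strMessageToSend
                Write-Output "$strMessageToSend " | Out-File $strlogfile -Append
            }
        }
        __InstanceDeletionEvent {
            $strMessageToSend = "USB [$strdatetime] Removed, device id: $strPNPdeviceID with serial: $strConnectedUSBSerial"
            Write-Host $strMessageToSend
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
        }
        __InstanceModificationEvent {
            # Same disable/check/enable sequence as for creation events; the result
            # messages below still say "Inserted".
            # NOTE(review): Disable-/Enable-PnpDevice change the PnP entity themselves,
            # which may raise further modification events - confirm this cannot re-trigger in a loop.
            $intApprovedUSB = 0
            Disable-USB-until-checked $strPNPdeviceID
            $intApprovedUSB = Check-for-approved-USB $strUSBSerialFilename $strConnectedUSBSerial
            $strMessageToSend = "USB [$strdatetime] Modification event for $strPNPdeviceID. Check if approved returned: $intApprovedUSB"
            Write-Host $strMessageToSend
            Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
            if ($intApprovedUSB -eq 1) {
                $strMessageToSend = "USB [$strdatetime] Inserted, device id: $strPNPdeviceID with serial: $strConnectedUSBSerial on approved list."
                Write-Host $strMessageToSend
                Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
                Enable-PnpDevice -InstanceId $strPNPdeviceID -Confirm:$false
            }
            else {
                $strMessageToSend = "USB [$strdatetime] Inserted, device id: $strPNPdeviceID with serial: $strConnectedUSBSerial not on approved list."
                Write-Host $strMessageToSend
                Write-Output " $strMessageToSend " | Out-File $strlogfile -Append
            }
        }
    }
}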
# Subscribe to the WMI query on the local computer; $action runs for each
# event delivered under the RemovableDiskDetection source identifier.
$wmiSubscription = @{
    Query            = $query
    SourceIdentifier = 'RemovableDiskDetection'
    Action           = $action
    ComputerName     = $ENV:COMPUTERNAME
}
Register-WmiEvent @wmiSubscription