Script: change in real time the key in the registry

Discussion in 'Scripting' started by Salvador, Aug 30, 2009.

  1. Salvador

    Salvador Guest

    I need a script that notifies any change in real time the key in the
    registry:
    KHLM \ Microsoft \ system \ CurrentControlSet \ Enum \ USBSTOR

    The notice may be by courier to my team and by email.

    As I do?
    Thank you
     
    Salvador, Aug 30, 2009
    #1
    1. Advertisements

  2. Here you go (based on an idea by the Scripting Guy).
    Note that the registry key you quote (KHLM \ Microsoft \ system \
    CurrentControlSet \ Enum \ USBSTOR) does not exist. You must specify the
    correct key in order to get the script to work.

    sHive = "'HKEY_LOCAL_MACHINE'"
    sPath = "'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
    Set objWMIService = GetObject("winmgmts:\\.\root\default")
    Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive= " & sHive _
    & "And KeyPath=" & sPath)

    Do
    Set objLatestEvent = colEvents.NextEvent
    WScript.Echo Now & ": The registry key" & VbCrLf _
    & Replace(sHive & "\" & Replace(sPath, "\\", "\"), "'", "") _
    & VbCrLf & "has been modified."
    Loop

    What do you mean with "by courier"?
     
    Pegasus [MVP], Aug 30, 2009
    #2
    1. Advertisements

  3. Salvador

    Salvador Guest

    Thanks, I mean that the user does not leave any popup, it is sent by email
    if you can notify the administrator that the user has connected a USB or is
    a popup to the administrator.
    Is it possible?
    With the key is: HKLM / system / currentcontrolset / enum / usbstor
     
    Salvador, Aug 30, 2009
    #3
  4. You can try the code below. Note that it will pick up changes at the usbstor
    level but not at any deeper level.

    sHive = "'HKEY_LOCAL_MACHINE'"
    sPath = "'SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'"
    Set objWMIService = GetObject("winmgmts:\\.\root\default")
    Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent " _
    & "WHERE Hive= " & sHive _
    & "And KeyPath=" & sPath)

    Do
    Set objLatestEvent = colEvents.NextEvent
    SendMail sHive, sPath
    Loop

    Sub SendMail(Hive, Path)
    Set oWshShell = CreateObject("WScript.Shell")
    cdoBasic = 1
    schema = "http://schemas.microsoft.com/cdo/configuration/"
    Set objEmail = CreateObject("CDO.Message")
    With objEmail
    .From = ""
    .To = ""
    .Subject = "Registry change report - " _
    & oWshShell.ExpandEnvironmentStrings("%Computername%")
    .Textbody = "The key " & Hive & "\" & Path _
    & " was modified on " & Date & " at " & Time & "."
    With .Configuration.Fields
    .Item (schema & "sendusing") = 2
    .Item (schema & "smtpserver") = "mail.company.com"
    .Item (schema & "smtpserverport") = 25
    .Item (schema & "smtpauthenticate") = cdoBasic
    .Item (schema & "sendusername") = ""
    .Item (schema & "smtpaccountname") = ""
    .Item (schema & "sendpassword") = "smtppassword"
    End With
    .Configuration.Fields.Update
    .Send
    End With
    End Sub
     
    Pegasus [MVP], Aug 30, 2009
    #4
  5. Salvador

    jford Guest

    Just a potential gotcha, if you have anti-virus you may want to check the
    settings because many will not allow a script or custom built application to
    send emails.

    troubleshooting ahead :)
     
    jford, Aug 31, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.