Monitor Everything with Monitis – And do it easily with PowerShell – Part 11

Monitoring Removable Disks on Many Computers with Monitis and PowerShell

In the last articles, we talked about how to use Register-WmiEvent together with custom monitors to track when a user connects to a shared folder. Today, we'll use the same techniques to cover a very common systems administrator need: knowing when a USB drive has been plugged in.

The basic pattern of this script is the same as the one we did last time:

Register-WmiEvent -Query 'Stuff From WMI' -Action {
    Update-MonitisCustomMonitor -Name MyMonitor -value @{…}
}

Monitoring shared folders was actually a notch harder than this will be, because shared folders use intrinsic events (events built into WMI's core), like __InstanceCreationEvent. Other events are more efficient and expose their information much closer to the surface, and that is what lets us check for new drives so easily.

Let's show the code that hooks into an event from WMI and updates a custom monitor in Monitis, and walk through it bit by bit.

Register-WmiEvent -Query "Select * from Win32_VolumeChangeEvent" -Action {
    # Extrinsic events carry their data directly on NewEvent
    $newDriveName = $eventArgs.NewEvent.DriveName
    # EventType 2 is a device arrival; anything else is treated as a removal here
    $driveAdded = if ($eventArgs.NewEvent.EventType -eq 2) { "Added" } else { "Removed" }
    # The sender's scope path looks like \\COMPUTER\root\cimv2, so the first
    # non-empty segment is the machine that raised the event
    $computerName = $sender.Scope.Path.Path.Split("\", [StringSplitOptions]"RemoveEmptyEntries")|
        Select-Object -First 1
    Update-MonitisCustomMonitor -Name "DriveAddedOrRemoved" -value @{
        DriveName = $newDriveName
        DriveAddedOrRemoved = $driveAdded
        ComputerName = $computerName
    }
}

The query we use this time is "Select * from Win32_VolumeChangeEvent". That's a lot easier than yesterday's query to catch new connections to a share: 'SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_SessionConnection"'. This is because the designers of the part of WMI that works with the filesystem were nice enough to include the volume change event.

In the event args of the removable disk, we have the same NewEvent property we ran into the other day. Every WMI event has this. Intrinsic events then have their information buried inside of TargetInstance. Extrinsic events (like Win32_VolumeChangeEvent) keep their information right on NewEvent.

$newDriveName is the DriveName found in NewEvent, and $driveAdded is set by looking at the EventType. If the type is 2, we say the drive was added; otherwise, we say it was removed.

The tricky part is how we get the computer name. Every event in PowerShell has two items, the sender and the event args. The event args, as you've seen, normally contain data about what's going on. The sender tells you where it came from. In WMI, the sender contains a path to where in WMI the event comes from, and that path includes which computer sent the event.

This last little tidbit is key. Because WMI is installed on every Windows machine since 2000 and natively supports remoting, we can use this technique to find out when a drive is plugged in to any machine in our network, and upload those results to a custom monitor in Monitis… in just 16 lines of code.

And here are those 16 sweet lines, assuming you’ve got a file on your desktop named computers.txt that has a list of computers in your domain:

Import-Module Monitis
Connect-Monitis
# One computer name per line
$computers = Get-Content $home\Desktop\computers.txt
foreach ($computer in $computers) {
    # Subscribe to volume change events on each remote machine over WMI
    Register-WmiEvent -ComputerName $computer -Query "Select * from Win32_VolumeChangeEvent" -Action {
        $newDriveName = $eventArgs.NewEvent.DriveName
        # EventType 2 is a device arrival; anything else is treated as a removal here
        $driveAdded = if ($eventArgs.NewEvent.EventType -eq 2) { "Added" } else { "Removed" }
        # First non-empty segment of \\COMPUTER\root\cimv2 is the sending machine
        $computerName = $sender.Scope.Path.Path.Split("\", [StringSplitOptions]"RemoveEmptyEntries")|
            Select-Object -First 1
        Update-MonitisCustomMonitor -Name "DriveAddedOrRemoved" -value @{
            DriveName = $newDriveName
            DriveAddedOrRemoved = $driveAdded
            ComputerName = $computerName
        }
    }
}
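As an added example (not the post's own code), here is the same watcher with three refinements a practitioner would want: the EventType filter moved into the WQL query so configuration-change and docking events never get reported as "Removed", a SourceIdentifier per computer so the subscriptions can be cleaned up, and a try/catch so one unreachable host does not abort the loop. It assumes the same Monitis module and computers.txt file the post uses.

```powershell
# Added example, not from the original post. Assumes the Monitis module from
# this series is installed and $home\Desktop\computers.txt exists.
Import-Module Monitis
Connect-Monitis

# Win32_VolumeChangeEvent.EventType: 1 = configuration changed, 2 = device
# arrival, 3 = device removal, 4 = docking. The original script's else-branch
# would label 1 and 4 as "Removed", so filter them out in WQL before the
# action even runs.
$query = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3"

$computers = Get-Content "$home\Desktop\computers.txt"
foreach ($computer in $computers) {
    try {
        Register-WmiEvent -ComputerName $computer -Query $query `
            -SourceIdentifier "VolumeChange-$computer" -ErrorAction Stop -Action {
            $type = [int]$eventArgs.NewEvent.EventType
            # Only 2 and 3 can reach this point because of the WQL filter
            $driveAdded = if ($type -eq 2) { "Added" } else { "Removed" }
            # Scope path is \\COMPUTER\root\cimv2; the first non-empty segment
            # is the machine that raised the event. Parsed inline because the
            # action block runs later, when script-scope functions may be gone.
            $segments = $sender.Scope.Path.Path.Split("\", [StringSplitOptions]::RemoveEmptyEntries)
            $computerName = $segments[0]
            Update-MonitisCustomMonitor -Name "DriveAddedOrRemoved" -value @{
                DriveName           = $eventArgs.NewEvent.DriveName
                DriveAddedOrRemoved = $driveAdded
                ComputerName        = $computerName
            }
        }
    } catch {
        # Hosts that are offline or block remote WMI would otherwise stop the loop
        Write-Warning "Could not subscribe on $computer : $_"
    }
}

# When finished, remove every subscription this script created:
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'VolumeChange-*' } | Unregister-Event
```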

You really can monitor absolutely anything with Monitis and PowerShell. PowerShell gives you a world of information at your fingertips, and Monitis lets you track that information and keep it safe in the cloud. Of course, PowerShell's not limited to just WMI, and Monitis isn't limited to just tracking information. Tomorrow, we'll start to introduce event log monitoring and notification rules.

See also:

Monitor Everything with Monitis – And do it easily with PowerShell – Part 1

Part 2: Managing External Monitors with Monitis and PowerShell

Part 3: Mining External Monitor Results with Monitis and PowerShell

Part 4: Monitoring Web Applications with Monitis

Part 5: Testing Web Content with Monitis, Excel, and PowerShell

Part 6: Monitoring Anything with a Custom Monitor

Part 7: Hardware Inventory with Monitis Custom Monitors

Part 8: Monitoring Logons with Monitis

Part 9: Monitoring Connections to Shared Folders with Monitis and Custom Monitors

Part 10: Inventory Windows Installations with Monitis and PowerShell
