Is there a way to find out when in a LAN anyone plugs in a pendrive to the USB port? Programmatically (in C# preferably) or through some tool. Basically I'd imagine a client application sits on each terminal and monitors the USB ports and sends the information to the server.

a.) Can I get the details of the file(s) being copied? b.) Is there a way to do this without a client application?

EDIT

I don't want to disable the USB port entirely. It's to be on a need to have basis. Basically just want the users on the LAN to share data responsibly and know that whatever data is transferred is monitored and logged and can be questioned later.

A: 

Are you trying to prevent the use of USB thumb drives? If so there is a Group Policy that allows you to restrict access.

Nick Berardi
Not entirely. It's on a need to have basis. Basically just want the users on the LAN to share data responsibly and know that whatever data is transferred is monitored and logged and can be questioned later.
+1  A: 

If it's a small environment and you want to prevent any USB devices from being used, then you can disable the USB ports in device manager, make sure no users are set up as administrators on the machines and that should prevent all USB use.

And if you are really paranoid about it, just open the machines and plug out the ports.

+11  A: 

[Assuming Windows, given the C# remark. Please tag accordingly]

Yes, this is possible. And it is possible to get the details of the file. It will require programming, though. Watch for WM_DEVICECHANGE and re-enumerate drives afterwards. It will get you USB pendrives, but also SD cards. I expect that's a bonus for you.

To get more details once you know a drive has arrived, use System.IO.FileSystemWatcher

Update: I found a better solution - if you register for volume interface notifications, you'll get the volume path for the new drive. First, create a DEV_BROADCAST_DEVICEINTERFACE with dbcc_classguid=GUID_DEVINTERFACE_VOLUME. Then pass this to RegisterDeviceNotification(). You will again get a WM_DEVICECHANGE but you can now cast the lParam from the message to DEV_BROADCAST_DEVICEINTERFACE*.

You can pass the dbcc_name you receive to GetVolumeNameForVolumeMountPoint(). You can also pass all drive letters from GetLogicalDriveStrings() to GetVolumeNameForVolumeMountPoint(). You'll have one matching volume name; this is the new drive.

MSalters
Bah, URL parser error. WM_DEVICECHANGE docs @ http://msdn.microsoft.com/en-us/library/aa363480(VS.85).aspx
MSalters
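The volume-notification approach from the answer above, as an added C# example (not code from the answer): it registers for GUID_DEVINTERFACE_VOLUME arrivals, matches the new volume to a drive letter, and logs files created on it with FileSystemWatcher. The class name, the WinForms message window and the console logging are assumptions; a deployed client would forward these lines to the server.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
class VolumeArrivalLogger : Form // hypothetical class name; build as a console app to see the log
{
    const int WM_DEVICECHANGE = 0x0219, DBT_DEVICEARRIVAL = 0x8000, DBT_DEVTYP_DEVICEINTERFACE = 5;
    static readonly Guid GUID_DEVINTERFACE_VOLUME = new Guid("53F5630D-B6BF-11D0-94F2-00A0C91EFB8B");
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr RegisterDeviceNotification(IntPtr recipient, byte[] filter, int flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool GetVolumeNameForVolumeMountPoint(string mountPoint, StringBuilder name, int length);
    protected override void OnHandleCreated(EventArgs e)
    {
        base.OnHandleCreated(e);
        byte[] filter = new byte[32]; // DEV_BROADCAST_DEVICEINTERFACE: size@0, devicetype@4, classguid@12, name@28
        BitConverter.GetBytes(filter.Length).CopyTo(filter, 0);
        BitConverter.GetBytes(DBT_DEVTYP_DEVICEINTERFACE).CopyTo(filter, 4);
        GUID_DEVINTERFACE_VOLUME.ToByteArray().CopyTo(filter, 12);
        if (RegisterDeviceNotification(Handle, filter, 0) == IntPtr.Zero) // 0 = DEVICE_NOTIFY_WINDOW_HANDLE
            throw new System.ComponentModel.Win32Exception();
    }
    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_DEVICECHANGE && m.WParam.ToInt64() == DBT_DEVICEARRIVAL
            && Marshal.ReadInt32(m.LParam, 4) == DBT_DEVTYP_DEVICEINTERFACE)
            OnVolumeArrived(VolumeName(Marshal.PtrToStringUni(IntPtr.Add(m.LParam, 28)))); // dbcc_name
        base.WndProc(ref m);
    }
    static string VolumeName(string mountPoint) // returns \\?\Volume{GUID}\ or null on failure
    {
        var name = new StringBuilder(64);
        return GetVolumeNameForVolumeMountPoint(mountPoint.TrimEnd('\\') + "\\", name, name.Capacity) ? name.ToString() : null;
    }
    void OnVolumeArrived(string arrived)
    {
        foreach (DriveInfo d in DriveInfo.GetDrives()) // managed counterpart of GetLogicalDriveStrings()
        {
            if (arrived == null || VolumeName(d.Name) != arrived) continue; // not the new volume
            Console.WriteLine("{0:o} volume {1} arrived, type {2}", DateTime.UtcNow, d.Name, d.DriveType);
            var w = new FileSystemWatcher(d.Name) { IncludeSubdirectories = true };
            w.Created += (s, e) => Console.WriteLine("{0:o} created {1}", DateTime.UtcNow, e.FullPath);
            w.EnableRaisingEvents = true;
            Disposed += (s, e) => w.Dispose(); // keeps the watcher referenced until the window closes
        }
    }
    [STAThread] static void Main() { Application.Run(new VolumeArrivalLogger()); }
}
```

FileSystemWatcher reports what appears on the drive, not which user or process wrote it, so the log lines need to be tied to the logged-on session separately.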
+1  A: 

Have a look at this article. Explains the messages and how to work with them. Detecting usb drive removal

Steve
+1  A: 

Also check out the registry where all information is stored about the USB devices. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

You can hook into changes of that key in the registry and act upon that.

This free utility is a big help when poking around: http://www.nirsoft.net/utils/usb_devices_view.html

You can select a USB drive, choose to open the registry key for that drive and enable/disable the device and a lot more.

In the registry you can see if the device is connected, if it's of mass storage type and other interesting information. It's easy to filter the regkeys to just get USB mass storage drives and then hook into and wait for changes (connect/disconnect).

With Windows Management Instrumentation you can register to receive Registry events: http://msdn.microsoft.com/en-us/library/aa393035(VS.85).aspx

Check out System.Management in .NET

Stefan
+1  A: 

I've never used it, but the folks at ic#code (sharpdevelop) have a usblib. Maybe it can help you out.

http://www.icsharpcode.net/OpenSource/SharpUSBLib/default.aspx

Bruno Shine
A: 

Thanks guys. All good answers, but I can only select one as the correct one. :)