Somebody asked a question on microsoft.public.scripting.wsh recently about monitoring network shares using Windows scripting. I wasn’t sure if this was possible (i.e. using event sinks or something of the like), so I started Googling around to see what I could find. After several unsuccessful searches, I finally came across something useful - Running a Script Based on an Event [WMI].
Although it was a little complex, it got me on the right track regarding monitoring events and the Win32 class I would need to focus on, Win32_ServerConnection. Once I knew what I was looking for, it was only a matter of time before I found some sample code to monitor connections to network shares.
The end result, for those of you at home, if that link above dissappears, is as follows:
{% codeblock %} {% codeblock %}Set services = GetObject("WinMgmts:")services.security_.privileges.addasstring "sedebugprivilege"Set sink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")services.ExecNotificationQueryAsync sink, _ "select * from _InstanceCreationEvent " & "WITHIN 1 where Targetinstance ISA ‘Win32_ServerConnection’" MsgBox "Wait for an event. " & VBCRLF & "Click OK to stop watching for events!"Sub SINK_OnObjectReady(objWbemObject, objAsyncContext) Wscript.Echo " Share Name: " & _ objWbemObject.TargetInstance.ShareName Wscript.Echo " Computer : " & _ objWbemObject.TargetInstance.ComputerName Wscript.Echo " User : " & _ objWbemObject.TargetInstance.UserName Wscript.Echo End Sub {% endcodeblock %}{% endcodeblock %}This will print out a line with the share name, and originating IP address and username any time a connection is made to a share. I learn more about Windows Scripting Host every day.