Damon Cortesi's blog

Musings of an entrepreneur.

Monitor Network Shares Using Windows Scripting


Somebody asked a question on microsoft.public.scripting.wsh recently about monitoring network shares using Windows scripting. I wasn’t sure if this was possible (i.e. using event sinks or something of the like), so I started Googling around to see what I could find. After several unsuccessful searches, I finally came across something useful - Running a Script Based on an Event [WMI].

Although it was a little complex, it got me on the right track regarding monitoring events and the Win32 class I would need to focus on, Win32_ServerConnection. Once I knew what I was looking for, it was only a matter of time before I found some sample code to monitor connections to network shares.

The end result, for those of you at home, if that link above disappears, is as follows:

```vbscript
' Connect to the local WMI service
Set services = GetObject("WinMgmts:")

' Request the debug privilege on this WMI connection
services.security_.privileges.addasstring "sedebugprivilege"

' Create an event sink; its callbacks are the subs prefixed with SINK_
Set sink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")

' Poll every second for newly created Win32_ServerConnection instances
services.ExecNotificationQueryAsync sink, _
  "select * from __InstanceCreationEvent " & _
    "WITHIN 1 where Targetinstance ISA 'Win32_ServerConnection'"

' The message box keeps the script alive while events are delivered
MsgBox "Wait for an event. " & VBCRLF & "Click OK to stop watching for events!"

' Called once for each new connection to a share
Sub SINK_OnObjectReady(objWbemObject, objAsyncContext)
  Wscript.Echo " Share Name: " & _
    objWbemObject.TargetInstance.ShareName
  Wscript.Echo " Computer : " & _
    objWbemObject.TargetInstance.ComputerName
  Wscript.Echo " User : " & _
    objWbemObject.TargetInstance.UserName
  Wscript.Echo
End Sub
```

This will print out the share name, the originating IP address, and the username any time a connection is made to a share. I learn more about Windows Scripting Host every day.
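For unattended monitoring, the same WMI query can be consumed in a blocking loop that appends each connection to a log file instead of showing dialogs. This is an added example, not code from the original post or the linked sample; the log file name, the tab-separated layout and the `HIDDEN-SHARE` tag for share names ending in `$` are assumptions made for the example. Run it with `cscript.exe` and stop it with Ctrl+C.

```vbscript
Option Explicit

Const FOR_APPENDING = 8
Const LOG_PATH = "share-connections.log"   ' assumed name, written to the working directory

Dim services, events, evt, conn, fso, logFile, share, entry

Set services = GetObject("winmgmts:")
' Same privilege request as the script in the post
services.Security_.Privileges.AddAsString "sedebugprivilege"
Set fso = CreateObject("Scripting.FileSystemObject")

' Semi-synchronous subscription: no sink object and no MsgBox needed
Set events = services.ExecNotificationQuery( _
    "SELECT * FROM __InstanceCreationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_ServerConnection'")

Do
    Set evt = events.NextEvent()          ' blocks until the next connection appears
    Set conn = evt.TargetInstance
    share = Clean(conn.ShareName)

    entry = Now & vbTab & share & vbTab & _
            Clean(conn.ComputerName) & vbTab & Clean(conn.UserName)

    ' Tag hidden shares such as C$ or ADMIN$ so they stand out in the log
    If Right(share, 1) = "$" Then entry = entry & vbTab & "HIDDEN-SHARE"

    ' Open and close the file per event so every line reaches disk immediately
    Set logFile = fso.OpenTextFile(LOG_PATH, FOR_APPENDING, True)
    logFile.WriteLine entry
    logFile.Close

    WScript.Echo entry
Loop

' WMI properties can be Null, and names are remote-supplied:
' map Null to "-" and strip tabs and line breaks so one event is one log line.
Function Clean(value)
    If IsNull(value) Then
        Clean = "-"
    Else
        Clean = Replace(Replace(Replace(CStr(value), vbTab, " "), vbCr, " "), vbLf, " ")
    End If
End Function
```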
