Task Trigger For USB

exodia508766 · Dec 23, 2023

I'm striving on how to create a XML filter to trigger a task when a SPECIFIC usb drive is plugged in. Ive tried this, but it does not work. How do I incorporate the part where it says LifetimeID and InstanceID ???

XML:

<QueryList>
<Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[Provider[@Name='Microsoft-Windows-DriverFrameworks-UserMode'] and  EventID=2101]] and *[UserData[UMDFHostDeviceRequest[InstanceID=SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]]</Select>
</Query>
</QueryList>

This is the FULL EVENT LOG :

XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />
<EventID>2101</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>37</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2023-12-23T23:57:41.981685900Z" />
<EventRecordID>14</EventRecordID>
<Correlation />
<Execution ProcessID="2632" ThreadID="10192" />
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>KARC</Computer>
<Security UserID="S-1-5-19" />
</System>
- <UserData>
- <UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
<LifetimeId>{bb9ecb99-c430-4a39-89b7-f197286b362d}</LifetimeId>
<InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>
<RequestMajorCode>27</RequestMajorCode>
<RequestMinorCode>9</RequestMinorCode>
<Argument1>0x2c000010040</Argument1>
<Argument2>0xffffffffffffffff</Argument2>
<Argument3>0x100000000</Argument3>
<Argument4>0x400000004</Argument4>
<Status>0</Status>
</UMDFHostDeviceRequest>
</UserData>
</Event>

garlin · Dec 24, 2023

Someone submitted an answer on Stack Overflow, which I've tweaked.
Run this PowerShell script as Administrator, and it will trigger one of two actions when a named USB device is plugged in/removed.

1. Edit $DeviceID to a wildcard expression matching 'USBSTOR%Vendor%Model%' or 'USBSTOR%Vendor%Model%UniqueID%'

For your example, 'USBSTOR%SANDISK%ULTRA%'

Users who own multiple drives of the same model will need to add an UniqueID.

2. Insert your external commands in the { .. } Action blocks. This can be any literal command you type in CMD.

To replace the existing trigger actions, update and re-run the script. It will unregister the previous set of triggers/actions.

3. USB connection events are always captured, but sometimes disconnect events get missed (?)

Code:

# https://stackoverflow.com/questions/54482594/powershell-wmi-trigger-action-when-specific-device-is-plugged-in

# Use '%' for wildcard
$DeviceID = 'USBSTOR%CORSAIR%VOYAGER%'

Unregister-Event -SourceIdentifier USBConnected -ErrorAction Ignore
Unregister-Event -SourceIdentifier USBDisconnected -ErrorAction Ignore


# Event when plugged in (InstanceCreationEvent)

$Connect_Action = {
    msg * Corsair Voyager plugged in
}

$query = "Select * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_PNPEntity' and TargetInstance.DeviceID like '$DeviceID'"
Register-WMIEvent -Query $query -Action $Connect_Action -SourceIdentifier USBConnected


# Event when disconnected (InstanceDeletionEvent)

$Disconnect_Action = {
    msg * Corsair Voyager disconnected
}

$query = "Select * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_PNPEntity' and TargetInstance.DeviceID like '$DeviceID'"
Register-WMIEvent -Query $query -Action $Disconnect_Action -SourceIdentifier USBDisconnected

exodia508766 · Dec 24, 2023

Thankyou for your script. I created a task, put powershell to run the .PS1 script. So I changed the script to $DeviceID = 'USBSTOR%SANDISK%ULTRA%', changed $Connect_Action = {C:\Windows\system32\cmd.exe} and $Disconnect_Action = {C:\windows\notepad.exe} so it runs those programs to notify me if it works. The task ran the script, but none of those Actions worked thought.

garlin · Dec 24, 2023

This works for me:

Code:

$Connect_Action = {
     Start-Process cmd.exe
}

$Disconnect_Action = {
    notepad.exe
}

cmd.exe needs to be launched by Start-Process, since you're asking for an interactive shell.
notepad.exe is \Windows\System32

exodia508766 · Dec 24, 2023

May I ask what type of trigger do I assign it, at logon, on an event, etc? I updated it to what you just said, but still did not do anything. For the Task's Action, I put Powershell.exe and its argument is -File C:\USB.ps1. This is correct right ?!

garlin · Dec 24, 2023

exodia508766 said:
May I ask what type of trigger do I assign it, at logon, on an event, etc? I updated it to what you just said, but still did not do anything. For the Task's Action, I put Powershell.exe and its argument is -File C:\USB.ps1. This is correct right ?

1. If you need a different trigger, then you need a different type of event query. You asked for USB events.

Register-ObjectEvent: A more efficient way to trigger a PowerShell script on a Windows Event

One of the things that is really cool about the Windows Task Scheduler is that there are so many different ways you can trigger an action. One of them is on a Windows Event. If you don’t need to know any data in the event, then this way is fine. You might find that it doesn’t trigger on every...

theposhwolf.com

2. Run an external PS script.

Code:

Start-Process powershell -ArgumentList '-ExecutionPolicy Bypass -File C:\Path\script.ps1"

But if you already have another PS script, why not drop that existing code inside the Action block?

3. If you messed up the previous actions, then manually delete the existing ones:

Code:

powershell Unregister-Event -SourceIdentifier USBConnected; Unregister-Event -SourceIdentifier USBDisconnected

exodia508766 · Dec 24, 2023

Im getting confused. I did this manually.

In task scheduler

Triggers Tab :

I created a Task Trigger as 'On an event'

Log: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Source: DriverFrameworks-UserMode
EventID: 2101

Actions Tab :

Powershell.exe -ArgumentList -ExecutionPolicy Bypass -File C:\Path\script.ps1"

thats the script you posted, edited with my SANDISK info and other $Connect_Action and $Disconnect_Action. No external script or anything.

garlin · Dec 24, 2023

Task Scheduler's command semantics are different from what PS uses. If you prefer working it out using TS, I leave you to it.

At this point, you're mixing and matching things out of context. "-ArgumentList" is a parameter that belongs with Start-Process, it doesn't belong on a command line outside of a PS script. PS needs it to refer to another PS script. Any command which isn't a built-in PS instruction is automatically assumed as an external command.

So "notepad.exe" runs by itself, but PS needs to know -ArgumentList arguments are meant for the other PS instance.

exodia508766 · Dec 24, 2023

Im not well versed in powershell. Can any PS1 script be triggered by an eventID, then if the script recognizes that if its lets say, specifically, the SANDISK USB, itll do something? I just know this is possible.