XP Remote Detection of Removable Media Write

ASecurityGuy - 27 Apr 2006 21:06 GMT
I am looking for a hook that I can pull up remotely on Windows XP desktops
that indicates that a file has been written to a CD, USB or removable
media.  I see some info in the event log when there is a file queued to
write to CD (7035 IMAPI CD-Burn start/stop) and I can pick up a USB
removable media under NTMSmgr.msc, but I just can't seem to find a
good indicator that a file has been written.

Is anyone playing in this area?  Or does anyone have any suggestions for
places I can look?  I prefer not to have to turn on audit or run a
background script on the machines... It would really be nice if we
could figure a way to push it to the system.evt to pull reports.

TIA,
SG
Shenan Stanley - 28 Apr 2006 07:16 GMT
> I am looking for hook that I can pull up remotely on WindowsXP
> desktops that indicates that a file has been written to a CD, USB
[quoted text clipped - 8 lines]
> if we could figure a way to push it to the system.evt to pull
> reports.

So - how will you be able to tell if they open the file in
Word/Excel/Powerpoint/Notepad/Wordpad/WordPerfect/etc and SAVE it to the
external media?

What if they use a third party burner?

What if they use their own file explorer from the USB drive they plug in?

What if they just take screenshots of the data and save those to the
external media or email them elsewhere?

What I am saying is that while there may be some ways you can track some
things - there are almost always ways around it - usually simple and low-tech
ones that are much more difficult to detect.

Shenan Stanley
    MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

ASecurityGuy - 28 Apr 2006 15:58 GMT
Shenan,
Well, generically, the OS looks at USB, CD and Floppy and removable
media. So in essence, these media devices share common system functions
under that umbrella.

Similarly, the function of "write to" is a common function regardless
of which application issues the 'save' or 'copy' command.

At the system level there is likely not more than a handful of actual
system calls which are used to accomplish this 'write to removable'
function.

While I have not been able to find the specific call references in the
Developers documentation, I am fairly confident that these calls are
present and can be monitored at the system level as evidenced by a
number of third party products that accomplish this very task. I figure
if they can be monitored and managed by third party tools, there is
likely a MS switch in XP that will allow me to run something like MDM
or debug mode to pick these activities up.

As far as 'ways around it', I'm not building Fort Knox, but I would
guess if we get this to the lowest OS level, it is unlikely that most
developers will go to the trouble of re-writing basic system calls and
device drivers to circumvent some obscure monitor that might be
implemented.

SG
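
Added example, not part of the thread and not code from either poster: one way to turn the 7035 IMAPI start/stop events mentioned in the first post into per-host burn sessions once System-log records have been collected centrally. The CSV column layout, host names and sample records are constructed for illustration; a session shows only that the built-in burning service was started, not which files were written, and a third-party burner would not appear.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: System-log records already collected from two desktops
# into CSV (host, time, event id, source, message). The column layout is an
# assumption of this example, not a Windows export format.
SAMPLE = """\
WS-014,2006-04-27 14:02:11,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a start control.
WS-014,2006-04-27 14:02:12,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the running state.
WS-014,2006-04-27 14:09:40,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a stop control.
WS-022,2006-04-27 15:30:05,7035,Service Control Manager,The Print Spooler service was successfully sent a start control.
WS-022,2006-04-27 16:45:00,7035,Service Control Manager,The IMAPI CD-Burning COM Service service was successfully sent a start control.
"""

CONTROL = re.compile(r"The (.+) service was successfully sent a (start|stop) control\.")

def burn_sessions(csv_text, service_hint="IMAPI"):
    """Pair 7035 start/stop controls for the CD-burning service per host.

    Returns (host, started, stopped) tuples sorted by start time; stopped is
    None when no stop control was logged after the start.
    """
    open_start = {}   # host -> time of the start control still waiting for a stop
    sessions = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 5:
            continue  # skip malformed or blank records
        host, when, event_id, _source, message = row
        m = CONTROL.match(message)
        if event_id != "7035" or not m or service_hint not in m.group(1):
            continue
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "start":
            if host in open_start:  # second start with no stop: keep the first as open-ended
                sessions.append((host, open_start[host], None))
            open_start[host] = ts
        elif host in open_start:
            sessions.append((host, open_start.pop(host), ts))
    sessions.extend((h, t, None) for h, t in open_start.items())
    return sorted(sessions, key=lambda s: s[1])

if __name__ == "__main__":
    for host, start, stop in burn_sessions(SAMPLE):
        print(host, start, stop or "no stop logged")
```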
 