
Capture “removable storage device serial number(s)” using Powershell

03/23/2021 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: One of the most popular security policies for removable storage is to allow only certain devices into your environment.  This is done using the removable storage device “serial number”.  Every device has a unique serial number.  secRMM has a property called “AllowedSerialNumbers”.  So, all you have to do is tell secRMM which devices you want to allow (white-list) into your environment by giving it the serial number of the device(s).  Easy…but how do you get the serial number to begin with?  Well, you can use secRMM to do this.  Just plug in the device and go into the secRMM event log.  There will be an ONLINE event for the device you just plugged in, and it will tell you the serial number.  But that is somewhat of a pain if you must do this for tens or hundreds of devices.  OK, let’s combine Powershell and secRMM to put the serial numbers into the clipboard so we can just do a paste each time we plug in a device:

Sorry, some of the lines wrap in the script, but just copy the whole script and save it to a .ps1 file.
We named it GetSecRMMOnlineEventsFromEventLog.ps1, but you can name it anything you like; just make sure the file has a .ps1 extension so that Windows will associate the file with the PowerShell program.

#****************************************************************************
#
#  Module: GetSecRMMOnlineEventsFromEventLog.ps1
#
#  Purpose: Get secRMM ONLINE Events asynchronously.
#           The script will put the device serial number into the Clipboard.
#           It can be pasted into the secRMM AllowedSerialNumbers property.
#
#  Copyright (c) 2021 Squadra Technologies
#
#****************************************************************************

$secRMM = "secRMM";                                   # secRMM event log name
$secRMMEventId = 400;                                 # secRMM ONLINE event id
$secRMMPowershellModule = "secRMMParsingPowershell";
$sourceIdentifier = $secRMM;
$messageData = $secRMM;

# WQL event subscription: fires each time a new ONLINE event (EventCode 400)
# is written to the secRMM event log.
$WMINamespace = "root\CIMV2";
$WMIClass = "Win32_NTLogEvent";
$WMIQueryFormatString =
    "select * from __InstanceCreationEvent " + `
    "where TargetInstance isa '{0}' " + `
    "and TargetInstance.logfile = '{1}' " + `
    "and (TargetInstance.EventCode = '{2}')";
$WMIQuery = $WMIQueryFormatString -f $WMIClass, $secRMM, $secRMMEventId;

$OutputFormat = "xml"; # csv, xml, html, json

# [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');

# Load the secRMM parsing module from the machine-wide PSModulePath if the
# secRMM SDK registered it there, otherwise from the default install folder.
# PowerShell does not treat backslash as an escape character, so the paths
# below use single backslashes (a doubled backslash in the -like pattern
# would never match a real path).
$PsModulePath = [Environment]::GetEnvironmentVariable('PSModulePath',
    [System.EnvironmentVariableTarget]::Machine);

if ($PsModulePath -like '*AdminUtils\SDK\Powershell\secRMMParsingPowershell*')
{
    $AssemblyName = $secRMMPowershellModule + ".dll";
}
else
{
    $AssemblyName =
        "C:\Program Files\secRMM\AdminUtils\SDK\Powershell\secRMMParsingPowershell\secRMMParsingPowershell.dll";
}

Import-Module $AssemblyName;

try
{
    try
    {
        $message =
            'Waiting on {0} event.  Please hit CTRL-C to stop waiting.' `
            -f $secRMM;

        # Subscribe to the WMI event; -Timeout 0 keeps the subscription open.
        Register-WmiEvent `
            -ComputerName "." `
            -Namespace $WMINamespace `
            -Query $WMIQuery `
            -Timeout 0 `
            -SourceIdentifier $sourceIdentifier `
            -MessageData $messageData;

        Clear-Host;

        While ($true)
        {
            Write-Host $message;
            # Block until the next ONLINE event arrives, then drain it from the queue.
            $event = Wait-Event -SourceIdentifier $sourceIdentifier;
            Remove-Event -SourceIdentifier $sourceIdentifier;
            # Win32_NTLogEvent.TimeGenerated is a DMTF datetime string; convert it.
            $TimeGenerated =
                [Management.ManagementDateTimeConverter]::ToDateTime(
                    $event.SourceEventArgs.NewEvent.TargetInstance.TimeGenerated);
            # Let the secRMM parsing module decode the raw event message.
            $secRMMEventInterface =
                Get-secRMMEventData `
                    -Id $event.SourceEventArgs.NewEvent.TargetInstance.EventCode `
                    -TimeCreated $TimeGenerated `
                    -MachineName $event.SourceEventArgs.NewEvent.TargetInstance.ComputerName `
                    -Message $event.SourceEventArgs.NewEvent.TargetInstance.Message;
            if ($secRMMEventInterface)
            {
                $secRMMEvent =
                    $secRMMEventInterface.Output("OnlyRelevantColumns", # OnlyRelevantColumns, AllColumns
                                                 $OutputFormat);
                if ($secRMMEvent)
                {
                    [xml]$Xml = $secRMMEvent;
                    $Xpath = "/secRMMEvent/SerialNumber";
                    $XmlNodes = $Xml.SelectNodes($Xpath);
                    if ($null -ne $XmlNodes)
                    {
                        foreach ($XmlNode in $XmlNodes)
                        {
                            $innerText = $XmlNode.InnerText;
                            if ($innerText)
                            {
                                # Serial number goes to the clipboard; beep so the
                                # operator knows it is ready to paste.
                                Set-Clipboard -Value $innerText;
                                # $messageBoxMessage = ("serial number: {0} in Clipboard" -f $innerText);
                                # [System.Windows.Forms.MessageBox]::Show($messageBoxMessage, $secRMM);
                                [System.Console]::Beep(1000,300);
                            }
                            else
                            {
                                Write-Error "Could not get serial number";
                            }
                            break;   # only the first SerialNumber node is used
                        }
                    }
                    else
                    {
                        Write-Error "Could not get secRMMEvent XML";
                    }
                }
                else
                {
                    Write-Error "Could not get secRMMEvent";
                }
            }
            else
            {
                Write-Error "Could not get secRMMEventInterface";
            }
        }
    }
    catch
    {
        $Exception = $_;
        Write-Host $Exception.Exception.Message;
        # Clearing the identifier skips Unregister-Event in the finally block.
        $sourceIdentifier = $null;
    }
}
finally
{
    # Runs on CTRL-C as well, so the WMI subscription is always cleaned up.
    if ($sourceIdentifier)
    {
        Write-Host 'Unregistering event source and terminating.'
        Unregister-Event -SourceIdentifier $sourceIdentifier -Force;
    }
    Remove-Module -Name secRMMParsingPowershell;
}

Just run this script (as a local or domain Administrator) and when you want to stop it from running, just hit CTRL-C.
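The script above captures one serial number per plug-in. As an added example (not part of the original post or Squadra's own code), the following script instead walks the ONLINE events already recorded in the secRMM event log, so serial numbers for devices that have been used on the computer can be reviewed in one pass before being added to AllowedSerialNumbers. It reuses the log name, event id, module path and Get-secRMMEventData calls from the script above and assumes they behave the same way; the CSV output path is an assumption.

```powershell
# Added example: harvest serial numbers from recorded secRMM ONLINE events.
# Assumes the secRMMParsingPowershell module and Get-secRMMEventData work as in
# GetSecRMMOnlineEventsFromEventLog.ps1; log name and event id come from there.
Import-Module "C:\Program Files\secRMM\AdminUtils\SDK\Powershell\secRMMParsingPowershell\secRMMParsingPowershell.dll";

$LogName  = "secRMM";
$OnlineId = 400;
$OutFile  = Join-Path $env:USERPROFILE "secRMM-serials.csv";   # assumed output path

# Oldest first, so FirstSeen really is the first sighting of each device.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $OnlineId } -ErrorAction Stop |
          Sort-Object TimeCreated;

$seen = @{};   # serial number -> review record
foreach ($e in $events)
{
    $iface = Get-secRMMEventData -Id $e.Id -TimeCreated $e.TimeCreated `
                                 -MachineName $e.MachineName -Message $e.Message;
    if (-not $iface) { continue; }
    $raw = $iface.Output("OnlyRelevantColumns", "xml");
    if (-not $raw) { continue; }
    [xml]$xml = $raw;
    $node = $xml.SelectSingleNode("/secRMMEvent/SerialNumber");
    if (-not $node -or -not $node.InnerText) { continue; }   # event without a serial
    $serial = $node.InnerText;

    if ($seen.ContainsKey($serial))
    {
        $seen[$serial].Sightings++;
    }
    else
    {
        $seen[$serial] = [pscustomobject]@{
            SerialNumber = $serial;
            FirstSeen    = $e.TimeCreated;
            Computer     = $e.MachineName;
            Sightings    = 1;
        };
    }
}

# One row per distinct device, ready to review before white-listing.
$seen.Values | Sort-Object FirstSeen | Export-Csv -Path $OutFile -NoTypeInformation;
Write-Host ("{0} distinct serial number(s) written to {1}" -f $seen.Count, $OutFile);
```

Review the CSV before pasting anything into AllowedSerialNumbers: a serial that shows up with only one sighting on one computer may be a device that was never meant to be in the environment, and some low-cost devices report a blank or vendor-shared serial that would not identify a single device.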

We hope you find this script useful for your environment.  Please let us know what you think or if you have a requirement for a different script.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.
