Monitor File Creation for the Entire C:\ Drive?????

[qajussi]

Hi!

I am trying to monitor the file creation on C:\ drive.
(when a file/or folder created in any part of of entire C:\ hard drive)

This is a script from MS for the monitoring the file creation in one folder.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= " _
& "'Win32_Directory.Name=""c:\\\\scripts""'")
Do
Set objLatestEvent = colMonitoredEvents.NextEvent
Wscript.Echo objLatestEvent.TargetInstance.PartComponent
Loop




How can I do to check the folder and its subfolders from C:\ ???

Is this a good idea to run the script on the entire hard drive??

Or would it use the all the CPU and lock the computer??

Can you help me to monitor the entire C:\ and its subfolders??
Thank you very much

 

[mrmovie]

leave out the part of the query which specifies the location.

i would say that sort of a WMI query would be a bad idea.
its not too bad monitoring one or 2 dir but the whole c drive. if some app started dumping files or you started browsing the web etc! lots of firings of your event handler,,,but perhaps you can handle it,,,good luck

 

[tfg13]

I know what this individual is trying to do, and the process is going to be on a closed lan (no internet access). Basically, monitoring file creation/deletions. "leave out the part of the query which specifies the location" does not work. It has been tried. Any more suggestions?

 

[mrmovie]

i think i gave my opinion on a few of the questions.

1. is this a good idea, i would say no
2. how to get it to monitor the whole c drive,
this part of the WQL query string specifys a scripts folder on the c drive

'Win32_Directory.Name=""c:\\\\scripts""'

therefore if you remove it you will no longer be monitoring one folder you will be registering and tell wmi you want to be notified when a file creation event if triggered. (which i think could be lots and could hit the cpu hard under some instances)

Question:
what has
and the process is going to be on a closed lan (no internet access
got to do with anything? are you suggesting the LAN has something to do with a computers C drive? what happens if you unplug a computers network cable? does the c drive no longer exist? or are you suggesting this programmer is trying to monitor file creations/deletions on remote machines? or is that what you are trying to do and have failed at?

Question: you say you have tried "leave out the part of the query which specifies the location" but it doesnt work.
where is your code?

Anymore suggestions from me? no, i dont think so.

If you post your code i can try and run it on my computer if you like.

mrmovie

 

[mrmovie]

sorry penny dropped, no internet access. sorry my bull in a china shop approach, apologies.
perhaps the browsing the web and temp files could be changed to something else which creates files on a computer,,,,not sure at the moment. but, if i thought someone was monitoring file creation on my machine and logging it i would write something like this

intA = 0
Do
intA = intA + 1
Set objTS = FSO.CreateTextFile("c:\temp\kissmyarse" & intA & ".bum", True)
objTS.Close
Set objTS = Nothing
Loop

;-)

 

[tfg13]

Wow, what a chip on the shoulder. Not much of a user friendly guy are you?

 

[mrmovie]

well flame away, my wife left me on the weekend so bite my arse.
and no i didnt come on this site today to vent my anger but to stop my head from falling off!

to be frank i think i am a user friend kind of guy and sometimes yes i do have a chip on my shoulder when it comes to the way some people use these tek-tips websites.

i found your initial comments to be not fair

you said:
"leave out the part of the query which specifies the location" does not work. It has been tried. Any more suggestions?

i take it you changed
'Win32_Directory.Name=""c:\\\\scripts""'

to

"leave out the part of the query which specifies the location"

you will find that the 'leave' keyword is not supported by WQL.

what have you offered in the way of help and advice to this, as you put it 'user', what code have you offered or shown which does or doesnt work?( i am not sat here getting paid on a flippin helpdesk and i dont see other people on this site as 'users' who need my assistance.)


regards
mrmovie

 

[tfg13]

As only you can be satiated in your own glory, and believe that you are the only one with knowledge, you assume to much. As far as you believing that I need to show code, well, I don't as I have stated that I know what the individual is trying to accomplish, because, well, we work together. Before you go postal, you need to see a doctor, as they do prescribe medication for your particular ills.

Neither one of use are going to get anymore out of this conversation, so I suggest we let it drop, and look for other reasons to be at this great site.

 

[qajussi]

I don't as I have stated that I know what the individual is trying to accomplish, because, well, we work together."


Do I know you tfg13???


Thanks for trying to help me by posting comments on my thread.

I researched and tested but I don't think it is a good idea to monitor the entire C: drive.

 

[teckiejon]

Mr Movie
I hope you're taking no notice of tfg13 at all. Your replies to posts have been inspirational and helped me on my way with VB scripting alot. As far as you not being user friendly goes, in my opinion yourself and the other contributrs to this site have the patience of saints and real skill that you choose to share with others. Keep up the good work!

 

[tfg13]

Qajussi, I am pretty sure that we work for the same company, as an email of this has been sent to a bunch of us with the same comments and requests. I work at BCO if that helps....

 

[mrmovie]

tfg13, qajussi

have you decided if you are going to use a blocking method call as you have posted or async event notification?

 

[tfg13]

mrmovie, I should apologize as reading through some of your other posts, you are actually a very good scripter (and a teacher of scripting). I became defensive as soon as you stated the "kiss my arse" bit. The reason I started looking at this is due to security in that area(yes, monitoring remote PC's for certain activities). I got as far as qajussi and started looking for help. You offered, and I didn't ask the correct questions to your first post, and the conversation just went down hill from there.

You are an exceptional scripter, keep up the good work for us "rookies" and please, accept my apologies.

 

[mrmovie]

tfg13, i took your advice and saw a doctor...feeling much better now ;-)

 

[tfg13]

Hope to see more of your help in this forum. I am now getting the hang of scripting, and after some review, I now understand why you don't want to "monitor" the entire hard drive. Man, what a killer of RAM and space....