Author Posts

July 22, 2017 at 8:40 am

I'm to retrieve a list of all the usb devices connected or disconnected from a Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx file.

This is my current script

#clear the screen
cls

#ignore any errors
#$ErrorActionPreference = "SilentlyContinue"

#Variables start

#empty if needed
$USBevents = @()
#result log
$SavedName = "Devices Connected Disconnected Report $(get-date -f yy-MM-dd).htm"
$USBresults = $PSScriptRoot + "\" + $SavedName
#event log to load
$LoadName = "Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx"
$USBlog = $PSScriptRoot + "\" + $LoadName
#xml paths
$ns = @{'ns'='http://schemas.microsoft.com/win/2004/08/events/event'}
$UMDF_xpath = "//ns:Data[@Name='UMDFHostDeviceRequest instance']"
$ComputerID_xpath = "//ns:[@Name='Computer']"
$usersid_xpath = "//ns:System[@Name='Security UserID']"
#In the XPath statement, prefix each node name with the namespace name and a colon, such as //namespaceName:Node.

#ensure results have suitable descriptions
    $type_lu = @{2003 = 'Query to load USB Drivers'
                 2004 = 'Loading Drivers for new Device'
                 2005 = 'Loading Drivers for new Device'
                 2100 = 'Power Operation for USB Device'
                 2101 = 'Power Operation for USB Device'
                 2102 = 'Power Operation for USB Device'
                 2105 = 'Power Operation for USB Device'
                 2106 = 'Power Operation for USB Device'
                 2103 = 'Error for Power Operation for USB Device'
                 2104 = 'USB Device Power Event'
                 2107 = 'USB Device Power Event'
                 2108 = 'USB Device Power Event'
                 2109 = 'USB Device Power Event'
                }

#variables end


#set HTML style for results
$HTMLstyle = ""
$HTMLstyle = $HTMLstyle + "BODY{background-color:peachpuff;}"
$HTMLstyle = $HTMLstyle + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$HTMLstyle = $HTMLstyle + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
$HTMLstyle = $HTMLstyle + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
$HTMLstyle = $HTMLstyle + ""
$HTMLbodySYS = "USB Devices - Connected and Disconnected"
$HTMLbodySEC = "USB Devices - Connected and Disconnected"
$CSSStyle = @'
            
            ul {
                padding-left: 5px;
               }
            body { background-color:White;
            font-family:Tahoma;
                font-size:12pt;
                 }
            td, th {border:1px solid black;} 
            th {
                color: black;
                background-color:peachpuff;
               }
            td { border-width: 1px;padding: 1px;border-style: solid;border-color: black; }
            TR:Hover TD { Background-Color: #C1D5F8; }
            table, tr, td, th { align:left; padding: 10px; margin: 0px; }
            table { width:75% }
            table { margin-left:0px; }
            
'@
$Head = $HTMLstyle + $CSSStyle


#write to host to user knows script is running
Write-Host "Processing... Please wait ..."


#filter the xml from operational log
$FilterXML = @"
              
              
              *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=2003 or EventID=2004 or EventID=2005 or EventID=2100 or EventID=2101 or EventID=2102 or EventID=2105 or EventID=2106 or EventID=2103 or EventID=2104 or EventID=2107 or EventID=2108 or EventID=2109)]]
              
              
"@
#file://C:\Users\David\OneDrive\Powershell Scripts\Events Log - System - Devices Connected\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx


$USBevents = Get-WinEvent -Filterxml $FilterXML


#pull filtered data from xml
If($USBevents) {
               $XMLUSBresults = ForEach($USBevent in $USBevents) {
                                                                 $xmlUSB = $USBevent.ToXml()
                                                                 $USBUMDF = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $UMDF_xpath).Node.'#text'
                                                                 Break            
                                                                 $USBsid = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $usersid_xpath).Node.'#text'
                                                                 Break
                                                                 $USBComp = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $ComputerID_xpath).Node.'#text'
                                                                 #Translates needed to make usernames readablefrom SID to USER
                                                                 $USBuser = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $USBsid).Translate([System.Security.Principal.NTAccount]).Value
                                                                 Break
                                                                 }
               New-Object -TypeName PSObject -Property @{
                                                        Time = $USBevent.TimeCreated
                                                        Computer = $USBComp
                                                        User = $USBsid
                                                        Id   = $USBevent.Id
                                                        Message = $type_lu[$USBevent.Id]
                                                        }
              #convert results to a html file
              If($XMLUSBresults) {
                   $XMLUSBresults | Sort Time -Descending | ConvertTo-Html -head $Head -body $HTMLbodySEC | Set-Content $USBresults
                   }
              }


#show success for user
Write-Host "USB devices logfile Success."
#open the created html file
Invoke-Item $USBresults

I've tried pasting a copy of an event's xml here but it won't format correctly. If you log this log on your system and click an event, you can seethe format of the xml view.

Currently I'm failing to retrieve the 'Computer' and 'User' which are returning only as all blank.

I suspect I've got the following lines incorrect, but cant find the right solution. I've been trying to add system or without it but with no joy

$ComputerID_xpath = "//ns:[@Name='Computer']"
$usersid_xpath = "//ns:System[@Name='Security UserID']"

Ideas anyone?

July 24, 2017 at 11:18 pm

You can't paste XML; it's your web browser refusing to render it. As indicated in the instructions above the posting textbook, use a Gist, which we can pull in if you paste the Gist URL into your message.

I'll say this, though – for XQuery/XPath advice, which is basically what you're doing, nothing beats StackOverflow.com.