Windows on device disconnect > shut down all processes and shut down?

Hello,

I was wondering if anyone knew if there is a solution / way that say if you unplugged a USB device with a specific ID that I could set up a script / we to shut down all processes / shut down PC?

Just one of them things I can’t seem to google effectively and wondering if anyone has any insights?

Regards

UHI :slight_smile:

1 Like

You could write a program to do that. You could have a program running in the background listening for events or have one fire off every time a specific event is logged by windows.

Windows also already has some functionality to lock the screen for example when a security key is removed, though that’s not quite what your looking for.

1 Like

I’m curious what OP is trying to accomplish here, as that’s what it sounds like, but a jerryrig solution without spending the $$ on security keys.

1 Like

Its Micrsofts smart card group policy and registry settings

Interactive logon; Smart card removal behaviour

This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:

No Action
Lock Workstation : The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.

Force Logoff : The user is automatically signed out when the smart card is removed.

Disconnect if a Remote Desktop Services session : Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that’s equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the Lock Workstation option.

It might depend a little on exactly what you want to achieve and why. The simplest options may be to use scheduled tasks to trigger on hardware change events

you could use the Microsoft-Windows-DriverFrameworks-UserMode/Operational log (youll need to enable the log)
Another log option to trigger on is to enable advanced audit
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access
Enable: Audit Removable Storage

This is logged under windows security logs, but it might not be as robust as its mainly logging read/write events

there might be other log options to choose from

you can then make your powershell script to run on the task scheduler triggering on the event to check for the type of usb etc and run your shutdown commands

the other way of doing it might be more robust which would be to listen for hardware events yourself in your own program. youd need to look into that one more, if done event listening before for file live file writes, but im not sure what i did with the code.

1 Like

Hi Ken willing to drop the cash but I think eden hit the nail on the head with his response:)

1 Like

Perfect this will do the trick I think a combination of both would do the trick. Just was not sure where the first place to start would have been. This is a good place to start. As a security focused student this is what I am interested in:)

Hope all is well Eden o7

1 Like

Doing well.

Let us know how you get on with this and what your solution ends up being

1 Like

Will do,

Doing a python code jam and then will be moving on to this :smiley: