I was wondering if anyone knew if there is a solution / way that say if you unplugged a USB device with a specific ID that I could set up a script / we to shut down all processes / shut down PC?
Just one of them things I can’t seem to google effectively and wondering if anyone has any insights?
You could write a program to do that. You could have a program running in the background listening for events, or have one fire off every time a specific event is logged by Windows.
Windows also already has some functionality to lock the screen, for example when a security key is removed, though that's not quite what you're looking for.
It's Microsoft's smart card Group Policy and registry settings.
Interactive logon: Smart card removal behavior
This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
No Action
Lock Workstation: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
Force Logoff: The user is automatically signed out when the smart card is removed.
Disconnect if a Remote Desktop Services session: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the Lock Workstation option.
It might depend a little on exactly what you want to achieve and why. The simplest option may be to use scheduled tasks to trigger on hardware change events.
You could use the Microsoft-Windows-DriverFrameworks-UserMode/Operational log (you'll need to enable the log).
Another log option to trigger on is to enable advanced audit:
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access
Enable: Audit Removable Storage
This is logged under Windows security logs, but it might not be as robust, as it's mainly logging read/write events.
There might be other log options to choose from.
You can then make your PowerShell script run from the Task Scheduler, triggering on the event, to check for the type of USB etc. and run your shutdown commands.
The other way of doing it, which might be more robust, would be to listen for hardware events yourself in your own program. You'd need to look into that one more. I've done event listening before for live file writes, but I'm not sure what I did with the code.
Perfect, this will do the trick. I think a combination of both would do the trick. I just was not sure where the first place to start would have been. This is a good place to start. As a security-focused student, this is what I am interested in :)
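The "listen for hardware events yourself" approach suggested in the replies, sketched in PowerShell as an added example that is not code from any poster in this thread. The ID `VID_0000&PID_0000` is a placeholder, and the names `Test-DevicePresent`, `Invoke-Response` and the `-Arm` switch are hypothetical; responding immediately when the device is already absent at start is a design assumption.

```powershell
# Added example: respond when one specific USB device is unplugged.
# VID_0000&PID_0000 is a placeholder; copy the real value from
# Device Manager > device > Properties > Details > Hardware Ids.
param(
    [string]$DevicePattern = 'USB\VID_0000&PID_0000*',
    [switch]$Arm   # without -Arm the script only reports what it would do
)

function Test-DevicePresent {
    param([string]$Pattern)
    # -PresentOnly skips devices Windows remembers but that are not attached.
    $hit = Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like $Pattern }
    return [bool]$hit
}

function Invoke-Response {
    param([string]$Reason)
    Write-Output "$(Get-Date -Format o) $Reason"
    if ($Arm) { Stop-Computer -Force } else { Write-Output 'Dry run: no shutdown.' }
}

# Assumed policy: if the device is already gone at start, respond at once.
if (-not (Test-DevicePresent -Pattern $DevicePattern)) {
    Invoke-Response -Reason "Device $DevicePattern not present at start"
    return
}

# WMI raises __InstanceDeletionEvent when a PnP entity disappears;
# WITHIN 2 makes WMI poll for changes every two seconds.
$query = "SELECT * FROM __InstanceDeletionEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'UsbWatch' | Out-Null
try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier 'UsbWatch'
        $removedId = $evt.SourceEventArgs.NewEvent.TargetInstance.DeviceID
        Remove-Event -EventIdentifier $evt.EventIdentifier
        # Filter here rather than in WQL, where "\" and "_" need escaping.
        if ($removedId -like $DevicePattern) {
            Invoke-Response -Reason "Removed: $removedId"
            break
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier 'UsbWatch'
}
```

Run it without `-Arm` first and unplug the device to confirm the match; to survive logoff, start it from a scheduled task at startup rather than from an interactive console.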