Lab 7: USB monitoring service

Service that responds to insertion / removal of USB devices. Reports them to log file and Event Log.
Can block certain devices based on Hardware ID.

Features

• Log all USB device connect / disconnect events into Event Log
• Log such events into a file (path is specified in registry)
• Block connection of different devices based on Hardware ID

Options

• install                       Install service *
• uninstall                   Uninstall service *
• deny <HardwareID>     Add device to deny list *
• allow <HardwareID>   Remove device from deny list *
• denylist                     Print deny list
• logfile [path]          Get or set* absolute path (like C:\log.txt) for log file
• h, help                      Print help message

* requires administrative privileges (Run as Admin)

Usage

1. Install UsbMonitor service: usbmon.exe install*
2. (optional) Configure log file path: usbmon.exe logfile "C:\path\to\log.txt"*
3. Start service from Services menu or with sc start UsbMonitor*
4. Connect or disconnect some USB devices
5. Open log file or EventVwr.exe (go to Windows Logs/Application)
6. Notice Hardware ID value of format USB\VID_041D&PID_C584&REV_0409
7. (optional) To block device, use Hardware ID: usbmon.exe deny "USB\VID_041D&PID_C584&REV_0409"*
8. (optional) To unblock device, use Hardware ID: usbmon.exe allow "USB\VID_041D&PID_C584&REV_0409"* and enable it in Device Manager (if needed)

* requires administrative privileges (Run as Admin)

Registry

Service stores its config in registry. Base path is HKLM\SYSTEM\CurrentControlSet\Services\UsbMonitor\ .

Under this key:

• Parameters\
  • LogFile (REG_SZ) - Path to log file, like C:\path\to\log.txt
  • DenyList\
    • USB_VID_041D&PID_C584&REV_0409 (DWORD, always 1) - if value exists, Hardware ID is in deny list
    • < ... >

If some keys don't exist, they are created automatically.
If LogFile is not set, logs are sent to Event Log only.

Improvements

Some Chinese flash drives may have strange Unicode hardware IDs, which can be confusing for Registry if set as a value name.

It can be solved by storing hex-values for hardware IDs (possibly MD5 of ID string) with corresponding user-friendly name of rule.

Example

This scheme allows for quick dereference by hardware ID. Just calculate hash and check if it's there.

• DenyList\
  • 9d2cff9017b505e8beb206df9fd2efb3 (REG_SZ) = <rule_name>
  • < ... >

Alternative

This scheme allows for quick dereference by rule name. Also guarantees that rule names are unique, and it generally looks more natural.

• DenyList\
  • <rule_name> (REG_SZ) = 9d2cff9017b505e8beb206df9fd2efb3
  • < ... >

Supposed usage

MD5 of Hardware IDs should appear in log file and Event Log instead of raw Hardware IDs.

usbmon.exe deny <name> <hwId_MD5>
usbmon.exe allow <name> <hwId_MD5>

I don't know if I implement this in near future, though I hope so  ฅ ^•ﻌ•^ ฅ  °。

References

• Service template: https://learn.microsoft.com/en-us/windows/win32/services/svc-cpp

• Device notifications: https://www.codeproject.com/Articles/15612/Receiving-Device-Event-Notification-in-Windows-Ser

  • Note: do not set DEVICE_NOTIFY_ALL_INTERFACE_CLASSES, instead specify classguid (see SvcMain() in service.c)

• Working with registry: https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexa

• Handle USB events: https://learn.microsoft.com/en-us/answers/questions/985652/getting-instance-id-of-usb-drive-from-registerdevi

  ∩―――――――――――∩                .      .
  ||   ∧  ﾍ　 ||    . ゜ ﾟ.  ゜     ✧    。
  ||  (* ´ ｰ`) ZZzz     °   ★   ﾟ     ゜    ✧
  |ﾉ^⌒⌒づ`￣￣ ＼             ﾟ。 ﾟ  ★  ｡ﾟ 
  (  ノ　　⌒  ヽ  ＼         ﾟ    ★    。  
  ＼　　 ||￣￣￣￣￣||               ﾟ
  　 ＼,ﾉ||         ||