I guess if the FAA is still using 7 inch floppy disks, someone is still using CD-ROMs, but for the life of me I can't find an actual CD with content anywhere to test with!
So I mounted my smart-phone, which briefly emulates a CD-ROM to install some auto-run stuff.
It looks like you might be able to monitor for the ProcessStart of WPDShextAutoplay.exe. It's that thing that Windows throws up when you insert a disk, "What do you want to do with this?" Of course, that's not going to be 100% reliable, since you can turn that dialogue off.
If you know that all the CD-ROMs in your environment are going to share a drive-letter, like "D:" you might be able to do ObjectAuditing on that drive and look for "Object open" from that drive?
Update: One of my colleagues, Tim, has solved part of this and wrote it up:
Audit files being written to a CD/DVD in Windows 7 using "C:\Users\<username>\AppData\Local\Microsoft\Windows\Burn\" (also contains the "Temporary Burn Folder" sub-directory).
Audit files being written to a CD/DVD in Windows XP using "C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\CD Burning\".
(This directory will contain a binary file "Cd burning stash file.bin", used in the writing process.)
1- Open Windows explorer and navigate to the folder.
2- Right-click and select properties.
3- Select the Security tab and select Advanced button.
4- Select the Auditing tab, and uncheck the "Include inheritable auditing entries from this object's parent".
5- Select (check) the "Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object".
6- Select the Add button to add the everyone user, and check the full control for success and failure, to enable all auditing of this folder.
7- Select OK three times to close this window.
8- A file auditing filter in the Trigeo Sim-Console should see the files being written to the CD.
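Steps 1-7 above can also be scripted across every user profile. This is an added example, not part of the original post or Tim's write-up. It assumes an elevated Windows PowerShell session on .NET Framework and the Windows 7 Burn path quoted above (substitute the XP path on XP). The variable names are illustrative, and the `auditpol` prerequisite is an addition the steps do not mention.

```powershell
# Added example (not from the original thread). Run in an elevated Windows PowerShell session.
$profilesRoot = 'C:\Users'                                # Windows 7 profile root (assumption)
$burnRelative = 'AppData\Local\Microsoft\Windows\Burn'    # staging path quoted in the post

# Prerequisite not covered in the steps: audit entries only produce Security-log
# events when file system object-access auditing is enabled (Vista/7 and later syntax).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 6: Everyone (S-1-1-0), Full Control, Success and Failure,
# inherited by subfolders and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$userDirs = Get-ChildItem -LiteralPath $profilesRoot -Force | Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $burnPath = Join-Path $userDir.FullName $burnRelative
    if (-not (Test-Path -LiteralPath $burnPath)) { continue }   # profile has never burned a disc
    $burn = Get-Item -LiteralPath $burnPath -Force

    # Load and write back only the audit section, leaving owner and permissions untouched.
    $sacl = $burn.GetAccessControl('Audit')
    $sacl.SetAuditRuleProtection($true, $false)   # step 4: drop audit entries inherited from the parent
    $sacl.SetAuditRule($rule)                     # step 6
    $burn.SetAccessControl($sacl)

    # Step 5: descendants lose their explicit audit entries and inherit from the Burn folder.
    foreach ($item in Get-ChildItem -LiteralPath $burnPath -Recurse -Force) {
        $childSacl = $item.GetAccessControl('Audit')
        $childSacl.SetAuditRuleProtection($false, $false)
        $explicit = $childSacl.GetAuditRules($true, $false,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($entry in $explicit) { $childSacl.RemoveAuditRuleSpecific($entry) }
        $item.SetAccessControl($childSacl)
    }
    Write-Output "Auditing configured on $burnPath"
}
```

With the policy and audit entries in place, writes into the staging folder are logged as Security event 4663 on Windows 7, which is what a file auditing filter would match on.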
Thank you, I'll give it a spin.
I see what you did there.