Disk Change Monitor Best Practices: Logging, Notifications, and Security

Automating Responses with a Disk Change Monitor Script

Monitoring disk changes—such as USB insertions, removals, or new drive mounts—lets you trigger automated actions: backups, virus scans, logging, or notifications. This article shows a practical approach to building a reliable disk change monitor script, with examples for Windows (PowerShell) and Linux (systemd + udev + Bash), plus tips for stability and security.

Why automate disk-change responses

Efficiency: Immediately run tasks (backups, copies) when media appears.
Security: Trigger scans or block untrusted devices.
Auditing: Keep comprehensive logs of removable-storage activity.

Design considerations

Event source: Use OS event systems (Windows Management Instrumentation / Win32 API; udev, systemd on Linux).
Idempotence: Ensure the script can be re-run safely if the same event fires multiple times.
Debounce: Prevent duplicate handling when devices briefly disconnect/connect.
Least privilege: Run actions with only necessary permissions. Avoid auto-executing untrusted binaries from external media.
Logging & alerts: Record events and optionally notify admins (email, system notifications, webhook).

Windows: PowerShell-based monitor

This approach uses WMI event queries to watch for Win32VolumeChangeEvent and reacts by running a handler function.

Example script (PowerShell):

powershell
# DiskChangeMonitor.ps1 Register-WmiEvent -Query “SELECTFROM Win32_VolumeChangeEvent” -SourceIdentifier DiskChangeEvent function Handle-DiskChange { param(\(Event) \)eventType = \(Event.SourceEventArgs.NewEvent.EventType # EventType: 2 = ConfigChanged, 3 = MediaInserted, 4 = MediaRemoved (varies by system) \)driveLetter = \(Event.SourceEventArgs.NewEvent.DriveName # Basic debounce: ignore empty drive names if (-not \)driveLetter) { return } \(time = Get-Date -Format o \)logLine = “\(time - EventType:\)eventType - Drive:\(driveLetter" Add-Content -Path "C:\Logs\disk_changes.log" -Value \)logLine if (\(eventType -eq 3) { # Example actions: copy a folder, run antivirus scan, send notification Start-Job -ScriptBlock { param(\)d) robocopy ”\(d\Important" "C:\Backup\\)(\(d.TrimEnd('\'))" /MIR Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3 -File \)d“ -Wait } -ArgumentList \(driveLetter } } # Main loop: wait for events and dispatch while (\)true) { \(event = Wait-Event -SourceIdentifier DiskChangeEvent Handle-DiskChange -Event \)event Remove-Event -EventIdentifier \(event.EventIdentifier } </code></div></div></pre> Notes: <ul> <li>Run as an account with rights to access drives and write logs.</li> <li>Use signed scripts and execution policy to prevent tampering.</li> <li>Adjust event type mapping for your Windows version.</li> </ul> <h2>Linux: udev rule + systemd service + handler script</h2> Use udev to detect device addition/removal and hand off to a systemd service that runs a Bash handler script. This avoids running heavy tasks inside udev directly. <ol> <li>udev rule (/etc/udev/rules.d/99-disk-change.rules):</li> </ol> <pre><div class="XG2rBS5V967VhGTCEN1k"><div class="nHykNMmtaaTJMjgzStID"><div class="HsT0RHFbNELC00WicOi8"><svg width="16" height="16" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M15.434 7.51c.137.137.212.311.212.49a.694.694 0 0 1-.212.5l-3.54 3.5a.893.893 0 0 1-.277.18 1.024 1.024 0 0 1-.684.038.945.945 0 0 1-.302-.148.787.787 0 0 1-.213-.234.652.652 0 0 1-.045-.58.74.74 0 0 1 .175-.256l3.045-3-3.045-3a.69.69 0 0 1-.22-.55.723.723 0 0 1 .303-.52 1 1 0 0 1 .648-.186.962.962 0 0 1 .614.256l3.541 3.51Zm-12.281 0A.695.695 0 0 0 2.94 8a.694.694 0 0 0 .213.5l3.54 3.5a.893.893 0 0 0 .277.18 1.024 1.024 0 0 0 .684.038.945.945 0 0 0 .302-.148.788.788 0 0 0 .213-.234.651.651 0 0 0 .045-.58.74.74 0 0 0-.175-.256L4.994 8l3.045-3a.69.69 0 0 0 .22-.55.723.723 0 0 0-.303-.52 1 1 0 0 0-.648-.186.962.962 0 0 0-.615.256l-3.54 3.51Z"></path></svg>Code</div><div class="CF2lgtGWtYUYmTULoX44"><button type="button" class="st68fcLUUT0dNcuLLB2_ ffON2NH02oMAcqyoh2UU MQCbz04ET5EljRmK3YpQ CPXAhl7VTkj2dHDyAYAf" data-copycode="true" role="button" aria-label="Copy Code"><svg viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M9.975 1h.09a3.2 3.2 0 0 1 3.202 3.201v1.924a.754.754 0 0 1-.017.16l1.23 1.353A2 2 0 0 1 15 8.983V14a2 2 0 0 1-2 2H8a2 2 0 0 1-1.733-1H4.183a3.201 3.201 0 0 1-3.2-3.201V4.201a3.2 3.2 0 0 1 3.04-3.197A1.25 1.25 0 0 1 5.25 0h3.5c.604 0 1.109.43 1.225 1ZM4.249 2.5h-.066a1.7 1.7 0 0 0-1.7 1.701v7.598c0 .94.761 1.701 1.7 1.701H6V7a2 2 0 0 1 2-2h3.197c.195 0 .387.028.57.083v-.882A1.7 1.7 0 0 0 10.066 2.5H9.75c-.228.304-.591.5-1 .5h-3.5c-.41 0-.772-.196-1-.5ZM5 1.75v-.5A.25.25 0 0 1 5.25 1h3.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-3.5A.25.25 0 0 1 5 1.75ZM7.5 7a.5.5 0 0 1 .5-.5h3V9a1 1 0 0 0 1 1h1.5v4a.5.5 0 0 1-.5.5H8a.5.5 0 0 1-.5-.5V7Zm6 2v-.017a.5.5 0 0 0-.13-.336L12 7.14V9h1.5Z"></path></svg>Copy Code</button><button type="button" class="st68fcLUUT0dNcuLLB2_ WtfzoAXPoZC2mMqcexgL ffON2NH02oMAcqyoh2UU MQCbz04ET5EljRmK3YpQ GnLX_jUB3Jn3idluie7R"><svg fill="none" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" d="M20.618 4.214a1 1 0 0 1 .168 1.404l-11 14a1 1 0 0 1-1.554.022l-5-6a1 1 0 0 1 1.536-1.28l4.21 5.05L19.213 4.382a1 1 0 0 1 1.404-.168Z" clip-rule="evenodd"></path></svg>Copied</button></div></div><div class="mtDfw7oSa1WexjXyzs9y" style="color: var(--sds-color-text-01); font-family: var(--sds-font-family-monospace); direction: ltr; text-align: left; white-space: pre; word-spacing: normal; word-break: normal; font-size: var(--sds-font-size-label); line-height: 1.2em; tab-size: 4; hyphens: none; padding: var(--sds-space-x02, 8px) var(--sds-space-x04, 16px) var(--sds-space-x04, 16px); margin: 0px; overflow: auto; border: none; background: transparent;"><code class="language-text" style="color: rgb(57, 58, 52); font-family: Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace; direction: ltr; text-align: left; white-space: pre; word-spacing: normal; word-break: normal; font-size: 0.9em; line-height: 1.2em; tab-size: 4; hyphens: none;">ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_TYPE}!="", RUN+="/usr/bin/systemd-run --unit=disk-change-handler %E{DEVNAME} add" ACTION=="remove", SUBSYSTEM=="block", RUN+="/usr/bin/systemd-run --unit=disk-change-handler %E{DEVNAME} remove" </code></div></div></pre> <ol start="2"> <li>Handler script (/usr/local/bin/disk-change-handler.sh):</li> </ol> <pre><div class="XG2rBS5V967VhGTCEN1k"><div class="nHykNMmtaaTJMjgzStID"><div class="HsT0RHFbNELC00WicOi8"><svg width="16" height="16" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M15.434 7.51c.137.137.212.311.212.49a.694.694 0 0 1-.212.5l-3.54 3.5a.893.893 0 0 1-.277.18 1.024 1.024 0 0 1-.684.038.945.945 0 0 1-.302-.148.787.787 0 0 1-.213-.234.652.652 0 0 1-.045-.58.74.74 0 0 1 .175-.256l3.045-3-3.045-3a.69.69 0 0 1-.22-.55.723.723 0 0 1 .303-.52 1 1 0 0 1 .648-.186.962.962 0 0 1 .614.256l3.541 3.51Zm-12.281 0A.695.695 0 0 0 2.94 8a.694.694 0 0 0 .213.5l3.54 3.5a.893.893 0 0 0 .277.18 1.024 1.024 0 0 0 .684.038.945.945 0 0 0 .302-.148.788.788 0 0 0 .213-.234.651.651 0 0 0 .045-.58.74.74 0 0 0-.175-.256L4.994 8l3.045-3a.69.69 0 0 0 .22-.55.723.723 0 0 0-.303-.52 1 1 0 0 0-.648-.186.962.962 0 0 0-.615.256l-3.54 3.51Z"></path></svg>bash</div><div class="CF2lgtGWtYUYmTULoX44"><button type="button" class="st68fcLUUT0dNcuLLB2_ ffON2NH02oMAcqyoh2UU MQCbz04ET5EljRmK3YpQ CPXAhl7VTkj2dHDyAYAf" data-copycode="true" role="button" aria-label="Copy Code"><svg viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M9.975 1h.09a3.2 3.2 0 0 1 3.202 3.201v1.924a.754.754 0 0 1-.017.16l1.23 1.353A2 2 0 0 1 15 8.983V14a2 2 0 0 1-2 2H8a2 2 0 0 1-1.733-1H4.183a3.201 3.201 0 0 1-3.2-3.201V4.201a3.2 3.2 0 0 1 3.04-3.197A1.25 1.25 0 0 1 5.25 0h3.5c.604 0 1.109.43 1.225 1ZM4.249 2.5h-.066a1.7 1.7 0 0 0-1.7 1.701v7.598c0 .94.761 1.701 1.7 1.701H6V7a2 2 0 0 1 2-2h3.197c.195 0 .387.028.57.083v-.882A1.7 1.7 0 0 0 10.066 2.5H9.75c-.228.304-.591.5-1 .5h-3.5c-.41 0-.772-.196-1-.5ZM5 1.75v-.5A.25.25 0 0 1 5.25 1h3.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-3.5A.25.25 0 0 1 5 1.75ZM7.5 7a.5.5 0 0 1 .5-.5h3V9a1 1 0 0 0 1 1h1.5v4a.5.5 0 0 1-.5.5H8a.5.5 0 0 1-.5-.5V7Zm6 2v-.017a.5.5 0 0 0-.13-.336L12 7.14V9h1.5Z"></path></svg>Copy Code</button><button type="button" class="st68fcLUUT0dNcuLLB2_ WtfzoAXPoZC2mMqcexgL ffON2NH02oMAcqyoh2UU MQCbz04ET5EljRmK3YpQ GnLX_jUB3Jn3idluie7R"><svg fill="none" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" fill-rule="evenodd" d="M20.618 4.214a1 1 0 0 1 .168 1.404l-11 14a1 1 0 0 1-1.554.022l-5-6a1 1 0 0 1 1.536-1.28l4.21 5.05L19.213 4.382a1 1 0 0 1 1.404-.168Z" clip-rule="evenodd"></path></svg>Copied</button></div></div><div class="mtDfw7oSa1WexjXyzs9y" style="color: var(--sds-color-text-01); font-family: var(--sds-font-family-monospace); direction: ltr; text-align: left; white-space: pre; word-spacing: normal; word-break: normal; font-size: var(--sds-font-size-label); line-height: 1.2em; tab-size: 4; hyphens: none; padding: var(--sds-space-x02, 8px) var(--sds-space-x04, 16px) var(--sds-space-x04, 16px); margin: 0px; overflow: auto; border: none; background: transparent;"><code class="language-bash" style="color: rgb(57, 58, 52); font-family: Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace; direction: ltr; text-align: left; white-space: pre; word-spacing: normal; word-break: normal; font-size: 0.9em; line-height: 1.2em; tab-size: 4; hyphens: none;">#!/usr/bin/env bash DEVNAME="\)1” ACTION=“\(2" LOG="/var/log/disk_change.log" TIME="\)(date –iso-8601=seconds)” echo “\(TIME \)ACTION \(DEVNAME" >> "\)LOG” # Wait for mount (for add): simple debounce if [ “\(ACTION" = "add" ]; then for i in {1..10}; do MOUNTPOINT=\)(lsblk -no MOUNTPOINT ”\(DEVNAME" 2>/dev/null) if [ -n "\)MOUNTPOINT“ ]; then break; fi sleep 0.5 done if [ -n ”\(MOUNTPOINT" ]; then # Example: copy files from a known folder on device mkdir -p /srv/backup/"\)(basename “\(DEVNAME")" rsync -a --remove-source-files "\)MOUNTPOINT/Important/” /srv/backup/“\((basename "\)DEVNAME”)/” # Trigger malware scan (clamscan example) clamscan -r –log=“\(LOG" "\)MOUNTPOINT” fi fi

Make script executable: chmod +x /usr/local/bin/disk-change-handler.sh

systemd service template (optional) to control execution limits: Create /etc/systemd/system/disk-[email protected] with conservative timeouts and resource limits.

Testing and deployment

Test with known removable media and simulate rapid connect/disconnect to exercise debounce.

Run the monitor under a non-root account when possible; use sudo for specific commands.

Monitor logs and add alerts for failures (e.g., service restart on repeated errors).

Security precautions

Never auto-run executables from removable media.

Whitelist specific folders or file patterns for automatic processing.

Scan media before copying sensitive data to the host.

Keep backups and audit trails for all automated actions.

Troubleshooting

No events: Ensure WMI service (Windows) or udev rules (Linux) are active and scripts are executable.

Duplicate triggers: Increase debounce delay or track processed device IDs in a temporary state file.

Permission errors: Run required parts with minimal elevated privileges only.

Conclusion

A disk change monitor script can automate backups, scans, and logging efficiently when designed with event-driven architecture, debounce logic, idempotence, and strict security controls. Start small—log events and run safe read-only actions—then expand automation once reliability is proven.

Disk Change Monitor Best Practices: Logging, Notifications, and Security

Automating Responses with a Disk Change Monitor Script

Why automate disk-change responses

Design considerations

Windows: PowerShell-based monitor

Testing and deployment

Security precautions

Troubleshooting

Conclusion

Comments

Leave a Reply Cancel reply

More posts

i-Net: A Complete Beginner’s Guide to Getting Connected

From MP3s to Masterpiece: Be a Ringtone DJ and Create Custom Mixes

Qnet Software Suite: Complete Overview & Key Features

Quick Reference: Commands and Options for Model C1D0U252 X12 Parser