File Size monitoring using VBScript(WMI) — Remote and Local machine.

Image Source: https://www.lifewire.com/what-is-a-file-2625878

So Today we will be writing a simple VBScript program to monitor the size of the file. If the size of the file is found to be more than the threshold mentioned by the user then an alert will be generated. Sounds easy right..? Let’s get to it then.

Also WMI(Windows Management instrumentation) must be installed on the target machine to make this tutorial work for you and since WMI is limited to Windows machine this tutorial will work only for the windows users. (Sorry Linux Folks)

We will first go through some of the main sections of the scripts and then move to the the code part. Full Code of the Script is also available at this Github Repo. You can have a look at the output section of the article to know what exactly we will be achieving.

Without much a do and a backstory how I ended up on vbScript..lets move to the code and implementation part.

Code Sections

The objective of this section is to make you understand different sections of the script. After understanding different section of the script we will move to the code flow section.
Now have a look at these two lines which are part of our main vbscript program:

Set objWbemlocator = CreateObject("WbemScripting.SWbemLocator")
Set wbemServices = objWbemlocator.ConnectServer(strComputer,"ROOT\CIMV2",strUsername,strPassword)

Here ConnectServer method of SWbemLocator is used to connect to the system/computer. strComputer is the name of the machine you are going to connect to i.e it is the machine on which the file residing.
Note: This is not a Hacking tutorial(I wish it was :( ) therefore, you need to have the Computer name, username and password for the remote system. The above code is for connecting to the remote machine.. For the local machine only the local machine name is enough.
For the local machine the connection code will look something like this.

Set objWbemlocator = CreateObject(“WbemScripting.SWbemLocator”)
Set wbemServices = objWbemlocator.ConnectServer(strComputer,”ROOT\CIMV2")

Got the difference between the two? As mentioned above in the notes username and password is not required for local machine.

Now we are done with the connection, this is the perfect time to ask the user for the path of the file to monitor. This piece of code will be used in the script to ask the user about the full path of the file file which he/she is planning to monitor.

strFile = InputBox(“please enter a full path for the file to monitor:”,”Monitor File”)

If you are familiar with the vbscript you will know that this will open a message box and ask for for an input(here it is the full path of the file). Example: C:\\Users\\hackslanger\\Desktop\\test.txt (Use ‘\\’ instead of ‘\’). This is the path of the file which user want to monitor.

So till now connection is made, we also know about the file path So, now we need to give the size limit(a threshold value) so that if the file size increased this limit an alert will be generated to notify you that the file size has increased than the normal threshold value.

sizeLimit = 2000

Here we are manually defining the sizeLimit, you can modify this piece of code to take this value as per users requirement dynamically.(By implementinig a inputBox as we did for the file path).

Now you will be like..i know all this but how do I get the present size of the file ? So, your wait is over :) . This piece of code will get you the size of the file in “bytes”. If you see carefully you can see wbemServices which we used to connect to to machine.

Set colFiles = wbemServices.ExecQuery(“Select * from CIM_Datafile where Name=’” & strFile &”’”)
For Each objFile in colFiles
strOriginalSize = objFile.FileSize
Wscript.Echo “Original Size of the File :: “ & strOriginalSize
Next

The above code “looks like” SQL select query to fetch data from a table named ‘CIM_Datafile’ where the ‘Name’ field is equal to strFile(aka full path of the file which we need to monitor) and its result is stored in the colFiles object. This object can be traversed using a for each loop and necessary data can be extracted. We are using wbemServices object which we received while connecting to the machine. This wbenServices object can be used to execute a query which will return an object of CIM_Datafile class. There are more things which you can receive from CIM_Datafile class about the file like CreationDate, Drive in which the file is saved, FileType, InsatallDate and many more things. Click Here to know more.

Inside the for loop we are just getting the FileSize for the file which we have asked for.

Now we have our file size so that main coding portion is done but still we need to create a particular code flow to make this work.

Code Flow along With Screenshots

You can have a look at the following screenshots to get familiar to the code flow of the program and how we have actually used the above described concepts in the real world scenario to achieve file size monitoring.

Section 1: Line 1 to Line 8
As mention in the beginning of the tutorial that we will be making an object for SWbemLocator. We will later use this object to connect to the remote machine. Other lines are for error handling.
Section 2: Line 10 to Line 26
We Will be executing this programme using the command line. Therefore we will be sending the parameters like username and password in the command line only. Case 1 will be executed when we are only sending one parameter and the monitor which we are willing to monitor is in our local machine. Also you can see that we are sending only the strComputer i.e the computer name as an rgument in the ConnectServer method. Case 2 is executed when we are sending three paramters i.e machine name(strComputer), username, password(thats why Case 3) to the ConnectServer function. All these command line arguments will be accessed using Wscript.Arguments.Item(i). If you are really eager to see the command you can have a quick look at the end of the article where I have given both the commands. And the last case is for the case when the user has given inappropriate number of arguments in command line, program will close automatically when it reached this last case.

Section 3: Line 29 to Line 39
We are just aksing the user to give the full file path in the message box. It is inside Do while loop so that the program will proceed futhur only and only if the user has entered the file path.
Section 4: Line 39
This sizeLimit will be used as a threshold value which means if the size of file is more than 2000 bytes an alert should be generated.
Section 5: Line 43 to Line 50
As explained earlier too, this is the core piece of code to get the size of the file.

Section 6: Line 54 to line 73
This is the section which keeps tracks of the file size continusously. Do Loop is used since this program will be running for ever to keep monitoring the file. 
Wscript.sleep is used to make sure that the file size is monitored after particular period of interval(1800 is the interval time given in the code here). Line 56 to Line 63 are kind of repetition of the previous section, to get the updated value of the size of the file. After getting the updated new value of size of file its now time to check if this new value is greater than sizeLimit or not. Depending on this an alert can be show as shown from Line 68 to line 72.

Follow the following steps to get to know about how to create the file and execute it:

  1. Create a file name fileMonitringBySize.vbs or anything file name with file extension of .vbs.
  2. Write/Copy the code from the Github Repository.
  3. Open the folder path in cmd and execute the script using this command:
' For Remote User
cscript fileMonitoringBySize.vbs <machine_name> <username> <passwd>
'For local machine
cscript fileMonitoringBySize.vbs <machine_name>

Output

This will give you an output like this:

ritesh-pt1879 is the strComputer (Local Machine). Provide the full path for the file in the message box and press OK button.
The file path can be seen in the CMD available on the right side. Where as on the left we have image of the file loop.txt. As shown in the output in cmd the original size ofthe file is 45 bytes.
After adding some content in loop.txt file(While the script is still running) you can seen on the cmd that the strLatestSize is given as 6300 bytes and the alert message is generated.

Hope this tutorial was helpful to you. For any clarification or any recommendation for future posts you can ask it in the comment section.