Please refer to the script below: it generates an alert when the restore-point storage space used on your system reaches a certain threshold, and if no restore point is present on your system it automatically creates one.
For example, if the restore-point storage in use is 2.00 GB and the threshold condition is set to 1.5 GB, the condition is met and an alert is generated.
NOTE: In the script below, “Max_rp_size=1.0” sets the threshold restore-point storage size in GB (1.0 = 1 GB). To set the threshold to 2 GB, replace the value with 2.0; to set it to 800 MB, use 0.80.
Please run the script as System Administrator.
Please refer to the JSON file for execution.
# Monitor script: alerts when the used System Restore (shadow copy) storage on
# the system drive reaches Max_rp_size, and creates a restore point when the
# drive has none.
# Threshold for used restore-point storage, in GB.
Max_rp_size = 1.0
import os
import sys
import _winreg
# Volume the vssadmin queries below are scoped to: the Windows system drive
# (typically "C:"), taken from the environment; raises KeyError if unset.
drive = os.environ["SystemDrive"]
def alert(arg):
    """Signal the monitor state on stderr.

    Writes the digit ``arg`` three times with no newline; per the notes
    below, ``alert(1)`` turns the monitor on and ``alert(0)`` turns it off.
    """
    sys.stderr.write("%d%d%d" % ((arg,) * 3))
# Please use "alert(1)" to turn on the monitor(trigger an alert)
# Please use "alert(0)" to turn off the monitor(disable an alert)
# Please do not change above block and write your script below
import re
import getpass
import socket
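def ecmd(CMD, r=True):
    """Run CMD through the shell with WOW64 file-system redirection suspended.

    Returns the exit code when r is true; otherwise returns stdout on a zero
    exit code and the exit code itself on failure.

    NOTE: a second ``def ecmd`` further down the file (default r=False,
    tuple return) rebinds the name before the first call, so this definition
    is never used.
    NOTE(review): shell=True hands CMD to the command interpreter; callers in
    this file pass fixed strings only interpolating the SystemDrive variable.
    """
    import ctypes
    from subprocess import PIPE, Popen

    class disable_file_system_redirection(object):
        """Suspend WOW64 file-system redirection for the block so a 32-bit
        interpreter on 64-bit Windows reaches the native System32 tools.
        Degrades to a no-op where ctypes.windll or the kernel32 export is
        missing instead of raising AttributeError."""

        def __init__(self):
            kernel32 = getattr(getattr(ctypes, "windll", None), "kernel32", None)
            self._disable = getattr(kernel32, "Wow64DisableWow64FsRedirection", None)
            self._revert = getattr(kernel32, "Wow64RevertWow64FsRedirection", None)
            self.success = 0
            self.old_value = ctypes.c_long()

        def __enter__(self):
            if self._disable is not None and self._revert is not None:
                self.success = self._disable(ctypes.byref(self.old_value))
            return self

        def __exit__(self, exc_type, exc_value, tb):
            # Only revert what was actually disabled.
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        proc = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = proc.communicate()
    ret = proc.returncode
    if r:
        return ret
    return out if ret == 0 else ret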
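# Identify the host in the output: the account running the script and its
# primary local IP address.
print("USER NAME: " + getpass.getuser())
# connect() on a UDP socket sends nothing; it only selects the outbound
# interface, whose address getsockname() then reports. The socket is always
# closed, and an offline host no longer aborts the whole check here.
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    s.connect(("8.8.8.8", 80))
    print("IP-ADDRESS : " + (s.getsockname()[0]))
except socket.error as exc:
    print("IP-ADDRESS : unavailable (%s)" % exc)
finally:
    s.close()
from time import gmtime, strftime
# UTC timestamp of this run (computed here, not printed by the code shown).
time = strftime("%Y-%m-%d %H:%M:%S", gmtime())
print('\n')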
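def ecmd(CMD, r=False):
    """Run CMD through the shell with WOW64 file-system redirection suspended.

    Returns the exit code alone when r is true; otherwise returns
    (stdout, exit_code) on a zero exit code and (stderr, exit_code) on
    failure. This definition replaces the earlier ``ecmd`` in the file and is
    the one the restore-point check below calls.

    NOTE(review): shell=True hands CMD to the command interpreter; callers in
    this file pass fixed strings only interpolating the SystemDrive variable.
    """
    import ctypes
    from subprocess import PIPE, Popen

    class disable_file_system_redirection(object):
        """Suspend WOW64 file-system redirection for the block so a 32-bit
        interpreter on 64-bit Windows reaches the native System32 tools.
        Degrades to a no-op where ctypes.windll or the kernel32 export is
        missing instead of raising AttributeError."""

        def __init__(self):
            kernel32 = getattr(getattr(ctypes, "windll", None), "kernel32", None)
            self._disable = getattr(kernel32, "Wow64DisableWow64FsRedirection", None)
            self._revert = getattr(kernel32, "Wow64RevertWow64FsRedirection", None)
            self.success = 0
            self.old_value = ctypes.c_long()

        def __enter__(self):
            if self._disable is not None and self._revert is not None:
                self.success = self._disable(ctypes.byref(self.old_value))
            return self

        def __exit__(self, exc_type, exc_value, tb):
            # Only revert what was actually disabled.
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        proc = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = proc.communicate()
    ret = proc.returncode
    if r:
        return ret
    return (out, ret) if ret == 0 else (err, ret)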
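def ExecuteCMD(CMD, OUT=False):
    """Run CMD through the shell with WOW64 redirection suspended.

    Returns False on a non-zero exit code. On success returns stripped stdout
    when OUT is true and the command printed something, else True.
    The callers below pass fixed command strings only.
    """
    import ctypes
    from subprocess import PIPE, Popen

    class disable_file_system_redirection(object):
        """Suspend WOW64 file-system redirection for the block; a no-op where
        ctypes.windll or the kernel32 export is absent."""

        def __init__(self):
            kernel32 = getattr(getattr(ctypes, "windll", None), "kernel32", None)
            self._disable = getattr(kernel32, "Wow64DisableWow64FsRedirection", None)
            self._revert = getattr(kernel32, "Wow64RevertWow64FsRedirection", None)
            self.success = 0
            self.old_value = ctypes.c_long()

        def __enter__(self):
            if self._disable is not None and self._revert is not None:
                self.success = self._disable(ctypes.byref(self.old_value))
            return self

        def __exit__(self, exc_type, exc_value, tb):
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        proc = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = proc.communicate()
    if proc.returncode != 0:
        return False
    if OUT and out != '':
        return out.strip()
    return True


# ecmd (r=False) returns (stdout, 0) on success and (stderr, exit_code) on
# failure; an exit code of 1 is treated, as before, as "no shadow storage on
# this volume", i.e. no restore point exists yet.
p, ret1 = ecmd('vssadmin list ShadowStorage /For=%s' % drive)

if ret1 == 1:
    print('No Restore Points present in your system')
    print('\n')
    print('Creating new Restore Point..........')
    # Windows throttles scripted restore-point creation (by default to one
    # per 24 h) via SystemRestorePointCreationFrequency; 0 lifts the throttle.
    # The value is written machine-wide, so it is removed again in a finally
    # block even if the WMIC call raises. Deleting it restores the OS
    # default, not a custom value an administrator may have configured.
    ExecuteCMD(r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointCreationFrequency /t REG_DWORD /d 0 /f')
    try:
        # 100 and 12 are presumably the EventType (BEGIN_SYSTEM_CHANGE) and
        # RestorePointType (MODIFY_SETTINGS) codes - confirm against the
        # SystemRestore WMI class before changing them.
        print(ExecuteCMD(r'WMIC /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "BY COMODO ITSM %DATE% %TIME%", 100, 12', True))
    finally:
        ExecuteCMD(r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointCreationFrequency /f')
    alert(1)
else:
    # English vssadmin output reads e.g. "Used Shadow Copy Storage space: 1.52 GB (0%)".
    # Capture the number and its unit explicitly: the previous
    # str.strip() with a character set only worked by accident.
    match = re.search(r'Used Shadow Copy Storage space:\s*([\d.]+)\s*([A-Za-z]+)', p or '')
    if match is None:
        print('Could not read used restore point storage from vssadmin output (exit code %s)' % ret1)
    else:
        USED, unit = match.group(1), match.group(2)
        # Max_rp_size is in GB; only GB and MB values are handled, as before.
        scale = {'GB': 1.0, 'MB': 1.0 / 1024}.get(unit)
        if scale is None:
            print('Unhandled storage unit ' + unit + ' in vssadmin output')
        elif float(USED) * scale >= Max_rp_size:
            alert(1)
            print('USED RESTORE POINT STORAGE SPACE ' + USED + unit + ' IS GREATER THAN THRESHOLD SPACE')
            print('\n')
            print('For more details:')
            # Volume association lines come from the output already in hand
            # (no second vssadmin run); "\\?\" prefixes are trimmed for readability.
            info = re.findall(r'(For\svolume|Shadow\sCopy\sStorage\svolume):(.*)', p)
            for entry in info:
                print(''.join(entry).replace('\\\\?\\', ' ').strip('\\'))
            print('\n')
            # Creation dates and details of each shadow copy.
            shadows, _ = ecmd('vssadmin list shadows /for=%s ' % drive)
            print(shadows)
        else:
            print('USED RESTORE POINT STORAGE SPACE ' + USED + unit + ' IS LESS THAN THRESHOLD SPACE')
            alert(0)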
SAMPLE OUTPUT:
20170712-Restorepoint_threshold.json (9.06 KB)