Using OpsMgr to Detect SMB (Shared Folders) Connections to Windows Computers

I wrote this simple management pack a couple of weeks ago to detect new SMB (Shared Folders) connections as well as disconnection events on OpsMgr agents.

The MP contains two (2) WMI event rules, one for new connection events and one for disconnection events. Each rule generates an Informational alert:

New Connection alert:


Disconnection Alert:


I’ve used the Microsoft.Windows.WmiEventProvider.EventProvider module as the data source module for both rules. The WMI queries used for these rules are:

New Connection Rule:

Select * from __InstanceCreationEvent within 1 where TargetInstance ISA 'Win32_ServerConnection' and TargetInstance.ShareName !='IPC$'


Disconnection Rule:

Select * from __InstanceDeletionEvent within 1 where TargetInstance ISA 'Win32_ServerConnection' and TargetInstance.ShareName !='IPC$'

Both rules are disabled by default; you will need to enable them via overrides:


I left this running on my laptop at work. It was pretty funny: yesterday a colleague of mine connected to my C$ to check a few ConfigMgr client log files. I found out straightaway, forwarded the alert notification email that OpsMgr sent to me, and asked him what he was looking for on my C drive.

Please be very cautious about which computers you enable these rules on. Please try not to enable them on servers like domain controllers, file & print servers, ConfigMgr servers etc. if you are not prepared to deal with the large number of alerts these rules may generate!
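
One way to trial the two WQL queries above on a single computer before enabling the overrides, and to tally the events they raise so you can judge the likely alert volume. This is an added example, not part of the management pack; it assumes an elevated PowerShell session, and the $Minutes parameter and the SmbConnect / SmbDisconnect identifiers are names chosen here.

```powershell
# Added example: subscribe to the same WMI events the two rules use and
# count them per share / user / client for a trial period.
param([int]$Minutes = 10)   # hypothetical parameter: length of the trial run

# Same filter as the rules: every Win32_ServerConnection except IPC$
$filter  = "TargetInstance ISA 'Win32_ServerConnection' and TargetInstance.ShareName != 'IPC`$'"
$queries = @{
    SmbConnect    = "Select * from __InstanceCreationEvent within 1 where $filter"
    SmbDisconnect = "Select * from __InstanceDeletionEvent within 1 where $filter"
}

foreach ($id in $queries.Keys) {
    Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $queries[$id] -SourceIdentifier $id
}

$seen     = [System.Collections.Generic.List[object]]::new()
$deadline = (Get-Date).AddMinutes($Minutes)
try {
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
        # Only drain events raised by our own two subscriptions
        $ours = Get-Event | Where-Object { $queries.ContainsKey($_.SourceIdentifier) }
        foreach ($e in $ours) {
            $t = $e.SourceEventArgs.NewEvent.TargetInstance
            $seen.Add([pscustomobject]@{
                Time   = $e.TimeGenerated
                Event  = $e.SourceIdentifier
                Share  = $t.ShareName
                User   = $t.UserName
                Client = $t.ComputerName
            })
            Remove-Event -EventIdentifier $e.EventIdentifier
        }
    }
}
finally {
    # Always remove the subscriptions, even if the run is interrupted
    foreach ($id in $queries.Keys) { Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue }
}

# Each row approximates one alert the rules would have generated
$seen | Group-Object Event, Share, User, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A computer that produces hundreds of rows in a short run is one of the noisy servers described above and a poor candidate for the override.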

The unsealed MP can be downloaded HERE.


  1. Hi, if I just want to monitor C$ shares only? This is to monitor if shares on a server are accessible. I have this situation in my company whenever users are unable to access their shared folder (in some cases the server was in a hung state).
