Is there a way to programmatically disable usb storage devices from working while still keeping usb ports functional for other types of devices like keyboards and mice?
+3
A:
Taken from here, not tested:
Directions for Use:
1.) Take the following blue text, copy it, and paste it into a text document. Then, save it as USBSTOR.ADM.
CLASS MACHINE
CATEGORY "Custom Policies"
KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
POLICY "USB Mass Storage Installation"
EXPLAIN "When this policy is enabled, USB mass storage device permissions can be changed by using the drop down box.
Selecting 'Grant Permission' will allow USB mass storage devices to be installed. Selecting 'Deny Permission' will prohibit
the installation of USB mass storage devices.
IF REMOVING THIS POLICY: Reset to original setting and let policy propegate before deleting policy."
PART "Change Settings:" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
NAME "Deny Permission" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
2.) Open a group policy management console (gpedit.msc), and right click on "administrative templates" under "Computer Configuration". Select "Add/Remove Templates".
3.) Browse to the text document you just saved and click OK. You'll now see "Custom Policies" under "Administrative Templates". Right click on it, select "View", then select "Filtering". Uncheck the bottom box, labeled "Only show policy settings that can be fully managed".
4.) Click ok. Now you'll see the USB policy available for use under the custom policy heading. From there, you can enable or disable it just like any other policy.
or (to disable USB storage devices, tested on XP SP3)
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
(to enable USB storage devices, tested on XP SP3)
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 3 /f
PabloG
2008-12-13 14:10:05
A:
Best thing to do is to apply this as a Domain GPO across the group of users you do not wish to give USB access to. Best speak to your friendly sysadmin if you have one.
Applying this on each computer as a local policy is sub-optimal.
Nick Kavadias
2008-12-13 14:18:32
Is there a way to programmatically disable usb storage devices????
Aizaz
2010-10-18 09:36:14
A:
It works only if MASS storage needs to be disabled, however we also need data card to be working
Satinder
2010-01-05 08:33:39
+1
A:
Hi,
We can use Below Dos batch files to disable and enable USB Storage.............
Disable_usb_storage.bat
@echo off
:: Disable USBstor driver reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f
:: USB Read Only Mode reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f
:: USB Disable startup
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Boot /t REG_DWORD /d 0 /f
rem reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v System /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Auto Load /t REG_DWORD /d 0 /f
:: Disable read permissions on USBstor driver
:: Remove Access for Users from files
cacls %SystemRoot%\inf\usbstor.inf /E /R users cacls %SystemRoot%\inf\usbstor.PNF /E /R users cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R users cacls %SystemRoot%\inf\usbstor.inf /E /D users cacls %SystemRoot%\inf\usbstor.PNF /E /D users cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D users
:: Remove Access for System cacls %SystemRoot%\inf\usbstor.inf /E /R system cacls %SystemRoot%\inf\usbstor.PNF /E /R system cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R system cacls %SystemRoot%\inf\usbstor.inf /E /D system cacls %SystemRoot%\inf\usbstor.PNF /E /D system cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D system
:: Remove Access for ower Users cacls %SystemRoot%\inf\usbstor.inf /E /R "Power Users" cacls %SystemRoot%\inf\usbstor.PNF /E /R "Power Users" cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R "Power Users" cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users" cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users" cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D "Power Users"
:: Remove Access for Administrators cacls %SystemRoot%\inf\usbstor.inf /E /R Administrators cacls %SystemRoot%\inf\usbstor.PNF /E /R Administrators cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Administrators cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Administrators
:: Remove Access for EveryOne cacls %SystemRoot%\inf\usbstor.inf /E /R Everyone cacls %SystemRoot%\inf\usbstor.PNF /E /R Everyone cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Everyone cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone
REM ::USB_REG_PERMISSION_changes
:: If parameter recover then undo all this IF [%1]==[enable] GOTO Enable :: Create a temporary .REG file - DISABLE USB
"%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [0 0 0 0] regini "%Temp%.\u1.ini" DEL "%Temp%.\u1.ini"
:Exit
:: Leave state
========================================
Enable_usb_storage.bat
@echo off
:: Enable USBstor driver from registry reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f
:: Enable USBstor READ / Write mode reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 0 /f
REM :: Remove permissions of actual USBSTORAGE Files
:: Provide Access for Users from files cacls %SystemRoot%\inf\usbstor.inf /E /G users:F cacls %SystemRoot%\inf\usbstor.PNF /E /G users:F cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G users:F rem cacls %SystemRoot%\inf\usbstor.inf /E /D users rem cacls %SystemRoot%\inf\usbstor.PNF /E /D users
:: Provide Access for System cacls %SystemRoot%\inf\usbstor.inf /E /G system:F cacls %SystemRoot%\inf\usbstor.PNF /E /G system:F cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G system:F rem cacls %SystemRoot%\inf\usbstor.inf /E /D system rem cacls %SystemRoot%\inf\usbstor.PNF /E /D system
:: Provide Access for ower Users cacls %SystemRoot%\inf\usbstor.inf /E /G "Power Users":F cacls %SystemRoot%\inf\usbstor.PNF /E /G "Power Users":F cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G "Power Users":F rem cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users" rem cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users"
:: Provide Access for Administrators cacls %SystemRoot%\inf\usbstor.inf /E /G Administrators:F cacls %SystemRoot%\inf\usbstor.PNF /E /G Administrators:F cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G Administrators:F rem cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators
:: Provide Access for EveryOne cacls %SystemRoot%\inf\usbstor.inf /E /G Everyone:F cacls %SystemRoot%\inf\usbstor.PNF /E /G Everyone:F cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /F Everyone:F rem cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone rem cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone
REM ::USB_REG_PERMISSION_changes
:: If parameter recover then undo all this IF [%1]==[enable] GOTO Enable :: Create a temporary .REG file - DISABLE USB
"%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [1 5 8 11 17] regini "%Temp%.\u1.ini" DEL "%Temp%.\u1.ini"
:Exit
:: Leave state
=====================================================
A:
Hi there
1.first restart your machine 2.open registry 3.Hkey_Local_Machine 4.system 5.currentconteolset 6.service 7.USBstore
In a start to change Value apply to Disable for 4 & Enable to 3
Thanks & Regards
Ankit moradiya
ankit moradiya
2010-07-30 07:19:32