How to disable USB Drives (jump/flash/external/etc.)
jwmac
27th May 2005, 19:54
This explains how to disable ONLY USB storage devices (flash/jump/external HDs) completely without disabling keyboards, mice, etc.
I decided to go this route after trying every other option I could find on the internet. So far this is the only way I have found to completely kill USB drives without ways to get around the restrictions. Edit: WITHOUT PURCHASING THIRD PARTY SOFTWARE.
First thing to do is this:
1. Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.
2. Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesn't exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know this is a Microsoft suggestion, which does work perfectly at disabling previously installed devices; however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off, then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices; this may be acceptable for some, but not for others.))
3. The next thing to do is to change the permissions on the USBSTOR key. You need to DENY full control on the "system" group.
((What this does is deny everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because Windows will use this account if no one is logged onto the machine yet. What I mean by this is if, say, you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but if a "staff" group user plugs a USB drive in before logging in to Windows, the device will be installed in the background using the "system" group; then when the user logs in the "staff" group policy is applied, denying the user access to the USBstor key, but by this point it makes no difference because the device is already installed and accessible, and once a device is installed the USBstor key is no longer used.))
4. So now that these two steps are done, *NO ONE* will be able to install USB drives.
If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value.
If a user plugs in a "new" device that was not previously installed, the hardware wizard will run, asking for the location of drivers. Regardless of whether the user selects "automatically search and install" or attempts to manually install 3rd-party drivers, the HW wizard will prompt the user that "access is denied" once the drivers are selected. This is the result of step 2, denying "system".
Now that we know how to disable USB storage devices we need to find an efficient way to do this without driving through the registry on each and every machine.
jwmac
27th May 2005, 19:55
continued...
This is what I did to accomplish this method of killing USB drives quickly and easily.
I created 2 batch files, 1 batch to disable and another for administrators (tech support, for example) that will re-enable USB drives if the need arises.
1: First thing is to get a copy of the tool "subinacl.exe". This tool is included with the MS Server 2003 RK.
((What subinacl allows you to do is set specific permissions on the exact group or user, etc., that you need to; this includes permissions on registry keys, which is what we will be doing.))
2: Once you have a copy of "subinacl.exe" set up a folder for your batch files. In my particular case I wanted these batch files available on the network so I created a shared folder named "DisableUSB" on a server. Next I created a subfolder within "DisableUSB" called "subinacl". Put a copy of "subinacl.exe" in this folder.
3. Next thing to do is create 2 “reg” files in the subfolder “subinacl”. I named the 2 files “dword3.reg” and “dword4.reg”. These files are going to be used to change the value of the dword “Start” in the registry key USBSTOR.
I assume most probably know how to create reg files; this is what should be in the files:
For “dword3.reg”
******
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
*change the 3 to a 4 for “dword4.reg”*
4. Now put these 2 files in the “subinacl” folder if they weren’t created there.
OK, all the pieces should now be in place. For this example we have a shared folder (on no particular server) called “disableUSB”. Within this folder is a subfolder “subinacl” that has subinacl.exe, dword3.reg, and dword4.reg within it.
5. Now to create the 2 batch files. I created these 2 files under the main share folder (disableUSB). One is called “disableUSBdrives.bat” which, you guessed it, disables drives, and the other for re-enabling drives, “enableUSBdrives.bat”. Wow…
This is how disableUSBdrives.bat is set up:
@echo off
cls
regedit /s \\servername\disableUSB\Subinacl\dword4.reg
\\servername\DisableUSB\Subinacl\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system
pause
cls
echo.
echo **USB drives disabled**
echo.
Pause
*the path will differ of course. \\servername is just an example.
For “enableUSBdrives.bat” simply change “dword4.reg” to “dword3.reg” AND “deny=system” to “grant=system”.
Notice that the only real meat to these batch files is running regedit and running subinacl. Everything else (cls, pause, echo) is optional; for my particular situation it was needed.
6. Go the machines that you want to disable USB drives on and run the disableUSBdrives batch from the network share.
And that’s it. USB drives gone.
Now of course running a batch from each machine is still time consuming, but in my particular situation it had to be done this way, and it is obviously much faster than driving through the registry.
The most efficient way to incorporate this would be with logon scripting. Unlike with just using the dword start=4 trick, after this script is run, there is no way for joe blow user to use any of his nifty little Jumpdrives or his hot new hard drives.
Also note that folder names and locations can be set up in any way and anywhere as long as the batch files point to the right place.
Anyway. hope this helps someone.
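The two steps above (Start=4, then an explicit Deny for SYSTEM on the USBSTOR key) and their reversal, as an added PowerShell example that is not part of jwmac's post and not the method the thread used: it replaces regedit and subinacl.exe with the built-in Set-ItemProperty and Set-Acl cmdlets, so no resource-kit tool is needed, and it adds a state check so the drift the thread describes (Start silently reset to 3 when a new device installs) is easy to spot. The function names, the S-1-5-18 SID lookup and the read-only StorageDevicePolicies helper are my additions. PowerShell did not exist when the thread was written; run this from an elevated (administrator) PowerShell session.

```powershell
# Added example (not from the thread): jwmac's two-step USBSTOR lockdown with native cmdlets.
# Requires an elevated PowerShell session. Function names are this example's own.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
# NT AUTHORITY\SYSTEM by well-known SID, so the check does not depend on the display language.
$SystemSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

# Return the explicit Deny/FullControl entries for SYSTEM from a RegistrySecurity object.
function Get-SystemDenyRules {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $SystemSid.Value -and
            $_.RegistryRights -eq 'FullControl'
        }
}

# Drift check: both controls must be in place for the key to count as locked down.
function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start   # 3 = demand start, 4 = disabled
    $acl   = Get-Acl -Path $UsbStorKey
    $denied = [bool](Get-SystemDenyRules $acl)
    [pscustomobject]@{ Start = $start; SystemDenied = $denied; LockedDown = ($start -eq 4 -and $denied) }
}

function Disable-UsbStorage {
    # Step 1: Start=4 (disabled) so already-installed USB storage devices no longer load usbstor.sys.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # Step 2: explicit Deny FullControl for SYSTEM on the key and its subkeys. The PnP installer
    # runs as SYSTEM, so this is what stops a new device from installing and resetting Start to 3.
    $acl = Get-Acl -Path $UsbStorKey
    if (-not (Get-SystemDenyRules $acl)) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $SystemSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $UsbStorKey -AclObject $acl
    }
}

function Enable-UsbStorage {
    # Undo in reverse order: restore the ACL first, then the Start value.
    $acl = Get-Acl -Path $UsbStorKey
    foreach ($rule in @(Get-SystemDenyRules $acl)) { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $UsbStorKey -AclObject $acl
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# Third control discussed further down the thread (XP SP2 and later): make USB storage read-only.
# StorageDevicePolicies does not exist by default, so it is created before the value is written.
function Set-UsbWriteProtect {
    param([bool]$Enabled = $true)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Value ([int]$Enabled) -Type DWord
}

# Usage (elevated):
#   Disable-UsbStorage; Get-UsbStorageState      # expect Start=4, SystemDenied=True, LockedDown=True
#   Enable-UsbStorage;  Get-UsbStorageState      # expect Start=3, SystemDenied=False
```

Two caveats. The Deny entry is an ordinary ACE: any local administrator can remove it again, so this is a control against ordinary users, not against admins. And Start=4 only stops the driver being loaded for the next device arrival; it does not unload a driver that is already serving a plugged-in drive, which is why the thread's scripts run at startup or logon. On Vista and later the same goal is reachable with the Group Policy settings under Computer Configuration > Administrative Templates > System > Removable Storage Access and Device Installation Restrictions, without touching the USBSTOR ACL.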
biggles77
27th May 2005, 20:07
NICE!! Thanks for that.
guyt
19th June 2005, 10:34
FYI: there is a new KB about the subject:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
kev147
14th November 2005, 18:56
I have tried the method in this post to no avail. I am having trouble with the subinacl command. Nothing I try seems to work with this utility, I have downloaded the subinacl.exe file from the Server 2003 resource kit.
In the batch file one of the commands I am typing is:
------------------
SUBINACL /KEYREG \\W20863\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /DENY=system=R
------------------
I have tried various syntax of this command. ie without the R on the end of the line, with or without the the computername "W20863".
When I run the above command, this is the output I get:
------------------------
+KEYREG \\W20863\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /GRANT=users=R
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
-------------------------
I don't understand what is happening. I don't get any success messages or failures by the look of it, so I am finding it hard to know what's going wrong. BTW my PC is Windows XP SP2. Can someone also confirm if Subinacl works on all versions of Windows 2000 and XP?
ahinson
14th November 2005, 23:18
kev147,
Why not just follow the link provided by Guy, copy the text and import the group policy template? Once you do that, remove the check to only show fully managed settings (View->Filtering).
Use gpedit.msc if you're not on a domain.
danielp
7th May 2006, 13:43
I've created a few pages that'll help you configure these settings. More will come later.
Disable USB Disks
Disable USB Disks with GPO
Disable Writing to USB Disks in XP SP2
Disable Writing to USB Disks with GPO
See the front page of www.petri.co.il for links to the above articles.
dwessell
13th October 2006, 22:31
Daniel,
In the article Disable Writing to USB Disks in XP SP2.. You state to find the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
I do not have a StorageDevicePolicies under Control.. Has something changed since your articles were posted?
Thanks
David
biggles77
14th October 2006, 19:35
create StorageDevicePolicies (http://www.google.com.au/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2005-14,GGLD:en&q=create+StorageDevicePolicies)
Thank you :google:
thetsg
2nd November 2006, 00:46
Greetings. This is my first post even though I have been a reader for several years. I just haven't had to ask anything because everything seems to be answered.
Has anyone attempted to try this as a user policy instead of a computer policy yet? I implemented the computer policy with the custom .adm method and it worked like a charm. Now, I have need for this to be on a per-user assignment instead of micromanaging several OU's.
I had a thought as I was posting this and I will report the results of my testing.
poncho
29th November 2006, 20:36
In my testing environment I deployed the custom .adm file via GPO in AD. It works great until I connected an external DVD drive. After I removed the DVD drive from the USB port the USBSTOR driver got enabled again and now I am able to connect any USB storage device to the computer. I rebooted the computer and the GPO is not applying anymore. I waited for replication on the domain and the GPO is not working on this particular computer anymore. The value on the registry key got changed back to 3. The only way to make it work again was by removing the computer from the group where the GPO was being applied and adding it back in.
carterb
5th January 2007, 17:45
Hey guys, first post here. I looked at the batch script above, and I find VBScript easier and more full featured. Below is the source for a .vbs to toggle USB flash drives on/off. I have thoroughly tested it on XP, but you may want to add error checking through the Err object, or OS detection through the ExpandEnvironmentStrings method. A quick Google search on either will return anything you need. Also, if you like VBScript, or want to learn more about it, go to http://www.devguru.com/Technologies/vbscript/quickref/vbscript_list.html (DevGuru) for reference.
Remember that you need administrative privileges to change this registry key, unless you have changed the permissions already.
If you want to you can cut and paste the routine into two separate .vbs files, but remember to include all of the functions at the bottom.
Have the fun! :beer:
Laters!
-Carter
'-----------------------------------------------------------------------------
'BEGIN MAIN
'-----------------------------------------------------------------------------
Option Explicit
Dim sRegKey, sKeyExist
sRegKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start"
' keyExist returns the numeric Start value, or FALSE if the value cannot be read
sKeyExist = keyExist(sRegKey)
If sKeyExist <> FALSE Then
    ' Compare against numbers, not strings: in VBScript a number never equals a string ("3" <> 3)
    If sKeyExist = 3 Then
        'Disable USB Storage Drives (3 = demand start -> 4 = disabled)
        RegWrite sRegKey, "4", "REG_DWORD"
    ElseIf sKeyExist = 4 Then
        'Enable USB Storage Drives (4 = disabled -> 3 = demand start)
        RegWrite sRegKey, "3", "REG_DWORD"
    End If
End If
Wscript.Quit
'-----------------------------------------------------------------------------
'END MAIN
'-----------------------------------------------------------------------------
'Check if a specific value exists; if so, return its value, else return bool(FALSE)
Function keyExist(strRegKey)
    Dim oShell, strOldName
    Set oShell = CreateObject("Wscript.Shell")
    ' Turn error detection off
    On Error Resume Next
    ' Read the value; return it if it exists, ELSE FALSE
    strOldName = oShell.RegRead(strRegKey)
    If Err.Number = 0 Then
        keyExist = CInt(strOldName)
    Else
        keyExist = FALSE
    End If
    ' Turn error detection back on
    On Error GoTo 0
    Set oShell = Nothing
End Function
'Write a registry value
Private Sub RegWrite(ByVal regpath, ByVal strToWrite, ByVal regType)
    Dim objShl
    Set objShl = CreateObject("wscript.shell")
    On Error Resume Next
    'if the value to write is numeric, convert to integer and write a REG_DWORD; else, write as the type specified
    If IsNumeric(strToWrite) Then
        objShl.RegWrite regpath, CInt(strToWrite), "REG_DWORD"
    Else
        objShl.RegWrite regpath, strToWrite, regType
    End If
    If Err Then Err.Clear
    On Error GoTo 0
    Set objShl = Nothing
End Sub
dwessell
11th April 2007, 22:36
I've used this GPO to disable write access to USB drives..
Will this affect USB devices such as scanners and printers??
Thanks
David
Serial
18th November 2007, 00:38
Someone is copying the whole tutorial and posting on his site and in other forums without giving any credit to original author and original source!
On his website:
http://www.knowurtech.com/windows/disabling_usb.html
In forums:
http://www.thinkdigit.com/forum/showthread.php?t=73279
I hope you guys will take some action and teach him a lesson so that he'll never do this again in future. Thanks.
biggles77
18th November 2007, 08:30
Thanks Serial. We appreciate you bringing this to our attention.
Serial
18th November 2007, 12:42
^^ Welcome. :)
I hope you guys will take some strong action against him. Plagiarism should be never entertained.
biggles77
18th November 2007, 16:12
When I get some time I will have a look at some of his other posts and see how many others have been stolen from other sites. Not giving credit is not on and it is so damn easy to do. Some day this incident and any others Dinesh Aggarwal, stealer of other people's work, has been involved with will come back and bite him on the arse. What goes around, comes around. :evil:
Serial
18th November 2007, 16:16
haha. Damn true. You can contact him and ask him to delete the post or provide the source with proper credits. ;-)
Tentakel777
4th January 2008, 16:42
Hi Guys,
Thank you all for this excellent thread; the methods described above work perfectly for me.
I have created my own VBScript which I will post here.
I have created a Group Policy which runs the VBScript as a computer startup script; this works perfectly for me.
Thanks again to all. Here comes my Script:
'
'Disable USB Ports.vbs
'
'
'Note: This script requires SUBINACL.EXE version 5 or higher! Version 4 will not work!
'      subinacl.exe must be reachable through the PATH of the account running the script.
'
' This script disables installation / usage of USB flash drives for *all* users (even admins!). Mice or keyboards can still be installed.
'
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_KEY  = "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
Const REG_KEY2 = "SYSTEM\CurrentControlSet\Services\USBSTOR"
Const Value1  = "WriteProtect"
Const Value11 = 1     ' 1 = USB storage becomes read-only (XP SP2 and later)
Const Value2  = "Start"
Const Value22 = 4     ' 4 = disabled: usbstor.sys is no longer loaded for known devices
Dim WSHShell, strComputer, objRegistry
strComputer = "."
Set WSHShell = CreateObject("WScript.Shell")
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
' StorageDevicePolicies does not exist by default; CreateKey is a no-op if it already does
objRegistry.CreateKey HKEY_LOCAL_MACHINE, REG_KEY
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, REG_KEY, Value1, Value11
' Step 1 from the first post: USBSTOR\Start = 4
objRegistry.CreateKey HKEY_LOCAL_MACHINE, REG_KEY2
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, REG_KEY2, Value2, Value22
' Step 2 from the first post: deny SYSTEM on the USBSTOR key so new devices cannot be installed
WSHShell.Run "cmd.exe /c ""subinacl.exe /keyreg hkey_local_machine\system\currentcontrolset\services\usbstor /deny=system""", , True
stone610
17th January 2008, 12:40
Intel® G33 Express Chipset has a special feature called USB* Port Disable which enables individual USB ports to be enabled or disabled as needed. This feature provides added protection of data by preventing malicious removal or insertion of data through USB ports.
sajixavier
11th February 2008, 17:55
Thanks JWMAC... I have been searching for this for a long time... it just worked fine for me... I have used many programs to lock the USB... but this one is much better...
Carl Farrington
25th April 2008, 12:39
I used the GPO ADM template from http://www.petri.co.il/disable_usb_disks_with_gpo.htm (thanks) to disable USB mass storage devices.
It must be noted that I did not carry out step 2 (ACL modification). Perhaps I should return to the job and do that, I didn't read the whole article properly, sorry!
Anyway, I found that the user (who had local admin privileges) was able to do:
net start usbstor
to re-start the usbstor service and thus re-enable the USB pen drive.
A disabled service shouldn't be startable, should it?
Or has the service startup type been amended by the system working from the usbstor.inf file that I forgot to deny it access to?
inosakura
19th November 2008, 23:45
Thanks for the post JWMAC. Now I just need to put my head together and get it working in my environment.
Ken.
gforceindustries
19th November 2008, 23:54
7 month bump... impressive ;)
shiny
24th November 2008, 08:22
Great info, but I'm stuck on the subinacl.exe bit in the batch file.
\\server\drive\"folder namewithspace"\zzz\DisableUSB\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system
This command gets me an invalid argument.
If I change it to just
\\server\drive\"folder namewithspace"\zzz\DisableUSB\subinacl.exe /help
I still get an invalid argument, yet if I copy and run subinacl.exe locally, the /help argument works fine.
Anyone have any ideas?
gforceindustries
24th November 2008, 10:28
Put " " around the whole path, not just a part of it.
shiny
25th November 2008, 00:49
Thanks. I thought I'd tried that already.:oops:
Just need to resolve regedit not working from the command line. It works fine if I double-click the reg files, but when running from the batch file without the /s option, it says "successfully added to registry" but it's not.
shiny
25th November 2008, 04:01
Ended up getting it working using regedit4 reg files instead.
Very odd...
cruachan
6th January 2009, 18:18
This looks like the answer to a question one of our customers asked this morning. :D
Quick question though, do onboard card readers (E.g. SD, MMC etc) also use the usbstor.sys driver? I suspect they probably do and my customer has a load of Dell laptops with onboard readers so he'll want them locked down too.
Edit: Answered my own question. No with a PCI-attached reader. (http://msdn.microsoft.com/en-us/library/ms789980.aspx)
Edit No. 2: usbstor.sys will handle older devices that connected to USB. For newer devices the driver is sffdisk.sys which appears in the same location in the registry. This is a storage only driver, so SDIO Bluetooth, GPS etc would still work. I'll be testing this out so I'll post the results back when I do.
sophos7
23rd January 2009, 01:16
Regarding the registry Hive Key and Batch files that were mentioned at the very beginning.
There is a typo in the original post that has been copied by others (even the vb script that someone wrote carries this typo)
***EDIT*** This doesn't seem to be a typo, per se. For some reason if you type out this key with the braces [] then a space is added to the word Service after posting.
This is what was posted:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\USBSTOR]
There should not be a space in the word Services.
It seems people are getting errors from subinacl.exe because of this and it most likely means that your reg file is not doing what it should.
Secondly when enabling USBdrives again you should swap the placement of the regedit command and the subinacl.exe command. You should change permissions on the key before applying a new value.
Third, MS has the subinacl.exe over at this link if you don't have a CD.
http://www.microsoft.com/downloadS/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
Further reading... I use an unattended script to auto install my desktops. I run this bat file as part of the script. But later when I need to visit a computer to update something or install a new program I need access. These files are great for me to switch back and forth. Thanks for this simple solution.
vickee
26th January 2009, 13:37
hello guys
There is no need to do so much research on blocking USB drives, just try using uhook personal 2.0. I have been using it in my organization and it's really cool. You can selectively block USB drives and even for unblocked ones you can see what files were copied. I downloaded it from URL REMOVED BY MODERATOR and the software is digitally signed, so there is no risk of getting any kind of infection etc.
I think this was free for personal use when I downloaded it last time.
Stonelaughter
26th January 2009, 14:32
The name "Personal" seems to imply that it's not licensed for organisational use... post reported for the URL etc to be checked out. The OP was asking about organisational use... and there are solutions available within the OS so I'm thinking you may be a spammer...
gforceindustries
26th January 2009, 15:27
I realise the spammer has been dealt with, but just wanted to say...
the software is digitally signed, so there is no risk of getting any kind of infection etc
Digitally signed or not, there is never zero risk. Whenever somebody says that to me, I immediately suspect them of trying to find a way into my system.
J0K3R
11th March 2009, 08:13
GFI's endpoint security is very good for blocking USB, CD-ROM drives and any portable storage device for organisational wide blocking