Community Pick: Many members of our community have endorsed this article.

Bad USB - time to fight back!

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks without using non-microsoft tools or even security software that we would have to pay for.

Let me show the attack types that can be easily defeated:

1 your computer is found unattended and someone connects his USB drive (stick or hard drive or smartphone) to collect some of your data
2 your computer is found unattended and someone tries to run a script to infect your computer. Knowing, that we are prepared for item-1-attacks, he comes with a USB rubber ducky style device, that is a special USB memory stick that camouflages as keyboard to circumvent countermeasures against USB sticks. That way, it can act as a keyboard and type in thousands of code lines per minute…malicious code.The rubber ducky attack  is very dangerous since your computer can be infected in seconds even with current anti-virus software.

The concept:
The usb device, as any other device, needs to be installed in order to work. This takes a few seconds and is long enough to launch a counter-attack and uninstall that devices again before the attacker can use them. Starting with windows 8, the event log will record usb device installations so that we can use these events to trigger the counter attack, namely a scheduled task. That task simply uses devcon.exe, a command line tool by Microsoft to uninstall these newly connected devices within less than a second.

You can deploy these tasks and scripts using group policy preferences, so that they are active on whole networks.

The way:
1 First, obtain devcon.exe - make sure to realize that there are two versions, one for 32 bit and one for 64 bit windows. Use version 6.1.7600.16385 and deploy it to c:\windows, so that it lies within the path.

2 Then, create a whitelist of devices that you actually use and would like to exclude from becoming uninstalled, using this code, for example inside your domain startup script (please note: starting with win8, domain startup scripts are NOT regularly processed when fast startup is in use, so you might have to look for another way to ensure that script runs)
devcon findall =keyboard>%temp%\whitekey.txt
                      del %windir%\admin\whitekey.txt
                      for /f %%a in ('findstr /v "matching" %temp%\whitekey.txt') do echo %%a>>%windir%\admin\whitekey.txt

Open in new window

3 Now we proceed to deploying the task (for instructions, see ):

Taskname: Keyboardguard

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device Configuration, Source: Kernel-PnP, Event ID:410
->Action: start c:\windows\keybguard.bat
Keybguard.bat is a batch file that you need to deploy to the windows directory, too.  Code is
if not exist %windir%\admin\whitekey.txt goto end
                      devcon findall =keyboard >%temp%\keyb.txt
                      del %temp%\keyb2.txt
                      for /f %%a in ('findstr /v "matching" %temp%\keyb.txt') do echo %%a>>%temp%\keyb2.txt
                      for /f "tokens=1,2,3 delims=\" %%a in (%temp%\keyb2.txt) do findstr "%%a\%%b" %windir%\admin\whitekey.txt || devcon.exe remove "@%%a\%%b\%%c"

Open in new window

That’s it. Mission accomplished, no more rubber ducky attacks. Whenever a ducky device is connected, it gets uninstalled in less than a second, leaving it with no time to execute even one line of malicious code. Of course you can modify this a bit so that a central whitelist is used instead of a per-machine-whitelist. But: if your (huge) company has many many different keyboard types, this list gets long and might even have a negative effect on script performance, that’s why I suggest to use one whitelist per machine.
Now, let me add two task scripts that will uninstall unknown MTP Devices (Phones) and USB drives.
Again, we deploy two scheduled task that execute scripts

Taskname: Kill_Phones

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-WPD-MTPClassDriver/Operational | Source: WPD-MTPClassDriver | EventID:1000
->Action: start c:\windows\kill_phones.bat with code
for /f "tokens=1 delims=:, " %%a in ('devcon listclass wpd') do devcon.exe remove "@%%a"

Open in new window

(please note that this uninstalls all phones and does not look for a whitelist – you could use a whitelist like in the previous section, of course. I would not use one since most phones can be charged without being installed and I don’t like seeing BYOD devices on my network)
Edit: This has one drawback: Apple Iphones are special. They will not charge via USB unless a data connection is detected. So my task won't let them charge. If you plan to let Iphones charge, don't use this task but use these 2 GPOs instead:
WPD Devices: Deny read access 
WPD Devices: Deny write access 

Taskname: Kill_USBDrives

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device, Source: Kernel-PnP, EventID: 410
->Action: start c:\windows\kill_USBDrives.bat with code
xcopy \\server\share\allowlist.txt c:\windows\ /y
                      devcon.exe findall * |findstr "USB.Mass" >%temp%\usb.txt
                      del %temp%\usb2.txt
                      for /f %%a in (%temp%\usb.txt) do echo %%a>>%temp%\usb2.txt
                      for /f "tokens=1,2,3 delims=\" %%a in (%temp%\usb2.txt) do findstr "%%a\%%b" c:\windows\allowlist.txt || devcon.exe remove "@%%a\%%b\%%c"

Open in new window

Please note that this is again using an allowlist (=whitelist) that is being picked up from a network share and allows central modification. It would contain lines with device IDs, that look like this:


Open in new window

Note that this can be single devices or device classes (like in the above line), just as you like!

That’s all. Feel  free to use and modify these scripts. You might still want to implement logging and alarming (mails/popups). Keep in mind that setting up these protective measures will always have a downside: whenever new keyboards/cordless presenters/USB drives or phones are introduced, you will have to whitelist them from now on.

Comments (5)

Distinguished Expert 2019


Thanks Jim.

I guess at the moment I am pretty fed up with frustration about questions. I have a feeling that it gets worse and worse for us experts. I don't know about the SQL sections, but in the typical system administrator sections (and OS security), I am tempted to say that nowadays 2 out of three questions are really hard to work with for one or the other reason.

Ok, I will try not to let it frustrate me too much.
Top Expert 2014

I might suggest correcting some capitalization and bullet points.

I hadn't heard of USB rubber-ducky devices before.  Thanks for the info!
Hi Mcknife,

I had honestly never thought of anything like this so thanks for the heads up. Could you do the same thing but only activate if an .exe or  .com was run from the USB.  This would allow legitimate use of the USB but still protect the PC. We do it already with GPO to deny running *.exe etc from particular drive letters but your way sounds good too,
Distinguished Expert 2019


Hi James.

When an .exe is run, it's already too late. So until the removal action would have started (triggered by some mechanism, doesn't matter), the exe code is already inside the RAM of your computer and it will not help to uninstall the device, then.
What we could do, is trigger certain actions when the device is plugged in, like for example search the whole device for *.exe or *.com and if found, uninstall the device. But that might take a few seconds and it could be that this process is too slow, so that the exe is already started manually while the search is still on it.
Distinguished Expert 2019


Oh James, somthing that will interest you!
I just "strolled" through our GPOs and came across a setting that I almost forgot: starting with win7, we can deny not only read/write but also execute access (separately) on removable devices by GPO! See

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.