USB - Registry

Posted on 2006-05-28
Last Modified: 2013-12-04
Hi all

We need to disable the USB at the BIOS level. As all are aware, we do get desktops with USB keyboards and mice, and so we have disabled the registry hklm\system\currentcontrolset\services\usbstor. By changing the start value to 4, USB is by default getting disabled.

The users are the admin accounts on the local systems. Is there any way we can set permissions on the registry value so that users will not be allowed to change the access?

NOTE: I have even tried the following things. I went to the key, selected Permissions, removed Everyone, selected only Domain Admins there, and have pushed the same through Group Policy also. But users are able to go to the keys, select Add, add Everyone, give full permissions, and change the value. Is there a way to stop this?

My main aim is either user should be allowed to change the value in the registry even if they are local admins.

I have even tried disabling the registry. Some software gets installed and some does not, as it gets written to HKLM. So kindly help me with this.

Question by: ranga_matta

    Accepted Solution


    You can disable registry editing via group policy. Another option is to lock down this area of the registry. I would honestly recommend you not let anyone except for administrators even edit the registry. Your users should be members of the Users group, not Power Users or Administrators. If they are members of local Power Users or Administrators, they can change permissions.

    I highly recommend you use the group policy editor to lock down the workstations, so the users cannot change anything at all in the registry. I am also confused how users would even know that hklm\system\currentcontrolset\services\usbstor even controls the USB storage service. If they know that much, you probably will have problems no matter what you do. Another option might be to just delete the usbstor service entirely.

    Fire up the command prompt and type c:\>sc delete usbstor. They cannot turn it on if it doesn't exist. Then I seriously doubt they would be able to manually create the necessary entries with regedit.

    You had better make a backup of that registry key though, else you will have to snag it from another computer.

    Thanks and BTW, why don't you want USB hard drives and memory sticks to function?
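
A read-only audit of the key discussed in this thread, as an added example that is not part of the original question or answer: it reports whether the Start value is still 4 and which principals hold rights that would let them change it. The function name Get-UsbStorAudit and the report field names are hypothetical.

```powershell
# Added example (not from the thread). Get-UsbStorAudit is a hypothetical name.
function Get-UsbStorAudit {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    )

    # Key absent, e.g. after "sc delete usbstor": the service cannot be started.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            KeyExists = $false; Start = $null; Disabled = $true
            Owner = $null; CanReenable = @()
        }
    }

    $start = (Get-ItemProperty -Path $Path -Name Start -ErrorAction SilentlyContinue).Start
    $acl   = Get-Acl -Path $Path

    # Rights that let a principal set Start directly or re-grant itself access,
    # which is what the users in the question did through the Permissions dialog.
    $risky = [int][System.Security.AccessControl.RegistryRights]'SetValue, ChangePermissions, TakeOwnership'

    $holders = @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $risky) -ne 0)
        } |
        ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $_.RegistryRights } |
        Sort-Object -Unique)

    [pscustomobject]@{
        KeyExists   = $true
        Start       = $start
        Disabled    = ($start -eq 4)   # 4 = disabled, the value set in the question
        Owner       = $acl.Owner
        CanReenable = $holders
    }
}

$report = Get-UsbStorAudit
$report | Format-List
if ($report.KeyExists -and -not $report.Disabled) {
    Write-Warning "USBSTOR Start is $($report.Start), expected 4"
}
```

Run on a schedule, the warning gives a record of when the value was changed back, and the CanReenable list shows whether a permissions change pushed by policy actually left only the intended principals with write access.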

