Solved

Any way to Disable USB usage in the registry

Posted on 2007-08-11
Last Modified: 2010-08-05
Hi,

Any way I can disable USB, excluding USB key and mouse? I need to do this remotely on all machines in the file. This should not disable the key and mouse, but should not be able to access any other storage etc.

Regards
Sharath
0
Question by:bsharath
27 Comments
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675586
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675597
How to disable the use of USB storage devices
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

If a USB Storage Device Is Already Installed on the Computer
If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
6. Quit Registry Editor.

From:
http://www.experts-exchange.com/Hardware/Misc/Q_21893702.html
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675635
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems listed in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)

FOR /F %%c IN ('Type C:\Computers.txt') Do (
    Echo Processing: %%c
    Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
    Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
    PSExec \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
    DEL /Q /F \\%%c\C$\DisableUSBStore.reg
)      

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
ENDLOCAL
:: Batch Script End
0
 
LVL 11

Author Comment

by:bsharath
ID: 19675645
Thanks Farhan,

Will this even disable the keyboard and mouse usage?

0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675648
No, it will disable only USB storage devices.
0
 
LVL 11

Author Comment

by:bsharath
ID: 19675655
Storage, you mean (pen drives)?
What will happen to USB printers, barcode readers, Bluetooth readers etc.?
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675664
The above script will allow you to block usage of USB removable disks, USB sticks, memory cards etc., but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk.
0
 
LVL 11

Author Comment

by:bsharath
ID: 19675696
Can you help me with a revert script for this, please...
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675711
To enable USB storage devices, change the 'Start' value from 00000004 to 00000003 inside the script.

To DISABLE USB Storage  -> "Start"=dword:00000004
To ENABLE USB Storage   -> "Start"=dword:00000003
0
 
LVL 11

Author Comment

by:bsharath
ID: 19675727
Any way to find if there is a storage or any other device already connected? If you can do this I can raise a new Q...

Excluding key and mouse...
0
 
LVL 11

Author Comment

by:bsharath
ID: 19675731
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19675750
OK, I have answered Q_22756447.
0
 
LVL 11

Author Comment

by:bsharath
ID: 19678350
I get this.

Disabling USB storage on: hydsophos
        0 file(s) copied.
Disabling USB storage on: Indiasophos
The system cannot find the file specified.
Disabling USB storage on: dev-chen-mrd100
The system cannot find the file specified.
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19678887
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems listed in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)

FOR /F %%c IN ('Type C:\Computers.txt') Do (
    REM Skip the machine running the script; /I makes the name comparison case-insensitive.
    IF /I NOT "%COMPUTERNAME%"=="%%c" (
        Echo Processing: %%c
        REM Only continue if the host answers a single ping.
        PING -n 1 -w 1000 %%c | Find /I "TTL" >NUL
        IF NOT ErrorLevel 1 (
            Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
            Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
            PSExec \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
            DEL /Q /F \\%%c\C$\DisableUSBStore.reg
        ) ELSE (
            Echo %%c: Not able to connect
        )
    )
)

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
ENDLOCAL
:: Batch Script End
0
 
LVL 11

Author Comment

by:bsharath
ID: 19679106
Excellent, Farhan. If I need to get them back, what should I do? To enable.
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19679114
To enable USB storage devices, change the 'Start' value from 00000004 to 00000003 inside the script.

To DISABLE USB Storage  -> "Start"=dword:00000004
To ENABLE USB Storage   -> "Start"=dword:00000003
0
 
LVL 11

Author Comment

by:bsharath
ID: 19681392
Farhan

If we uninstall USB storage in Device Manager and scan the devices, it's coming back...
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19681447
Above script will NOT uninstall USB storage, it will just block them. They will still be visible in device manager.
0
 
LVL 11

Author Comment

by:bsharath
ID: 19681468
After I just rescanned the devices, the USB was visible again. I mean the storage was back.
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19681495
You mean after running the above script you are still able to read and write to USB memory sticks?
0
 
LVL 11

Author Comment

by:bsharath
ID: 19681546
Yes, Farhan. I checked it on many systems: when I run the script it does not detect. Later, when I go to Device Manager, uninstall the unknown USB device and scan Device Manager, it comes back. I am able to see the storage device and check.
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19681568
Okay! I'm at work right now so can't test this. Please give me a few hours; I'll modify the script and post it again.
0
 
LVL 11

Author Comment

by:bsharath
ID: 19681575
Ok Farhan thanks....
0
 
LVL 26

Accepted Solution

by:
Farhan Kazi earned 2000 total points
ID: 19691380
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems listed in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)
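:: Y.txt supplies the "y" answer to the Cacls confirmation prompt.
Echo y>C:\Y.txt
FOR /F %%c IN ('Type C:\Computers.txt') Do (
    REM Skip the machine running the script; /I makes the name comparison case-insensitive.
    IF /I NOT "%COMPUTERNAME%"=="%%c" (
        Echo Processing: %%c
        REM Only continue if the host answers a single ping.
        PING -n 1 -w 1000 %%c | Find /I "TTL" >NUL
        IF NOT ErrorLevel 1 (
            Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
            Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
            PSExec \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
            REM Set the SYSTEM permission on the USB storage driver files to N, for hosts where no USB storage device is installed yet.
            Cacls \\%%c\Admin$\INF\usbstor.inf /p SYSTEM:N<C:\Y.txt>NUL
            Cacls \\%%c\Admin$\INF\usbstor.pnf /p SYSTEM:N<C:\Y.txt>NUL
            DEL /Q /F \\%%c\C$\DisableUSBStore.reg
        ) ELSE (
            Echo %%c: Not able to connect
        )
    )
)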

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
IF EXIST C:\Y.txt DEL /F /Q C:\Y.txt
ENDLOCAL
:: Batch Script End
0
 
LVL 11

Author Comment

by:bsharath
ID: 19692021
Farhan,

What are the changes between the first and second script?
0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19697709
The first script was to disable a USB storage device if it is already installed on the computer, and the second version of the script has the ability to disable a USB storage device even if it is not already installed.
0
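A read-only check that the change took effect, as an added example that is not part of the original thread: it reads the UsbStor Start value from each machine in C:\Computers.txt and lists every host where it is not confirmed as 4. The function name Get-UsbStorState is hypothetical, and the example assumes the Remote Registry service is reachable on the targets and that the caller has administrative rights there.

```powershell
# Added example (not from the thread): read-only audit of the UsbStor Start value.
# Assumes Remote Registry is reachable on each target and the caller is an admin there.
function Get-UsbStorState {          # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $subKey = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
    foreach ($computer in $ComputerName) {
        $start = $null; $detail = ''; $base = $null; $key = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            $key  = $base.OpenSubKey($subKey)     # opened read-only
            if ($null -eq $key) {
                $state = 'KeyMissing'             # no UsbStor service key on this host
            } else {
                $start = $key.GetValue('Start')
                if     ($null -eq $start) { $state = 'StartMissing' }
                elseif ($start -eq 4)     { $state = 'Disabled' }   # value the script sets
                elseif ($start -eq 3)     { $state = 'Enabled' }    # value the thread gives to re-enable
                else                      { $state = 'Other' }
            }
        } catch {
            $state  = 'Error'                     # offline, access denied, service stopped
            $detail = $_.Exception.Message
        } finally {
            if ($null -ne $key)  { $key.Close() }
            if ($null -ne $base) { $base.Close() }
        }
        [pscustomobject]@{ Computer = $computer; Start = $start; State = $state; Detail = $detail }
    }
}

# Same host list the batch script uses; fall back to the local machine if it is absent.
$listPath = 'C:\Computers.txt'
$targets  = if (Test-Path $listPath) {
    Get-Content $listPath | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }
} else { $env:COMPUTERNAME }

# Show every host that is not confirmed disabled, so it can be re-run or investigated.
Get-UsbStorState -ComputerName $targets |
    Where-Object { $_.State -ne 'Disabled' } |
    Format-Table -AutoSize
```

Running it again after a new device has been plugged in on a target shows whether Start is still 4 on that machine.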

Question has a verified solution.