  • Status: Solved

Any way to Disable USB usage in the registry

Hi,

Any way I can disable USB excluding USB key and mouse? I need to do this remotely on all machines in the file. This should not disable the key and mouse, but should not be able to access any other storage etc.

Regards
Sharath
 
Farhan Kazi (Systems Engineer) commented:
How to disable the use of USB storage devices
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

If a USB Storage Device Is Already Installed on the Computer
If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
6. Quit Registry Editor.

From:
http://www.experts-exchange.com/Hardware/Misc/Q_21893702.html
0
 
Farhan Kazi (Systems Engineer) commented:
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems that are in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)

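FOR /F %%c IN ('Type C:\Computers.txt') Do (
    Echo Processing: %%c
    Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
    REM Copy the .reg file to the target, import it as SYSTEM, then remove the copy
    Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
    REM PSExec is called by full path because the header requires it on the C: drive root
    C:\PSExec.exe \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
    DEL /Q /F \\%%c\C$\DisableUSBStore.reg
)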

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
ENDLOCAL
:: Batch Script End
0
 
bsharath (Author) commented:
Thanks Farhan,

Will this even disable the keyboard and mouse usage?

0
 
Farhan Kazi (Systems Engineer) commented:
No, it will disable only USB storage devices.
0
 
bsharath (Author) commented:
Storage, you mean (pen drives)?
What will happen to USB printers, barcode readers, Bluetooth readers etc.?
0
 
Farhan Kazi (Systems Engineer) commented:
The above script will allow you to block usage of USB removable disks, USB sticks, memory cards etc., but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk.
0
 
bsharath (Author) commented:
Can you help me with a revert back script for this please...
0
 
Farhan Kazi (Systems Engineer) commented:
To enable USB storage devices change 'Start' value from 00000004 to 00000003 inside the script.

To DISABLE USB Storage  -> "Start"=dword:00000004
To ENABLE USB Storage   -> "Start"=dword:00000003
0
 
bsharath (Author) commented:
Any way to find if there is a storage or any other device already connected? If you can do this I can raise a new Q...

Excluding Key and mouse...
0
 
bsharath (Author) commented:
0
 
Farhan Kazi (Systems Engineer) commented:
OK, I have answered Q_22756447.
0
 
bsharath (Author) commented:
I get this.

Disabling USB storage on: hydsophos
        0 file(s) copied.
Disabling USB storage on: Indiasophos
The system cannot find the file specified.
Disabling USB storage on: dev-chen-mrd100
The system cannot find the file specified.
0
 
Farhan Kazi (Systems Engineer) commented:
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems that are in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)

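FOR /F %%c IN ('Type C:\Computers.txt') Do (
    REM Skip the machine the script is running on (name compared case-insensitively)
    IF /I NOT "%COMPUTERNAME%"=="%%c" (
        Echo Processing: %%c
        REM Continue only if the host answers a single ping
        PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
        IF NOT ErrorLevel 1 (
            Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
            Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
            REM PSExec is called by full path because the header requires it on the C: drive root
            C:\PSExec.exe \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
            DEL /Q /F \\%%c\C$\DisableUSBStore.reg
        ) ELSE (
            Echo %%c: Not able to connect
        )
    )
)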

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
ENDLOCAL
:: Batch Script End
0
 
bsharath (Author) commented:
Excellent, Farhan. If I need to get them back, what should I do? To enable.
0
 
Farhan Kazi (Systems Engineer) commented:
To enable USB storage devices change 'Start' value from 00000004 to 00000003 inside the script.

To DISABLE USB Storage  -> "Start"=dword:00000004
To ENABLE USB Storage   -> "Start"=dword:00000003
0
 
bsharath (Author) commented:
Farhan,

If we uninstall USB storage in Device Manager and scan the devices, it's coming back...
0
 
Farhan Kazi (Systems Engineer) commented:
Above script will NOT uninstall USB storage, it will just block them. They will still be visible in device manager.
0
 
bsharath (Author) commented:
After I just rescanned the devices, the USB was visible again. I mean the storage was back.
0
 
Farhan Kazi (Systems Engineer) commented:
You mean after running the above script you are still able to read and write to USB memory sticks?
0
 
bsharath (Author) commented:
Yes, Farhan. I checked it on many systems, and when I run the script it does not detect; later, when I go to Device Manager, uninstall the unknown USB device and scan Device Manager, it comes back. I am able to see the storage device and check.
0
 
Farhan Kazi (Systems Engineer) commented:
Okay! I'm at work right now so can't test this. Please give me a few hours, I'll modify the script and will post it again.
0
 
bsharath (Author) commented:
Ok Farhan thanks....
0
 
Farhan Kazi (Systems Engineer) commented:
:: ================
:: READ THIS FIRST
:: ================
:: * The following script will disable USB storage on all systems that are in the Computers.txt file.
:: * To run this script you must have domain administrator rights.
:: * This script requires the "PSExec.exe" file (comes with PSTools) on the C: drive root.
:: * This script requires a "Computers.txt" file on the C: drive root, from which it will pick computer names.
:: * A successful run will generate the "C:\DisableUSB.txt" file on the C: drive root.
:: * Copy and paste the following script into Notepad and save it with any name having a .cmd extension.
:: Batch Script Start

@Echo Off
SETLOCAL

IF NOT EXIST C:\Computers.txt Goto ShowErr
FOR %%R IN (C:\Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
IF EXIST C:\DisableUSB.txt DEL /F /Q C:\DisableUSB.txt

(
Echo Windows Registry Editor Version 5.00
Echo.
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
Echo "Start"=dword:00000004
)>C:\DisableUSBStore.reg

IF NOT EXIST C:\DisableUSBStore.reg (
      Echo Unable to create DisableUSBStore.reg file on C: drive root.      
      Goto :EndScript
)
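:: Y.txt supplies the "y" answer to the confirmation prompt that Cacls shows
Echo y>C:\Y.txt
FOR /F %%c IN ('Type C:\Computers.txt') Do (
    REM Skip the machine the script is running on (name compared case-insensitively)
    IF /I NOT "%COMPUTERNAME%"=="%%c" (
        Echo Processing: %%c
        REM Continue only if the host answers a single ping
        PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
        IF NOT ErrorLevel 1 (
            Echo Disabling USB storage on: %%c >>C:\DisableUSB.txt
            Copy /Y C:\DisableUSBStore.reg \\%%c\C$\ >>C:\DisableUSB.txt
            REM PSExec is called by full path because the header requires it on the C: drive root
            C:\PSExec.exe \\%%c -s -i Regedit /S C:\DisableUSBStore.reg
            REM Set the SYSTEM account's access to the USB storage driver files to None
            Cacls \\%%c\Admin$\INF\usbstor.inf /p SYSTEM:N<C:\Y.txt>NUL
            Cacls \\%%c\Admin$\INF\usbstor.pnf /p SYSTEM:N<C:\Y.txt>NUL
            DEL /Q /F \\%%c\C$\DisableUSBStore.reg
        ) ELSE (
            Echo %%c: Not able to connect
        )
    )
)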

Goto EndScript
:ShowErr
Echo "C:\Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST C:\DisableUSBStore.reg DEL /F /Q C:\DisableUSBStore.reg
IF EXIST C:\Y.txt DEL /F /Q C:\Y.txt
ENDLOCAL
:: Batch Script End
0
 
bsharath (Author) commented:
Farhan,

What are the changes between the first and second script?
0
 
Farhan Kazi (Systems Engineer) commented:
The first script was to disable a USB storage device if it is already installed on the computer, and the second version of the script has the ability to disable a USB storage device even if it is not already installed.
0
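
A way to check the outcome on every machine after a run, added here as an example (it is not part of the thread and not one of the posted scripts): PowerShell that reads the USBSTOR Start value remotely and lists the SYSTEM entries on usbstor.inf, so hosts where storage "came back" show up as Enabled. The function name Get-UsbStorState and the state labels are made up for this example; it assumes the same C:\Computers.txt list, a reachable Remote Registry service and Admin$ share, and the English account name SYSTEM.

```powershell
# Added example, not from the thread: audit the two settings the scripts change.
# Assumptions: C:\Computers.txt lists one host per line; Remote Registry and the
# Admin$ share are reachable; the account name "SYSTEM" is the English one.
function Get-UsbStorState {
    param([Parameter(Mandatory = $true)][string]$Computer)

    $row = [ordered]@{ Computer = $Computer; Start = $null; State = 'Unknown'
                       SystemInfAcl = $null; Error = $null }
    $names = @{ 3 = 'Enabled'; 4 = 'Disabled' }   # the two values given in the thread
    try {
        # HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start, read remotely
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        try {
            $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
            if ($null -eq $key) {
                $row.State = 'NoUsbStorKey'       # service key not present on this host
            } else {
                $row.Start = $key.GetValue('Start')
                $start = [int]$row.Start          # a missing value becomes 0
                $row.State = if ($names.ContainsKey($start)) { $names[$start] } else { 'Unexpected' }
                $key.Close()
            }
        } finally { $hklm.Close() }

        # ACEs for SYSTEM on the driver INF that the last script restricts with Cacls
        $inf  = '\\{0}\Admin$\INF\usbstor.inf' -f $Computer
        $aces = (Get-Acl -LiteralPath $inf -ErrorAction Stop).Access |
                    Where-Object { $_.IdentityReference.Value -like '*\SYSTEM' }
        $row.SystemInfAcl = ($aces | ForEach-Object {
            '{0}:{1}' -f $_.AccessControlType, $_.FileSystemRights }) -join '; '
    } catch {
        $row.Error = $_.Exception.Message         # unreachable host, access denied, ...
    }
    [pscustomobject]$row
}

$report = Get-Content -Path 'C:\Computers.txt' |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-UsbStorState -Computer $_.Trim() }

# Any host whose State is not Disabled needs a follow-up
$report | Sort-Object State, Computer |
    Format-Table Computer, Start, State, SystemInfAcl, Error -AutoSize
```

Running it again some time after the change shows whether a host has gone back to Start = 3, which is the behaviour reported earlier in the thread after a device rescan.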