Auto disconnecting Specific USB devices after an amount of time ?

Posted on 2016-08-09
Medium Priority
Last Modified: 2016-08-11
Is there a way to auto-disconnect specific USB devices after a precise amount of time via Registry or GPO? Or can this be scripted?

After x amount of time the USB device gets disconnected. If that specific USB device is disconnected, then re-plugging it would reset the countdown timer back to an amount of time so it can be used again ...

I also researched and found a Microsoft utility called DevCon that manages devices:

DevCon (Devcon.exe), the Device Console, is a command-line tool that displays detailed information about devices on computers running Windows. You can use DevCon to enable, disable, install, configure, and remove devices.

I'm more concerned about the feasibility: can this be done and scripted if no GPO exists for such ...?
Question by:Maidine Fouad
LVL 37

Expert Comment

ID: 41748556
That utility might help you only a little bit in your curious quest for something that sounds very user-UNfriendly.
Maybe that's why no one has built such an app yet.
Think about copying files to a USB drive, or printing a large document. Suddenly it just stops and you have to re-do everything again (after re-inserting the USB). Obviously, you have a reason for this (which I'd very much like to know, but if you don't want to reveal it, it's also ok).
But alas, you COULD use it to program or script something, though the GPO doesn't seem helpful in this case. Unless you distribute the executable first, and run scripts locally.
Since there's a remote function in the tool, you could just build the app or script around a server in your network that scans available computers, and lists the current hardware.
Then at an interval, repeats, and compares the previous scan.
Then you have to keep a database on the new devices, and when the time comes, disconnect the device and clear the database.
So, it's doable, but needs a lot of programming (and even more time for real-world testing).
Another option is to push a self-written app as a service to all the computers.
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 41748742
For DevCon, it can also disable based on device PID, and probably we can use PS to trigger when the USB is detected (e.g. MonitorDriveEvents.ps1) and, after a timer wait-out (Start-Sleep mm), then disable the USB (DevCon). For info, PS has a "RemoveDrive Method".

Besides DevCon, there are other command line tools to "disconnect" USB, you may consider using removedisk with option such as ...
[-a]       activates Windows of applications owning the open handles, requires -h
[-w:nnnn]  wait nnnn milliseconds before closing the program (time to read its output)
or USB Disk Ejector.

For the period setting restriction, I am thinking of the Task Scheduler being triggered based on USB connected.
Create custom event triggers in Vista Task Scheduler

Put the ThumbDrive in, copy a few files to it, then Safely Remove and check the event viewer for the Event ID if needed.

Look in the Event Viewer. This free utility makes it easy to check though you might need to also check with the Windows Event Viewer.

Author Comment

by:Maidine Fouad
ID: 41750924

Thank you for answering

Not at all. What we do for a living in our field is serving and empowering users ^^. I have specific reasons to do that, and it's not about stopping general storage USBs or printers (heh, that would get a lot of users angry), but for a specific device.

We use USB security tokens here, and a lot of times every day users leave them plugged in, so when they go away and Windows auto-locks, and for example someone nearby touches the keyboard accidentally (and I don't know why it's the 'Enter' key accidentally), it reduces the number of attempts before the security token gets locked. Users forget passwords all the time, they hit and miss a lot, so they have to come to the IT department so we unlock it ... (I'm not in a position to criticize security measures, so ...)

I noticed this and I want to reduce the amount of work we do, especially "hamster wheel work" (e.g. resetting tokens). I like to call it hamster wheel because you keep on doing it (like when the hamster gets on the wheel and starts spinning): it gets you nowhere, and the amount of work never seems to end, plus it takes precious time away from our lives. We could focus on more important things.

I want the hardware and software to do the work.

I'm thinking of this (and automating the security unlock meanwhile at least ... (no clicking on GUIs ...) but that's another topic and it's easy to do so). I might do that first, then start on this project.

And yes, it seems a self-written app is the solution. I might just do that one step at a time; I don't mind programming.

And yes, perhaps it's better to use a scripting language for this project, and keep the script running locally on the clients. Deployment is not a problem; server-client architecture might be overkill for this?

Good idea, this might need a database. For the database I'm thinking maybe SQLite, if it's lightweight and not resource-heavy.


Thank you for your comment.

It seems that PowerShell can do the job: those security tokens have specific PIDs, monitoring triggers, then using DriveCmdletProvider, and using a timer based on when that USB device is plugged in ...

USB Disk Ejector is great but it's GUI-based; I want to automate, not click ^^. And it is built with Pascal code, I think (*.pas files?). I might check the code to see if it can help ...

And yes, Task Scheduler and the Event Viewer, great idea!

Can PowerShell be used to create tasks, and verify whether the Task Scheduler service is on or off and any dependencies? (I can search on the how; I am just checking if PS can or cannot do this, but if you have anything that might help, I don't mind.)

Also, I am thinking how such a script would be run at the Begin Logon prompt (if this is possible). The usual start-up phase, I think, for Windows is kernel loading phase -> Winlogon.exe -> SCM services -> Lsass -> Begin Logon prompt, then user Userinit.exe -> Explorer.exe and GPOs and startup programs ... right?

It might be easy on Userinit, setting it up as a startup program, but if it can be run before this, that would be nifty!

I will check what events happen on USB plug and on USB removal for the most used devices and for what we use as security tokens ...

Any input and/or constructive criticism is welcome.
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 41751292
Both RemoveDrive and USB Disk Ejector are suggested as they can be CLI; each can be run as a command-line program. Not sure where you got the info that the ejector is Pascal-based.

For startup, consider running the batch file to execute the job or program
For example, use the appropriate method to configure Notepad.exe to run when a user logs on:

To configure Notepad to run when any user logs on to a specific computer:
Edit the following group policy:
Computer Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program. In this example, type the following path name:

To configure Notepad to run when a specific user logs on (regardless of the computer he or she uses):

Edit the following group policy:
User Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program.
LVL 37

Accepted Solution

Kimputer earned 1000 total points
ID: 41751690
Seems you already know your hardware well, so this would personally be my solution:

Distribute to laptop:

your script (powershell)
enable task scheduler with your script (daily, continuously for every 5 minutes). Script takes probably less than a few ms to process, so no worries there:

Use the script from: https://blogs.technet.microsoft.com/heyscriptingguy/2014/05/25/weekend-scripter-use-powershell-to-find-and-disable-webcams/

Instead of the webcam description and hardware id, use your own usb security token key's description and hardware id.

The script (not database-driven anymore, since you already know it's ONLY ONE USB token that's easily identified. Database-driven is necessary if loads and loads of USB storage devices were to be connected):

check if the token usb key is detected
if no, do nothing
if yes, check if there's a flag file, check creation time of flag file > 30 min, then fire devcon command (test beforehand that it ONLY disconnects the USB token), remove flag file. If no flag file, make it.
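
The flag-file check described in the accepted answer, as an added PowerShell example that is not part of the original thread or the linked Microsoft script. The hardware ID, the devcon.exe location and the flag-file path are placeholders, `Get-PnpDevice` assumes Windows 10 / Server 2016 or later, and the example goes one step beyond the answer by clearing the flag when the token is absent, so that re-plugging starts a fresh countdown.

```powershell
# Added example (not from the thread). Intended to run every 5 minutes from a
# scheduled task under an account allowed to manage devices (e.g. SYSTEM).
# Keep this script and devcon.exe in a directory only administrators can write to.
$TokenIdPattern = 'USB\VID_0000&PID_0000*'   # placeholder: instance ID prefix of the token
$DevConId       = 'USB\VID_0000&PID_0000'    # placeholder: same hardware ID, as passed to devcon
$DevConExe      = 'C:\Tools\devcon.exe'      # assumed install path
$FlagFile       = 'C:\ProgramData\TokenTimer\token.flag'   # hypothetical flag-file path
$MaxAge         = New-TimeSpan -Minutes 30

# Only devices that are physically present right now.
$token = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.InstanceId -like $TokenIdPattern }

if (-not $token) {
    # Token absent: drop any stale flag so the next plug-in is not cut off at once.
    # With 5-minute polling, an unplug/re-plug between two polls goes unnoticed.
    if (Test-Path -LiteralPath $FlagFile) { Remove-Item -LiteralPath $FlagFile -Force }
    return
}

if (-not (Test-Path -LiteralPath $FlagFile)) {
    # First poll that sees the token: start the countdown.
    New-Item -ItemType Directory -Path (Split-Path $FlagFile) -Force | Out-Null
    New-Item -ItemType File -Path $FlagFile -Force | Out-Null
    return
}

$age = (Get-Date) - (Get-Item -LiteralPath $FlagFile).CreationTime
if ($age -gt $MaxAge) {
    # "remove" takes the device out of the device tree; a physical re-plug
    # re-enumerates it, whereas "disable" would persist across re-plugs.
    & $DevConExe remove $DevConId
    if ($LASTEXITCODE -eq 0) { Remove-Item -LiteralPath $FlagFile -Force }
}
```

A hardware rescan or reboot also re-enumerates a removed device that is still plugged in, so test on one machine that only the token is affected before deploying.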

Author Closing Comment

by:Maidine Fouad
ID: 41752684
Thank you @kimputer and @btan again for your time.

Question has a verified solution.
