Auto-disconnecting specific USB devices after an amount of time?

Maidine Fouad
Is there a way to auto-disconnect specific USB devices after a precise amount of time via Registry or GPO? Or can this be scripted?

After x amount of time the USB device gets disconnected. If that specific USB device is disconnected, then re-plugging it would reset the countdown timer back to an amount of time so it can be used again ...

I also researched and found a Microsoft utility called DevCon that manages devices:

DevCon (Devcon.exe), the Device Console, is a command-line tool that displays detailed information about devices on computers running Windows. You can use DevCon to enable, disable, install, configure, and remove devices.

I'm more concerned about the feasibility: can this be done and scripted if no GPO exists for such ...?

That utility might help you only a little bit in your curious quest for something that sounds very user-UNfriendly.
Maybe that's why no one has built such an app yet.
Think about copying files to a USB drive, or printing a large document. Suddenly it just stops and you have to re-do everything again (after re-inserting the USB). Obviously, you have a reason for this (which I'd very much like to know, but if you don't want to reveal it, it's also ok).
But alas, you COULD use it to program or script something, though the GPO doesn't seem helpful in this case. Unless you distribute the executable first, and run scripts locally.
Since there's a remote function in the tool, you could just build the app or script around a server in your network that scans available computers and lists the current hardware.
Then, at an interval, it repeats and compares against the previous scan.
Then you have to keep a database on the new devices, and when the time comes, disconnect the device and clear the database.
So, it's doable, but needs a lot of programming (and even more time for real-world testing).
Another option is to push a self-written app as a service to all the computers.
btan, Exec Consultant
Distinguished Expert 2018
For DevCon, it can also disable based on device PID, and probably we can use a PS trigger when the USB is detected (e.g. MonitorDriveEvents.ps1) and, after a timer wait (Start-Sleep mm), then disable the USB (DevCon). For info, PS has a "RemoveDrive Method".

Besides DevCon, there are other command line tools to "disconnect" USB, you may consider using removedisk with option such as ...
[-a]       activates Windows of applications owning the open handles, requires -h
[-w:nnnn]  wait nnnn milliseconds before closing the program (time to read its output)
or USB Disk Ejector.

For the period setting restriction, I am thinking of the Task Scheduler being triggered based on USB connected.
Create custom event triggers in Vista Task Scheduler

Put the ThumbDrive in, copy a few files to it, then Safely Remove and check the event viewer for the Event ID if needed.

Look in the Event Viewer. This free utility makes it easy to check though you might need to also check with the Windows Event Viewer.
Maidine Fouad, Engineer



Thank you for answering

Not at all. What we do for a living in our field is serving and empowering users ^^. I have specific reasons to do that, and it's not about stopping general storage USBs or printers (heh, that would get a lot of users angry), but for a specific device.

We use USB security tokens here, and a lot of times every day users leave them plugged in. So when they go away and Windows auto-locks, and for example someone nearby touches the keyboard accidentally (and I don't know why it's the 'enter' key accidentally), it reduces the number of attempts before the security token gets locked. Users forget passwords all the time, they hit and miss a lot, so they have to come to the IT department so we unlock it ... (I'm not in a position to criticize security measures so ...)

I noticed this and I want to reduce the amount of work we do, especially "hamster wheel work" (e.g. resetting tokens). I like to call it hamster wheel because you keep on doing it (like when the hamster gets on the wheel and starts spinning), it gets you nowhere, and the amount of work never seems to end. Plus it takes precious time away from our lives; we could focus on more important things.

I want the hardware and software to do the work.

I'm thinking of this (and automating the security unlock meanwhile at least ... (no clicking on GUIs ...), but that's another topic and it's easy to do so). I might do that first, then start on this project.

And yes, it seems a self-written app is the solution. I might just do that one step at a time; I don't mind programming.

And yes, perhaps it's better to use a scripting language for this project, and keep the script running locally on the clients. Deployment is not a problem; server-client architecture might be overkill for this?

Good idea, this might need a database. For the database I'm thinking maybe SQLite, if it's lightweight and not resource-heavy.


Thank you for your comment.

It seems that PowerShell can do the job: those security tokens have specific PIDs, monitoring triggers, then using DriveCmdletProvider, and using a timer based on when that USB device is plugged in ...

USB Disk Ejector is great but it's GUI-based; I want to automate, not click ^^. And it is built with Pascal code, I think (*.pas files?). I might check the code to see if it can help ...

And yes, Task Scheduler and the Event Viewer, great idea!

Can PowerShell be used to create tasks, verify whether the Task Scheduler service is on or off, and any dependencies? (I can search on the how, I am just checking if PS can or cannot do this, but if you have anything that might help I don't mind.)

Also, I am thinking how such a script would be run at the Begin Logon prompt (if this is possible). The usual start-up phase, I think, for Windows is: kernel loading phase -> Winlogon.exe -> SCM services -> Lsass -> Begin Logon prompt, then user Userinit.exe -> Explorer.exe and GPOs and startup programs ... right?

It might be easy on Userinit, setting it up as a startup program, but if it can be run before this, that would be nifty!

I will check what events happen on USB plug and on USB removal for the most used devices and for what we use as security tokens ...

Any input and/or constructive criticism is welcome.

btan, Exec Consultant
Distinguished Expert 2018
Both Removedrive and USB ejector are suggested as they can be CLI: they can be run as command-line programs. Not sure where you got the info that ejector is Pascal-based.

For startup, consider running the batch file to execute the job or program
For example, use the appropriate method to configure Notepad.exe to run when a user logs on:

To configure Notepad to run when any user logs on to a specific computer:
Edit the following group policy:
Computer Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program. In this example, type the following path name:

To configure Notepad to run when a specific user logs on (regardless of the computer he or she uses):

Edit the following group policy:
User Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program.
Seems you already know your hardware well, so this would personally be my solution:

Distribute to laptop:

your script (powershell)
enable task scheduler with your script (daily, continuously for every 5 minutes). Script takes probably less than a few ms to process, so no worries there:

Use the script from:

Instead of the webcam description and hardware id, use your own usb security token key's description and hardware id.

The script (not database-driven anymore, since you already know it's ONLY ONE USB token that's easily identified. Database-driven is necessary if loads and loads of USB storage devices were to be connected):

check if the token usb key is detected
if no, do nothing
if yes, check if there's a flag file, check creation time of flag file > 30 min, then fire devcon command (test beforehand that it ONLY disconnects the USB token), remove flag file. If no flag file, make it.
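
As an added example (not code from this thread or from any participant), the flag-file procedure above written out in PowerShell. The hardware ID is a placeholder and the devcon.exe and flag-file paths are assumptions. It goes beyond the listed steps in two ways: it clears the flag when the token is absent, so re-plugging restarts the countdown, and it uses `devcon remove` rather than `devcon disable`, so the token enumerates again on re-plug instead of staying disabled.

```powershell
# Added example: timed disconnect of ONE USB security token, run from Task Scheduler.
# Assumptions (not from the thread): placeholder hardware ID, devcon.exe path, flag-file path.
$TokenHwId = 'USB\VID_XXXX&PID_XXXX'      # placeholder: the token's own VID/PID
$DevCon    = 'C:\Tools\devcon.exe'        # assumed install location
$FlagFile  = Join-Path $env:ProgramData 'TokenTimer\token.flag'   # assumed path
$MaxAge    = New-TimeSpan -Minutes 30

function Get-TokenAction {
    # Pure decision step: returns 'None', 'ClearFlag', 'StartTimer' or 'Disconnect'.
    param([bool]$Present, [Nullable[datetime]]$FlagCreatedUtc,
          [datetime]$NowUtc, [timespan]$Limit)
    if (-not $Present) {
        # Token unplugged: drop a stale flag so the next plug-in starts a fresh countdown.
        if ($null -ne $FlagCreatedUtc) { return 'ClearFlag' }
        return 'None'
    }
    if ($null -eq $FlagCreatedUtc) { return 'StartTimer' }
    if (($NowUtc - $FlagCreatedUtc) -gt $Limit) { return 'Disconnect' }
    return 'None'
}

# Is the token currently enumerated? Its PNPDeviceID begins with the hardware ID.
$present = [bool](Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.PNPDeviceID -like "$TokenHwId*" })

$flagTime = $null
if (Test-Path -LiteralPath $FlagFile) {
    $flagTime = (Get-Item -LiteralPath $FlagFile).CreationTimeUtc
}

$action = Get-TokenAction -Present $present -FlagCreatedUtc $flagTime `
    -NowUtc ([datetime]::UtcNow) -Limit $MaxAge

switch ($action) {
    'StartTimer' {
        New-Item -ItemType Directory -Path (Split-Path $FlagFile) -Force | Out-Null
        New-Item -ItemType File -Path $FlagFile -Force | Out-Null
    }
    'ClearFlag'  { Remove-Item -LiteralPath $FlagFile -Force }
    'Disconnect' {
        # The pattern matches hardware IDs; confirm beforehand it matches ONLY the token.
        & $DevCon remove "$TokenHwId*"
        if ($LASTEXITCODE -ne 0) { Write-Warning "devcon exited with code $LASTEXITCODE" }
        Remove-Item -LiteralPath $FlagFile -Force
    }
}
```

Schedule it every 5 minutes under an account with administrative rights, since DevCon needs them to remove a device.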
Maidine Fouad, Engineer


Thank you @kimputer and @btan again for your time
