

Auto disconnecting specific USB devices after an amount of time?

Posted on 2016-08-09
Medium Priority
Last Modified: 2016-08-11
Is there a way to auto-disconnect specific USB devices after a precise amount of time via Registry or GPO? Or can this be scripted?

After x amount of time the USB device gets disconnected. If that specific USB device is disconnected, then re-plugging it would reset the countdown timer back to an amount of time so it can be used again ...

I also researched and found a Microsoft utility called DevCon that manages devices:

DevCon (Devcon.exe), the Device Console, is a command-line tool that displays detailed information about devices on computers running Windows. You can use DevCon to enable, disable, install, configure, and remove devices.

I'm more concerned about the feasibility: can this be done and scripted if no GPO exists for such ...?
Question by:Maidine Fouad
LVL 37

Expert Comment

ID: 41748556
That utility might help you only a little bit in your curious quest for something that sounds very user-UNfriendly.
Maybe that's why no one has built such an app yet.
Think about copying files to a USB drive, or printing a large document. Suddenly it just stops and you have to re-do everything again (after re-inserting the USB). Obviously, you have a reason for this (which I'd very much like to know, but if you don't want to reveal it, it's also ok).
But alas, you COULD use it to program or script something, though the GPO doesn't seem helpful in this case. Unless you distribute the executable first, and run scripts locally.
Since there's a remote function in the tool, you could just build the app or script around a server in your network that scans available computers, and lists the current hardware.
Then at an interval, repeats, and compares the previous scan.
Then you have to keep a database on the new devices, and when the time comes, disconnect the device and clear the database.
So, it's doable, but needs a lot of programming (and even more time for real-world testing).
Another option is to push a self-written app as a service to all the computers.
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 41748742
For DevCon, it can also disable based on device PID, and probably we can use PS to trigger when the USB is detected (e.g. MonitorDriveEvents.ps1) and, after a timer wait-out (Start-Sleep mm), then disable the USB (DevCon). For info, PS has a "RemoveDrive Method".

Besides DevCon, there are other command line tools to "disconnect" USB, you may consider using removedisk with option such as ...
[-a]       activates Windows of applications owning the open handles, requires -h
[-w:nnnn]  wait nnnn milliseconds before closing the program (time to read its output)
or USB Disk Ejector.

For the period setting restriction, I am thinking of the Task Scheduler being triggered based on USB connected.
Create custom event triggers in Vista Task Scheduler

Put the ThumbDrive in, copy a few files to it, then Safely Remove and check the event viewer for the Event ID if needed.

Look in the Event Viewer. This free utility makes it easy to check though you might need to also check with the Windows Event Viewer.

Author Comment

by:Maidine Fouad
ID: 41750924

Thank you for answering

Not at all. What we do for a living in our field is serving and empowering users ^^. I have specific reasons to do that, and it's not about stopping general storage USBs or printers (heh, that would get a lot of users angry), but for a specific device.

We use USB security tokens here, and a lot of times every day users leave them plugged in, so when they go away and Windows auto-locks, and for example someone nearby touches the keyboard accidentally (and I don't know why it's the 'Enter' key accidentally), it reduces the number of attempts before the security token gets locked. Users forget passwords all the time, they hit and miss a lot, so they have to come to the IT department so we unlock it ... (I'm not in a position to criticize security measures, so ...)

I noticed this and I want to reduce the amount of work we do, especially "hamster wheel work" (ig resetting tokens). I like to call it hamster wheel because you keep on doing it (like when the hamster gets on the wheel and starts spinning): it gets you nowhere, and the amount of work never seems to end, plus it takes precious time away from our lives; we could focus on more important things.

I want the hardware and software to do the work.

I'm thinking of this (and automating the security unlock meanwhile at least ... (no clicking on GUIs ...) but that's another topic and it's easy to do so). I might do that first, then start on this project.

And yes, it seems a self-written app is the solution. I might just do that one step at a time; I don't mind programming.

And yes, perhaps it's better to use a scripting language for this project and keep the script running locally on the clients. Deployment is not a problem; server-client architecture might be overkill for this?

Good idea, this might need a database. For the database I'm thinking maybe SQLite, if it's lightweight and not resource heavy.


Thank you for your comment.

It seems that PowerShell can do the job: those security tokens have specific PIDs, monitoring triggers, then using DriveCmdletProvider, and using a timer based on when that USB device is plugged in...

USB Disk Ejector is great but it's GUI based; I want to automate, not click ^^, and it is built with Pascal code I think (*.pas files?). I might check the code to see if it can help ...

And yes, Task Scheduler and the Event Viewer, great idea!

Can PowerShell be used to create tasks, and verify whether the Task Scheduler service is on or off and any dependencies? (I can search on the how, I am just checking if PS can or cannot do this, but if you have anything that might help I don't mind.)

Also, I am thinking how such a script would be run at the Begin Logon prompt (if this is possible). The usual start-up phase for Windows, I think, is kernel loading phase -> Winlogon.exe -> SCM services -> Lsass -> Begin Logon prompt, then user Userinit.exe -> Explorer.exe and GPOs and startup programs ... right?

It might be easy on user init, setting it up as a startup program, but if it can be run before this it would be nifty!

I will check what events happen on USB plug and on USB removal for the most used devices and for what we use as security tokens ...

Any input and/or constructive criticism is welcomed.
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 41751292
Both Removedrive and USB ejector are suggested as they can be CLI: they can be run as command-line programs. Not sure where you got the info that ejector is Pascal based.

For startup, consider running the batch file to execute the job or program
For example, use the appropriate method to configure Notepad.exe to run when a user logs on:

To configure Notepad to run when any user logs on to a specific computer:
Edit the following group policy:
Computer Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program. In this example, type the following path name:

To configure Notepad to run when a specific user logs on (regardless of the computer he or she uses):

Edit the following group policy:
User Configuration\Administrative Templates\System\Run These Programs at User Logon

Type the full path name of the program.
LVL 37

Accepted Solution

Kimputer earned 1000 total points
ID: 41751690
Seems you already know your hardware well, so this would personally be my solution:

Distribute to laptop:

your script (powershell)
enable task scheduler with your script (daily, continuously for every 5 minutes). Script takes probably less than a few ms to process, so no worries there:

Use the script from: https://blogs.technet.microsoft.com/heyscriptingguy/2014/05/25/weekend-scripter-use-powershell-to-find-and-disable-webcams/

Instead of the webcam description and hardware id, use your own usb security token key's description and hardware id.

The script (not database driven anymore, since you already know it's ONLY ONE USB token that's easily identified. Database driven is necessary if loads and loads of USB storage devices were to be connected):

check if the token USB key is detected
if no, do nothing
if yes, check if there's a flag file, check creation time of flag file > 30 min, then fire devcon command (test beforehand that it ONLY disconnects the USB token), remove flag file. If no flag file, make it.
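
The flag-file logic from the accepted answer, written out in PowerShell as an added example (it is not code from the thread or from the linked script). The hardware ID pattern, the flag-file path and the devcon.exe location are placeholders, and it goes one step beyond the answer by clearing a stale flag when the token is absent, so that re-plugging restarts the 30-minute countdown.

```powershell
# Added example. The ID pattern and both paths are placeholders, not values from the thread.
$TokenIdPattern = 'USB\VID_XXXX&PID_XXXX*'    # substitute the token's hardware ID
$FlagFile       = Join-Path $env:ProgramData 'TokenTimer\token.flag'   # hypothetical path
$DevCon         = 'C:\Tools\devcon.exe'       # assumed location of devcon.exe
$Limit          = New-TimeSpan -Minutes 30

function Get-TokenAction {
    # Pure decision logic, so it can be exercised without the hardware.
    param(
        [bool]$TokenPresent,
        [Nullable[datetime]]$FlagCreatedUtc,
        [datetime]$NowUtc,
        [timespan]$Limit
    )
    if (-not $TokenPresent) {
        # Token pulled before the limit: drop the stale flag so a re-plug restarts the countdown.
        if ($null -ne $FlagCreatedUtc) { return 'ClearFlag' }
        return 'None'
    }
    if ($null -eq $FlagCreatedUtc) { return 'CreateFlag' }        # first sighting: start the countdown
    if (($NowUtc - $FlagCreatedUtc) -gt $Limit) { return 'Disable' }
    return 'None'
}

function Test-TokenPresent {
    # Status 'OK' skips a token that an earlier run already disabled.
    $hit = Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.DeviceID -like $TokenIdPattern -and $_.Status -eq 'OK' }
    return [bool]$hit
}

$flag    = Get-Item -LiteralPath $FlagFile -ErrorAction SilentlyContinue
$created = if ($flag) { $flag.CreationTimeUtc } else { $null }
$action  = Get-TokenAction -TokenPresent (Test-TokenPresent) -FlagCreatedUtc $created `
               -NowUtc ([datetime]::UtcNow) -Limit $Limit

switch ($action) {
    'CreateFlag' { New-Item -ItemType File -Path $FlagFile -Force | Out-Null }
    'ClearFlag'  { Remove-Item -LiteralPath $FlagFile }
    'Disable'    {
        & $DevCon disable $TokenIdPattern      # needs an elevated context
        Remove-Item -LiteralPath $FlagFile
    }
}
```

Run it from the 5-minute scheduled task under an account that is allowed to disable devices. A device disabled this way may stay disabled after re-plugging, so confirm the behaviour with your token and add a `devcon enable` step if needed.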

Author Closing Comment

by:Maidine Fouad
ID: 41752684
Thank you @kimputer and @btan again for your time

Question has a verified solution.
