Disable usb storage devices

Question

Is there a way to programmatically disable usb storage devices from working while still keeping usb ports functional for other types of devices like keyboards and mice?

Answer 1

Easiest way would be to create a .reg file with your changed registry values and then use WA to run a dos command like this: regedit.exe /s pathto.regfile

Answer 2

We can use the following batch files to disable and enable USB Storage.

Disable_usb_storage.bat

@echo off

:: Disable USBstor driver
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f

:: USB Read Only Mode
reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

:: USB Disable startup

reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Boot /t REG_DWORD /d 0 /f

rem reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v System /t REG_DWORD /d 1 /f

reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Auto Load /t REG_DWORD /d 0 /f

:: Disable read permissions on USBstor driver

:: Remove Access for Users from  files

cacls %SystemRoot%\inf\usbstor.inf /E /R users
cacls %SystemRoot%\inf\usbstor.PNF /E /R users
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R users
cacls %SystemRoot%\inf\usbstor.inf /E /D users
cacls %SystemRoot%\inf\usbstor.PNF /E /D users
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D users

:: Remove Access for System
cacls %SystemRoot%\inf\usbstor.inf /E /R system
cacls %SystemRoot%\inf\usbstor.PNF /E /R system
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R system
cacls %SystemRoot%\inf\usbstor.inf /E /D system
cacls %SystemRoot%\inf\usbstor.PNF /E /D system
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D system

:: Remove Access for ower Users
cacls %SystemRoot%\inf\usbstor.inf /E /R "Power Users"
cacls %SystemRoot%\inf\usbstor.PNF /E /R "Power Users"
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R "Power Users"
cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users"
cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users"
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D "Power Users"

:: Remove Access for Administrators
cacls %SystemRoot%\inf\usbstor.inf /E /R Administrators
cacls %SystemRoot%\inf\usbstor.PNF /E /R Administrators
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Administrators
cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators
cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Administrators

:: Remove Access for EveryOne
cacls %SystemRoot%\inf\usbstor.inf /E /R Everyone
cacls %SystemRoot%\inf\usbstor.PNF /E /R Everyone
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Everyone
cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone
cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone


REM ::USB_REG_PERMISSION_changes

:: If parameter recover then undo all this
IF [%1]==[enable] GOTO Enable
:: Create a temporary .REG file - DISABLE USB
> "%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [0 0 0 0]
regini "%Temp%.\u1.ini"
DEL "%Temp%.\u1.ini"

:Exit

:: Leave state 
-----------------------------------------------------------------



========================================




Enable_usb_storage.bat
----------------------------------------------


@echo off

:: Enable USBstor driver from registry 
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f

:: Enable USBstor READ / Write mode
reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 0 /f


REM :: Remove permissions of actual USBSTORAGE Files


:: Provide Access for Users from  files
cacls %SystemRoot%\inf\usbstor.inf /E /G users:F
cacls %SystemRoot%\inf\usbstor.PNF /E /G users:F
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G users:F
rem cacls %SystemRoot%\inf\usbstor.inf /E /D users
rem cacls %SystemRoot%\inf\usbstor.PNF /E /D users

:: Provide Access for System
cacls %SystemRoot%\inf\usbstor.inf /E /G system:F
cacls %SystemRoot%\inf\usbstor.PNF /E /G system:F
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G system:F
rem cacls %SystemRoot%\inf\usbstor.inf /E /D system
rem cacls %SystemRoot%\inf\usbstor.PNF /E /D system

:: Provide Access for ower Users
cacls %SystemRoot%\inf\usbstor.inf /E /G "Power Users":F
cacls %SystemRoot%\inf\usbstor.PNF /E /G "Power Users":F
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G "Power Users":F
rem cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users"
rem cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users"

:: Provide Access for Administrators
cacls %SystemRoot%\inf\usbstor.inf /E /G Administrators:F
cacls %SystemRoot%\inf\usbstor.PNF /E /G Administrators:F
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G Administrators:F
rem cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators
rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators



:: Provide Access for EveryOne
cacls %SystemRoot%\inf\usbstor.inf /E /G Everyone:F
cacls %SystemRoot%\inf\usbstor.PNF /E /G Everyone:F
cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /F Everyone:F
rem cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone
rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone
rem cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone



REM ::USB_REG_PERMISSION_changes

:: If parameter recover then undo all this
IF [%1]==[enable] GOTO Enable
:: Create a temporary .REG file - DISABLE USB
> "%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [1 5 8 11 17]
regini "%Temp%.\u1.ini"
DEL "%Temp%.\u1.ini"

:Exit


:: Leave state 

Answer 3

1. first restart your machine
2. open registry
3. HKEY_LOCAL_MACHINE
4. System
5. CurrentControlSet
6. Service
7. USBstore
8. set Disable to 4 and Enable to 3

Answer 4

Taken from here, not tested:

Directions for Use:

1.)  Take the following blue text, copy it, and paste it into a text  document.  Then, save it as USBSTOR.ADM.
CLASS MACHINE
CATEGORY "Custom Policies"
KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
  POLICY "USB Mass Storage Installation"
   EXPLAIN "When this policy is enabled, USB mass storage device permissions can be changed by using the drop down box.

Selecting 'Grant Permission' will allow USB mass storage devices to be installed.  Selecting 'Deny Permission' will prohibit
the installation of USB mass storage devices.

IF REMOVING THIS POLICY: Reset to original setting and let policy propegate before deleting policy."
     PART "Change Settings:" DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
        NAME "Deny Permission" VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
END CATEGORY

2.)  Open a group policy management console (gpedit.msc), and right click on "administrative templates" under "Computer Configuration".  Select "Add/Remove Templates".

3.)  Browse to the text document you just saved and click OK.  You'll now see "Custom Policies" under "Administrative Templates".  Right click on it, select "View", then select "Filtering".  Uncheck the bottom box, labeled "Only show policy settings that can be fully managed".

4.)  Click ok.  Now you'll see the USB policy available for use under the custom policy heading.  From there, you can enable or disable it just like any other policy.

or (to disable USB storage devices, tested on XP SP3)

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

(to enable USB storage devices, tested on XP SP3)

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 3 /f