How to disable USB sticks and limit access to USB storage devices on Windows systems

Submitted by Hannes Schmidt on Sat, 08/20/2005 - 09:50.

USB storage - a possible security risk?

Decent IT administrators secure their networks behind firewalls. They install mail filters on their SMTP servers and deploy anti-virus software on all client workstations. But securing the network is not sufficient -- what happens if the users bring their own USB memory sticks and connect them to the computers at their office? A 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need in order to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?

What does Microsoft have to say about it?

If you, the administrator, want to establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation comes with no limitations on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has been installed on a particular computer. Furthermore, the instructions are limited to a stand-alone computer. According to the general rule of thumb "If it's tedious, there is a better way", I try to avoid techniques that force me to repeat certain tasks for each computer that I manage. That's what group policy objects (GPO) are for.

Suggestions?

Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disable). But his technique has a serious drawback. It only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during that reboot, it will still be available because the USBSTOR driver is started before any GPOs are processed.

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. First, we need to prevent USBSTOR from being installed unless the currently logged-on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged-on user. Second, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

  1. In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
  2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).
  3. Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
  4. Repeat the above two steps for USBSTOR.PNF.
  5. Download USBSTOR.ADM.
  6. Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
  7. You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double-click it, select Enabled and pick Disabled from the Startup Type drop-down. Again, the policy must be Enabled whereas Startup Type must be Disabled.
  8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also OK if the UsbStor key doesn't exist at all.
  9. On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
  10. Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double-clicking USBSTOR.REG as well as executing net stop usbstor.
  11. Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
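
The checks from step 8 can be scripted so they are repeatable across workstations. The following PowerShell script is an added example, not part of the original article or its attachments: it only reads the UsbStor Start value and the ACLs of the two driver files and reports any Allow entry beyond SYSTEM, local administrators and an optional group. The parameter name AllowedGroup and the function names are assumptions made for this example; run it with administrative privileges as in step 8.

```powershell
# Added example: read-only audit of the step 8 checks. It changes nothing.
param(
    # Hypothetical parameter: the group granted read access in step 3, if any,
    # for example 'EXAMPLE\USB-Storage-Users' (constructed name).
    [string]$AllowedGroup = ''
)

# Well-known SIDs are used instead of names so that the comparison also works
# on localized Windows installations.
$allowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)
if ($AllowedGroup) {
    try {
        $account = [System.Security.Principal.NTAccount]$AllowedGroup
        $allowedSids += $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve group '$AllowedGroup': $($_.Exception.Message)"
    }
}

function Test-UsbStorStartValue {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    if (-not (Test-Path -LiteralPath $key)) {
        # Step 8: a missing UsbStor key is acceptable (driver never installed).
        return [pscustomobject]@{ Check = 'UsbStor\Start'; Value = '(key absent)'; Ok = $true }
    }
    $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
    # 4 = Disabled. 3 = Manual, the value plug & play writes back when it
    # installs the driver, so anything other than 4 is reported.
    [pscustomobject]@{ Check = 'UsbStor\Start'; Value = $start; Ok = ($start -eq 4) }
}

function Test-UsbStorFileAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = $Path; Value = '(file absent)'; Ok = $true }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $unexpected = @(
        $rules |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $allowedSids -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    )
    if ($unexpected.Count -gt 0) {
        $summary = 'unexpected Allow entries: ' + ($unexpected -join ', ')
    } else {
        $summary = 'only expected principals'
    }
    [pscustomobject]@{ Check = $Path; Value = $summary; Ok = ($unexpected.Count -eq 0) }
}

$results = @(Test-UsbStorStartValue)
foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
    $results += Test-UsbStorFileAcl -Path (Join-Path $env:SystemRoot "Inf\$name")
}
$results | Format-Table -AutoSize -Wrap
```

A row with Ok = False for UsbStor\Start after a new device was plugged in is the plug & play reset described under "Suggestions?"; a row listing the Everyone SID (S-1-1-0) means the file permissions from step 3 were not applied.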
Attachments:
usbstore.adm (530 bytes)
usbstore.reg (258 bytes)
Submitted by Anonymous on Mon, 04/15/2013 - 01:48.
Theoretically, I think the following should allow for select users to have access to USB storage while blocking others. Though it may not start the USBStor service when logging on as a user with access, on a machine that was logged in as a user without access, without having rebooted. If users do not swap between computers often, I doubt this will be a problem, and it will be fine after a reboot (or manually starting the service if you really want to...).
  • Create a security group "Right-USBMassStorage".
  • Create a new group policy with the following configurations.
    • Computer Configuration – Windows Settings – Security Settings – File System
      • %SystemRoot%\inf\usbstor.INF
      • %SystemRoot%\inf\usbstor.PNF
        • Both with the following permissions
        • Allow CREATOR OWNER Full Control Subfolders and files only
        • Allow [DOMAIN]\Right-USBMassStorage Read and Execute This folder, subfolders and files
        • Allow NT AUTHORITY\SYSTEM Full Control This folder, subfolders and files
        • Allow BUILTIN\Administrators Full Control This folder, subfolders and files
        • Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
    • User Configuration - Windows Settings - Registry
      • First Entry:
        • Hive HKEY_LOCAL_MACHINE
        • Key path SYSTEM\CurrentControlSet\services\USBSTOR
        • Value name Start
        • Value type REG_DWORD
        • Value data 0x4 (4)
        • Item-level targeting: User is NOT a member of the Right-USBMassStorage group.
      • Second Entry:
        • Hive HKEY_LOCAL_MACHINE
        • Key path SYSTEM\CurrentControlSet\services\USBSTOR
        • Value name Start
        • Value type REG_DWORD
        • Value data 0x3 (3)
        • Item-level targeting: User is a member of the Right-USBMassStorage group.
      • Note the different Data value and Item-level Targeting between the two entries.
I haven't concluded testing, but so far this appears to work. If it does not work for Windows 7, it'll probably just be a matter of configuring the policies in "Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access" in addition to the above.
Submitted by Anonymous on Thu, 02/21/2013 - 02:54.

Below is the solution which is working for 32-bit Windows but not working on 64-bit ... I need a function which can do the same thing for 64-bit ....

//disable USB storage...
Microsoft.Win32.Registry.SetValue(
    @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", 
    "Start", 
    4, 
    Microsoft.Win32.RegistryValueKind.DWord);
//enable USB storage...
Microsoft.Win32.Registry.SetValue(
    @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", 
    "Start", 
    3, 
    Microsoft.Win32.RegistryValueKind.DWord);
I can read the value on Windows 64-bit but cannot write the value....
RegistryKey  registryKey = RegistryKey.OpenBaseKey(
    Microsoft.Win32.RegistryHive.LocalMachine, 
    RegistryView.Registry64);

Console.WriteLine("registryKey" + registryKey);

registryKey = registryKey.OpenSubKey(@"SYSTEM\CurrentControlSet\Services\USBSTOR");
 Object val = registryKey.GetValue("Start");
Console.WriteLine("The val is:" + val);

Here I am getting the current val which is set ...
but when I try to open in write mode...

registryKey = registryKey.OpenSubKey(@"SYSTEM\CurrentControlSet\Services\USBSTOR", true);

and try to set a value of 4 to disable it, it can't work...

registryKey.SetValue("Start", 4);

Can anyone help....

Submitted by Anonymous on Mon, 11/12/2012 - 05:18.
Thank you for your great efforts. I have just tried your ADM file with some OUs to disable the USB storage and it's working fine, but I still have a problem because I want to exclude users from this OU, whereas it controls disabling and enabling the USB for certain users, and what if I wanted to exclude some user and enable the USB for him just for one or two days for business needs and then block the USB again? So I think that the suitable action is that I create two GPOs, one to enable the USB and another to disable it, and manage who will be added on each GPO by adding them in "Scope" on Group Policy Management. So I am asking if there is another ADM file to enable the USB?
Submitted by Anonymous on Wed, 10/10/2012 - 02:31.
When plugging in a new device, "Found New Hardware" appears and the "Start"=dword:00000004 value changes automatically to "Start"=dword:00000003 as default.
Submitted by Anonymous on Fri, 07/15/2011 - 07:28.
Thanks for this tutorial!! My DC is Server 2008 so this tutorial might be a little bit outdated. I had to add EVERYONE for usbstor.inf and usbstor.pnf and then DENY everything in order for this to work.
Submitted by Anonymous on Fri, 07/01/2011 - 06:32.
Hi! I think there is. You should try Endpoint Protector from CoSoSys.
Submitted by Anonymous on Thu, 05/12/2011 - 03:42.
Try to put permission to GPO: "Computer Configuration\Windows Settings\Security settings\File System\%Systemroot%\inf\Usbstor.inf" and "Computer Configuration\Windows Settings\Security settings\File System\%Systemroot%\inf\Usbstor.pnf" for users "Deny". It worked for me.
Submitted by Anonymous on Tue, 03/01/2011 - 15:28.
Is there a way to do this for PNP wireless devices? Thanks...
Submitted by Anonymous on Wed, 02/09/2011 - 04:45.
The mentioned solution is complete. Please just use [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR] "Start"=dword:00000004 and change the hexadecimal to: 4 - disable, 3 - enable. Instead of using an exe file, export two separate reg keys for enable or disable - just run them; no restart or touching services is needed. Regards, javadg at gmail
Submitted by Hannes Schmidt on Fri, 10/15/2010 - 10:57.
Thanks! -- Hannes
Submitted by Anonymous on Tue, 10/12/2010 - 17:00.

It seems Microsoft has changed this for Windows 7... and almost none of the sites with instructions have been updated to include the new 7-specific instructions (the old method--even for Vista--didn't work in 7). Here are the new GPO settings you also need to use if you have Windows 7 clients:

Block USB in Windows 7 using Group Policy

Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access

Removable Disks: Deny execute access    Enabled
Removable Disks: Deny read access       Enabled
Removable Disks: Deny write access      Enabled

Submitted by Anonymous on Thu, 09/30/2010 - 12:58.
This method worked for me. At first it worked without any errors. After a few restarts, I started to get the 1058 error when attempting to start USBSTOR (net start usbstor) through the command prompt with the administrator account (that should have access to USBSTOR). When trying to start USBSTOR through an account that should be blocked, I get a "denied access" error, which is the appropriate error. However, to get around the 1058 error, I change the registry value from 4 to 3 to be able to use the USB, then after I'm done I change it back to 4. It's not pretty, but works. What I'm going to try to do when I have time is set up a startup script that does this registry change to 3 when logged in, and then a logoff script that changes it back to 4 when logged off (with an account that has access to USBSTOR of course). It should work... and take away a few keystrokes when needing to use a USB. Anyway, thanks for the article. -- TS.
Submitted by Anonymous on Fri, 09/10/2010 - 09:38.
Hello. Thanks for this great discussion. I'm confused. Is the only non-third-party-software option to have a script that on logon stops the service for certain users and upon logoff starts the service and then deny users of a group all access to the pnf and inf files. then when someone needs access we add remove them from said group which will remove the "deny" acl against the files and not stop the service when they log in? Thanks!
Submitted by Anonymous on Wed, 09/01/2010 - 13:20.
Netwrix USB Blocker does this. I recommend downloading the free version.
Submitted by Anonymous on Wed, 08/25/2010 - 10:31.
I am really thankful for this chapter. It helps me to see the whole problem. But I can't see that you block domain users from accessing usbstor.* files. They can access these files and install new USB drivers. How can I set security settings on this folder in the following situation: block all users on the domain except the domain group "Allow USB"?
Submitted by Anonymous on Thu, 08/19/2010 - 12:10.
Followed these instructions and it is working flawlessly so far. Easier to apply the GPO scope by including authenticated users and to filter by OU rather than delegation. -sysad of about 500
Submitted by Anonymous on Wed, 12/16/2009 - 04:33.
Exact post what I was trying to find. I did all the steps as mentioned above. It is not working for me.. I can see the 'Services und Drivers' under Administrative Templates. I can enable the 'USB Storage'. But it is in red color. But it is showing 'Enabled' under Settings. What could be the problem..? Can u pls help me out...?
Submitted by Anonymous on Fri, 12/11/2009 - 21:25.
Hi, your solution is perfectly match my needs for my company. But I am not really familiar with the scripts. If you mind to share your scripts here? ^_^ IT from Malaysia
Submitted by Anonymous on Fri, 10/09/2009 - 01:11.
The USB is disabled on the workstation, but when I log in with a user that has full access permission on the security of usbstor.inf and usbstor.pnf, I run Net Start Usbstor before and after the USB is connected and I get the same error: System Error 5 has occurred Access Denied. Why is that? And how to get past it???
Submitted by Hannes Schmidt on Tue, 04/07/2009 - 19:15.

Hi Brandon,

I don't think that it is possible to apply the computer settings in a GPO based on the user account. When the logon dialog is displayed, the computer settings from all GPOs have already been applied and Windows won't apply computer settings at user logon. The inverse of what you need is possible, i.e. apply user settings based on which machine a user logs on to. This is called loopback processing. But as I said, that won't help you.

What you could do is change the security settings configured by this GPO to deny access to a particular group instead of allowing access for admins as I suggest in my article. I haven't tried it, but it might work. The GPO will be applied independent of the user but the security settings of the driver files will be modified by the GPO to disallow access to a certain group of users. This means that for regular users access will be allowed while for users in the special group it will be denied.

-- Hannes

Submitted by Anonymous on Tue, 04/07/2009 - 17:12.
Hi Hannes, Thanks for the wonderful tutorial. I got it set up, and tried to push the GPO using security groups for the scope. We noticed we can push the GPO out to computer names, but not through user accounts. The template doesn't seem to edit the registry, unless a specific computer account is in the GPO scope. Do you have any thoughts on that? We'd like to be able to use a security group, and if said user logs into any machine on our network, then the GPO goes into effect. Thanks, Brandon
Submitted by Anonymous on Sun, 03/15/2009 - 18:53.
it would be easier to deny read rights on the GPO for the admins, imho.. (author of the previous reply)
Submitted by Anonymous on Fri, 03/13/2009 - 16:12.
I wanted to thank you for your article. While it was not the complete solution to my needs it was extremely helpful. In addition to Microsoft KB I was able to accomplish this task on specific computers in a group in our domain. Essentially all I did was write a basic script to run a batch file which silently imports the registry values to disable USB storage. That runs as a computer startup script in the GPO. Then using file system control in the GPO I added the usbstor.inf and usbstor.pnf files, setting security for the users group(s) and the system group as denied access. This works great and prevents users from using any USB flash drive or hard drive on both Windows XP Pro and Windows 2000 Pro machines. Additionally I wanted domain administrators to be able to still use USB drives when they logged in without having to do anything. So I set a login script for their GPO to import the necessary registry values to enable USB storage. Once they login, USB storage works... Then there is a logoff script that sets it back to disabled using the same bat file that disables it at system startup. I have this working on over 150 computers in one domain. No problems as of yet...
Submitted by Anonymous on Wed, 03/11/2009 - 18:57.
Hannes, thank you for your care about the issue and sorry for replying as an anonymous. Here are a bit more details. I set access rights on both USBSTOR.INF and .PNF to: FULL (for Local Admins), read ONLY (for SYSTEM) and FULL DENY (for users). The registry key is set to "4". Then I log in with a user (which is not a member of any admin group for sure), plug in a USB stick which was on the PC before - everything's perfect, the device is not loaded. Then I take a USB stick that was not installed on the system before (the driver was not added to the USBSTOR.INF) and what do I see - it becomes available and the registry key resets to "3". So I can copy files to the USB stick, though for next restart (when the policy will be applied again). Looks like the Plug&Play feature has some more rights than SYSTEM with READ ONLY rights for the files. Probably the behavior is on the PCs with particular updates (I use WinXP with all the updates, service packs and hotfixes). Once again, take a USB stick from a different vendor/model and plug it in to make sure... In my case, I had to apply a Group Policy which does the following: 1) Sets the registry key to "4" 2) Sets access rights for the files to FULL (admins and SYSTEM) and DENY (for users) 3) Renames the two files to USBSTOR.INF.backup and USBSTOR.PNF accordingly. PS. To roll back from the settings I made a batch file which rolls back the 1st and the 3rd steps. In addition, it can be used with PsExec of Sysinternals in order to perform the rollback procedure remotely. Sorry for my limited English.
Submitted by Hannes Schmidt on Tue, 03/10/2009 - 21:52.
You are welcome! Can you elaborate on your claim? I'd be curious to hear if you have any specifics as to why a brand/model that has never been attached would behave differently to a brand/model that already was. After all, they all need to use USBSTOR to work and the technique presented here prevents that from loading. Maybe with your insights we could work around the alleged weakness. The fact that this solution isn't working for some people doesn't necessarily mean that the solution always fails for the reasons you suspect. -- Hannes
Submitted by Anonymous on Mon, 03/09/2009 - 03:32.
Thank you for your efforts, but the solution works ONLY for already installed USB Mass Storage Devices. Try to connect a different (brand and model) USB stick and it starts working until the next restart - it is enough to compromise the security purpose. That is why a part of the people here say "it works for me", but others argue against that.. Just take a USB stick from your neighbor and copy the company sensitive data to the carrier..
Submitted by Hannes Schmidt on Fri, 02/13/2009 - 16:52.
Try setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 3 manually before running the command. If that fixes the problem, you have two options: either tell your users (the ones that should have USB access) to run "sc config USBSTOR start=auto" and then "sc start USBSTOR" or tell them to run a .reg file that makes the above change. If setting Start to 3 doesn't help I don't know what's going on. -- Hannes
Submitted by Anonymous on Fri, 02/13/2009 - 13:21.
I did exactly as instructed and it appears to be working as far as disabling USB mass storage devices... However, when I run "net start usbstor" I get the following error: System error 1058 has occurred. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. I've triple checked everything, I am domain admin so I can't see how this would be a rights issue. I've tested on multiple computers, same result. Any help is greatly appreciated.. We're so close :)
Submitted by Hannes Schmidt on Wed, 02/04/2009 - 09:16.
If I remember correctly, removing a group policy from an object (a domain or an OU, for example) will *not* revert registry and security settings affected by it to the values they had on the target computers before the policy was applied to them. So to "undo" the effect of a GPO, you need to invert the GPO, wait until it is applied to all computers, then remove it or move it to the OU and then invert it again. By "inverting" I mean switching the settings in the GPO to their opposite values. When the GPO is applied after the first inversion, the security and registry settings of all computers will be reverted to their original, permissive values. After the second inversion and moving the GPO to the OU, the restrictive settings will be applied, but this time only to the computers in the OU. I can't go into the details of how to invert the settings described in this article but here are a few hints. The number in the .reg file needs to be changed from 00000004 to 00000003 and the users/groups that were removed in steps 3 and 4 need to be added again and given whatever permission they originally had (probably, read and write). HTH. -- Hannes
Submitted by Anonymous on Wed, 02/04/2009 - 02:00.
For me it worked from the 1st try on the whole domain. But then my admin asked me to move it from the whole domain to an OU where only computers and some servers are located. From that moment I am not able to start USB even with privileges. When I type net start usbstor I get the message - System error 1058 has occurred. The service cannot be started.... I have even moved the policy back to the whole domain like it was the 1st time when it worked, but I still get the same error message when I type the command. Any help please
Submitted by Anonymous on Tue, 02/03/2009 - 05:23.
I am also facing the same issue
Submitted by Anonymous on Tue, 12/30/2008 - 04:20.
Hi, I want help to disable the USB through the GP. I tried Microsoft http://support.microsoft.com/kb/555324 also but that one is not working. So what I want to do is, through the server I want to disable the client PCs' USB. Through your instruction I can edit the registry. But if organizations have 300-400 computers, how do we do that? Practically we can't go. So can anybody help me to write down a script for that one and please explain to me how to do it. Thank you. That is very urgent, if anyone can reply immediately. I'd very much appreciate that
Submitted by Anonymous on Wed, 12/10/2008 - 05:54.
Don't worry, it will work
Submitted by Anonymous on Wed, 12/03/2008 - 10:18.
You can add "net start usbstor" to a .bat startup script. It will silently fail for users that don't have permission to start the service, and work for users that do. I'm doing this on my network and it works wonderfully.
Submitted by Anonymous on Fri, 11/21/2008 - 14:00.
If the implementations described in the main article do not work for you, try modifying or retro-fitting the script I posted to suit your needs: http://badzmanaois.blogspot.com/2008/09/disable-usb-storage-using-vbs-script_07.html ...badz... Bytes & Badz: http://badzmanaois.blogspot.com
Submitted by Anonymous on Wed, 11/19/2008 - 02:39.
Thank you Hannes. I followed all the steps given by you and I tried in my 2003 environment with clients Windows XP and 2000. I am able to connect USB k/b and mouse; only storage is restricted. Once again thank you for your step by step solution. Shekar shekarrays@gmail.com
Submitted by Anonymous on Tue, 06/17/2008 - 04:26.
By using a third party like www.myusbonly.com it is best; by this you can make a list for known drives and anything else cannot be added if the user has no password... mohamed index_eg@yahoo.com
Submitted by Anonymous on Sat, 05/10/2008 - 20:42.
Hello All, I too am facing some problem while disabling USB storage on the network... let me explain my scenario... we have Windows 2003 Server as DC and workstations with Win 2000 Pro, Win XP Pro, and also recently we have added a couple of Win Vista machines. So, could anyone suggest how I can disable USB mass storage devices on all systems through GPO under User Configuration ... admin templates, but they should still be able to use USB keyboard and mice. Thanks in advance, Sridhar
Submitted by Anonymous on Wed, 01/30/2008 - 06:11.
Pretty much. Once I had installed a Verbatim USB, and after completing the installation I tried with another USB that is of the same Verbatim type. The second USB could not install and so did not work, while the first one was working fine.
Submitted by Anonymous on Thu, 01/24/2008 - 18:58.
Was just wondering, tried this method on a test group, all looked good, but when I ran gpupdate, then gpresult, it showed the GPO was rejected, empty. Any ideas?
Submitted by Anonymous on Fri, 01/18/2008 - 01:47.
Try the following registry entry which allows only read access to the user. The user cannot copy data from the machine to any portable USB disk, but other USB devices (KB, mouse) work fine. Make a new key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies. Create the following value (DWORD): WriteProtect and give it a value of 1. Done! But this works only on Windows XP SP2
Submitted by Hannes Schmidt on Thu, 01/17/2008 - 15:56.
Thanks for suggesting that method. Are you positive that it really only allows one type of USB device and not the entire class of devices supported by a driver? -- Hannes
Submitted by Anonymous on Thu, 01/17/2008 - 04:24.
To give usage to only one device I use this way. First you uninstall every device installed previously if there are any. At the cmd prompt you give these 2 commands: "set devmgr_show_nonpresent_devices=1" and "start devmgmt.msc". The first command will let you see installed drivers that are not present on the system at that moment when you start the Device Manager, which is done by the second command. When the DM is started you go to View - Show hidden devices and then at storage devices you can see all the drivers that have been installed. Uninstall them all if there are any. After this you plug in the device that you will use on that PC. After the driver is installed, you disable access for everyone on USBSTOR.* In this method you cannot use the reg file since that will disable every USB device that has been installed. The good of this is that you let people use the USB and you also limit others from using USBs on that PC. Also the USB devices each have their own installation code, so even if they are the same type, only the allowed device can work on that PC.
Submitted by Anonymous on Mon, 01/14/2008 - 19:15.
We are a small company without an IT department, and we want to block the evil USB port. Currently we block untrusted USB devices with MyUSBOnly, found here. It works without an IT administrator, it just prompts you for a password when an untrusted USB is inserted into a computer.
Submitted by Anonymous on Thu, 12/20/2007 - 04:40.
At the office where I work, the admins use this software http://www.gfi.com/endpointsecurity/ and it seems to be doing the job! I can't even connect my iPod to transfer some music and files to my office PC. :( They can assign who can use external devices and what they use.
Submitted by Anonymous on Tue, 12/04/2007 - 09:59.

We use another way of blocking USB devices. Our desktop management system - desktop authority - handles this task quite well. After upgrading to the new version several weeks ago we have some nice new abilities for managing unauthorized access to USB ports. Now we can block or allow only particular devices by the serial numbers or manufacturer IDs.

Submitted by Anonymous on Tue, 08/21/2007 - 06:54.

Hi,
This is the exact post what I was trying to find. I did all the steps as mentioned above. It is not working for me.. I can see the 'Services und Drivers' under Administrative Templates. I can enable the 'USB Storage'. But it is in red color. But it is showing 'Enabled' under Settings. What could be the problem..? can u pls help me out...?

Submitted by Anonymous on Wed, 08/08/2007 - 21:35.

Hi Hannes and expert,
A system error 1058 has occurred while executing "net start usbstor" at the command prompt. The explanation given is "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

I have double confirmed the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start is set to 0x0000000(4) after reboot the machine.

Appreciate your assistance on this matter, guys.

Jeff Q

Submitted by Anonymous on Tue, 08/07/2007 - 03:47.

I can confirm this works - had to figure that out for myself but adding an additional line at the end corrects the above issue. If you follow the step-by-step guide (pcs 'must' be rebooted as the policy you are applying is to computers on the network and policies are applied on connection to a network which happens during the boot-up process).

FYI - running the 'net start usbstor' command will error if there is no USB device plugged in. Just run the command with the usb storage device plugged in and all should be well :)

Minh N.

Submitted by Hannes Schmidt on Mon, 08/06/2007 - 05:55.

Hi Jeff,

Are you by any chance using 2k3 with Group Management Console SP1? If so, try adding an empty line at the end of the ADM file. See this post for details. I also changed the file attached to this article to include a newline at the end.

-- Hannes