How to disable USB sticks and limit access to USB storage devices on Windows systems

Submitted by Hannes Schmidt on Sat, 08/20/2005 - 09:50.

USB storage - a possible security risk?

Decent IT administrators secure their networks behind firewalls. They install mail filters on their SMTP servers and deploy anti-virus software on all client workstations. But securing the network is not sufficient -- what happens if the users bring their own USB memory sticks and connect them to the computers at their office? A 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need in order to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?

What does Microsoft have to say about it?

If you, the administrator, want to establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation comes with no limitations on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has been installed on a particular computer. Furthermore, the instructions are limited to a stand-alone computer. According to the general rule of thumb "If it's tedious, there is a better way", I try to avoid techniques that force me to repeat certain tasks for each computer that I manage. That's what group policy objects (GPO) are for.

Suggestions?

Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disable). But his technique has a serious drawback. It only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during that reboot, it will still be available because the USBSTOR driver is started before any GPOs are processed.

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

  1. In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
  2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).
  3. Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
  4. Repeat the above two steps for USBSTOR.PNF.
  5. Download USBSTOR.ADM.
  6. Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
  7. You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled whereas Startup Type must be Disabled.
  8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
  9. On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
  10. Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.
  11. Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
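
The checks from step 8, scripted so they can be repeated on each workstation after the GPO has been applied. This is an added example, not part of the original article or its attachments; it assumes PowerShell is available, the script runs with administrative privileges, and the driver files are in %SystemRoot%\Inf. The function names are illustrative.

```powershell
# Added example (not the article's own code): audit one workstation against
# the checks in step 8 of the how-to. Save as a .ps1 file and run elevated.
# Assumption: the driver files are in %SystemRoot%\Inf, the usual location.

# Well-known SIDs of broad principals that should have no Allow entry on the
# driver files. SIDs are used because group names are localized.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function New-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# Registry check: Start must be 4 (Disabled), or the key must be absent.
function Test-UsbStorStart {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    if (-not (Test-Path $key)) {
        # Step 8: a missing key is acceptable, the driver was never installed.
        return New-Result 'UsbStor\Start' $true 'key does not exist'
    }
    $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return New-Result 'UsbStor\Start' $false 'key exists but Start value is missing'
    }
    # 3 (Manual) is the value plug and play writes when it installs USBSTOR.
    New-Result 'UsbStor\Start' ($prop.Start -eq 4) ("Start = {0}" -f $prop.Start)
}

# File check: no Allow entry for Everyone, Authenticated Users or Users.
# A dedicated group with read access (step 3) is not flagged.
function Test-DriverFileAcl([string]$Path) {
    $name = Split-Path $Path -Leaf
    if (-not (Test-Path $Path)) {
        # Assumption: an absent file leaves nothing to check on this machine.
        return New-Result $name $true 'file not present, nothing to check'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $bad = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadSids.ContainsKey($_.IdentityReference.Value)
    })
    if ($bad.Count -eq 0) {
        return New-Result $name $true 'no Allow entry for a broad group'
    }
    $who = ($bad | ForEach-Object { $BroadSids[$_.IdentityReference.Value] }) -join ', '
    New-Result $name $false "Allow entry present for: $who"
}

$inf = Join-Path $env:SystemRoot 'Inf'
$results = @(
    Test-UsbStorStart
    Test-DriverFileAcl (Join-Path $inf 'usbstor.inf')
    Test-DriverFileAcl (Join-Path $inf 'usbstor.pnf')
)
$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or inventory tool flag the machine.
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

A Start value of 3 on a machine where the GPO is in force indicates that USBSTOR was installed or re-enabled since the policy was last applied.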
Attachments:
usbstore.adm (530 bytes)
usbstore.reg (258 bytes)
Submitted by Anonymous on Wed, 12/16/2009 - 04:33.
exact post what I was trying to find. I did all the steps as mentioned above. It is not working for me.. I can see the 'Services und Drivers' under Administrative Templates. I can enable the 'USB Storage'. But it is in red color. But it is showing 'Enabled' under Settings. What could be the problem..? can u pls help me out...?
Submitted by Anonymous on Fri, 12/11/2009 - 21:25.
Hi, your solution is perfectly match my needs for my company. But I am not really familiar with the scripts. If you mind to share your scripts here? ^_^ IT from Malaysia
Submitted by Anonymous on Fri, 10/09/2009 - 01:11.
The USB is disabled on workstation, but when i log in with a user that has a full access permission on the security of the usbstor.inf and usbstor.pnf, i run the Net Start Usbstor before and after the USB is connect and i got the same error: System Error 5 has occured Access Denied Why that? and how to pass through it???
Submitted by Hannes Schmidt on Tue, 04/07/2009 - 19:15.

Hi Brandon,

I don't think that it is possible to apply the computer settings in a GPO based on the user account. When the logon dialog is displayed, the computer settings from all GPO's have already been applied and Windows won't apply computer settings at user logon. The inverse of what you need is possible, i.e. apply user settings based on which machine a user logs on to. This is called loopback processing. But as I said, that won't help you.

What you could do is change the security settings configured by this GPO to deny access to a particular group instead of allowing access for admins as I suggest in my article. I haven't tried it, but it might work. The GPO will be applied independent of the user but the security settings of the driver files will be modified by the GPO to disallow access to a certain group of users. This means that for regular users access will be allowed while for users in the special group it will be denied.

-- Hannes

Submitted by Anonymous on Tue, 04/07/2009 - 17:12.
hi Hannes, Thanks for the wonderful tutorial. I got it set up, and tried to push the GPO using security groups for the scope. We noticed we can push the GPO out to computer names, but not through user accounts. The template doesn't seem to edit the registry, unless a specific computer account is in the GPO scope. Do you have any thoughts on that? We'd like to be able to use a security group, and if said user logs into any machine on our network, then the GPO goes into effect. thanks brandon
Submitted by Anonymous on Sun, 03/15/2009 - 18:53.
it would be easier to deny read rights on the GPO for the admins, imho.. (author of the previous reply)
Submitted by Anonymous on Fri, 03/13/2009 - 16:12.
I wanted to thank you for your article. While it was not the complete solution to my needs it was extremely helpful. In addition to Microsoft KB I was able to accomplish this task on specific computers in a group in our domain. Essentially all I did was write a basic script to run a batch file which silently imports the registry values to disable USB storage. That runs as a computer startup script in the GPO. Then using file system control in the GPO I added the usbstor.inf and usbstor.pnf files, setting security for the users group(s) and the system group as denied access. This works great and prevents users from using any USB flash drive or hard drive on both Windows XP Pro and Windows 2000 Pro machines. Additionally I wanted domain administrators to be able to still use USB drives when they logged in without having to do anything. So I set a login script for their GPO to import the necessary registry values to enable USB storage. Once they login, USB storage works... Then there is a logoff script that sets it back to disabled using the same bat file that disables it at system startup. I have this working on over 150 computers in one domain. No problems as of yet...
Submitted by Anonymous on Wed, 03/11/2009 - 18:57.
Hannes, thank you for your care about the issue and sorry for replying as an anonymous. Here are a bit more details. I set access rights on the both USBSTOR.INF and .PNF to: FULL (for Local Admins), read ONLY (for SYSTEM) and FULL DENY (for users). The registry key is set to "4". Then I login with a user (which is not a member of any admin group for sure), plug a USB stick which was on the PC before - everything's perfect, the device is not loaded. Then I take a USB stick that was not installed on the system before (the driver was not added to the USBSTOR.INF) and what do I see - it becomes available and the registry key resets to "3". So I can copy files to the USB stick, though for next restart (when the policy will be applied again). Looks like Plug&Play feature has some more rights than SYSTEM with READ ONLY rights for the files. Probably the behavior is on the PCs with particular updates (I use WinXP with all the updates, service packs and hotfixes). Once again, take a USB stick from a different vendor/model and plug it to make sure... In my case, I had to apply a Group Policy which do the following: 1) Sets the registry key to "4" 2) Sets access rights for the files to FULL (admins and SYSTEM) and DENY (for users) 3) Renames the two files to USBSTOR.INF.backup and USBSTOR.PNF accordingly PS. To rollback from the settings I made a batch file which rollbacks the 1st and the 3rd steps. In addition, it can be used with PCEXEC of Sysinternals in order to perform the rollback procedure remotely. sorry for my limited english
Submitted by Hannes Schmidt on Tue, 03/10/2009 - 21:52.
You are welcome! Can you elaborate on your claim? I'd be curious to hear if you have any specifics as to why a brand/model that has never been attached would behave differently to a brand/model that already was. After all, they all need to use USBSTOR to work and the technique presented here prevents that from loading. Maybe with your insights we could work around the alleged weakness. The fact that this solution isn't working for some people doesn't necessarily mean that the solution always fails for the reasons you suspect. -- Hannes
Submitted by Anonymous on Mon, 03/09/2009 - 03:32.
Thank you for your efforts, but the solution works ONLY for already installed USB Mass Storage Devices. Try to connect a different (brand and model) USB stick and it starts working until the next restart - it is enough to compromise the security purpose. That is why a part of the people here say "it works for me", but another argue that.. Just take an USB stick from your neighbor and copy the company sensitive data to the carrier..
Submitted by Hannes Schmidt on Fri, 02/13/2009 - 16:52.
Try setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 3 manually before running the command. If that fixes the problem, you have two options: either tell your users (the ones that should have USB access) to run "sc config USBSTOR start=auto" and then "sc start USBSTOR" or tell them to run a .reg file that makes the above change. If setting Start to 3 doesn't help I don't know what's going on. -- Hannes
Submitted by Anonymous on Fri, 02/13/2009 - 13:21.
I did exactly as instructed to and it appears to be working as far as disabling USB mass storage devices... However, when I run "net start usbstor" I get the following error: System error 1058 has occured. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. I've triple checked everything, I am domain admin so I can't see how this would be a rights issue. I've tested on multiple computers, same result. Any help is greatly appreciated.. We're so close :)
Submitted by Hannes Schmidt on Wed, 02/04/2009 - 09:16.
If I remember correctly, removing a group policy from an object (a domain or an OU, for example) will *not* revert registry and security settings affected by it to the values they had on the target computers before the policy was applied to them. So to "undo" the effect of a GPO, you need to invert the GPO, wait until it is applied to all computers, then remove it or move it to the OU and then invert it again. By "inverting" I mean switching the settings in the GPO to their opposite values. When the GPO is applied after the first inversion, the security and registry settings of all computers will be reverted to their original, permissive values. After the second inversion and moving the GPO to the OU, the restrictive settings will be applied, but this time only to the computers in the OU. I can't go into the details how to invert the settings described in this article but here are a few hints. The number in the .reg file needs to be changed from 00000004 to 00000003 and the users/groups that were removed in steps 3 and 4 need to be added again and given whatever permission they originally had (probably, read and write). HTH. -- Hannes
Submitted by Anonymous on Wed, 02/04/2009 - 02:00.
For me it worked from 1st try on whole domain. But then my admin asked from me to move it from whole domain to OU where only computers and some servers are located. From that moment I am not able to start usb even with privileges. When I type net start usbstor i get message - System error 1058 has occured The service cannot be started.... I have even moved policy on whole domain like it was 1st time that worked, but still I get same error message when I type command. Any help please
Submitted by Anonymous on Tue, 02/03/2009 - 05:23.
I am also facing same issue
Submitted by Anonymous on Tue, 12/30/2008 - 04:20.
Hi, I want to help to disable the USB through the GP. I tried to Microsoft http://support.microsoft.com/kb/555324 also but that one is not working. So what I want to do is. through the server I want to disable the client pc’s USB. Through your instruction can edit the registry. But if organizations have 300- 400 computers how we do that. Practically we can’t go. So anybody can help me to write down script that one and please explain me how to do. Thank you. That is very urgent if anyone can reply immediately. I’m very appreciate that
Submitted by Anonymous on Wed, 12/10/2008 - 05:54.
Dont worry it will work
Submitted by Anonymous on Wed, 12/03/2008 - 10:18.
You can add "net start usbstor" to a .bat startup script. It will silently fail for users that don't have permission to start the service, and work for users that do. I'm doing this on my network and it works wonderfully.
Submitted by Anonymous on Fri, 11/21/2008 - 14:00.
If the implementations described in the main article do not work for you, try modifying or retro-fitting the script I posted to suit your needs: http://badzmanaois.blogspot.com/2008/09/disable-usb-storage-using-vbs-script_07.html ...badz... Bytes & Badz: http://badzmanaois.blogspot.com
Submitted by Anonymous on Wed, 11/19/2008 - 02:39.
thank u hannes i followed all the steps given by u and i tried in my 2003 environment with clients windows xp and 2000. i am able to connect usb k/b and mouse only storage is restricted. once again thank you for ur step by step solution. Shekar shekarrays@gmail.com
Submitted by Anonymous on Tue, 06/17/2008 - 04:26.
by using third party like www.myusbonly.com it is best , by this u can make list for known drives and any else can not be added if user have no password... mohamed index_eg@yahoo.com
Submitted by Anonymous on Sat, 05/10/2008 - 20:42.
Hello All, Me too facing some problem during disabling USB Storage on network...lemme explain my scenario....we have windows 2003 Server as DC and workstation as win 2000 Pro, win XP Pro and also recently we have added couples of Win Vista machines. So, cud anyone suggest me how can i disable USB mass Storage devices on all systems thru GPO under User Configuration ...admin templates but dey still sud be able to use USB keyboard and mice. Thnx in adv, Sridhar
Submitted by Anonymous on Wed, 01/30/2008 - 06:11.
Pretty much. Once I have installed a verbatim USB, and after completing the installation I tried with another USB that is of the same Verbatim type. The second USB could not install and so not work, while the first one was working fine.
Submitted by Anonymous on Thu, 01/24/2008 - 18:58.
was just wondering, tried this method on a test group, all looked good, but when I ran gpupdate, then gpresult, showed the GPO was rejected, empty, any ideas?
Submitted by Anonymous on Fri, 01/18/2008 - 01:47.
Try the following registry entry which allow only Read access to user. User can not copy the data from machine to any portable usb disk, but other usb device (KB, Mouse) were work fine. Make new key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies Create the following value (DWORD): WriteProtect and give it a value of 1. done! but this work only on windows XP sp2
Submitted by Hannes Schmidt on Thu, 01/17/2008 - 15:56.
Thanks for suggesting that method. Are you positive that it really only allows one type of USB device and not the entire class of devices supported by a driver? -- Hannes
Submitted by Anonymous on Thu, 01/17/2008 - 04:24.
To give usage to only one device i use this way. First you uninstall every device installed previously if there are. At cmd prompt you give these 2 commands: set devmgr_show_nonpresent_devices=1 start devmgmt.msc The first command will let you see installed driver that are not present at the system at that moment when you start the Device Manager which is done by the second command. When the DM is started you go to view - Show hidden devices and then at storage device you can see all the drivers that have been installed. Uninstall them all if there are any. After this you plug in the Device that you will use on that PC. after the driver is installed then you disable access to everyone on USBSTOR.* In this method you can not use the reg file since that will disable every USB device that has been installed. The good of this is that you let PPL use the USB and you also limit others from using USB's on that PC. Also the USB devices have each a their code of installation so even if they are the same type, only the allowed device can work on that PC.
Submitted by Anonymous on Mon, 01/14/2008 - 19:15.
We are small company without IT department, and we want to block the evil USB port. Currently we block untrusted USB device by MyUSBOnly, found here. It works without an IT administrator, just prompt you for a password when untrusted USB is inserted into a computer.
Submitted by Anonymous on Thu, 12/20/2007 - 04:40.
At the office where I work, the admins use this software http://www.gfi.com/endpointsecurity/ and it seems to be doing the job! I can’t even connect my iPod to transfer some music and files to my office pc. :( They can assign who can use external devices and what they use.
Submitted by Anonymous on Tue, 12/04/2007 - 09:59.

We use another way of blocking usb devices. Our desktop management system - desktop authority handles this task quite well. After upgrading to new version several weeks ago we have some nice new abilities for managing unauthorized access to usb ports. Now we can block or allow only particular devices by the serial numbers or manufacturer IDs.

Submitted by Anonymous on Tue, 08/21/2007 - 06:54.

Hi,
This is the exact post what I was trying to find. I did all the steps as mentioned above. It is not working for me.. I can see the 'Services und Drivers' under Administrative Templates. I can enable the 'USB Storage'. But it is in red color. But it is showing 'Enabled' under Settings. What could be the problem..? can u pls help me out...?

Submitted by Anonymous on Wed, 08/08/2007 - 21:35.

Hi Hannes and expert,
There is a system error 1058 has occurred during execute "net start usbstor" on command prompt. The explanation given "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

I have double confirmed the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start is set to 0x0000000(4) after reboot the machine.

Appreciate for you guys assistance on this matter.

Jeff Q

Submitted by Anonymous on Tue, 08/07/2007 - 03:47.

I can confirm this works - had to figure that out for myself but adding an additional line at the end corrects the above issue. If you follow the step-by-step guide (pcs 'must' be rebooted as the policy you are applying is to computers on the network and policies are applied on connection to a network which happens during the boot-up process).

FYI - running the 'net start usbstor' command will error if there is no USB device plugged in. Just run the command with the usb storage device plugged in and all should be well :)

Minh N.

Submitted by Hannes Schmidt on Mon, 08/06/2007 - 05:55.

Hi Jeff,

Are you by any chance using 2k3 with Group Management Console SP1? If so, try adding an empty line at the end of the ADM file. See this post for details. I also changed the file attached to this article to include a newline at the end.

-- Hannes

Submitted by Anonymous on Sun, 08/05/2007 - 23:54.

Hi Hannes,
The following error occurred during I'm performing step 7 that written by you. The error message as below:
----------------------------------------------------------------------
\\domain.com\SysVol\domain.com\Policies\{02F4FCEF-6DF0-4030-961F-32A95E778085}\aDM\USBSTOR.ADM ONLINE 17:

eRROR 51 unexpected keyword

Found: CATEGOR
Expected: CATEGORY

The file can not be loaded
----------------------------------------------------------------------

I have double confirmed the "CATEGORY" is written correctly in usbstor.adm file (line 17) but no idea why system found it spell wrongly. Really appreciate ur assistance on this matter. Thanks

Jeff

Submitted by Anonymous on Thu, 07/05/2007 - 07:00.

Hi there, I read your article. Thanks for such wonderful efforts. I am creating an application in which I want to enable and disable USB drive. I tried it in following way. I changed the registry entries for start and image path under key HKEY_LOCAL_MACHINE/system/current control set/services/USBSTOR. But I need to restart the computer for these changes to take effect. How should I avoid the restarting of the system? Is there any Windows service to be stopped? When I tried to use net stop usbstor, it gives me error that cant execute this command.
Can you please let me know how can I do it?
My requirement is something like this.

(1) USB1 is inserted in USB port1.
(2) Run [my exe] USB.exe (Parameter as disable).
(3) Insert another USB i.e. USB 2 in usb port 2. It should be disabled.
(4) Again Run USB.exe (parameter as enable).
(5) Insert USB. It should be enabled.

Kindly reply as early as you can as this is very urgent for me.
Thanks in advance.
Abhijit

Submitted by Hannes Schmidt on Tue, 05/22/2007 - 23:24.

The solution described here did work for me. Otherwise I wouldn't have written this article. But everyone's mileage varies. I'm happy to hear that you found a solution that works for you.

-- Hannes

Submitted by Anonymous on Tue, 05/22/2007 - 04:58.

Yes, I was right, locking files won't work. Here's a kind of solution:
http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html
Drony

Submitted by Anonymous on Tue, 05/22/2007 - 03:57.

Hannes,
I think you are not quite right. I assume that PNP driver is installed by System account that has F rights to both registry and files mentioned. I'm still playing with it, but I can't stop USB from working under regular accounts.
Actually, the only thing we need is to prevent SYSTEM acc to write into HKLM\SYSTEM\CurrentControlSet\Services\USBStor\Start _value_, but we can restrict writing to the _key_ only, so SYSTEM would not be able to install driver even for permitted users.
So far I can't find the solution...
Drony

Submitted by Anonymous on Fri, 05/04/2007 - 03:19.

I am having some problems getting this to work. The GPO seems to be being applied correctly, the security permissions on the two files mentioned are correct, and the registry key is set to 4.
However, when I log on as a standard user the usb keys work. If I then log on as an administrator again, the key has changed back to 3.

Any ideas would be greatly appreciated

Alex

Submitted by Hannes Schmidt on Sat, 04/07/2007 - 00:37.

I don't quite agree with your line of reasoning here and usually I don't tolerate "URL drops" in comments but I'll make an exception this time because the software you mention seems legit and has its purpose.

-- Hannes

Submitted by Anonymous on Thu, 04/05/2007 - 13:20.

We don't want to roll out any settings through GPOs that aren't easy to roll back or control on a per-PC basis so we're gonna update our PCs remotely using a great FREE utility by IntelliAdmin:

http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html

It is free, changes the USBSTOR registry setting, and renames the usbstor.inf and usbstor.pnf files so the driver won't work. Also, it is easily reversible with the same utility and I don't have to leave my chair to hit every PC in the domain. I love it!

Submitted by Anonymous on Thu, 02/15/2007 - 16:45.

Unfortunately the block works fine for USB Pen Drives and Hard Disk, but today phones can be connected to synchronize with email and used as a storage device. Windows XP does not understand that phones are also storage devices.

Submitted by Anonymous on Tue, 01/09/2007 - 22:51.

Hi,

The USBstore.reg is really working for me, but on executing local systems only, planning to convert the same to MSI package and implement through GP on 2003.

If it works it would be great for me.

Thanks & Regards,
Aravind

Submitted by Anonymous on Thu, 12/21/2006 - 16:51.

Have a look at www.securewave.com they have a tool called Sanctuary Device Control: it is extremely secure and allows customised access to certain brands / models of usb keys. it also allows you to encrypt usb keys as soon as they are plugged in. NICE!

Submitted by Anonymous on Wed, 11/29/2006 - 15:46.

I am having the same problem as Derek, my clients are XP machines and I can see that the GPO is being applied correctly but I can still add new USB devices to the computer.

Submitted by Hannes Schmidt on Tue, 10/17/2006 - 08:47.

You can grant users the right to control a service using the Security Settings - System Services setting of a Group Policy. This is a starter How To Configure Group Policies to Set Security for System Services

-- Hannes

Submitted by Anonymous on Tue, 10/17/2006 - 04:34.

Hello!

you say: "The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices." ok, but how can do that user what not a member administrators group? when login and type "net start usbstor" gave "access denied" message. and when i login with administrative rights message is: "service is disabled or..." ok its correct because in registry set 4 (disable). In this situation you must after "net start..." place new registry value, and (reboot is necessary?) then start service? so this article is good for completely disable USB storage - or maybe i'm not read carefully...

ps.
sorry english is not my native language.

greets

Submitted by Hannes Schmidt on Wed, 08/23/2006 - 23:35.

Have you actually tried it? Because this article is about disabling usbstor.sys which stands for USB storage. Usbstor.sys is not responsible for talking to HID devices. I have used this method on plenty boxes with both USB mouse and keyboard. If it disables your USB mouse/keyboard you must have either picked the wrong file or something else is messed up on your system. Sorry.

-- Hannes

Submitted by Anonymous on Wed, 08/23/2006 - 07:14.

It seems this method also blocks USB-keyboards and USB-mice. Many PC's today do not have a PS2 port anymore for keyboard and mouse. Therefore an USB port must be used. How to distinguish between an allowed keyboard and a forbidden USB memory stick?