Disable USB Flash Drives

Update 1/18/2007 11:01 PM EST: I have received a few questions about this method – no, it will not disable mice or keyboards. It only disables storage devices attached to the USB port. This includes hard drives, flash drives, and any other type of USB storage device. And yes, if the user has administrator access they can reverse the changes.

Our USB Flash drive enable/disable program has been out for quite a while now. Recently we have been getting bug reports that it no longer works.

How it operates is simple: we set a registry key that tells the UsbStor driver not to load on boot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

Start = 4 (Disabled) – Don’t start the driver on boot
Start = 3 (Enabled) – Start the driver on boot

According to Microsoft, this is an appropriate way to disable USB drives; they even recommend it as a group policy to disable USB, CDROM, and floppy drives:

http://support.microsoft.com/kb/555324

After loading about 10 different variations of Windows (2000, XP, 2003, and Vista with different service packs) in VMWare we started to see a clearer picture.

Some variations will simply reset the key ‘Start’ back to 3 when a new flash drive is plugged in. The first trick we tried was denying write access for the system account on the USBStor registry key.

It worked on everything except Windows 2003. This version of Windows would reset permissions on the key – and delete it! Then it would re-create it with USB storage enabled.

Then we came across this document:

http://support.microsoft.com/kb/823732

(Looks like it was published much later than KB 555324)

It tells us to put deny permissions for the users we want to lock out on UsbStor.inf and UsbStor.pnf in the c:\windows\inf folder. Funny thing – it doesn’t work. Windows XP will reset the permissions and let the user install their flash drive anyhow.

Now we could have created a filter driver that would sit between Windows and USB storage, but we wanted something simple that an administrator could do without even using our program.

We found a simpler solution: rename the files. If we simply rename the files to UsbStor.inf.backup and UsbStor.pnf.backup, Windows can no longer load the drivers for USB storage.

So to recap: rename the files, set the registry key to 4, and users can no longer access any type of USB storage. Reverse the rename, reset the registry key to 3, and users can access their USB storage again. Almost forgot: a reboot is required each time you switch.
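The recap above as a PowerShell sketch, added here as an example; it is not the code of the programs described in this post. The function names are hypothetical, and it assumes an elevated session that can write to the UsbStor key and the inf folder. It also reports the resulting state, so a Start value that Windows has reset to 3 or a driver file that has reappeared can be spotted later.

```powershell
# Added example (not the vendor's code). Function names are hypothetical.
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfDir      = Join-Path $env:windir 'inf'
$DriverFiles = 'UsbStor.inf', 'UsbStor.pnf'

function Get-UsbStorageState {
    # Read the Start value and list which driver files are still loadable.
    $start   = (Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    $present = @($DriverFiles | Where-Object { Test-Path (Join-Path $InfDir $_) })
    [pscustomobject]@{
        Start         = $start            # 4 = disabled, 3 = enabled
        DriverFiles   = $present          # empty when both files are renamed
        FullyDisabled = ($start -eq 4) -and ($present.Count -eq 0)
    }
}

function Set-UsbStorage {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled')]
        [string]$State
    )
    foreach ($name in $DriverFiles) {
        $live   = Join-Path $InfDir $name
        $backup = "$live.backup"
        if ($State -eq 'Disabled' -and (Test-Path $live)) {
            # A stale .backup from an earlier run would block the rename.
            if (Test-Path $backup) { Remove-Item -Path $backup -Force }
            Rename-Item -Path $live -NewName "$name.backup"
        }
        elseif ($State -eq 'Enabled' -and (Test-Path $backup) -and -not (Test-Path $live)) {
            Rename-Item -Path $backup -NewName $name
        }
    }
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $ServiceKey -Name Start -Value $value -Type DWord
    Write-Warning 'Reboot required for the change to take effect.'
    Get-UsbStorageState
}

# Usage: Set-UsbStorage -State Disabled   (then reboot)
#        Get-UsbStorageState              (re-check after a new drive is plugged in)
```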

We have a few programs now that will do this for you. First the USB Disabler. It is for disabling, or enabling USB flash drives on the computer you run it from.

Second, we have the remote USB flash disabler. It will allow you to pick a machine on your network and enable or disable USB flash drives.

Third, our Network Administrator product can apply it to all the machines on your network.

They can all be found on our downloads page.

Comments

  1. lonesome says:

    How can I change file names using group policy?

  2. You can’t

    That is why a better way to do this…if you have a large network and want to deploy the change is to use our Network Administrator program:

    http://www.intelliadmin.com/NetworkAdministrator.htm

  3. Fabian says:

    How do I use the flash disabler on Vista?

  4. It should work fine on Vista. Just make sure you right click and run it as an administrator.

  5. rahulroy says:

    How can I disable USB only for specific users? Say, deny access to all limited users in Windows Vista / 7?

  6. There is no functionality within Windows that will allow you to do this – the way you can do this is to use a product we have called USB Disabler Pro:

    http://www.intelliadmin.com/index.php/usb-disabler-pro/

  7. Mahesh says:

    I have connected my clients to the server. I need to get a message to the server if the client uses a pen drive or any external device. Can you give a script file?

  8. Edo says:

    When using a SATA HDD in IDE mode, the drive will be run as a USB device in Windows XP. If we disable the USB device, will it disable the SATA HDD also?

  9. No, since the SATA hdd does not use USBStor drivers to load the drive. Where do you get your information that SATA drives are run as USB Devices?
