Update 1/18/2007 11:01 PM EST: I have received a few questions about this method – no it will not disable mice, or keyboards. It only disables storage devices attached to the USB port. This includes hard drives, flash drives, and any other type of USB storage device. And yes, if the user has administrator access they can reverse the changes
|Our USB Flash drive enable/disable program has been out for quite a while now. Recently we have been getting bug reports that it no longer works.|
How it operates is simple, we set a registry key that tells the UsbStor driver not to load on boot:
Start = 4 (Disabled) – Don’t start the driver on boot
Start = 3 (Enabled) – Start the driver on boot
If we visit Microsoft, this is an appropriate way to disable USB drives, they even recommend it as a group policy to disable USB, CDROM, and floppy drives:
After loading about 10 different variations of Windows (2000, XP, 2003, and Vista with different service packs) in VMWare we started to see a clearer picture.
Some variations will simply reset the key ‘Start’ back to 3 when a new flash drive is plugged in. The first trick we tried was denying write access for the system account on the USBStor registry key.
It worked on everything except Windows 2003. This version of windows would reset permissions on the key – and delete it!. Then it would re-create with the USB storage enabled.
Then we came across this document:
(Looks like it was published much later than KB 555324)
It tells us to put deny permissions for the users we want to lock out on UsbStor.inf, and UsbStor.pnf in the c:\windows\inf folder. Funny thing – it doesn’t work. Windows XP will reset the permissions and let the user install their flash drive anyhow.
Now we could have created a filter driver that would sit between windows and usb storage, but we wanted something simple that an administrator could do without even using our program.
We found a simpler solution…rename the files. If we simply rename the files to UsbStor.inf.backup, and UsbStor.pnf.backup windows can no longer load the drivers for usb storage.
So to recap. Rename the files, set the registry key to 4, and users can no longer access any type of usb storage. Reverse the rename, and reset the registry key to 3 and users can access their usb storage again. Ahh. Almost forgot. Reboot required each time you switch.
We have a few programs now that will do this for you. First the USB Disabler. It is for disabling, or enabling USB flash drives on the computer you run it from.
Second we have the remote USB flash disabler. It will allow you to pick a machine on your network and enable, or disable USB flash drives
Third, our Network Administrator product can apply it to all the machines on your network.
They all can be found on our downloads page
One more thing…Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them. Click Here to get your free tools