How to disable USB Drives (jump/flash/external/etc.)
This explains how to disable ONLY USB storage devices(flash/Jump/external HD's)
completely without disabling keyboards, mice, etc.
I decided to go this route after trying every other option I could find on
the internet. So far this is the only way I have found to completely kill USB
drives without ways to get around restrictions. edit: WITHOUT PURCHASING THIRD
First thing to do is this:
- Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.
- Change the value of the dword "Start" from 3 to 4. If the dword
"Start" doesnt exist, create it. This will prevent a previously
installed USB device from loading when the device is plugged into the machine.
((As most of you know this a Microsoft suggestion, which does work perfectly
at disabling previously installed devices, however, this alone will not disable
USB storage completely. If a user plugs a new USB storage device into the
machine the device will install and the dword value will be reset to 3. Now
if you incorporate adding this into a script it alone will disable USB drives,
but only after a user plugs a device in, removes it without uninstalling it,
logs off then logs back on, thereby running the script. This means that there
is a window of opportunity for users to have access to new devices, this may
be acceptable for some, but not for others.))
- The next thing to do is to change the permisions on the USBSTOR key. You
need to DENY full control on the "system" group.
- ((What this does is denies everyone the ability to access the USBStor key,
effectively killing the ability for any user (including admins) to install
USB storage devices. Now the reason you deny the "system" group
is because windows will use this account if no one is logged onto the machine
yet. What I mean by this is if say you want to deny a group of users called
"staff", you would need to deny them using GP or a logon script.
This will work great, but, if a "staff" group user plugs a USB drive
in before logging in to Windows the device will be installed using in the
backgroud using the "system" group, then when the user logs in the
"staff" group policy is applied dening the user access to the USBstor
key, but by this point it makes no difference because the devices is already
installed and accessible and once a device is installed the usbstor key is
no longer used.))
So now that these two steps are are done, *NO ONE* will be able to install
If a user tries to use a previously installed drive the device will be blocked
and nothing will happen, no prompts, nothing. This is accomplished through step
1, the dword value.
What happens if a user plugs in a "New" device that was not previously
installed, the hardware wizard will run, asking for the location of drivers.
Regardless of whether a user selects the "automatically" search and
install or if they attempt to manually install 3rd party drivers, the HW wizard
will prompt the user that "access is denied" once the drivers are
selected. This is the result of step 2, denying "system".
Now that we know how to disable USB storage devices we need to find an efficient
way to do this without driving through the registry on each and every machine.
This is what I did to accomplish this method of killing USB drives quickly
I created 2 batch files, 1 batch to disable and another for administrators(tech
support, ie.) that will re-enable USB drives if the need arises.
- 1: First thing is to get a copy of the tool "subinacl.exe". This
tool is included with MS Server 2003 RK.
((What subinacl allows you to due is set specific permissions on the exact
group or user, etc.. that you need to, this includes permissions on registry
Keys which is what we will be doing.))
- Once you have a copy of "subinacl.exe" set up a folder for your
batch files. In my particular case I wanted these batch files available on
the network so I created a shared folder named "DisableUSB" on a
server. Next I created a subfolder within "DisableUSB" called "subinacl".
Put a copy of "subinacl.exe" in this folder.
- Next thing to do is create 2 “reg” files in the subfolder “subinacl”.
I named the 2 files “dword3.reg” and “dword4.reg”.
These files are going to be used to change the value of the dword “start”
in the registry key Usbstor.
I assume most probably know how do create reg files, this is what should be
in the files:
Windows Registry Editor Version 5.00
*change the 3 to a 4 for “dword4.reg”*
- Now put these 2 files in the “subinacl” folder if they weren’t
OK, all the pieces should now be in place. For this example we have a shared
folder (on no particular server) called “disableUSB”. Within this
folder is a subfolder “subinacl” that has subinacl.exe, dword3.reg,
and dword4.reg within it.
- Now to create the 2 batch files. I created these 2 files under the main
share folder (disableUSB). One is called “disableUSBdrives.bat”
which, you guessed it, disables drives, and the other for re-enabling drives,
This is how disableUSBdrives.bat is set up:
regedit /s \\servername\disableUSB\Subinacl\dword4.reg
\\servername\DisableUSB\Subinacl\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor
echo **USB drives disabled**
*the path will differ of course. \\servername is just an example.
for “enableUSBdrives.bat” simply change change “dword4.reg”
to “dword3.reg” AND “deny=system” to “grant=system”
Notice that the only real meat to these batch’s is running regedit and
running subinacl. Everything else (cls,pause,echo) is optional, for my particular
situation it was needed.
- Go the machines that you want to disable USB drives on and run the disableUSBdrives
batch from the network share.
And that’s it. USB drives gone.
Now of course running a batch from each machine is still time consuming, but
In my particular situation it had to be done this way, and is obviously much
faster than driving through the registry.
The most efficient way to incorporate this would be with logon scripting. Unlike
with just using the dword start=4 trick, after this script is run, there is
no way for joe blow user to use any of his nifty little Jumpdrives or his hot
new hard drives.
Also note that folder names and locations can be set up in any way and anywhere
as long as the batch files point to the right place.
Anyway. hope this helps someone.
Get Excel Report from Database