# How to disable USB Drives (jump/flash/external/etc.)



## dinesh_ymca (Nov 15, 2007)

This explains how to disable ONLY USB storage devices (flash/Jump/external HD's) completely without disabling keyboards, mice, etc. 
This method completely stops USB drives without purchasing third party software. 
1. Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor. 
2. Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesn’t exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know this a Microsoft suggestion, which does work perfectly at disabling previously installed devices, however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices, this may be acceptable for some, but not for others.)) 
3. The next thing to do is to change the permissions on the USBSTOR key. You need to DENY full control on the "system" group. 
((What this does is denies everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because windows will use this account if no one is logged onto the machine yet. If say you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but, if a "staff" group user plugs a USB drive in before logging in to Windows the device will be installed using in the background using the "system" group, then when the user logs in the "staff" group policy is applied denying the user access to the USBstor key, but by this point it makes no difference because the devices is already installed and accessible and once a device is installed the usbstor key is no longer used.))
	So now that these two steps are done, *NO ONE* will be able to install USB drives. 
If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value. 
What happens if a user plugs in a "New" device that was not previously installed, the hardware wizard will run, asking for the location of drivers. Regardless of whether a user selects the "automatically" search and install or if they attempt to manually install 3rd party drivers, the HW wizard will prompt the user that "access is denied" once the drivers are selected. This is the result of step 2, denying "system".
Now that we know how to disable USB storage devices we need to find an efficient way to do this without driving through the registry on each and every machine.
This is what we can also to accomplish this method of killing USB drives quickly and easily. 

Create 2 batch files, 1 batch to disable and another for administrators (tech support, ie.) that will re-enable USB drives if the need arises. 

1: First thing is to get a copy of the tool "subinacl.exe". This tool is included with MS Server 2003 RK. 

((What subinacl allows you to due is set specific permissions on the exact group or user, etc.. that you need to, this includes permissions on registry Keys which is what we will be doing.)) 

2: Once you have a copy of "subinacl.exe" set up a folder for your batch files. In my particular case I wanted these batch files available on the network so I created a shared folder named "DisableUSB" on a server. Next I created a subfolder within "DisableUSB" called "subinacl". Put a copy of "subinacl.exe" in this folder. 


3. Next thing to do is create 2 “reg” files in the subfolder “subinacl”. I named the 2 files “dword3.reg” and “dword4.reg”. These files are going to be used to change the value of the dword “start” in the registry key Usbstor. 

I assume most probably know how do create reg files, this is what should be in the files: 

For “dword3.reg” 
****** 
Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\USBSTOR] 
"Start"=dword:00000003 

*change the 3 to a 4 for “dword4.reg”* 


4. Now put these 2 files in the “subinacl” folder if they weren’t created there. 

OK, all the pieces should now be in place. For this example we have a shared folder (on no particular server) called “disableUSB”. Within this folder is a subfolder “subinacl” that has subinacl.exe, dword3.reg, and dword4.reg within it. 

5 . Now to create the 2 batch files. I created these 2 files under the main share folder (disableUSB). One is called “disableUSBdrives.bat” which, you guessed it, disables drives, and the other for re-enabling drives, “enableUSBdrives.bat”. Wow… 

This is how disableUSBdrives.bat is set up: 

@echo off 
cls 
regedit /s \\servername\disableUSB\Subinacl\dword4.reg 
\\servername\DisableUSB\Subinacl\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system 
pause 
cls 
echo. 
echo **USB drives disabled** 
echo. 
Pause 

*the path will differ of course. \\servername is just an example. 

for “enableUSBdrives.bat” simply change change “dword4.reg” to “dword3.reg” AND “deny=system” to “grant=system” 

Notice that the only real meat to these batch’s is running regedit and running subinacl. Everything else (cls,pause,echo) is optional, for my particular situation it was needed. 

6. Go the machines that you want to disable USB drives on and run the disableUSBdrives batch from the network share. 

And that’s it. USB drives gone. 

Now of course running a batch from each machine is still time consuming, but In my particular situation it had to be done this way, and is obviously much faster than driving through the registry. 

The most efficient way to incorporate this would be with logon scripting. Unlike with just using the dword start=4 trick, after this script is run, there is no way for joe blow user to use any of his nifty little Jumpdrives or his hot new hard drives. 

Also note that folder names and locations can be set up in any way and anywhere as long as the batch files point to the right place. 

Regards
Dinesh
*Knowurtech.com
(Good technical articles. Submit your articles and get featured on our website. Send email to 
articles@knowurtech.com. To know the benefits *www.knowurtech.com/be_an_expert.html

*Source*


----------



## manmay (Nov 18, 2007)

great article...i wish i had read this 2 months back.....i had to figure all this out myself after serching google.....didnt find a place that had all the info in such concise manner...
actually usb is blocked in my company also...in my case apart from the above i also have to change security permissions in c:\windows\inf folder in order to enable usb drives....this is so as to allow the current user to access usbstor.inf (the driver for usb mass storage devices)...
welli do have a question though....in our workstations, if i change the registry value and permission of usbstor to enable usb, i'm able to enable usb...but after a few hours it get changed automatically to the original disabled state. (i dont restart the computer...but i do lock the desktop quite often)....any ideas y this is happening.?

good article anyway..


----------



## RCuber (Nov 18, 2007)

good tutorial dinesh  did you write it?


----------



## Vishal Gupta (Nov 18, 2007)

Copied from here:

www.petri.co.il/forums/showthread.php?t=3299

Without giving any credits and source. Its limit of plagiarism. Even this dude has posted the same at his blog and advertising here:

*www.knowurtech.com/windows/disabling_usb.html

I hope you'll face some legal action soon.


----------



## danielp (Nov 19, 2007)

Oh, he will, don't worry. Thanks for the heads up!


----------



## Kiran.dks (Nov 19, 2007)

Crazy guys. Plagiarism is flooding internet now. But sad that no law exists (fool proof) to tackle this. Dinesh, You need to learn soon before things become worst for you.

Moderators: Please delete his blog links which he is using for advertising in wrong way. And retain the link which Vishal has given.

Reported.


----------



## dinesh_ymca (Nov 19, 2007)

HI Guys,
I was not aware that this article has been stolen from that site. The article was submitted by one of the user to my site. I have written a mail to author of that site to take this approval and if he doesnot grant his permission , i will be removing that article from my site.
Cheers!!
Dinesh


----------



## victor_rambo (Nov 19, 2007)

btw are those Ebooks on Dinesh's site legal copies?


----------



## Gigacore (Nov 19, 2007)

anyway, thanks for sharing


----------



## bikdel (Nov 19, 2007)

well if i have to turn USB down.. i go straight to BIOS and disable it 

drawback is : no other USB devices you have will work..

but most of the time its only flash drives that you use in usb


----------



## Vishal Gupta (Nov 19, 2007)

dinesh_ymca said:
			
		

> HI Guys,
> I was not aware that this article has been stolen from that site. The article was submitted by one of the user to my site. I have written a mail to author of that site to take this approval and if he doesnot grant his permission , i will be removing that article from my site.
> Cheers!!
> Dinesh


Even the article was posted by some one else at your site, you could provide his/her name as credits. But you didnt, so in both way its plagiarism.


And thnx to Asfaq for adding source link.


----------



## danielp (Nov 19, 2007)

dinesh_ymca said:
			
		

> HI Guys,
> I was not aware that this article has been stolen from that site. The article was submitted by one of the user to my site. I have written a mail to author of that site to take this approval and if he doesnot grant his permission , i will be removing that article from my site.
> Cheers!!
> Dinesh



No, you do NOT have my permission, and you need to remove the article ASAP. 

Next time, all you have to do is ask, and I assue you that I have yet to say no to anyone, all I ask in return is credit and a link to the original article. Is that hard to do?

As for this incident, you will NOT get my permission, and I will continue to monitor your site. Remove the articles ASAP.


----------



## dinesh_ymca (Nov 19, 2007)

Hi Daniel,
Even i donot like someone else work to be published without giving him the due credit. If you donot want to believe me. Thats your problem not mine. I have removed that article from my site.
cheers!!
Dinesh


----------

