Blocking access to USB flash drives. Ratoo is a free utility for restricting access to USB flash drives

Very often, flash drives and external hard drives may contain malware. This problem is especially relevant in cases where you have to deal with many unfamiliar people (customers, for example). In today's article we will talk about how to manage USB ports, blocking and unlocking them if necessary.

People often ask: “Is there any program with which I can restrict access to the USB ports of my laptop for “unnecessary” people?”

We answer: "Yes, there is such a program and it's called Microsoft Windows!" In fact, it is not that complicated, because you can control whether USB ports are enabled or disabled by editing the registry. And, of course, since only an administrator can edit the registry, "guests" will not be able to activate disabled ports without your permission.

Before we tell you the specific recipe, let us remind you that manipulating the Windows registry is an important change.

Blocking and Unblocking USB Ports

If you often work in the registry, the necessary key is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. Find the value named Start and change it to 4 if you want to disable USB storage support. Do you want to turn it back on? Then set it to 3 again.

Want to make it easier? Then just open an empty Notepad file and paste the following content into it:

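Windows Registry Editor Version 5.00

; 4 = USB storage driver disabled, 3 = enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000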

Now save this file, selecting the type "All files" and giving it a clear name, for example, "USB-Off.reg". Your "off switch" is ready, and all that is left is to make its counterpart.

To do this, repeat everything from the beginning, but in the line

"Start"=dword:00000004

replace 4 with 3. Then save the file under the opposite name, for example, "USB-On.reg".

Now, by running the first file, you will disable the operation of USB ports, and by using the second, you will resume their functioning.

Of all the methods found after a short search, not a single one worked in my case :)

Even the option to limit rights for users in the registry did not produce results (even removing rights for the system and administrator - i.e., all rights completely for everyone - did not help).

As a result, I put together my own version (combining two different ones).

In my case, an ordinary user does not have any privileges in the system (a real dream!) and, of course, maximum functionality was required - i.e. use of certain (registered) media on individual PCs.

To do this, we use only two procedures (actions):

  1. We delete from the registry information about all used (registered in the registry) USB storage devices using any convenient method (to your taste).
    The fastest and easiest way for me was to use a simple utility. Then we delete the files %Windows%\inf\Usbstor.pnf and Usbstor.inf from the system.
  2. In the future, if you need to add (register) a storage device, add the specified files to the system, then connect (reconnect) the USB drive and it is fully identified (registered) in the system. After registering in the system, we again delete the specified files, which again blocks any attempts by the system to detect a new USB drive.

In the case when rights in the OS are distributed and “normal” work is performed by a user with limited rights, this method completely blocks the ability to connect “Flash drives” that have not been registered (by the system administrator) to the OS.

Removing and adding Usbstor.pnf and Usbstor.inf files can be done using .bat files approximately as follows:

deletion

del /f /s /q C:\WINDOWS\inf\usbstor.inf C:\WINDOWS\inf\usbstor.PNF

restore (provided that the files are located next to the bat file)

xcopy ".\usbstor.inf" "C:\WINDOWS\inf\"
xcopy ".\usbstor.PNF" "C:\WINDOWS\inf\"

Attention! For Windows 7 and higher, all .bat files must be run as an administrator ("Run as administrator" in the context menu).

Below are other ways to restrict access to these devices (they didn’t work for me individually).

Computer Management -> Device Manager -> Universal Serial Bus controllers -> (USB Root Hubs) -> "Device usage": [Disabled]

For example, if the printer is connected to a hub, then that hub does not need to be disabled.

note 1. Device Manager can be launched from the command line with start devmgmt.msc.

note 2. An interesting feature of Device Manager appears if you run two commands from the console:

Set devmgr_show_nonpresent_devices=1
start devmgmt.msc

Then hidden devices will appear in Device Manager.

If USB is not required, disable USB controllers.

Prohibit use by everyone except selected users through "Computer Management -> Storage Devices -> Removable Storage -> Properties -> Security".

Drawback

There are some pitfalls here, for example, denying access to the Users group: the administrator can also be a member of the Users group.

However, this is equivalent to changing the parameter
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR "Start"
"Start"=dword:00000004 - disable;
"Start"=dword:00000003 - allow.

note. You can start the service from the command line:
net start "Removable Storage"

We go to the %Windows%\inf folder (the folder has the hidden attribute), there are two files in it - Usbstor.pnf and Usbstor.inf.

We deny access to these files except for the administrators group or a specific user.

Why ban USB completely when you can ban only writing?

The setting lives under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies.

The WriteProtect parameter most likely does not exist. In that case, create it with type dword and assign it the value 1.

And don't forget to reboot your computer. To restore - assign the value 0.
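A read-only check of the two registry settings described above (the USBSTOR Start value and StorageDevicePolicies WriteProtect), as an added example that is not part of the original article. The function name Get-UsbStoragePolicy and its -ExpectedStart parameter are hypothetical.

```powershell
# Added example (not from the original article): report the USB storage
# settings discussed above and flag drift from the expected state.
function Get-UsbStoragePolicy {
    [CmdletBinding()]
    param(
        # Expected USBSTOR Start value: 4 = disabled, 3 = enabled (hypothetical parameter).
        [ValidateSet(3, 4)]
        [int]$ExpectedStart = 4
    )

    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

    # A missing key or value yields $null instead of an error.
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UsbStorStart   = $start
        StorageBlocked = ($start -eq 4)
        # WriteProtect normally does not exist; absent or 0 means writes are allowed.
        WriteProtected = ($wp -eq 1)
        # A mismatch here means the value no longer matches what the administrator set.
        StartDrifted   = ($start -ne $ExpectedStart)
    }
}

Get-UsbStoragePolicy -ExpectedStart 4 | Format-List
```

Running it on a schedule shows when a workstation's Start value no longer matches the value the administrator set.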

So, step by step (of course, you need to have local administrator rights):

  1. Win+R (similar to Start -> Run), regedit.
  2. Go to the USBSTOR key. This key stores information about all USB drives ever connected.
  3. We give ourselves full access to USBSTOR (right-click -> Permissions, check the Full Control option for the Everyone group).
  4. We delete all contents of USBSTOR.
  5. We connect the approved flash drive and make sure that it has been identified. A key like Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07 should appear inside USBSTOR (F5 to update the list).
  6. Right-click USBSTOR again, Permissions. We remove Full Control from the Everyone group, leaving the right to read.
  7. The same rights must be assigned to the SYSTEM user, but this cannot be done directly. First you need to click the Advanced button, uncheck the Inherit from parent object... checkbox, and in the Security window that appears, choose Copy. After clicking OK again, the SYSTEM user rights will become available for change.
  8. To consolidate the effect, click the Advanced button again and check the Replace permissions for all child objects... checkbox. Confirm execution.

What did we achieve in the end? An approved flash drive connects and disconnects without problems. If an unapproved drive is connected, Windows will detect the device but will not be able to install it, and will report an error.

Moreover, a new key will be created in USBSTOR, which will clearly indicate an attempt to connect an unapproved USB drive.
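Since each connection attempt leaves a key under USBSTOR, those key names can be compared against the approved list. The following is an added example, not part of the original article; the function names are hypothetical, and the second sample key name is constructed.

```powershell
# Added example (not from the original article): list device keys under
# Enum\USBSTOR and return the ones that are not on an approved list.
function ConvertFrom-UsbStorKeyName {
    param([Parameter(Mandatory)][string]$Name)
    # Key names look like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
    if ($Name -match '^(?<Type>[^&]+)&Ven_(?<Vendor>[^&]*)&Prod_(?<Product>[^&]*)&Rev_(?<Revision>.*)$') {
        [pscustomobject]@{
            KeyName  = $Name
            Type     = $Matches.Type
            Vendor   = $Matches.Vendor
            Product  = $Matches.Product
            Revision = $Matches.Revision
        }
    }
}

function Find-UnapprovedUsbStorage {
    param(
        [Parameter(Mandatory)][string[]]$Approved,  # approved key names
        [string[]]$KeyName                           # optional: check these names instead of the live registry
    )
    if (-not $KeyName) {
        $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
        $KeyName = @(Get-ChildItem -Path $enum -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName)
    }
    foreach ($name in $KeyName) {
        if ($Approved -notcontains $name) {          # comparison is case-insensitive
            $parsed = ConvertFrom-UsbStorKeyName -Name $name
            if ($parsed) { $parsed } else { [pscustomobject]@{ KeyName = $name } }
        }
    }
}

# The first name is the one quoted in the article; the second is constructed sample data.
$approved = @('Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07')
$sample   = @('Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07',
              'Disk&Ven_Example&Prod_Unknown_Stick&Rev_1.00')
Find-UnapprovedUsbStorage -Approved $approved -KeyName $sample   # constructed input
Find-UnapprovedUsbStorage -Approved $approved                    # live registry
```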

We were given a task: block USB drives on workstations. Moreover, printers connected via USB must keep working, but flash drives plugged into USB must not!

The task is complicated by the fact that local security policies, and even domain policies in a Windows 2003 Server domain, do not allow you to disable USB drives. There are no such policies.

Everything is complicated by the fact that there are printers connected via USB. The USB bus itself can be turned off through the registry, but then how to get the printers to work is a big question.

Paid programs cannot be used. The management is not ready to buy them, and pirating them is not an option. Everything has to be clean and legal. 🙂

There is a solution. The result of reading the documentation and googling has been written up as an article for future reference.

The problem is solved by setting permissions on the files usb.inf and usbstor.inf, which are located in C:\Windows\inf

It is brilliantly simple! Through access rights you can not just block access to USB, but also restrict access to USB by user.

Guide to setting access rights to USB media and blocking flash drives

  1. We install all the necessary USB printers, scanners and other USB devices that you may need on this computer. It will be harder to install them later. 🙂 After all, we are going to block USB devices.
  2. We remove ALL USB drives previously connected to the workstation, otherwise these flash drives will be available to ANY user of the workstation. IMPORTANT: For Windows 7, see the information below.
    All previously installed USB flash drives are recorded in the registry; to remove them, run regedit (Start -> Run -> regedit -> Enter), go to the key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

    and remove ALL subkeys from there.

    IMPORTANT in Windows XP: a message may appear that the subkey cannot be deleted. In this case, right-click on the USBSTOR key and select "Permissions...", then set Full Control for "Everyone". Now try deleting the subkeys in the USBSTOR key again; it should work.

    The registry is protected much better in Windows 7 than in Windows XP. To remove previously connected devices, you will have to boot from a Live CD and use a utility to delete entries from the registry. On a running Windows 7, you cannot delete registry entries about previously connected devices. Live CD images with a registry-editing utility exist for Windows 7 32-bit, Windows 7 64-bit and Windows XP.

  3. Go to the folder <drive where Windows is installed>:\Windows\inf and find the files usb.inf and usbstor.inf.
  4. Select the files usb.inf and usbstor.inf, open Properties, and in the dialog box that appears go to the Security tab. Find the "Advanced" button and click it.
  5. If the "Inherit from the parent object permissions applicable to child objects, adding them to those explicitly specified in this window" checkbox is checked, it must be unchecked. A window with the buttons "Copy", "Delete" and "Cancel" will appear: click "Copy" and then "OK". If you do not have this checkbox, you can skip this item.
  6. On the "Security" tab, in the "Groups and Users" field, we do the following:
    To completely block USB flash drives for ALL workstation users:
    We delete ALL users.
    To block USB drives only for users without administrator rights:
    We delete all users and add users or groups with administrator rights. Whether these are local or domain accounts depends on whether you have a domain deployed. It is more correct to add the local group Administrators, and add the domain group to the local group through "Local Users and Passwords". But here everyone does what is most convenient for them.

That's it. Now, when connecting USB flash drives and other USB devices to the workstation, depending on the option selected above, the following will happen: a user without administrator rights will be asked to log in with administrator rights, or the USB device will be blocked and will not work at all.

This article has been tested for functionality under Windows XP SP3, Windows 7 SP1, Windows 2003 Server.
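To confirm that the permissions from the guide above were actually applied, the ACLs of both files can be read back. This is an added example, not part of the original article; the function name Test-UsbInfAcl is hypothetical, and it assumes the "administrators only" variant of step 6.

```powershell
# Added example (not from the original article): verify that usb.inf and
# usbstor.inf no longer inherit permissions and only allow approved identities.
function Test-UsbInfAcl {
    param(
        [string[]]$Path = @("$env:SystemRoot\inf\usb.inf", "$env:SystemRoot\inf\usbstor.inf"),
        # S-1-5-32-544 is the well-known SID of the local Administrators group.
        [string[]]$AllowedSid = @('S-1-5-32-544')
    )
    foreach ($file in $Path) {
        $acl = Get-Acl -LiteralPath $file   # needs read access to the file, so run elevated

        # Collect every identity with an Allow entry that is not on the allowed list.
        $extra = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($AllowedSid -notcontains $sid) { $ace.IdentityReference.Value }
        }

        [pscustomobject]@{
            File                = $file
            # True when "inherit from parent" was unchecked as in step 5.
            InheritanceDisabled = $acl.AreAccessRulesProtected
            UnexpectedAllow     = @($extra | Sort-Object -Unique)
            Compliant           = ($acl.AreAccessRulesProtected -and -not $extra)
        }
    }
}

Test-UsbInfAcl | Format-List
```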

Sometimes it becomes necessary to disable USB ports on a computer or laptop in order to limit access to connect flash drives, hard drives and other USB devices. Disabling USB ports will help prevent the connection of any drives that could be used to steal important information or cause a virus to infect your computer and spread malware across the local network.

Restricting access to USB ports

Let's consider 7 ways to block USB ports:

  1. Disabling USB through BIOS settings
  2. Changing registry settings for USB devices
  3. Disabling USB ports in Device Manager
  4. Uninstalling USB controller drivers
  5. Using Microsoft Fix It 50061
  6. Using additional programs
  7. Physically disconnecting USB ports

1. Disabling USB ports through BIOS settings

  1. Enter BIOS settings.
  2. Disable all items related to the USB controller (for example, USB Controller or Legacy USB Support).
  3. After you have made these changes, you need to save the settings and exit the BIOS. This is usually done using the key F10.
  4. Restart your computer and make sure the USB ports are disabled.

2. Enable and Disable USB Drives Using Registry Editor

If disabling via BIOS does not suit you, you can block access directly in Windows itself using the registry.

The instructions below allow you to block access to various USB drives (for example flash drives), but other devices such as keyboards, mice, printers, scanners will still work.

  1. Open the Start menu -> Run, enter the command "regedit" and click OK to open the Registry Editor.
  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

  3. On the right side of the window, find the item "Start" and double-click it to edit. Enter the value "4" to block access to USB storage devices. Accordingly, if you enter the value "3" again, access will be reopened.

Click OK, close Registry Editor, and restart your computer.

The above method only works when the USB controller driver is installed. If, for security reasons, the driver was not installed, the "Start" setting may be automatically reset to "3" when the user connects the USB drive and Windows installs the driver.

3. Disable USB ports in Device Manager

  1. Right-click "Computer" and select the "Properties" item in the context menu. A window will open; on its left side, click the "Device Manager" link.
  2. In the Device Manager tree, find the item "USB controllers" and open it.
  3. Disable the controllers by right-clicking each one and selecting the "Disable" menu item.

This method doesn't always work. In the example shown in the figure above, disabling the controllers (the first 2 points) did not lead to the desired result. Disabling the 3rd option (USB Mass Storage Device) worked, but it only allows you to disable a single instance of the USB storage device.

4. Removing USB controller drivers

Alternatively, to disable the ports, you can simply uninstall the USB controller driver. But the disadvantage of this method is that when the user connects a USB drive, Windows will check for drivers and, if they are missing, will offer to install the driver. This in turn will allow access to the USB device.

5. Prevent users from connecting USB storage devices using a Microsoft application

Another way to deny access to USB drives is to use Microsoft Fix It 50061 (http://support.microsoft.com/kb/823732/ru - the link may take about a minute to open). The essence of this method is that 2 conditions for solving the problem are considered:

  • The USB drive has not yet been installed on the computer
  • The USB device is already connected to the computer

Within the framework of this article, we will not consider this method in detail, especially since you can study it in detail on the Microsoft website using the link given above.

It should also be noted that this method is not suitable for all versions of Windows OS.

6. Using programs to disable/enable access to USB storage devices

There are many programs for setting a ban on access to USB ports. Let's consider one of them - the program USB Drive Disabler.

The program has a simple set of settings that allow you to deny/allow access to certain drives. USB Drive Disabler also allows you to configure alerts and access levels.

7. Disconnecting USB from the motherboard

While physically unplugging USB ports on a motherboard is a nearly impossible task, you can disable ports on the front or top of your computer by unplugging the cable that goes to the motherboard. This method will not completely block access to USB ports, but will reduce the likelihood of using drives by inexperienced users and those who are simply too lazy to connect devices to the back of the system unit.

Addendum

Denying access to removable media through the Group Policy Editor

In modern versions of Windows, it is possible to restrict access to removable storage devices (including USB drives) using the Local Group Policy Editor.

  1. Run gpedit.msc through the Run window (Win + R).
  2. Go to the branch "Computer Configuration -> Administrative Templates -> System -> Removable Storage Access".
  3. On the right side of the screen, find the "Removable Disks: Deny read access" option.
  4. Activate this option ("Enable" position).

This section of Local Group Policy allows you to configure read, write, and execute access for different classes of removable media.