Embed Size (px)
DESCRIPTION
Registry Disable USB
Citation preview
Registry Disable USB
How to Disable Saving to USB in
Registry
The scenario: You want to prevent
users saving files to a USB drive,
probably for security, and to prevent
data theft. After this registry tweak users can still read from the USB
drive.
Topics for Disable USB in Registry
Instructions To Disable USB in the Registry
Key Learning Points to Disable Writing to the USB
Disable Writing to USB Using a .Reg File
Disabling the USB Through Group Policy
Disable USB Windows 8 Group Policy
Preliminary Step
Before you use the registry to disable USB
settings, launch explorer and make sure you can
save files; check that 'New' on the shortcut menu
has not been already disabled by a Group Policy.
Instructions To Disable USB in the Registry
Our mission is to find a specific Control setting in the registry, create
a new Key and then add a DWORD value called WriteProtect.
1) Launch Regedit
2) Navigate to this key:
HKLM\System\ControlSet001\Control
3) Create a New Key called StorageDevicePolices. Ignore the existing
key called plain 'Storage'.
4) Create a New: 'DWORD (32-Bit) Value'. Name this new value:
WriteProtect
5) Edit the 'Value data'. What I do is double click WriteProtect, then
click in the 'Value data:' set to 1. If it displays as 0x00000001 (1)
this is a good sign it is going to disable saving to the USB drive.
6) To check the fruits of your labours, close the registry editor and
restart the computer.
Screenshot showing how the registry can disable USB with
WriteProtect = 1.
To Use the Registry to Enable USB Settings
It's easy to employ the registry to enable USB settings. Launch
regedit and use 'Find' to get to StorageDevicePolices. There, seek the
setting WriteProtect and set its Data = 0 (zero). This means reverse
the protection.
Key Learning Points to Disable Writing to the USB
The overall learning point is that WriteProtect requires a new
parent folder or Key called StorageDevicePolices (see above
screenshot).
Do you find the WriteProtect value in HKCU** or HKLM?
Answer: HKLM.
Do you have to add a value, or modify an existing setting?
Answer: Add a new key then a new value.
Is it a String Value or a DWORD?
Answer: DWORD (32-Bit Value)
Do you need to Restart, or merely Logoff / Logon?
Answer: Restart
Tip: Add this Value, WriteProtect to Regedit's Favorites menu
** HKLM is an abbreviation of HKEY_LOCAL_MACHINE, and HKCU is
shorthand for HKEY_CURRENT_USER. These acronyms are so well-
known that you can even use them in .reg files, Windows 7will
understand and obey the registry instruction.
Disable Writing to USB Using a .Reg File
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Stor
ageDevicePolicies]
"WriteProtect"=dword:00000001
Note: There is an extra line after Windows Registry Editor Version
5.00
How to Import .Reg Files Into the Registry
The concept is simple; create a text file with notepad, then type, or
copy and paste the above 4 lines. Crucially, save the file not as a
.txt, but with a .reg extension.
Once you have the information about the key, the settings and the
value in that file, there are at least three ways of importing the
information into your registry.
1. Double-click the .reg file.
2. Right-click the .reg file, select Merge from the drop-down menu.
3. Launch Regedit then select, File (menu) Import.
See more examples of .reg files
Disabling the USB Through Group Policy
As far as I can see, Group Policy does not have a default setting to
disable drives containing removable media, such as USB ports, CD-
ROM drives. However you can apply ADM templates which extend
Group Policy to use customised settings.
Here is an ADM for Windows Server 2003:
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling
the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by
disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by
disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy
Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
Summary of How to Disable USB in the Registry
This is a job for Regedit. Firstly you research the correct hive of
HKLM. Then create the key StorageDevicePolices. Next add a
DWORD called WriteProtect. A value of 1 means disable USB in the
registry.
