Disabling flash drives through the registry. Banning flash drives using Windows system tools


Peripheral devices such as a mouse, keyboard, Web camera, and printer are usually connected to the computer via USB ports. In this case, it often happens that one or more ports stop working. That is, when you connect, for example, a flash drive to a computer, it is not recognized, the keyboard or mouse may freeze, and the printer may not respond or print pages.

There are several likely reasons why some or all of the USB ports on your computer are not working. Let's try to understand this issue and find out what should be done to restore normal functioning of the computer.

Checking BIOS settings

The first thing you should pay attention to is the computer's BIOS settings. To enter the BIOS you will need a working keyboard. If the keyboard is connected to the computer via USB and it does not work, then you need to connect a keyboard with a PS/2 connector. Otherwise, you simply won't be able to do anything.

So, let's enter the BIOS: when starting the computer, press the BIOS entry key, usually DEL. It may be a different key, which is shown on the screen at startup and listed in the motherboard manual. After entering the BIOS, find the section responsible for integrated devices (Integrated Peripherals) or the “Advanced” section. Here you should find the “Onboard Devices Configuration” subsection. It contains the parameters responsible for the operation of USB controllers: USB Function or USB 2.0 Controller. These parameters must be set to Enabled. If one of them is disabled, select it and press Enter to turn it on. To ensure that the changes you make are not lost, save them by pressing F10 and confirm by pressing the Y or Enter key.

After restarting the computer, check if the USB ports are working. And if not, then you should look for the reason elsewhere.

USB ports on the front of the computer do not work

As a special case, only the USB ports on the front panel may fail to work. In such a situation, you need to check whether the necessary connectors on the motherboard are connected and whether the wires are damaged. To do this, open the side cover of the system unit and look at the connector at the bottom of the motherboard. It is labeled USB1 or USB2 on the board, and the plug itself carries the same label. The wires from the plug go to the front panel, and if they are disconnected or broken somewhere, then you have discovered the cause of the malfunction. Damaged wires should be reconnected or replaced. It is also a good idea to check the contact in the connector on the motherboard. The board located on the front panel deserves attention as well: there may be a short circuit there, which, by the way, can be caused by accumulated dust. Therefore, be sure to clean the dust out of the system unit.

Problems with the device itself or the cable

The next source of problems with USB may be the cable with which, for example, the printer is connected. This fault is easy to identify and fix. Connect a flash drive to the port being tested. If it works, then try connecting another known-good device, for example a USB hub, using the suspicious cable. If that device also refuses to work, then the cause is clearly the cable and it should be replaced.

Insufficient power

There are situations when there is simply not enough power for all devices. For example, connecting an external hard drive that uses two USB connectors at once may disable the printer or keyboard, because the power supply cannot provide enough energy for all consumers. The problem may not appear immediately, but some time after turning on the computer. There are several ways out of the situation. If you have a low-power power supply installed, for example, 300 W, then it would be logical to change it to a more powerful one, 450-600 W. You can also use an active USB hub (with external power). It will allow you not only to increase the number of connected USB devices, but also to power them from a separate power supply.

Another reason that affects USB operation is a dead CMOS battery. But at the same time, every time you turn on the computer, you will observe a lost system time and date. After replacing the battery the problem goes away. But this does not occur often, so you should check other possible sources of malfunction.

Missing or incorrect installation of USB drivers

Causes associated with software problems in Windows 7/10 can be identified using Device Manager. If you notice that one or more devices in particular are not working, regardless of the port used, this may indicate that the problem is in the device itself. Open Control Panel and go to Device Manager. All connected devices will be displayed there. If there are items in the list that have a yellow exclamation mark next to them or the name is Unknown Device, then the problem is with this very device. There may be several possible problems here.

USB ports often stop working after reinstalling Windows 7/10. The reason is that the drivers were installed incorrectly, or the necessary drivers were not found at all. You will have to select and install them manually.

Often, to fix a problem you just need to update the drivers. So, if automatic Windows updates are disabled, and the system itself was installed quite a long time ago, then the relevance of the software is lost, and system errors may appear. In this case, the device begins to work incorrectly, or even stops functioning altogether. To update (reinstall) USB controller drivers, you can use a CD/DVD with drivers for the motherboard or download the necessary drivers from the motherboard manufacturer's website.

You can also turn off the power saving feature for all ports using Device Manager. Expand the list of used USB devices hidden in the sections “USB Controllers”, “Mouse and other pointing devices”, “Keyboards”. Double-click on the desired device to open the properties window. Now switch to the “Power Management” tab and uncheck the “Allow the computer to turn off this device to save power” checkbox. Thus, the device will always be activated under any circumstances.

If some equipment is not recognized, then there may be either a problem with the drivers already known to us, or a hardware problem, consisting of a lack of contact, a damaged cable, or a malfunction of the controller. Moreover, it often happens that when a faulty device is connected, the others stop working normally. The keyboard starts to freeze, as does the mouse, and the printer stops printing. The problem is similar to power shortage, that is, all the power consumption goes to a faulty device, which may have a simple short circuit or other malfunction.

USB ports not working due to controller damage

If none of the above actions helped restore the functionality of the USB ports, then you should check the USB controller of the motherboard, which may have failed. In this case, high-quality repairs and diagnostics should be entrusted to the specialists of the service center. As a way out of the problem, try installing an expansion card, the so-called USB PC controller, which is installed in the PCI slot on the motherboard. This solution is noticeably cheaper than repairing the motherboard USB controller, and when using an additional USB hub, the problem with the lack of ports will not be relevant at all.

As you can see, finding and fixing problems with USB ports is quite a troublesome task, and all because there can be a lot of reasons. Consistent search and elimination of obviously incorrect paths will allow you to identify and eliminate the problem.

Of all the methods found after a short search, not a single one worked in my case :)

Even the option to limit rights for users in the registry did not produce results (even removing rights for the system and administrator - i.e., all rights completely for everyone - did not help).

As a result, I combined my version (assembling two different ones).

In my case, an ordinary user does not have any privileges in the system (a dream!) and, of course, maximum functionality was required - i.e. use of certain (registered) media on individual PCs.

To do this, we use only two procedures (actions):

  1. We delete from the registry information about all used (registered in the registry) USB storage devices using any convenient method (to your taste).
    It turned out that the fastest and easiest way for me was to use a simple utility. Then we delete the files %Windows%\inf\Usbstor.pnf and Usbstor.inf from the system.
  2. In the future, if you need to add (register) a storage device, add the specified files to the system, then connect (reconnect) the USB drive and it is fully identified (registered) in the system. After registering in the system, we again delete the specified files, which again blocks any attempts by the system to detect a new USB drive.

In the case when rights in the OS are distributed and “normal” work is performed by a user with limited rights, this method completely blocks the ability to connect “Flash drives” that have not been registered (by the system administrator) to the OS.

Removing and adding Usbstor.pnf and Usbstor.inf files can be done using .bat files approximately as follows:

deletion

del /f /s /q C:\WINDOWS\inf\usbstor.inf C:\WINDOWS\inf\usbstor.PNF

restore (provided that the files are located next to the bat file)

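rem %~dp0 is the folder of this .bat file; a .bat run as administrator starts in System32, so ".\" would not find the files
xcopy "%~dp0usbstor.inf" "C:\WINDOWS\inf\"
xcopy "%~dp0usbstor.PNF" "C:\WINDOWS\inf\"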

Attention! For Windows 7 and higher, all .bat files must be run as an administrator ("Run as administrator" in the context menu).

Below are other ways to restrict access to these devices (they didn’t work for me individually).

Computer Management -> Device Manager -> Universal Serial Bus controllers -> (USB Root Hubs) -> "Device usage: [Disabled]"

For example, if the printer is connected to a hub, then it does not need to be disconnected.

note 1. Device Manager can be launched from the command line start devmgmt.msc.

note 2. An interesting feature of Device Manager becomes available if you run two commands from the console:

Set devmgr_show_nonpresent_devices=1
start devmgmt.msc

Then hidden devices will appear in Device Manager.

If USB is not required, disable USB controllers.

Prohibit use by everyone except those selected through “Computer Management -> Storage Devices -> Removable Storage -> Properties -> Security.

Flaw

There are some pitfalls here, for example, a ban applied to the USER group: the administrator can also be a member of the USER group.

However, this is equivalent to changing the parameter
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR "Start"
"Start"=dword:00000004 - disable;
"Start"=dword:00000003 - allow.

note. You can start the service from the command line
net start "Removable Storage"

We go to the %Windows%\inf folder (the folder has the hidden attribute), there are two files in it - Usbstor.pnf and Usbstor.inf.

We deny access to these files except for the administrators group or a specific user.

Why ban USB completely when you can only ban recording?

HKLM\SYSTEM\CurrentControlSet\control\StorageDevicePolicies.

The WriteProtect parameter most likely does not exist. Then it needs to be created with type dword and assigned the value 1.

And don't forget to reboot your computer. To restore - assign the value 0.

So, step by step (of course, you need to have local administrator rights):

  1. Win+R (similar to Start -> Run), regedit.
  2. . This key stores information about all USB drives ever connected.
  3. We give ourselves full access to USBSTOR (right mouse button -> Permissions, check the Full Control option for the Everyone group).
  4. We delete all contents of USBSTOR.
  5. We connect the approved flash drive and make sure that it has been identified. A key like Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07 should appear inside USBSTOR (F5 to update the list).
  6. Right-click USBSTOR again and choose Permissions. We remove Full Control from the Everyone group, leaving the right to read.
  7. The same rights must be assigned to the SYSTEM user, but this cannot be done directly. First you need to click the Advanced button, uncheck the Inherit from parent object... checkbox, and in the Security window that appears, say Copy. After clicking OK again, the SYSTEM user rights will become available for change.
  8. To consolidate the effect, click the Advanced button again and check the Replace permissions for all child objects... Confirm execution.

What did we achieve in the end? An approved flash drive connects and disconnects without problems. If an unauthorized connection is attempted, Windows will detect the device, but will not be able to install it, cursing as follows:

Moreover, a new key will be created in USBSTOR, which will clearly indicate an attempt to connect an unapproved USB drive.

First, you need to figure out why you might need to disconnect USB ports on your computer. Everything is quite simple here. With the advent of miniature data storage devices operating via USB, a need arose to prevent data leakage from computers. Using a regular flash drive or portable hard drive, you can easily steal any information. To prevent such incidents, it is necessary to completely disable USB ports. Of course, everyone may have their own reasons for disabling ports, but this is not so important. Below are several ways to disable USB ports on your computer.

Disable USB ports in BIOS settings

In fact, everything is quite simple: go to the BIOS settings and disable all ports, or those that are necessary. The caveat is that at the moment there are several versions of BIOS, and disabling ports in each is sometimes different.

Award BIOS. Go to the BIOS settings and open the Integrated Peripherals menu. Find the items USB EHCI Controller, USB Keyboard Support, USB Mouse Support and Legacy USB storage detect, and set each of them to Disabled. Then save the settings and restart the computer;

Phoenix Award and AMI BIOS. Go to the settings and select Advanced (some versions may have a Peripherals item instead) or Advanced BIOS Features. Then open the USB Configuration menu, turn off all USB items, save the settings and restart the computer;

UEFI. A more modern interface. Go to the Peripherals or Advanced menu, select the Legacy USB Support and USB 3.0 Support items and turn them off. Then save the settings and restart the PC.

Note! In some versions, the menu items may have slightly different names, but that's okay, just go through all the menus and find the USB settings.

Disable USB using the registry

This is a more suitable way. In the registry, you can block USB access for specific kinds of devices rather than the ports themselves. At a time when almost everything is connected via USB, including the mouse and keyboard, this method is preferable: you can block only flash drives, and the mouse will still work fine.

Open the Registry Editor: press Win+R, enter the command regedit and click OK. Then go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Find the Start value. Open it and enter the value 4. Save the settings and restart your computer. This setting blocks external drives from using the ports.

Note! If USB controller drivers are not installed on the computer, then the value Start will automatically change to the value 3 as soon as the device is connected to the port.

Disable USB via Device Manager

Open Device Manager: right-click My Computer, open Properties, then Device Manager. Open the USB controllers list, right-click a controller and select Disable from the context menu.

Important! The option of removing drivers for USB controllers will not work, since the first time you connect the device to the port, Windows will begin installing the drivers.

Disable USB using Windows files


Denying access using the Local Group Policy Editor


You can also ban reading and writing.

Additionally

It is also worth mentioning that there are two more ways to restrict access to ports: using third-party programs and physically disabling the ports.

There is plenty of third-party software on the Internet, and each one is configured differently, so there is no point in describing this method in the article. All you need is to find the desired program and instructions for it.

As for physically disabling ports, this method will only work with ports on the front panel of the system unit. Open the system unit and carefully disconnect the wires going to the ports.

Bottom line

Whatever the reason for the need to disable USB ports, now you know how to do it.

It is often necessary to limit the ways in which programs that have nothing to do with security, or that even interfere with or harm the security system, get onto a computer that runs a security system.

These can be the most harmless games or the most malicious viruses. In any case, their presence is undesirable. The most common way to transfer viruses and games is a simple USB flash drive or any other USB drive. In order to limit the use of any USB drives in the system while keeping the ability to connect a USB drive approved by management, use the following information:

Given:

  • Production operators' computer (OS: Windows 7)
  • Management-approved USB flash drive for transferring data from industrial computers to operators' computers

Required:
Allow the connection of only one management-approved USB flash drive, while prohibiting the connection of other, unapproved ones.
Solution progress:
You can completely disable the use of USB drives using the instructions, but in our case this method is not suitable, because one flash drive should still work. So we will do it differently:
So, step by step (of course, you need to have local administrator rights):

  1. Win+R (analogous to Start -> Run), regedit.
  2. . This key stores information about all USB drives ever connected.
  3. We give ourselves full access to USBSTOR (right mouse button -> Permissions, check the Full Control box for the Everyone group).
  4. We delete all contents of USBSTOR.
  5. We connect the approved flash drive and make sure that it has been identified. A key like Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07 should appear inside USBSTOR (F5 to refresh the list).
  6. Right-click USBSTOR again and choose Permissions. We remove Full Control from the Everyone group, leaving the right to read.
  7. The same rights must be assigned to the SYSTEM user, but this cannot be done directly. First click the Advanced button, uncheck Inherit from parent object..., and in the Security window that appears choose Copy. After you click OK again, the SYSTEM user's rights will become available for modification.
  8. To make the change stick, click the Advanced button again and check Replace permissions for all child objects... Confirm execution.

What did we achieve in the end?
An approved flash drive connects and disconnects without problems. If an unauthorized connection is attempted, Windows will detect the device, but will not be able to install it, displaying a connection error. Moreover, a new key will be created in USBSTOR, which will clearly indicate an attempt to connect an unapproved USB drive.
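
The end state of these steps (and of the same procedure given earlier on the page) can be checked with a script instead of clicking through regedit. The PowerShell function below is an added example, not part of the original article; its name is made up for this example, and because the key path in step 2 is missing from the page, the default path it uses (the standard Enum\USBSTOR location) is an assumption.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# ASSUMPTION: step 2 refers to the standard Enum\USBSTOR key; the page itself does not
# show the path, so pass -UsbStorPath if your procedure uses a different key.
function Test-UsbStorLockdown {
    param(
        [Parameter(Mandatory)]
        [string[]] $Approved,   # device key names as seen in step 5
        [string]   $UsbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    # Device keys currently recorded under USBSTOR
    $present = @()
    if (Test-Path $UsbStorPath) {
        $present = @(Get-ChildItem -Path $UsbStorPath | ForEach-Object { $_.PSChildName })
    }
    # Anything not on the approved list is a record of an unapproved drive
    $unapproved = @($present | Where-Object { $_ -notin $Approved })

    # Steps 6-8: Everyone (S-1-1-0) and SYSTEM (S-1-5-18) should keep read access only.
    # SIDs are used so the check also works on non-English Windows.
    $write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $tooBroad = @()
    if (Test-Path $UsbStorPath) {
        $acl = Get-Acl -Path $UsbStorPath
        $tooBroad = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in 'S-1-1-0', 'S-1-5-18' -and
            ($_.RegistryRights -band $write)
        } | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.RegistryRights })
    }

    [pscustomobject]@{
        Present    = $present      # every device key found
        Unapproved = $unapproved   # keys that are not on the approved list
        TooBroad   = $tooBroad     # Everyone/SYSTEM entries that still allow changes
        Compliant  = ($unapproved.Count -eq 0 -and $tooBroad.Count -eq 0)
    }
}

# The approved key name below is the sample shown in step 5 of the page
Test-UsbStorLockdown -Approved 'Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07' | Format-List
```

Run on a schedule, a non-empty Unapproved list is the record of a connection attempt that the text above describes.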

In fact, there are quite a few ways. Each of them has its own advantages, and some are not at all interchangeable.

Who needs it?

First of all, administrators. And also if the computer is used by several users.

Why is this necessary?

For security, for privacy, for limiting the capabilities of other users.

My material, as usual, is divided into two parts: system tools and third-party programs (plus small inclusions of my personal opinion).

How to prohibit the use of flash drives?

Directly in Windows, this task can be performed using the Group Policy Editor (GPO) and the registry. In addition, you can disable the ports themselves in the BIOS. All of this can be supplemented with external software, which I’ll talk about at the end.

Ineffective ways to ban flash drives

So as not to dwell on this later, I will immediately point out several methods that are clearly ineffective, although there is plenty of information about them on the Internet.

  • Physically disabling ports. This, of course, is cool, but there are other ports and adapters for them. Besides, for some reason everyone forgets about the mouse, keyboard, speakers, etc.
  • Removing USB drivers has no effect. The system itself will offer to install them, either from the network or from the drive itself.
  • Banning flash drives in the Group Policy Editor by banning each new device by ID. It is better to ban everything and allow only the necessary devices, as I will show below.

I’ll probably start with the Group Policy Editor, since I think this method is the most convenient and effective among the other system ones.

Banning flash drives in the Group Policy Editor

We need to go to GPO. Open the command line (type “cmd” in the search, right-click, run as administrator).

At the command line, type gpedit.msc and press Enter.

The GPO window will open. Now let's move on to the section where we configure the policies we need - “Access to removable storage devices.” Click on it and existing policies will appear on the right.

In this case, we are interested in policies regarding removable media. However, here you can configure work with disks (CD, DVD, floppy), tape drives and other devices.

Also, it is very convenient to be able to choose what exactly needs to be prohibited. For example, in order to save information, you can prohibit recording.

To do this, right-click on the corresponding policy and select “Edit”.

Now select the Enable command and click Apply.

When trying to copy any file to a removable drive, the user will not be able to do so (unless he is a member of the Administrators group). He will see this message.

The same principle applies to other functions (reading, launching).

There is also a policy that disables all classes of devices. That's what it's called.

Access only certain devices

The method above is the simplest. However, if you have only a few media that are used in working with your PC, then you can create a white list.

To do this you need:

  • know the device GUID
  • apply two policies in GPO

Finding the GUID of the USB drive

First, install the device in the USB port, then using the command shown below, go to the “Device Manager” (or, as usual, through the “Control Panel”).

Find your device in the “Portable Devices” section and open its properties.

Go to the "Properties" tab, select the class "GUID" property from the list and copy its value.

We configure the necessary policies. Now let's move on to GPOs. Open the same directory as above – “System”. But now go to “Device Installation – Device Installation Restrictions”.

In the list of policies, we need two highlighted ones. You just turn on the second one.

In the first, you also set the GUID values of devices that are allowed.

Copy the GUID value here (to make the cursor appear, click in the field 2 times).

Now only these devices will be able to start. If you insert other devices, they simply will not be visible.

NOTE. In addition to a policy with a global identifier (GUID), you can also use a policy with a regular ID. However, for some reason it did not work for me (I assume it was due to the OS version). It definitely works on Windows 7 – I used it myself a few years ago.

Banning flash drives in the Windows Registry

Prohibiting the use of flash drives can also be done using the Windows Registry. I would like to immediately note that this method only works when the USB driver is installed. If you do everything described below when it is not yet installed, then when you connect any drive, you will be prompted to install this driver. And the value changed previously will change back to the standard settings.

This method works on all Windows operating systems. However, it is most relevant for Windows XP, since there is no Group Policy Editor there. Therefore, the example will be shown in the environment of this system. So let's continue.

First, open the registry. At the command prompt, type "regedit" and press Enter.

Now go to this registry branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

As you can see, there are several options there. One of them is “Start”. It determines how the USB drive is accessible (for any operations, for reading, writing, etc.). Currently set to 3. If you change it to 4, the drives will become completely unavailable. This is what we need.

Double-click it and change the value to 4.

Now when connected, the device simply will not appear.

USEFUL! On admin forums, many people write that this method does not work. However, this is not true. It is just that they often try to use it on groups of domain computers in an organization, where, as you can guess, the OS is not the same on all PCs: some run XP, others Windows 7, and some even 2000. Those systems simply lack some protocols and tools, and as a result the value on the admin computer, and after it on all the others, is reset to the default.
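
The Start value described in this section and the WriteProtect value from the StorageDevicePolicies passage earlier on the page can both be read and set from an elevated PowerShell prompt, which also makes it easy to notice when Start has been reset to 3. This is an added example, not code from the original article; the function names and the Block/ReadOnly/Allow mode names are made up for this example.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Function and mode names are hypothetical; the keys and values are the ones named on the page.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStorageState {
    # Start: 3 = allow, 4 = disable. $null means the value could not be read.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start

    # WriteProtect usually does not exist yet; a missing value is reported as 0.
    $wp = 0
    if (Test-Path $PolicyKey) {
        $prop = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $wp = $prop.WriteProtect }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start
        StorageBlocked = ($start -eq 4)
        WriteProtect   = $wp
        WriteBlocked   = ($wp -eq 1)
        # The driver files whose removal the page also describes
        InfPresent     = Test-Path (Join-Path $env:SystemRoot 'inf\usbstor.inf')
        PnfPresent     = Test-Path (Join-Path $env:SystemRoot 'inf\usbstor.PNF')
    }
}

function Set-UsbStoragePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'ReadOnly', 'Allow')]
        [string] $Mode
    )
    $start = if ($Mode -eq 'Block')    { 4 } else { 3 }
    $wp    = if ($Mode -eq 'ReadOnly') { 1 } else { 0 }

    if ($PSCmdlet.ShouldProcess($UsbStorKey, "set Start=$start")) {
        # -Force overwrites the existing value and keeps it a DWORD
        New-ItemProperty -Path $UsbStorKey -Name Start -Value $start `
            -PropertyType DWord -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "set WriteProtect=$wp")) {
        # The key itself is often missing and has to be created first
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name WriteProtect -Value $wp `
            -PropertyType DWord -Force | Out-Null
    }
    # As the page notes for WriteProtect, reboot before relying on the new setting.
    Get-UsbStorageState
}

# Report the current state without changing anything
Get-UsbStorageState
```

Calling Set-UsbStoragePolicy with -WhatIf shows what would be written without touching the registry.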

How to disable USB ports in BIOS

Another way to prevent the use of flash drives is to disable USB ports in the BIOS. It's not difficult to do this. However, from my point of view, it is not effective enough. Although, if you consider that most users have no idea not only that ports can be disabled there, but also how to access them, then maybe this is a convenient and fast way.







2024 gtavrl.ru.