Sunday, January 23, 2011

How to Enable USB drive

How to enable/disable USB drive?




On the desktop, right-click MY COMPUTER and select the MANAGE option. A new window will appear. In it, select SYSTEM TOOLS, then click DEVICE MANAGER. In the right pane of the window, a list will appear that shows the components attached to your system. In that list, select the USB port, right-click it and disable the port.


If a USB storage device is not already installed on the computer

If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:

• %SystemRoot%\Inf\Usbstor.pnf

• %SystemRoot%\Inf\Usbstor.inf

When you do this, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.

2. Right-click the Usbstor.pnf file, and then click Properties.

3. Click the Security tab.

4. In the Group or user names list, add the user or group that you want to set Deny permissions for.

5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.


Note: Also add the System account to the Deny list.

6. In the Group or user names list, select the SYSTEM account.

7. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

8. Right-click the Usbstor.inf file, and then click Properties.

9. Click the Security tab.

10. In the Group or user names list, add the user or group that you want to set Deny permissions for.

11. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.

12. In the Group or user names list, select the SYSTEM account.

13. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
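
The steps above can be scripted. The following PowerShell is an added example, not part of the original post; the function name `Set-UsbStorInfDeny` and the default group `BUILTIN\Users` are assumptions, and it assumes an elevated session whose account is allowed to change the ACL on these files.

```powershell
# Added example: deny Full Control on the USB storage driver INF files.
# Run from an elevated PowerShell session.
function Set-UsbStorInfDeny {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder: the user or group that must not install USB storage
        [string[]]$Identity = @('BUILTIN\Users')
    )
    $files = 'Usbstor.inf', 'Usbstor.pnf' |
        ForEach-Object { Join-Path $env:SystemRoot "Inf\$_" }
    # The procedure also denies the local SYSTEM account
    $principals = @($Identity) + 'NT AUTHORITY\SYSTEM'

    foreach ($file in $files) {
        if (-not (Test-Path -Path $file)) {
            Write-Warning "$file not found, skipping"
            continue
        }
        $acl = Get-Acl -Path $file
        foreach ($p in $principals) {
            # Identity, rights, Allow/Deny
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $p, 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
        }
        if ($PSCmdlet.ShouldProcess($file, 'Add Deny Full Control ACEs')) {
            Set-Acl -Path $file -AclObject $acl
        }
        # Read the ACL back and list the Deny entries actually on the file
        (Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object @{n = 'File'; e = { $file }}, IdentityReference, FileSystemRights
    }
}

# Preview only; remove -WhatIf to apply the change
Set-UsbStorInfDeny -WhatIf
```

The read-back at the end of each loop iteration is the verification step: after a real run, each file should list one Deny entry per identity plus one for SYSTEM.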



If a USB storage device is already installed on the computer

There is a simple registry change that will keep the USB storage drivers from starting when the system boots. It keeps people from walking up to a PC and copying data off with a USB key, but allows you to keep your scanner, keyboard, and mouse working.

As always – back your system up before messing around in the registry.

Set the Start value in the following registry key to 4:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor


When you do so, the USB storage device does not work when the user connects the device to the computer.


To set the Start value, follow these steps:

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate, and then click the following registry key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor


4. In the right pane, double-click Start.

5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.

6. Quit Registry Editor.

Switch this value to 4, and USB storage devices are disabled.

Switch this value to 3, and USB storage devices are enabled.
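
The same registry change, scripted with a backup of the key taken first. This PowerShell is an added example, not part of the original post; the function names and the backup file location are assumptions, and it must run from an elevated session.

```powershell
# Added example: back up, set and verify the UsbStor service Start value.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

function Get-UsbStorStart {
    # Returns the raw Start value, or $null when the service key is absent
    # (no USB storage device has been installed on this machine yet).
    if (-not (Test-Path -Path $UsbStorKey)) { return $null }
    (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
}

function Set-UsbStorStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 3 = USB storage enabled, 4 = USB storage disabled
        [Parameter(Mandatory = $true)][ValidateSet(3, 4)][int]$Start,
        # Assumed backup location; timestamped so nothing is overwritten
        [string]$BackupPath = "$env:TEMP\UsbStor-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    )
    if ($null -eq (Get-UsbStorStart)) {
        throw 'UsbStor key not found; use the Deny-permission method instead.'
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start to $Start")) {
        # Back up the key before touching it
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor' $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; Start was not changed.' }
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Start
    }
    # Read the value back and report the resulting state
    $now = Get-UsbStorStart
    $state = switch ($now) { 4 { 'Disabled' } 3 { 'Enabled' } default { 'Other' } }
    New-Object PSObject -Property @{ Start = $now; Storage = $state }
}

# Preview only; remove -WhatIf to apply the change
Set-UsbStorStart -Start 4 -WhatIf
```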

"Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk."






Something for System Admins

Step 1

From the BIOS setup, go to the advanced settings in the BIOS, then disable USB.


Step 2

This method can be used only on Windows XP Professional Edition.


1. Open the Group Policy Editor (Start > Run, type in “gpedit.msc” and press [Enter]).

2. Go to User Configuration > Administrative Templates > Windows Components > Windows Explorer.

3. Here, you’ll find “Hide these specified drives in My Computer” and “Prevent access to drives from My Computer”.

4. The difference between the two settings is that “Prevent access” will allow the user to see the drive icon, but will give an error message when he tries to access it.

5. “Hide” will remove the icon so the user won’t see it, but the drive can still be accessed by using Start > Run and keying in the drive letter.

6. Under this setting, after you click the radio button next to “Enable”, you’ll see several options. Choose the one you want to apply, for example, “Restrict A and B drives only”. You’ll notice that the options here are restricted; you cannot, for example, choose to restrict drives A, B and D.


So a more reasonable option for sysadmins is to disable write access to USB port so that data files cannot be written to the mass storage device. The USB thumb drive will be read-only.


Open the Windows Registry and open the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies


Now add a new DWORD called WriteProtect and put the value as 0 to disable write privileges to the USB port. To reverse the step, either delete the WriteProtect REG_DWORD or toggle the value to 1 which will enable the port.


Remember that the above trick works only with Windows XP SP2.

There are two steps. No one asked about the importance or utility of step 1.


Step 2 is enough to enable (or disable) USB. So why do domain admins also do step 1?


They disable the access to the drivers. Usually all USB drives are PnP (plug and play). When a USB stick is inserted into the USB port, Windows checks for the associated, correct driver file for the device. It will go to USBSTOR.inf and USBSTOR.pnf to discover the device driver.


Now if the access to the two files is disabled for the logged in user, then the driver for the USB device cannot be loaded, let alone enabled or disabled. That is why it is important to grant the access to those files.


Scenarios

a) You have two USB drives: one made by Transcend and the other by Kingston.

b) Your PC is domain-controlled in your office.

c) The domain admin continuously runs remote scripts on your machine, thereby disabling .inf/.pnf access and disabling USB in the registry.

d) You have admin rights on the PC.


Scene 1: You insert the Transcend drive the VERY FIRST time

a) You do not follow step 1 and step 2. Result: FAILURE. Your drive will NOT be usable.

b) You do not follow one or both of the steps. Result: FAILURE. Your drive will NOT be usable.

c) You follow step 1 and step 2. Result: SUCCESS. Your drive will be usable.


Scene 2: You insert the Transcend drive next time

a) You do not follow step 1 and step 2. Result: FAILURE. Your drive will NOT be usable.

b) You follow step 1 but not step 2. Result: FAILURE. Your drive will not be usable.

c) You do not follow step 1 but follow step 2. Result: SUCCESS. Your drive will be usable. This is because the actual driver file (.sys) is already loaded in the \windows\system32 folder.

d) You follow step 1 and step 2. Result: SUCCESS. Your drive will be usable.


Scene 3: You insert the Kingston drive the first time

a) You do not follow step 1 and step 2. Result: FAILURE. Your drive will NOT be usable.

b) You follow step 1 but not step 2. Result: FAILURE. Your drive will not be usable. But the driver file will be loaded in the \windows\system32 folder.

c) You do not follow step 1 but follow step 2. Result: MIXED. If the actual driver file (.sys) is already loaded in the \windows\system32 folder then your drive will work, else not.

d) You follow step 1 and step 2. Result: SUCCESS. Your drive will be usable.

