Question I can't disable USB Mass Storage using Windows GPE or Registry Editor ?

[Baldovin]

I have a Windows PC which must have USB mass storage disabled. I have gone into Group Policy Editor (Computer Configuration -> Administrative Templates -> System -> Removable Storage Access) and enabled all three removable disk policies which deny R,W,X access. I have enabled the policy to deny all access to all removable storage classes , and disabled direct access in remote sessions to all removable storage. However, after rebooting my machine, my machine was still able to detect any external USBs and read their files (e.g. open .txt files).

I then tried going into the registry to modify the following keys:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

For both keys, I modified the Start value and set it to 4 to not avail. Then I tried a creating a new subkey for both USBTOR keys (named Parameters), creating a DWORD 32-bit value named DisableRemovableStorage and setting the value to 1.

None of the measures described above have prevented my PC from detecting USB mass storage devices and interacting with the files stored in them. I have thought of removing all permissions to the USBSTOR.SYS driver and USBSTOR.INF file but I am concerned that in doing so, it could eventually break my system. Therefore, is there any policy or key I need to modify to disable USB mass storage?

 

[Ralston18]

When you made the various configuration changes were you sure to save or otherwise confirm those changes?

With the understanding that you had the necessary admin rights to do such things to begin with.

 

[BFG-9000]

Restricting permissions of usbstor.inf and usbstor.pnf for anyone but the admin should not break things, but there are more ways then Windows to do this.

You could see if there is an option on the BIOS to disable the USB ports, as this is very commonly found in business-class PCs. Don't forget to set a BIOS password.

Alternately you could unplug the front ports or physically cut the Data+ and/or - lines to them, which would leave the ports usable for charging but make data transfer impossible. For the rear ports you could install USB port locks/blockers, which you could unlock if you ever needed to use them to reinstall Windows.

Large enterprises may prefer to use software such as USB Lock RP or USB Block to centrally restrict USB ports on all corporate PCs.

 

[Baldovin]

When you made the various configuration changes were you sure to save or otherwise confirm those changes?

With the understanding that you had the necessary admin rights to do such things to begin with.

@Ralston18 I went into the registry and saw that for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, the RemovableStorageDevices key has the Deny_All value set to 1.

Apart from looking at the registry and physically inserting the USB to see if it's blocked, I do not know any other way to check the changes have been implemented.

 

[Baldovin]

Restricting permissions of usbstor.inf and usbstor.pnf for anyone but the admin should not break things, but there are more ways then Windows to do this.

You could see if there is an option on the BIOS to disable the USB ports, as this is very commonly found in business-class PCs. Don't forget to set a BIOS password.

Alternately you could unplug the front ports or physically cut the Data+ and/or - lines to them, which would leave the ports usable for charging but make data transfer impossible. For the rear ports you could install USB port locks/blockers, which you could unlock if you ever needed to use them to reinstall Windows.

Large enterprises may prefer to use software such as USB Lock RP or USB Block to centrally restrict USB ports on all corporate PCs.

@BFG-9000 I cannot disable USB ports from BIOS as that wpuld render the ports completely useless and I need to plug in my keyboard and mose to interface with the machine.

 

[Ralston18]

@Baldovin

I think that your requirements are inherently contradictory: You cannot disable the use of USB ports by storage devices and, at the same time, allow other devices (keyboard/mousel) to be able use those USB ports.

However, it does appear that there may be some viable solutions. - you have already attempted some registry edits that did not work. [ Note: Overall, registry editing should be a last resort and only attemped after full system backup including the registry itself.]

One tool that may prove somewhat sucessful is Powershell.

FYI:

https://thedroidguy.com/how-to-disable-usb-ports-in-windows-ten-1263570

The link presents some ideas that may help you work out some means to resolve the contradictions. Including the registry providing that you are willing to take the risks and have properly and fully backed up beforehand.

And there are many other similar links:

https://www.windows11forums.com/art...ports-on-windows-11-for-enhanced-security.55/

Just as an example reference.

Blocking/disabling USB ports is not something that I have worked with (full disclosure) nor I am endorsing or recommending any given app or utility.

Poweshell can, to some extent, identify USB connected devices.

For example (run as admin) via the Powershell prompt:

Get-PNPDevice -Class 'USB'

Get-PNPDevice -FriendlyName '*USB*'

The general strategy being that if a device is identifed as "storage" in some manner then the USB port would be disabled using "Stop-Service" as one potential method of doing so.

Or the reverse (from my computer):

PS C:\WINDOWS\system32> Get-PNPDevice -Class 'HIDClass'

Status Class FriendlyName InstanceId
------ ----- ------------ ----------
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass HID-compliant system controller HID\VID_046D...
OK HIDClass HID-compliant consumer control device HID\VID_046D...
Unknown HIDClass USB Input Device USB\VID_046D...
OK HIDClass HID-compliant consumer control device HID\VID_046D...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass Logitech Unifying USB receiver USB\VID_046D...
OK HIDClass USB Input Device USB\VID_046D...
OK HIDClass Logitech USB Input Device USB\VID_046D...
OK HIDClass HID-compliant device HID\VID_046D...
Unknown HIDClass HID-compliant game controller

Only allow the InstanceID/HardwareID of the connected keyboard and mouse that can be discovered via Device Manager.

Likely to require some cumbersome Powershell script and also likely to still be easily circumvented.

FYI - USB Class codes:

https://www.usb.org/defined-class-codes

You would/could use the BaseClass and/or the Description information to allow or block USB devices.

 

[Baldovin]

@Baldovin

I think that your requirements are inherently contradictory: You cannot disable the use of USB ports by storage devices and, at the same time, allow other devices (keyboard/mousel) to be able use those USB ports.

However, it does appear that there may be some viable solutions. - you have already attempted some registry edits that did not work. [ Note: Overall, registry editing should be a last resort and only attemped after full system backup including the registry itself.]

One tool that may prove somewhat sucessful is Powershell.

FYI:

https://thedroidguy.com/how-to-disable-usb-ports-in-windows-ten-1263570

The link presents some ideas that may help you work out some means to resolve the contradictions. Including the registry providing that you are willing to take the risks and have properly and fully backed up beforehand.

And there are many other similar links:

https://www.windows11forums.com/art...ports-on-windows-11-for-enhanced-security.55/

Just as an example reference.

Blocking/disabling USB ports is not something that I have worked with (full disclosure) nor I am endorsing or recommending any given app or utility.

Poweshell can, to some extent, identify USB connected devices.

For example (run as admin) via the Powershell prompt:

Get-PNPDevice -Class 'USB'

Get-PNPDevice -FriendlyName '*USB*'

The general strategy being that if a device is identifed as "storage" in some manner then the USB port would be disabled using "Stop-Service" as one potential method of doing so.

Or the reverse (from my computer):

PS C:\WINDOWS\system32> Get-PNPDevice -Class 'HIDClass'

Status Class FriendlyName InstanceId
------ ----- ------------ ----------
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass HID-compliant system controller HID\VID_046D...
OK HIDClass HID-compliant consumer control device HID\VID_046D...
Unknown HIDClass USB Input Device USB\VID_046D...
OK HIDClass HID-compliant consumer control device HID\VID_046D...
OK HIDClass HID-compliant vendor-defined device HID\VID_046D...
OK HIDClass Logitech HID-compliant Unifying device {A3535E08-EB...
OK HIDClass Logitech Unifying USB receiver USB\VID_046D...
OK HIDClass USB Input Device USB\VID_046D...
OK HIDClass Logitech USB Input Device USB\VID_046D...
OK HIDClass HID-compliant device HID\VID_046D...
Unknown HIDClass HID-compliant game controller

Only allow the InstanceID/HardwareID of the connected keyboard and mouse that can be discovered via Device Manager.

Likely to require some cumbersome Powershell script and also likely to still be easily circumvented.

FYI - USB Class codes:

https://www.usb.org/defined-class-codes

You would/could use the BaseClass and/or the Description information to allow or block USB devices.

It should be possible to disable USB mass storage without disabling the ports themselves by disabling USB Hub. I trued this on another computer and it worked perfectly. However, the computer I need to disable removable devices is not allowing me to disable USB Hub. I created a new post since it is not related to the GPO or registry changes I already implemented.

(New Post: https://forums.tomshardware.com/threads/cannot-disable-usb-hub-in-device-manager.3860038/)

 

[Ralston18]

Hubs are a Base Class - 09h.

Re:

"I need to disable removable devices is not allowing me to disable USB Hub."

What error messges(s) etc. were presented (if any) when those attempts failed?

There needs to be some consistent and workable way to distinguish between USB connected devices.

Overall though I believe that that would, in turn, open up some security concerns and issues via some sort of spoofing.