• Enable usb ports. Disconnecting USB devices without using the Safely Remove Hardware function

    First, you need to figure out why you might need to disconnect USB ports on your computer. Everything is quite simple here. With the advent of miniature data storage devices operating via USB, a need arose to prevent data leakage from computers. Using a regular flash drive or portable hard drive, you can easily steal any information. To prevent such incidents, it is necessary to completely disable USB ports. Of course, everyone may have their own reasons for disabling ports, but this is not so important. Below are several ways to disable USB ports on your computer.

    Disable USB ports in BIOS settings

    In fact, everything is quite simple: go to the BIOS settings and disable all ports, or only the ones you need to. The nuance is that there are currently several BIOS versions, and the way ports are disabled sometimes differs between them.

    Award BIOS. Go to the BIOS settings and open the Integrated Peripherals menu. Find the items USB EHCI Controller, USB Keyboard Support, USB Mouse Support and Legacy USB storage detect, and set each of them to Disabled. Then save the settings and restart the computer.

    Phoenix Award and AMI BIOS. Go to the settings and select Advanced (some versions may have a Peripherals item) or Advanced BIOS Features. Open the USB Configuration menu, turn off all USB items, save the settings and restart the computer.

    UEFI. This is the more modern interface. Go to the Peripherals or Advanced menu, select the Legacy USB Support and USB 3.0 Support items and turn them off. Then save the settings and restart the PC.

    Note! In some versions, the menu items may have slightly different names, but that's okay, just go through all the menus and find the USB settings.

    Disable USB using the registry

    This is a more suitable way. In the registry you can block USB access for specific kinds of device rather than the ports themselves. Now that almost everything is connected via USB, including the mouse and keyboard, this method is preferable: you can block port access for flash drives only, while the mouse keeps working fine.

    Open the registry editor: press Win+R, enter the command regedit and click OK. Then navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

    Find the Start value, open it and enter 4. Save the settings and restart your computer. This key blocks external drives' access to the port.

    Note! If the USB controller drivers are not installed on your computer, the Start value will automatically change to 3 as soon as a device is connected to the port.

    Disable USB via Device Manager

    Open Device Manager: right-click My Computer, open Properties, then Device Manager. Expand the USB controllers menu, right-click an entry and select Disable from the context menu.

    Important! The option of removing drivers for USB controllers will not work, since the first time you connect the device to the port, Windows will begin installing the drivers.

    Disable USB using Windows files


    Denying access using the Local Group Policy Editor


    You can also ban reading and writing.

    Additionally

    It is also worth mentioning that there are two more ways to restrict access to ports: using third-party programs and physically disconnecting the ports.

    There is plenty of third-party software on the Internet, and each one is configured differently, so there is no point in describing this method in the article. All you need to do is find the desired program and instructions for it.

    As for physically disconnecting ports, this method only works for the ports on the front panel of the system unit. Open the system unit and carefully disconnect the wires going to the ports.

    Bottom line

    Whatever the reason for the need to disable USB ports, now you know how to do it.

    In many companies and organizations, banning the use of USB drives is one of the primary tasks set before the system administrator. There are two reasons for this: information being carried out (secret documents, etc.) and being brought in (viruses, games, and the like). At first glance the problem is easy to solve by disabling USB ports in the BIOS, but this will also affect other USB devices: a mouse, keyboard, printer or phone charger.

    So, it is necessary to programmatically prohibit the use of flash drives without affecting useful USB devices. There are several solution options, let's look at them in more detail:

    Disable USB Windows 7, 8, Vista

    Starting with Windows Vista, the local group policy editor (gpedit.msc) has a very useful branch, located under “Local Computer Policy” > Computer Configuration > Administrative Templates > System > Removable Storage Access. It allows you to flexibly configure read, write and execute bans on various classes of removable devices.


    Disable USB Windows XP

    To disable USB removable storage devices in Windows XP, you need to tweak the registry a little and adjust the access rights to the driver files:

    1. Disable the USBSTOR service (regedit.exe):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    "Start"=dword:00000004

    2. Set the SYSTEM account permission to “Deny” for the following files:
      • %SystemRoot%\Inf\Usbstor.pnf
      • %SystemRoot%\Inf\Usbstor.inf

    It is described in more detail here, the original source is http://support.microsoft.com/kb/823732

    Create a file with the .bat extension and copy one of the code variants below into it.
    Contents of the files for automating the shutdown:

    on-USB.bat

    rem 1) ACL
    cacls %SystemRoot%\inf\usbstor.inf /e /p "NT AUTHORITY\SYSTEM":F
    cacls %SystemRoot%\inf\usbstor.PNF /e /p "NT AUTHORITY\SYSTEM":F
    rem 2) Registry
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000003 /f

    off-USB.bat

    rem ACL
    cacls %SystemRoot%\inf\usbstor.inf /e /p "NT AUTHORITY\SYSTEM":N
    cacls %SystemRoot%\inf\usbstor.PNF /e /p "NT AUTHORITY\SYSTEM":N
    rem registry
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000004 /f

    Banning USB through group policies in Windows server 2003

    By default, Group Policy in Windows Server 2003 does not provide an easy way to disable removable media devices such as USB ports, CD-ROM drives and floppy drives. Despite this, Group Policy can be extended with the appropriate settings using an ADM template.

    The ADM template below will allow the administrator to disable the corresponding device. Import this administrative template into Group Policy as an .adm file.
    In C:\WINDOWS\inf we create a file nodev.adm with the contents:

    CLASS MACHINE
    CATEGORY !!category
     CATEGORY !!categoryname
      POLICY !!policynameusb
       KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
       EXPLAIN !!explaintextusb
        PART !!labeltextusb DROPDOWNLIST REQUIRED
         VALUENAME "Start"
         ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
         END ITEMLIST
        END PART
      END POLICY
      POLICY !!policynamecd
       KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
       EXPLAIN !!explaintextcd
        PART !!labeltextcd DROPDOWNLIST REQUIRED
         VALUENAME "Start"
         ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
         END ITEMLIST
        END PART
      END POLICY
      POLICY !!policynameflpy
       KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
       EXPLAIN !!explaintextflpy
        PART !!labeltextflpy DROPDOWNLIST REQUIRED
         VALUENAME "Start"
         ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
         END ITEMLIST
        END PART
      END POLICY
      POLICY !!policynamels120
       KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
       EXPLAIN !!explaintextls120
        PART !!labeltextls120 DROPDOWNLIST REQUIRED
         VALUENAME "Start"
         ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
         END ITEMLIST
        END PART
      END POLICY
     END CATEGORY
    END CATEGORY

    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
    explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
    explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
    explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
    labeltextusb="Disable USB Ports"
    labeltextcd="Disable CD-ROM Drive"
    labeltextflpy="Disable Floppy Drive"
    labeltextls120="Disable High Capacity Floppy Drive"
    Enabled="Enabled"
    Disabled="Disabled"

    IMPORTANT! If the added policies are not displayed in the Group Policy Editor, do the following:
    1. In the right part of the policy editor window, right-click, go to the View menu item and click Filtering...
    2. Uncheck “Show only managed policy settings”
    3. Click OK
    After this, the added policies will be displayed on the right side of the Group Policy Editor window.

    Banning USB through group policies in Windows server 2008

    A ready-made group policy for banning drives appeared in server operating systems starting with Windows Server 2008. You can configure it on the controller via the gpmc.msc snap-in; it is located at the same path (Policy > Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access). It works flawlessly, but can only be used on Windows Vista, 7 and 8 operating systems.

    The situation with Windows XP is somewhat more complicated: despite Microsoft's statements about ending support for XP in the spring of 2014, it still accounts for a large share of the operating systems used in the corporate sector. No matter, we'll set it up the same way as the local one, only through a GPO. We launch gpmc.msc, create a GPO and start editing it.


    Sandbox

    Near the rector March 12, 2013 at 2:37 pm

    Quickly and easily disable USB ports on Win7 part 2

    In the previous article I wrote about how an inexperienced user can disable USB ports using group policies. However, I forgot that different editions of Windows 7 come with different features.
    Please note that I am not talking about installing additional free software, because I know from experience that closing a hole with free software risks opening five more. I suggest using the built-in OS functions.

    I know from experience that, in order to save money, small companies install editions such as “Home Basic” or “Home Premium” on their staff’s machines (well, they only install these if the company is trying to work legally and does not want a fine for illegal software. And those companies that are not afraid of inspections install all-pirated software and do not suffer))).
    The “Home Basic” and “Home Premium” editions lack the snap-ins that their older brothers have, so closing ports using group policies will not work. Therefore, we need to block access directly to the files that initiate the initialization of devices connected to USB ports.

    Let's say there are 3 users on the machine, “Operator”, “Manager” and “Administrator”, in the Administrators and Users groups.
    We need to make sure that a flash drive can only be used under the “Administrator” account.

    Turn on the computer, log in as an administrator, open Explorer and type "%SystemRoot%\inf\" (here and below, copy the text without the quotes).

    Next, type “USB” in the search box.

    This returns approximately 18 items (depending on which system is installed, the OS version and any additional USB drivers installed).
    We essentially only need 8 files:
    usb.inf
    usbstor.inf
    usbport.inf
    winusb.inf
    usb.PNF
    usbstor.PNF
    usbport.PNF
    winusb.PNF

    Then we need to block other users' access to these files. Right-click the file "usbstor.inf" -> "Properties".

    Go to the "Security" tab and press the "Edit" button.

    Then we select the users we need to block. For us these are “Operator”, “Manager” and “System”. If we need to block all accounts that belong to the “Users” group (these are “Operator” and “Manager”), then we simply deny the group. If only a specific one, let’s say “Operator”, then we select that particular account.

    Attention: the “System” account must also be denied use of the file.
    We set the deny permission, switch to the next user and set the denials there as well. When the required users have been blocked (for me these are only “System” and “Users”),

    click the “OK” button.

    A warning will appear saying that this will make the file inaccessible and so on (you can read it if you want); click “OK” again.
    Then another message asks whether we really want to do this (you can read it if you wish); press “OK” again.

    We repeat this procedure for the remaining 7 files:
    usb.inf
    usbport.inf
    winusb.inf
    usb.PNF
    usbstor.PNF
    usbport.PNF
    winusb.PNF

    If this is a freshly installed OS, then everything is in order and, in theory, the selected users will have no access to flash drives. However, if flash drives were already connected to this system by the users whose access needs to be blocked, you will also need to change a value in the registry.

    Click Start -> type regedit -> open the registry editor.

    Open the folder “USBSTOR”
    and change the value of the “Start” parameter to 4


    Do you want to protect the data on your Windows 10 computer by blocking or disabling USB drives on your PC? In this guide we'll look at five simple ways to enable or disable USB drives in Windows 10.

    Blocking USB drives in Windows 10 can be done in different ways. You can use the registry, the BIOS or third-party utilities to enable or disable USB storage devices in Windows 10.

    Below are five ways to enable or disable USB drives in Windows 10.

    Method 1 of 5

    Enable or disable USB drives in Windows 10 using the registry

    If you are comfortable making changes to the Windows registry, you can enable or disable USB drives in Windows 10 by manually editing the registry. Here's how to do it.

    Step 1: Open Registry Editor

    Step 2: Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

    Step 3: Now on the right side double click on the option "Start" and change its value to 4 to disable USB drives on your Windows 10 PC. Change the Start value to 3 to enable USB drives and storage devices on your PC.

    Method 2 of 5

    Enable or disable USB ports through Device Manager

    Did you know that you can disable all USB ports using Device Manager? By disabling USB ports, you prevent users from using USB ports to connect USB drives to your computer.

    When you disable USB ports, the USB ports on your PC will not work and hence no one will be able to connect USB drives. You will need to re-enable the USB ports to connect devices via USB. Here's how to enable or disable USB ports using Device Manager.

    Step 1: Right click on the button "Start" on the taskbar and select .

    Step 2: Expand USB controllers. Right-click on all the entries one by one, and click "Disable device". Click "Yes" when you see a confirmation dialog.

    Method 3 of 5

    Use USB Drive Disabler to enable or disable USB drives

    If you don't want to edit the registry manually, you can use a free tool called USB Drive Disabler to quickly enable or disable USB drives on your PC. Simply download USB Disabler, launch it, and then select Enable USB Drives or Disable USB Drives to enable or disable USB drives on your PC.

    Method 4 of 5

    Disable or enable USB ports in BIOS

    Some manufacturers offer an option in the BIOS/UEFI to disable or enable USB ports. Boot into BIOS/UEFI and check if there is an option to disable or enable USB ports. Check your PC's user manual to see if there is an option to enable or disable USB ports in the BIOS/UEFI.

    Method 5 of 5

    Enable or disable USB storage devices with USB Guard

    Nomesoft USB Guard is one more free utility for blocking USB drives on computers running Windows 10 and earlier versions of Windows. You must run this program as an administrator to enable or disable USB storage devices.

    Write protection for USB drives can be useful as an additional security option.

    Of all the methods found after a short search, not a single one worked in my case :)

    Even restricting users' rights in the registry did not produce results (even removing rights for the system and administrator, i.e. all rights completely for everyone, did not help).

    As a result, I put together my own version (combining two different ones).

    In my case a regular user does not have any privileges in the system (a real dream!) and, of course, maximum functionality was required, i.e. the use of certain (registered) media on individual PCs.

    To do this, we use only two procedures (actions):

    1. We delete from the registry the information about all USB storage devices ever used (registered in the registry), by any convenient method (to your taste).
      The fastest and easiest way for me was to use a simple utility. Then we delete the files %Windows%\inf\Usbstor.pnf and Usbstor.inf from the system.
    2. Later, when a storage device needs to be added (registered), we put the specified files back into the system, then connect (reconnect) the USB drive, and it is fully detected (registered) by the system. After registration, we delete the specified files again, which again blocks any attempt by the system to detect a new USB drive.

    In the case where rights in the OS are separated and “normal” work is performed by a user with limited rights, this method completely blocks the ability to connect flash drives that have not been registered in the OS (by the system administrator).

    Removing and adding Usbstor.pnf and Usbstor.inf files can be done using .bat files approximately as follows:

    deletion

    del /f /s /q C:\WINDOWS\inf\usbstor.inf C:\WINDOWS\inf\usbstor.PNF

    restore (provided that the files are located next to the bat file)

    xcopy ".\usbstor.inf" "C:\WINDOWS\inf\"
    xcopy ".\usbstor.PNF" "C:\WINDOWS\inf\"

    Attention! For Windows 7 and higher, all .bat files must be run as an administrator ("Run as administrator" in the context menu).

    Below are other ways to restrict access to these devices (they didn’t work for me individually).

    Computer Management -> Device Manager -> Universal Serial Bus controllers -> (USB Root Hubs) -> "Device usage": [Disabled]

    For example, if the printer is connected to a hub, then that hub does not need to be disabled.

    Note 1. Device Manager can be launched from the command line: start devmgmt.msc.

    Note 2. An interesting Device Manager feature: run these two commands from the console:

    Set devmgr_show_nonpresent_devices=1
    start devmgmt.msc

    Then hidden devices will appear in Device Manager.

    If USB is not required, disable USB controllers.

    Prohibit use by everyone except selected users through Computer Management -> Storage Devices -> Removable Storage -> Properties -> Security.

    Flaw

    There are some pitfalls, for example, prohibiting use by the USER group. But the administrator can be a member of the USER group.

    However, this is equivalent to changing the parameter
    HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR "Start"
    "Start"=dword:00000004 - disable;
    "Start"=dword:00000003 - allow.

    note. You can start the service from the command line
    net start "Removable memory"

    We go to the %Windows%\inf folder (the folder has the hidden attribute), there are two files in it - Usbstor.pnf and Usbstor.inf.

    We deny access to these files except for the administrators group or a specific user.

    Why ban USB completely when you can ban only writing?

    HKLM\SYSTEM\CurrentControlSet\control\StorageDevicePolicies.

    The WriteProtect parameter most likely does not exist. Then it needs to be created with type dword and assigned the value 1.

    And don't forget to reboot your computer. To restore - assign the value 0.
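
A read-only way to check whether the controls described on this page (the USBSTOR Start value, the WriteProtect value and the deny permissions on the driver setup files) are actually in force on a machine. This is an added example, not code from the original articles; it assumes Windows PowerShell 3.0 or later in an elevated session, and the function name Get-RegDword and the variable names are made up for the illustration.

```powershell
# Added example: read-only audit of the USB storage controls described above.
# Nothing is modified. Get-RegDword and the variable names are illustrative.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$report = [ordered]@{}

# 1. USBSTOR driver start type: 4 = disabled, 3 = allowed.
#    The article notes that Windows may put 3 back when a device is connected,
#    so this check is worth repeating on a schedule.
$start = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
if     ($null -eq $start) { $report['USBSTOR Start'] = 'value not found' }
elseif ($start -eq 4)     { $report['USBSTOR Start'] = '4 (USB storage disabled)' }
elseif ($start -eq 3)     { $report['USBSTOR Start'] = '3 (USB storage ALLOWED)' }
else                      { $report['USBSTOR Start'] = "$start (unexpected)" }

# 2. Write protection: the value usually does not exist until it is created.
$wp = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'
if     ($null -eq $wp) { $report['WriteProtect'] = 'not set (writing allowed)' }
elseif ($wp -eq 1)     { $report['WriteProtect'] = '1 (writing blocked)' }
elseif ($wp -eq 0)     { $report['WriteProtect'] = '0 (writing allowed)' }
else                   { $report['WriteProtect'] = "$wp (unexpected)" }

# 3. Deny entries on the eight driver setup files listed in the article.
$files = 'usb.inf', 'usbstor.inf', 'usbport.inf', 'winusb.inf',
         'usb.PNF', 'usbstor.PNF', 'usbport.PNF', 'winusb.PNF'
foreach ($name in $files) {
    $file = Join-Path $env:SystemRoot "inf\$name"
    if (-not (Test-Path -Path $file)) {
        $report[$name] = 'file not present'
        continue
    }
    # Collect the accounts that have an explicit or inherited Deny entry.
    $deny = @((Get-Acl -Path $file).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique)
    if ($deny.Count -gt 0) { $report[$name] = 'Deny for: ' + ($deny -join ', ') }
    else                   { $report[$name] = 'no Deny entries' }
}

[pscustomobject]$report | Format-List
```
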

    So, step by step (of course, you need to have local administrator rights):

    1. Win+R (similar to Start -> Run), regedit.
    2. . This key stores information about all USB drives ever connected.
    3. We give ourselves full access to USBSTOR (right mouse button -> Permissions, check the Full Control box for the Everyone group).
    4. We delete all contents of USBSTOR.
    5. We connect the approved flash drive and make sure that it has been identified. A key like Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07 should appear inside USBSTOR (F5 to update the list).
    6. Again right-click USBSTOR, Permissions. We remove Full Control from the Everyone group, leaving the right to read.
    7. The same rights must be assigned to the SYSTEM user, but this cannot be done directly. First you need to click the Advanced button, uncheck the Inherit from parent object... checkbox, and in the Security window that appears, say Copy. After clicking OK again, the SYSTEM user rights will become available for change.
    8. To consolidate the effect, click the Advanced button again and check the Replace permissions for all child objects... box. Confirm execution.

    What did we achieve in the end? An approved flash drive connects and disconnects without problems. If someone tries to connect an unapproved one, Windows will detect the device but will not be able to install it, complaining as follows:

    Moreover, a new key will be created in USBSTOR, which clearly indicates an attempt to connect an unapproved USB storage device.
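
The new key mentioned above can be turned into a simple detection. This is an added example, not part of the original article; it assumes the device keys live under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (step 2 above does not name the key) and uses the key name quoted in step 5 as the only approved entry. Variable names are illustrative.

```powershell
# Added example: list USB storage devices recorded in the registry that are
# not on an approved list. Read-only; requires Windows PowerShell 3.0 or later.

# Assumption: this is the USBSTOR key that the steps above refer to.
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Approved device keys; this entry is the sample key name quoted in step 5.
$approved = @('Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07')

$found = @(foreach ($device in Get-ChildItem -LiteralPath $enumKey -ErrorAction Stop) {
    # Each device key normally holds one subkey per physical unit.
    $instances = @(Get-ChildItem -LiteralPath $device.PSPath -ErrorAction SilentlyContinue)
    if ($instances.Count -eq 0) {
        # Key created but nothing installed under it: still worth reporting.
        [pscustomobject]@{ Device = $device.PSChildName; Instance = $null; FriendlyName = $null }
    }
    foreach ($instance in $instances) {
        $props = Get-ItemProperty -LiteralPath $instance.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Device       = $device.PSChildName
            Instance     = $instance.PSChildName
            FriendlyName = $props.FriendlyName
        }
    }
})

# -notcontains compares case-insensitively, like registry key names.
$unapproved = @($found | Where-Object { $approved -notcontains $_.Device })

if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) unapproved USB storage device record(s) found:"
    $unapproved | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or monitoring agent can alert.
    # Save the example as a .ps1 file; typed into a console, exit closes it.
    exit 1
}
Write-Output 'Only approved USB storage devices are recorded.'
```
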