How to use Group Policy to disable USB drives on Windows XP



In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you you could configure Windows XP to prevent users from writing to USB block level devices. However for some organisations just making drives read only is not enough I have heard stories of them having to resort to using hot glue guns to prevent people using USB storage devices.

Update: I just found this article explains how use native Group Policy to disable you USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. Now there are two ways to prevent USB storage devices so you may want to implement either or both methods in your organisation. First method prevents computers that have already had USB devices installed and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices

 

To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field then type Start into the Value Name field and 4 in the Value Data field and click OK.

image

If you want to prevent the installation of USB storage device then we use Group Policy to set the security on the driver files to prevent then from installing.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices

 

This time edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on “Action” menu and then “Add File”. Navigate to C:\Windows\Inf and select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab and then click in the “Deny” “Full Control” tick box then click OK.

image

Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.

image

Then click OK.

Note: Remember that deny permission take precedence so inherited permission will not have any affect and that we are applying the permission directly to a file so we don’t need to worry about inheritance from this object.

image

Now repeat the steps above and this time select “C:\Windows\Inf\Usbstor.pnf”

You should see something like the images below in your group policy.

image

Now either way when users plug in a USB Storage devices into a computer it will prevent OS from seeing the device thus preventing the users from reading and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

21 Comments

  1. Hiiiiiii
    i have followed the above step’s as shown in ur blog ,
    how can give permission to several other user’s to access the usb like system administrator

    thnks in advance

  2. Hi Alan,

    First, thanks again for your all great Articles.
    Second, I have one question about Other USB Devices.
    How can disable or blocking other USB Devices (USB Modem, Keyboard and etc.) with GPP but under Windows XP as Client and Windows Server 2008 or 2008 R2 as DC.
    With GPP setting for Disabling Other USB devices with Windows 7 work fine but not work with XP.
    Can you tell me, why?

    Thanks again
    best regards

  3. @Alan

    Thanks for your Answer and free Support.
    How can blocking or disable other USB device on XP via GPO or GPP or registry?
    Is there such a thing (Tips or Trick)?

    Thanks again
    best regards

  4. Will be using netbook in our field survey operations.We have netbooks with Windwos 7 professional, can I prevent regular users from installing or copy files like games from usb to the system using Bitlocker?

    Thank you allan

  5. I’m not sure all these answers are what I was looking for.

    I have 1000+ devices I want to inhibit USB drives on.

    Was hoping to do it directly from the DC when they log-on.

    Thanks for the efforts so far through, I would just like to tidy this up and not walk around the whole organisatio.

  6. Pingback: Harrismega Store 2009-2013 | Faraaz Ali

  7. Pingback: How to Implement IPSec between a client and a Server in VMware Workstation 10?

  8. More importantly, is it something that you are passionate about, or can contribute something to.
    She has several blogs, including the one at where she posts about publishing online
    using blogs, article syndication, video, and more. In order to master a skill you must constantly work
    at it.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>