How-to Guide: Block USB Storage Devices on Windows XP

by admin on September 15th, 2010

This guide helps an administrator block access to USB storage devices, such as USB flash drives, in Windows XP. This is particularly useful for large offices that work with sensitive information, such as those in the health care industry.

Setting User Permissions

1. Log into an Administrator account in the desired Windows computer.

2. Open up a Windows Explorer window, and in the address field type:

%SystemRoot%\Inf

3. Locate the files Usbstor.inf and Usbstor.pnf, select both files, right-click and go to Properties.

Usbstor.inf and Usbstor.pnf files in the Windows Inf folder

4. Click on the Security Tab.

Security Tab in the Properties Panel


5. In the Group or User Names list, add the user group that you want to deny permissions to.

6. In the Permissions for that group, click the Deny box next to Full Control.

7. Now repeat step 6 for the System Account.

This will prevent any new access to a USB storage device, but if a device is already installed on the computer you will need to complete these additional steps.

These steps require that you modify the registry. Modifying the registry incorrectly can cause serious problems, so begin by creating a backup of your registry. The backup can be restored if an incorrect change causes an error in Windows.

Backing Up The Registry

1. Click Start, Run, and type:

%SystemRoot%\system32\restore\rstrui.exe

2. Click OK.

3. On the Welcome to System Restore page, click Create a Restore Point and click Next.

4. On the Create a Restore Point page, type a name for the restore point and then click Create. If System Restore is turned off, you will be asked whether to turn it on now: click Yes, then in the System Properties dialog box clear the Turn off System Restore check box and click OK.

5. After the restore point is created, click Close.

Changing the Registry

1. Click on Start, Run and type:

regedit

2. Click OK.

3. Locate and click the following Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

Registry Entry for USBStor


4. In the details area, double-click Start.

5. In the Value data box, type 4, click Hexadecimal (if it is not already selected).

6. Click OK.

7. Exit the Registry Editor.

Now the system should be locked from using USB storage devices. Plug in a USB drive and you will see that it will not load. You can check that it does register in the Device Manager but is not permitted to load drivers.

Verifying in Device Manager

1. Click on Start, then right-click My Computer and choose Properties.

2. Click on the Hardware tab.

3. Click Device Manager.

4. Listed under Universal Serial Bus Controllers, there should be a device with an exclamation mark. This would be the USB drive with blocked drivers.
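
The steps from Setting User Permissions and Changing the Registry can also be run as one batch file in cmd.exe, which helps when the same settings go onto several machines. This is an added example, not part of the original guide; it uses the built-in cacls and reg commands, and the group name Users is a placeholder assumption for the group chosen in step 5.

```bat
@echo off
rem Added example, not from the original guide. Run from an Administrator account.
rem Assumption: GROUP is a placeholder for the group chosen in step 5.
setlocal
set "GROUP=Users"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"

rem Setting User Permissions: deny the group and SYSTEM on both files.
rem cacls /E edits the existing ACL instead of replacing it; /D adds a deny entry.
for %%F in (Usbstor.inf Usbstor.pnf) do (
    if exist "%SystemRoot%\Inf\%%F" (
        cacls "%SystemRoot%\Inf\%%F" /E /D "%GROUP%"
        cacls "%SystemRoot%\Inf\%%F" /E /D SYSTEM
    ) else (
        echo %%F not found in %SystemRoot%\Inf, skipping.
    )
)

rem Changing the Registry: only applies when the UsbStor service key exists.
reg query "%KEY%" /v Start >nul 2>&1
if errorlevel 1 (
    echo UsbStor key not present; nothing to change in the registry.
    goto :eof
)
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f

rem Check: the value should now read 0x4. Re-run this check later to spot resets.
reg query "%KEY%" /v Start | find "0x4" >nul
if errorlevel 1 (echo WARNING: UsbStor Start is not 4) else (echo UsbStor Start is 4)
```

Create the restore point described under Backing Up The Registry before running it.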

Restoring The Registry (ONLY use this if you have incorrectly altered the Registry)

Do not use this to reverse the above effects at a later date, as restoring to this date will undo any adjustments made in Windows between these dates.

1. Click Start, Run and type:

%SystemRoot%\System32\Restore\Rstrui.exe

2. Click OK.

3. On the Welcome to System Restore page, click Restore My Computer to an Earlier Time and click Next.

4. On the Select A Restore Point page, click the system checkpoint you recently created. In the On This List Select the Restore Point area, click “Guided Help (Registry Backup)” and click Next.

5. A system message may appear that lists the configuration changes to be made; click OK.

6. On the Confirm Restore Point Selection page, click Next.

7. Windows will restart, click OK on the confirmation.

Thanks for joining me on another How-to instruction.

1 Comment
  1. martin

    This works, but people in my office already know how to reset it back. Better solution could be a free tool like uHook USB Security, http://dataresolve.com/products/uhook-usb-disk-security/. You can even set a password to protect un-installation.
