How to disconnect all usb devices. How to disable or enable USB ports in Windows. Hardware damage to ports

In many companies and organizations, banning the use of USB drives is one of the primary tasks set before the system administrator. There are two reasons for this: information being carried out (secret documents, etc.) and unwanted content being brought in (viruses, games, and the like). At first glance, the problem can be solved simply by disabling the USB ports in the BIOS, but this also affects other USB devices: mouse, keyboard, printer or phone charger.

So you need to block flash drives in software without affecting useful USB devices. There are several options; let's look at them in more detail:

Disable USB Windows 7, 8, Vista

Beginning with Windows Vista, the local Group Policy editor (gpedit.msc) has a very useful branch, located under “Local Computer Policy” > Computer Configuration > Administrative Templates > System > Removable Storage Access. It allows you to flexibly configure read, write and execute bans for various classes of removable devices.


Disable USB Windows XP

To disable USB removable storage devices in Windows XP, you need to tweak the registry a little and adjust the access rights to the driver files:

  1. Disable the USBSTOR service (regedit.exe):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

  2. Set the SYSTEM account permission to “Deny” for the following files:
    • %SystemRoot%\Inf\Usbstor.pnf
    • %SystemRoot%\Inf\Usbstor.inf

This is described in more detail in the original source: http://support.microsoft.com/kb/823732

To automate this, create a file with the .bat extension and copy one of the following into it:

on-USB.bat

rem 1) ACL
cacls %SystemRoot%\inf\usbstor.inf /e /p "NT AUTHORITY\SYSTEM":F
cacls %SystemRoot%\inf\usbstor.PNF /e /p "NT AUTHORITY\SYSTEM":F
rem 2) Registry
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000003 /f

off-USB.bat

rem ACL
cacls %SystemRoot%\inf\usbstor.inf /e /p "NT AUTHORITY\SYSTEM":N
cacls %SystemRoot%\inf\usbstor.PNF /e /p "NT AUTHORITY\SYSTEM":N
rem Registry
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000004 /f

Banning USB through group policies in Windows Server 2003

By default, Group Policy in Windows Server 2003 does not provide a simple way to disable removable-media devices such as USB ports, CD-ROM drives and floppy drives. Despite this, Group Policy can be extended with the appropriate settings using an ADM template.

The ADM template below allows the administrator to disable the corresponding device. Import this administrative template into Group Policy as an .adm file.
In C:\WINDOWS\inf, create a file nodev.adm with the following contents:

CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
   PART !!labeltextusb DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
   PART !!labeltextcd DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 1 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
   PART !!labeltextflpy DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
   PART !!labeltextls120 DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

IMPORTANT! If the added policies are not displayed in the Group Policy Editor, do the following:
1. In the right part of the policy editor window, right-click, go to the View menu item and click Filtering...
2. Uncheck “Only show policy settings that can be fully managed”
3. Click OK
After this, the added policies will be displayed on the right side of the Group Policy Editor window.

Banning USB through group policies in Windows Server 2008

A ready-made group policy for banning drives appeared in server operating systems starting with Windows Server 2008. You can configure it on the controller via the gpmc.msc snap-in, at the same path (Policy > Computer configuration > Policies > Administrative Templates > System > Removable storage access). It works flawlessly, but applies only to the Windows Vista, 7 and 8 operating systems.

The situation with Windows XP is somewhat more complicated; despite Microsoft's statements about ending support for XP in the spring of 2014, it still accounts for a large share of the operating systems used in the corporate sector. No matter: we'll set it up the same way as the local one, only through a GPO. We launch gpmc.msc, create a GPO and start editing it.


Of all the methods found after a brief search, none worked in my case :)

Even the option to limit rights for users in the registry did not produce results (even removing rights for the system and administrator - i.e., all rights completely for everyone - did not help).

As a result, I put together my own version (combining two different ones).

In my case a regular user does not have any privileges in the system (a dream!) and, of course, maximum functionality was required, i.e. use of certain (registered) media on individual PCs.

To do this, we use only two procedures (actions):

  1. We delete from the registry the information about all USB storage devices ever used (registered in the registry), using any convenient method (to your taste).
    The fastest and easiest way for me was to use a simple utility. Then we delete the files %Windows%\inf\Usbstor.pnf and Usbstor.inf from the system.
  2. Later, when a storage device needs to be added (registered), we put the specified files back into the system, then connect (reconnect) the USB drive, and it is fully detected (registered) by the system. After it has been registered, we delete the specified files again, which again blocks any attempt by the system to detect a new USB storage device.

When rights in the OS are properly separated and “normal” work is done by a user with limited rights, this method completely blocks the ability to connect flash drives that have not been registered (by the system administrator) to the OS.

Removing and adding Usbstor.pnf and Usbstor.inf files can be done using .bat files approximately as follows:

deletion

del /f /s /q C:\WINDOWS\inf\usbstor.inf C:\WINDOWS\inf\usbstor.PNF

restore (provided that the files are located next to the bat file)

xcopy ".\usbstor.inf" "C:\WINDOWS\inf\"
xcopy ".\usbstor.PNF" "C:\WINDOWS\inf\"

Attention! For Windows 7 and higher, all .bat files must be run as an administrator ("Run as administrator" in the context menu).

Below are other ways to restrict access to these devices (they didn’t work for me individually).

Computer Management -> Device Manager -> Universal Serial Bus controllers -> (USB Root Hubs) -> "Device usage": [disabled]

For example, if the printer is connected to a hub, then that hub does not need to be disabled.

Note 1. Device Manager can be launched from the command line: start devmgmt.msc.

Note 2. An interesting feature of Device Manager: run these two commands from the console:

Set devmgr_show_nonpresent_devices=1
start devmgmt.msc

Then hidden devices will appear in Device Manager.

If USB is not required, disable USB controllers.

Prohibit use by everyone except selected users through “Computer Management -> Storage Devices -> Removable Storage -> Properties -> Security”.

Flaw

There are pitfalls here: for example, use is prohibited for the USER group, but the administrator can also be a member of the USER group.

However, this is equivalent to changing the parameter
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR "Start"
"Start"=dword:00000004 - disable;
"Start"=dword:00000003 - allow.

Note. You can start the service from the command line:
net start "Removable Storage"

We go to the %Windows%\inf folder (the folder has the hidden attribute), there are two files in it - Usbstor.pnf and Usbstor.inf.

We deny access to these files except for the administrators group or a specific user.

Why ban USB completely when you can ban only writing?

HKLM\SYSTEM\CurrentControlSet\control\StorageDevicePolicies.

The WriteProtect parameter most likely does not exist. Then it needs to be created with type dword and assigned the value 1.

And don't forget to reboot your computer. To restore - assign the value 0.

So, step by step (of course, you need to have local administrator rights):

  1. Win+R (similar to Start -> Run), regedit.
  2. . This key stores information about all USB drives ever connected.
  3. We give ourselves full access to USBSTOR (right-click -> Permissions, check the Full Control box for the Everyone group).
  4. We delete all contents of USBSTOR.
  5. We connect the approved flash drive and make sure that it has been identified. A key like Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07 should appear inside USBSTOR (F5 to update the list).
  6. Right-click USBSTOR again and choose Permissions. We remove Full Control from the Everyone group, leaving the right to read.
  7. The same rights must be assigned to the SYSTEM user, but this cannot be done directly. First you need to click the Advanced button, uncheck the Inherit from parent object... checkbox, and in the Security window that appears, say Copy. After clicking OK again, the SYSTEM user rights will become available for change.
  8. To consolidate the effect, click the Advanced button again and check the Replace permissions for all child objects... Confirm execution.

What did we achieve in the end? An approved flash drive connects and disconnects without problems. If an unapproved drive is connected, Windows will detect the device but will not be able to install it, complaining as follows:

Moreover, a new key will be created in USBSTOR, which will clearly indicate an attempt to connect an unapproved USB storage device.
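
The check implied by the last paragraph, as an added example in Python that is not part of the original article: it parses the text output of reg query run with /s against the USBSTOR device key and reports every device key or individual unit that is not on an approved list. The key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR is an assumption (the step list does not spell it out), and the serial numbers, the Example/Stick device and the approved list are constructed; only the JetFlash key name comes from the text.

```python
import re

# Assumed key path: the step list above does not spell it out.
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
DEVICE_RE = re.compile(
    r"^[^&\\]+&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$", re.I)

def parse_usbstor(reg_query_output):
    """Return {device_key: {instance_id, ...}} from `reg query <USBSTOR> /s` text."""
    devices = {}
    prefix = USBSTOR.lower() + "\\"
    for line in reg_query_output.splitlines():
        line = line.rstrip()
        if not line.lower().startswith(prefix):
            continue  # value lines are indented, so only key paths get here
        parts = line[len(prefix):].split("\\")
        if not DEVICE_RE.match(parts[0]):
            continue
        instances = devices.setdefault(parts[0], set())
        if len(parts) > 1:
            instances.add(parts[1])  # per-unit instance ID (serial number)
    return devices

def find_unapproved(devices, approved):
    """Compare parsed keys with approved {device_key: {instance_id}}; case-insensitive."""
    allowed = {k.lower(): {i.lower() for i in v} for k, v in approved.items()}
    findings = []
    for key, instances in sorted(devices.items()):
        m = DEVICE_RE.match(key)
        label = f"{m['vendor']} {m['product']} rev {m['rev']}"
        if key.lower() not in allowed:
            findings.append((key, None, f"unapproved model: {label}"))
            continue
        for inst in sorted(instances):
            if inst.lower() not in allowed[key.lower()]:
                findings.append((key, inst, f"unapproved unit of {label}"))
    return findings

# Constructed sample (not real output); the JetFlash key name is the one quoted above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07\AAAA000000000001&0
    FriendlyName    REG_SZ    JetFlash TS4GJF185 USB Device
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07\AAAA000000000002&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00
"""
APPROVED = {"Disk&Ven_JetFlash&Prod_TS4GJF185&Rev_8.07": {"AAAA000000000001&0"}}

if __name__ == "__main__":
    for finding in find_unapproved(parse_usbstor(SAMPLE), APPROVED):
        print(finding)
```

Matching on the instance ID as well as the device key matters because two drives of the same model share one device key.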

First, you need to figure out why you might need to disconnect USB ports on your computer. Everything is quite simple here. With the advent of miniature data storage devices operating via USB, a need arose to prevent data leakage from computers. Using a regular flash drive or portable hard drive, you can easily steal any information. To prevent such incidents, it is necessary to completely disable USB ports. Of course, everyone may have their own reasons for disabling ports, but this is not so important. Below are several ways to disable USB ports on your computer.

Disable USB ports in BIOS settings

In fact, everything is quite simple: go to the BIOS settings and disable all ports, or just the ones you need to. The nuance is that there are currently several versions of BIOS, and the way ports are disabled sometimes differs between them.

Award BIOS. Go to the BIOS settings and select the Integrated Peripherals item. In this menu, find the items USB EHCI Controller, USB Keyboard Support, USB Mouse Support and Legacy USB storage detect, and disable them by selecting the Disabled option. Then save the settings and restart the computer.

Phoenix Award and AMI BIOS. Go to the settings and select the Advanced item (some versions may have a Peripherals item instead) or Advanced BIOS Features. Next, go to the USB Configuration menu. Turn off all USB items, save the settings and restart the computer.

UEFI. A more modern interface. Go to the Peripherals or Advanced menu. Select the Legacy USB Support and USB 3.0 Support items and turn them off. Next, save the settings and restart the PC.

Note! In some versions, the menu items may have slightly different names, but that's okay, just go through all the menus and find the USB settings.

Disable USB using the registry

This is a more suitable way. In the registry you can block USB port access for specific devices rather than the ports themselves. At a time when almost everything is connected via USB, including the mouse and keyboard, this method is preferable. You can block port access specifically for flash drives while the computer mouse keeps working fine.

Open the registry editor: press Win+R, enter the command regedit and click OK. Then go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Find the Start value. Open it and enter the value 4. Save the settings and restart your computer. This setting closes external drives' access to the port.

Note! If the USB controller drivers are not installed on your computer, the Start value will automatically change to 3 as soon as a device is connected to the port.
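
An added example, not from the original article: a Python audit that reads registry exports (.reg files) collected from several machines and reports which ones no longer match the intended state, using the USBSTOR Start value described here and the WriteProtect value described earlier. It catches Start having gone back to 3. Host names and export contents are constructed, and the posture names are this example's own.

```python
import re

SVC = r"hkey_local_machine\system\currentcontrolset\services\usbstor"
POL = r"hkey_local_machine\system\currentcontrolset\control\storagedevicepolicies"
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def decode_reg(data):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are single-byte."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def parse_dwords(text):
    """Return {(key_path, value_name): int}, both lower-cased, for every dword value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1).lower()
            continue
        dword = DWORD_RE.match(line)
        if key and dword:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values

def posture(data):
    """Classify one host's export as blocked / read-only / read-write / unknown."""
    values = parse_dwords(decode_reg(data))
    start = values.get((SVC, "start"))
    if start is None:
        return "unknown"   # USBSTOR key not present in the export
    if start == 4:
        return "blocked"   # driver disabled
    # Any other Start value lets the driver load; WriteProtect (absent = 0) decides writes.
    return "read-only" if values.get((POL, "writeprotect"), 0) == 1 else "read-write"

def drifted_hosts(exports, required="blocked"):
    """exports: {hostname: raw .reg bytes}. Return {hostname: posture} where it differs."""
    found = {host: posture(data) for host, data in exports.items()}
    return {host: p for host, p in sorted(found.items()) if p != required}

def make_export(start, write_protect=None, utf16=False):
    """Build a constructed sample export (not captured from a real machine)."""
    text = ("Windows Registry Editor Version 5.00\r\n\r\n"
            r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]"
            f'\r\n"Start"=dword:{start:08x}\r\n')
    if write_protect is not None:
        text += ("\r\n"
                 r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]"
                 f'\r\n"WriteProtect"=dword:{write_protect:08x}\r\n')
    return b"\xff\xfe" + text.encode("utf-16-le") if utf16 else text.encode("latin-1")

# Hypothetical hosts, constructed exports; ws-02 shows Start reverted to 3.
SAMPLES = {"ws-01": make_export(4), "ws-02": make_export(3),
           "ws-03": make_export(3, write_protect=1, utf16=True)}
```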

Disable USB via Device Manager

Open Device Manager: right-click My Computer, open Properties, then Device Manager. Open the USB controllers menu. Right-click a controller and select Disable from the context menu.

Important! Removing the USB controller drivers will not work, because the first time you connect a device to the port, Windows will begin installing the drivers.

Disable USB using Windows files


Denying access using the Local Group Policy Editor


You can also ban reading and writing.

Additionally

It is also worth mentioning that there are two more ways to restrict access to ports: using third-party programs and physically disabling the ports.

There is plenty of third-party software on the Internet, and each one is configured differently, so there is no point in describing this method in the article. All you need to do is find the desired program and instructions for it.

As for physically disconnecting ports, this method only works with the ports on the front panel of the system unit. Open the system unit and carefully disconnect the wires going to the ports.

Bottom line

Whatever the reason for the need to disable USB ports, now you know how to do it.

Sandbox

Black Overlord March 12, 2013 at 2:37 pm

Quickly and easily disable USB ports on Win7 part 2

In the previous post I described how an inexperienced user can disable USB ports using group policies. However, I forgot that different editions of Windows 7 have different features.
Please note that I am not talking about installing additional free software, because I know from experience that closing a hole with free software risks opening five more. I suggest using the built-in OS features.

I know from experience that, to save money, small companies install editions such as “Home Basic” or “Home Premium” on staff machines (well, that is only the case if the company is trying to work legally and does not want a fine for illegal software. And those companies that are not afraid of inspections install all pirated software and do not suffer))).
The “Home Basic” and “Home Premium” editions lack the snap-ins that their bigger brothers have, so closing ports using group policies will not work. Therefore, we need to block access directly to the files responsible for initializing devices connected to USB ports.

Let's say that there are 3 users on the machine: “Operator”, “Manager” and “Administrator”, in the Administrators and Users groups.
The flash drive must be usable only under the “Administrator” account.

Turn on the computer, log in as an administrator, open Explorer and type "%SystemRoot%\inf\" (here and below, copy without the quotes).

Next, in the search box we type “USB”.

This returns approximately 18 items (depending on which system is installed, the OS version, and any additional USB drivers installed).
We essentially only need 8 files:
usb.inf
usbstor.inf
usbport.inf
winusb.inf
usb.PNF
usbstor.PNF
usbport.PNF
winusb.PNF

Then we need to block other users' access to these files. Right-click the file "usbstor.inf" -> "Properties".

Go to the "Security" tab and press the "Edit" button.

Then we select the users we need to disable. For us these are “Operator”, “Manager” and “System”. If we need to disable all accounts that belong to the “Users” group (these are “Operator” and “Manager”), then we simply ban the group. If only a specific one, let’s say “Operator”, then select this particular account.

Attention: the “System” account also needs to be denied use of the file.
We set the deny entry, switch to the next user and set the deny entries there as well. When all the required users have been disabled (for me it is only “System” and “Users”), click the “OK” button.

A warning will appear saying that access to the file will become unavailable and so on (if you want, you can read it); click the “OK” button again.
Then another message asks whether we really want to do this (you can read it if you wish); press the “OK” button again.

And we repeat this procedure for the remaining 7 files:
usb.inf
usbport.inf
winusb.inf
usb.PNF
usbstor.PNF
usbport.PNF
winusb.PNF

If this is a freshly installed OS, then everything is in order and, in theory, the selected users will not have access to flash drives. However, if flash drives were already connected to this system by the users whose access needs to be disabled, then you will need to change a value in the registry.

Click Start -> type regedit -> open the registry.

Open the “USBSTOR” folder
and change the value of the “Start” parameter to 4.

If your computer stops responding to input from a connected USB keyboard or mouse, check the USB options in the power plan settings. Sometimes Windows may turn off USB devices while they are idle, which saves power but is not always justified or convenient for work.
To prevent the temporary shutdown of USB ports in this situation, change the power settings in the power plan. To do this, click the "Start" button, type "Power Options" in the "Search programs and files" field and press "Enter". The "Power Options" icon will appear; click on it with the left mouse button.

You can also open the power plans from the Control Panel, opening it in whatever way is convenient for you and, if necessary, switching to the “Small Icons” view mode and selecting the “Power Options” item.

The "Select a power plan" window will open. Next to the current power plan, click "Change plan settings".

In the next step, click "Change advanced power settings".

In the window that opens, find the "USB settings" item and expand it first, and then expand "USB selective suspend setting" by clicking on +.

Click “Enabled” and a drop-down list will appear with options to choose from. There are only two of them; select “Disabled”.