Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Problem description
Assume that you want to prevent users from connecting to a USB storage device that is connected to a computer that is running Windows. This article discusses two methods that you can use to do this.
Resolution
To prevent users from connecting to USB storage devices, use one or more of the following procedures, as appropriate for your situation.
If a USB storage device isn't already installed on the computer
If a USB storage device isn't already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:
- %SystemRoot%\Inf\Usbstor.pnf
- %SystemRoot%\Inf\Usbstor.inf
When you do this, users can't install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:
Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
Right-click the Usbstor.pnf file, and then select Properties.
Select the Security tab.
In the Group or user names list, add the user or group that you want to set Deny permissions for.
In the Permissions for UserName or GroupNamel list, select the Deny checkbox next to Full Control.
Note
Also add the SYSTEM account to the Deny list.
In the Group or user names list, select the SYSTEM account.
In the Permissions for UserName or GroupNamel list, select the Deny checkbox next to Full Control, and then select OK.
Right-click the Usbstor.inf file, and then select Properties.
Select the Security tab.
In the Group or user names list, add the user or group that you want to set Deny permissions for.
In the Permissions for UserName or GroupNamel list, select the Deny checkbox next to Full Control.
In the Group or user names list, select the SYSTEM account.
In the Permissions for UserName or GroupNamel list, select the Deny checkbox next to Full Control, and then select OK.
If a USB storage device is already installed on the computer
If a USB storage device is already installed on the computer, you can change the registry to make sure that the device doesn't work when the user connects to the computer.
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
When you do this, the USB storage device doesn't work when the user connects the device to the computer. To set the Start value, follow these steps:
Select Start, and then select Run.
In the Open box, type regedit, and then select OK.
Locate and then select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStorIn the details pane, double-click
Start.In the Value data box, type 4, select Hexadecimal (if it isn't already selected), and then select OK.
Exit Registry Editor.
Did this fix the problem?
Check whether the problem is fixed. If the problem is fixed, you're finished with this article. If the problem isn't fixed, you can contact support.
More information
Contact the vendor of your USB device to ask about a newer driver.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft doesn't guarantee the accuracy of this third-party contact information.