
Windows 10/11, how to deny access to any USB drive BESIDES the specified one?

Anonymous
2023-11-23T13:35:45+00:00

Hello dears,

Have a nice day

I have got a task on Windows 10/11 Pro: to allow access to only one specified USB drive and to deny access to any others.

Now the user uses some USB drives:

PS C:\Windows\system32> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | select FriendlyName

FriendlyName
JetFlash Transcend 32GB USB Device
Kingston DataTraveler 3.0 USB Device
Kingston DataTraveler 3.0 USB Device
Kingston DataTraveler 3.0 USB Device
Kingston DT microDuo USB Device
TOSHIBA TransMemory USB Device
USB DataLogger USB Device
USB Disk USB Device
...

I would like only "USB DataLogger USB Device" to remain accessible from this machine (ok, or "Current User" if it is not possible for "Current Machine"). Any others, whether from this list or not, should be inaccessible.

Yes, I saw texts saying I should remove the keys connected with "unnecessary drives" from the Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP

etc.

Only one entry remains:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_DataLogger&Rev_2.00

Then set "Read Only" permission on the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

for any access including "System", "All application" etc...

So nobody at all could write to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

and any USB drives (except USB DataLogger USB Device, because it already exists) could not be added here and would remain unavailable.

But I dislike this way for at least 2 reasons (sticking hands in the registry is a dangerous way in general and I could not remove these keys because of insufficient rights for sub-keys of these records (yes, surely I tried as machine's local Admin)).

Policies could allow or deny access to USB-drives in general (all accessible or all not). That is not the result I'm looking for.

So my question is:

What is the right way to get what I want with only standard MS or MS recommended tools? Or some workaround?

Upd. I tried to clarify my question.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


4 answers

  1. Anonymous
    2023-11-24T06:58:52+00:00

    Finally I've overcome "Error while deleting key".

    All I had to do was (run regedit as local administrator):

    manually make myself the owner of the key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100),

    give myself Full Access to it in Permissions,

    apply them,

    press F5 to refresh and see the underlying sub-key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100\60A44C...600FA&0) and do the same thing with it, because inheritance doesn't work here.

    Then do the same with:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100\60A44C...600FA&0\Properties

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100\60A44C...600FA&0\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100\60A44C...600FA&0\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A

    Only after all these steps can I remove the key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_32GB&Rev_1100) totally.

    And start to work with next one...

    Upd01. However, the new USB drives plug in fine and create their keys in the key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR) I heroically cleaned up.

    Even though inheritance permissions for USBSTOR are disabled and everyone (System, Creator, ...) has got "read-only" permissions for key and sub-keys. Nobody has Full access to USBSTOR.

    PS C:\Windows\system32> (Get-acl -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR).AccessToString

    Creator-Owner Allow ReadKey
    NT AUTHORITY\System Allow ReadKey
    BUILTIN\Administrators Allow ReadKey
    BUILTIN\Users Allow ReadKey
    ALL APPLICATION PACKAGES Allow ReadKey

    PS C:\Windows\system32> Get-acl -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR | % { $_.access }

    RegistryRights    : ReadKey
    AccessControlType : Allow
    IdentityReference : Creator-Owner
    IsInherited       : False
    InheritanceFlags  : ContainerInherit
    PropagationFlags  : InheritOnly

    RegistryRights    : ReadKey
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\System
    IsInherited       : False
    InheritanceFlags  : ContainerInherit
    PropagationFlags  : None

    RegistryRights    : ReadKey
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : ContainerInherit
    PropagationFlags  : None

    RegistryRights    : ReadKey
    AccessControlType : Allow
    IdentityReference : BUILTIN\Users
    IsInherited       : False
    InheritanceFlags  : ContainerInherit
    PropagationFlags  : None

    RegistryRights    : ReadKey
    AccessControlType : Allow
    IdentityReference : ALL APPLICATION PACKAGES
    IsInherited       : False
    InheritanceFlags  : ContainerInherit
    PropagationFlags  : None

    Nevertheless...

    I don't get it..

    Upd01

    It seems that the USBSTOR key still keeps inheriting rights from the superior key. I don't know what to do about it. Although I have cancelled all inheritance rights and made myself the owner of the key and all sub-keys with Full Access permissions, I can't rename USBSTOR for example and SYSTEM or whoever else could create a new sub-key for a newly connected USB drive. And I can't rename the key USBSTOR.

    So the permissions I have explicitly assigned to USBSTOR do not work. I mean, I'm doing something wrong with them. What am I doing wrong?

    So the question of MS's recommended method remains open.

    1 person found this answer helpful.
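
An added example, not part of the thread and not Microsoft's code: a read-only PowerShell inventory of the USBSTOR key discussed above, which splits each device key name into vendor, product and revision and flags every instance whose key is not on an allowlist. The function names and `$AllowedDeviceKeys` are assumptions made for illustration; the allowlisted key name is the one quoted in the question.

```powershell
# Added example: audits HKLM:\...\Enum\USBSTOR without modifying it.
$UsbStorRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Assumption: allowlist by device key name (the DataLogger key from the question).
$AllowedDeviceKeys = @('Disk&Ven_USB&Prod_DataLogger&Rev_2.00')

function ConvertFrom-UsbStorKeyName {
    # Splits 'Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>' into its fields.
    param([Parameter(Mandatory)][string]$KeyName)
    $pattern = '^(?<Type>[^&]+)&Ven_(?<Vendor>[^&]*)&Prod_(?<Product>[^&]*)&Rev_(?<Revision>.*)$'
    if ($KeyName -match $pattern) {
        [pscustomobject]@{
            Type     = $Matches['Type']
            Vendor   = $Matches['Vendor']
            Product  = $Matches['Product']
            Revision = $Matches['Revision']
        }
    }
}

function Get-UsbStorInventory {
    # Emits one object per device instance (one per physical drive seen so far).
    param(
        [string]$Root = $UsbStorRoot,
        [string[]]$Allowed = $AllowedDeviceKeys
    )
    foreach ($deviceKey in Get-ChildItem -LiteralPath $Root -ErrorAction Stop) {
        $id = ConvertFrom-UsbStorKeyName -KeyName $deviceKey.PSChildName
        $instances = Get-ChildItem -LiteralPath $deviceKey.PSPath -ErrorAction SilentlyContinue
        foreach ($instance in $instances) {
            $props = Get-ItemProperty -LiteralPath $instance.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Allowed      = $Allowed -contains $deviceKey.PSChildName
                FriendlyName = $props.FriendlyName
                Vendor       = $id.Vendor
                Product      = $id.Product
                Revision     = $id.Revision
                Instance     = $instance.PSChildName   # per-device instance ID
                DeviceKey    = $deviceKey.PSChildName
            }
        }
    }
}

# Non-allowlisted devices sort first so new or unexpected drives stand out.
Get-UsbStorInventory | Sort-Object Allowed, DeviceKey | Format-Table -AutoSize
```

The device key name identifies a model, not one physical drive: the three "Kingston DataTraveler 3.0" entries in the question share a key and differ only in the `Instance` column. Run on a schedule, the same inventory reports any drive that was plugged in after the key was cleaned.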
  2. Van S 23,660 Reputation points Independent Advisor
    2023-11-24T04:29:33+00:00

    I apologize that none of the workarounds helped solve the issue. Let me share your case with other community experts. Maybe someone else has other insight about your case.

  3. Anonymous
    2023-11-24T03:14:41+00:00

    Dear Van Dennis,

    thanks for your response.

    Please read my question again. I don't want to turn off USB ports and/or driver(s). I want to use ONLY ONE SPECIFIED USB drive "USB DataLogger USB Device". Any other USB drives should be inaccessible here.

  4. Van S 23,660 Reputation points Independent Advisor
    2023-11-23T14:50:20+00:00

    Hi, I am Van. I'll be glad to assist you today.

    Below are some methods you can try to disable USB ports on the device.

    Method 1. Disabling the USB ports through the BIOS setup

    Some motherboards have USB configuration settings in the BIOS in which you can disable or enable the USB ports.

    Method 2. Using the device manager

    Open the device manager. Expand "Universal Serial Bus Controllers." Right-click the USB port, then click "Disable device."

    Please note the port locations so you will not mistakenly disable the keyboard and mouse USB ports.

    Please let me know if you need any further assistance. I will be glad to help.
