
Protecting Your USB – 4 : Enabling Write-Protect contd…


Scenario contd… : Your PC contains a lot of important and personal files, you are afraid that someone will just connect a USB device and copy them, and you want to prevent that.

Solution contd… : We covered a method to prevent data from being written to USB devices in my last post. Today let's take it a step further: we will prevent users from connecting a USB storage device at all, striking the problem at its source.

So how do we do it?

To prevent users from connecting to USB storage devices, use one or more of the following procedures, as appropriate for your situation.

Case 1 : If a USB storage device is not already installed on the computer (i.e. the user has not connected a USB device to the PC in the past)

If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:

  • %SystemRoot%\Inf\Usbstor.pnf
  • %SystemRoot%\Inf\Usbstor.inf

These files are responsible for installing a USB storage device on the PC, so once the Deny permissions are in place, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

  1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
  2. Right-click the Usbstor.pnf file, and then click Properties.
  3. Click the Security tab. In the Group or user names list, add the user or group that you want to set Deny permissions for.
  4. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
    Note : Also add the System account to the Deny list.
  5. In the Group or user names list, select the SYSTEM account.
  6. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
  7. Right-click the Usbstor.inf file, and then click Properties.
  8. Click the Security tab.
  9. In the Group or user names list, add the user or group that you want to set Deny permissions for.
  10. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
  11. In the Group or user names list, select the SYSTEM account.
  12. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

Case 2 : If a USB storage device is already installed on the computer

If a USB storage device is already installed on the computer, you can change the registry to make sure that the device does not work when the user connects to the computer.

To do so, follow these steps:

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  4. In the details pane, double-click Start.
  5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
  6. Exit Registry Editor.
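
Both procedures can also be scripted and, more usefully, verified afterwards. The PowerShell below is an added example, not part of the original post. It assumes an elevated prompt, uses a hypothetical default of `BUILTIN\Users` for the denied group, and applies both cases when `-Apply` is given; without `-Apply` it only reports the current state.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Without -Apply it only reports the current state of both settings.
param(
    [string]$Principal = 'BUILTIN\Users',  # assumed default: group to deny in Case 1
    [switch]$Apply
)

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$infFiles = 'Usbstor.inf', 'Usbstor.pnf' |
    ForEach-Object { Join-Path $env:SystemRoot "Inf\$_" }

# Case 2: the driver service is registered, so set Start to 4 (disabled).
if (Test-Path $svcKey) {
    if ($Apply) {
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    }
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    $state = if ($start -eq 4) { 'disabled' } else { 'NOT disabled' }
    Write-Output "UsbStor Start = $start ($state)"
} else {
    Write-Output 'UsbStor service key not present; only the file ACLs apply (Case 1).'
}

# Case 1: deny Full Control on the driver install files to the chosen
# principal and to SYSTEM, then list the Deny entries actually in place.
foreach ($file in $infFiles) {
    if (-not (Test-Path $file)) {
        Write-Output "$file not found, skipped"
        continue
    }
    if ($Apply) {
        foreach ($who in $Principal, 'SYSTEM') {
            icacls $file /deny "${who}:(F)" | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "icacls failed for $who on $file (exit $LASTEXITCODE)"
            }
        }
    }
    $denied = (Get-Acl -Path $file).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    if ($denied) {
        Write-Output "$file Deny entries: $($denied -join '; ')"
    } else {
        Write-Output "$file has no Deny entries"
    }
}
```

Running the report-only form on a schedule shows whether the `Start` value or the Deny entries have been reverted since they were set.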

I agree that while this method might appear crude and too strict (and might not come under the write-protect definition), it does implement it (in a way), so I had to cover it… and trust me… this is one of the methods implemented in corporate environments…

We will continue some more on this USB-related topic in my next post… till then… Stay Sharp
