Microsoft Windows enables a lot of features by default. Occasionally, there are certain features that, for security reasons, you may want to have disabled, such as the use of USB Flash Storage devices. If you want to do this on your personal computer to keep it safe from users trying to remove data from your computer or network, this is how.
This guide will help in changing your registry files to completely disable any and all USB Mass Storage devices on your computer. You can distribute this Registry key using GPO to disable it throughout a network.
The things you will need before starting:
- A basic ability to navigate Microsoft Windows.
- Access to an administrator account on your Desktop.
- Basic knowledge of the System Registry (this should always be done with caution).
- Click the Start Button
- Typing the word "regedit" in the search (Make sure to type the entire name as it will NOT appear until you have typed the entire program name.).
- Right click regedit and choose to "Run As administrator".
- Open make certain to type in your administrator name and password at the prompt.
- Alternatively if you already operate as an administrator, you can press the WinButton + R or click Run in the Start Menu and proceed to type regedit inside the Run dialog box and then click Ok.
- Now, once inside of the regedit program, the location of the registry key we are looking to change is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
- Right click "Start" REG_DWORD inside of that key and choose to "modify" then change the default value from 3 to 4 and click OK.
In order to re-enable USB Mass Storage devices navigate to the Registry key and change the value back to 3.
If you want a command line that will allow you to script, you can use the following lines:
To disable USB Mass Storage
echo y | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000004To enable USB Mass Storage
echo y | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 00000003
You have now disabled USB Mass Storage devices to be mounted onto your computer.