Unable to disable USB Mass Storage using Windows policies or registry keys


Cadena

New member
Local time
11:44 AM
Posts
4
Visit site
OS
Windows
I have a Windows PC which must have USB mass storage disabled. I have gone into Group Policy Editor (Computer Configuration -> Administrative Templates -> System -> Removable Storage Access) and enabled all three removable disk policies which deny R,W,X access. I have enabled the policy to deny all access to all removable storage classes , and disabled direct access in remote sessions to all removable storage. However, after rebooting my machine, my machine was still able to detect any external USBs and read their files (e.g. open .txt files).

I then tried going into the registry to modify the following keys:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR


For both keys, I modified the Start value and set it to 4 to not avail. Then I tried a creating a new subkey for both USBTOR keys (named Parameters), creating a DWORD 32-bit value named DisableRemovableStorage and setting the value to 1.

None of the measures described above have prevented my PC from detecting USB mass storage devices and interacting with the files stored in them. I have thought of removing all permissions to the USBSTOR.SYS driver and USBSTOR.INF file but I am concerned that in doing so, it could eventually break my system. Therefore, is there any policy or key I need to modify to disable USB mass storage?
 

My Computer

System One

  • OS
    Windows
Hello, and welcome. :alien:

That would only disable "new" USB connections like below instead of all.


If wanted, you can use a different "All Removable Storage classes: Deny all access" policy in the tutorial below to deny access to all removable storage devices

 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Does anything on the computer need access to USB devices? If not, I'd think unplugging them would work. Or is the need for preventing others from plugging in a USB drive?
 

My Computers

System One System Two

  • OS
    Win11 Pro RTM
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 3400
    CPU
    Intel Core i5 11th Gen. 2.40GHz
    Memory
    12GB
    Hard Drives
    256GB SSD NVMe M.2
  • Operating System
    Windows 11 Pro RTM x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Vostro 5890
    CPU
    Intel Core i5 10th Gen. 2.90GHz
    Memory
    16GB
    Graphics card(s)
    Onboard, no VGA, using a DisplayPort-to-VGA adapter
    Monitor(s) Displays
    24" Dell
    Hard Drives
    512GB SSD NVMe, 4TB Seagate HDD
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender/Microsoft Security
I have always found that if I do not need to use a particular piece of hardware I would physically disable that device. If it was hardwired to the motherboard, I would find out if the USB ports was able to be disabled on the board by jumper switches or within the BIOS through a parameter.

FFT: IF your USB or other peripherals are connected thtough a ribbon cable sometimes they can be disabled more permanently than with jumpers or a BIOS parameter entry by NOT connecting them to the motherboard.

At least that worked for me...

Cheers!
 

My Computer

System One

  • OS
    Windows 11 Pro Version 23H2 (Build: 22631.4317)
    Computer type
    Laptop
    Manufacturer/Model
    Asus Flipbook Q504UAK - BHI5T13 [ Hybrid (2-in-1) Touch ]
    CPU
    7th gen Intel® Core™ i5 - 7200U (3MB Cache, 2.5GHz)
    Motherboard
    ASUS UX560A
    Memory
    16GB => 8GB [on-board] & 8GB Kingston HyperX DDR4 2666MHZ SoDIMM
    Graphics Card(s)
    Intel® HD Graphics 620
    Sound Card
    Harmon/Kardon built-in
    Monitor(s) Displays
    1
    Screen Resolution
    Touchscreen: 39.6 cm (15.6") Full HD 1920 x 1080 pixels Matt 16:9
    Hard Drives
    Samsung 2TB SSD 870 EVO [SATA]; Samsung 1TB SSD 980 PRO [NVMe Gen3];
    Samsung 4TB SSD T7 Shield [Portable]
    PSU
    19v@2.36A 45W - 20v@5.0A 65W PD (USB-C to Barrel plug 4.0mm x 1.35mm)
    Case
    Aluminum
    Cooling
    Standard cooling fan
    Keyboard
    Backlit, built-in keyboard
    Mouse
    Logitech Mice: G502X & G602
    Internet Speed
    802.11ac
    Browser
    Firefox v131.0.2
    Other Info
    Card Reader, WLAN, 802.11a, 802.11b, 802.11g, Wi-Fi 4 (802.11n), Wi-Fi 5 (802.11ac) , Webcam, HDMI x1
Hello, and welcome. :alien:

That would only disable "new" USB connections like below instead of all.


If wanted, you can use a different "All Removable Storage classes: Deny all access" policy in the tutorial below to deny access to all removable storage devices

Thank you @Brink I tried following your tutorial by enabling the Deny All Access policy for both local machine and current configuration but it did not make any changes. I also went to the registry and ensured that for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER had the RemovableStorageDevices key with the Deny_All value set to 1. Then I rebooted my machine but nothing has changed and USB mass storage are still not being blocked.
 

My Computer

System One

  • OS
    Windows
Thank you @Brink I tried following your tutorial by enabling the Deny All Access policy for both local machine and current configuration but it did not make any changes. I also went to the registry and ensured that for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER had the RemovableStorageDevices key with the Deny_All value set to 1. Then I rebooted my machine but nothing has changed and USB mass storage are still not being blocked.

Odd. Did you try opening the USB afterwards?

Removable storage devices (ex: USB) will still show up in File Explorer > This PC, but will give a "Access is denied" error message when trying to open it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
I need to disable USB Mass Storage. I want to disable Generic USB Hub and USB Root Hub (USB 3.0) in Device Manager but when I right-click on them, the option to Disable device does not appear. If I go to Properties -> Device for each device, the option Disable Device is greyed out. Please could someone how may I be able to disable USB Hubs from Device Manager?
 

My Computer

System One

  • OS
    Windows
Odd. Did you try opening the USB afterwards?

Removable storage devices (ex: USB) will still show up in File Explorer > This PC, but will give a "Access is denied" error message when trying to open it.
Yes I tried and I could open the files in the USB without any restriction whatsoever. I think it should be possible to disable USB mass storage without disabling the ports themselves by disabling USB Hub devices in device manager. I tried this on another computer and it worked perfectly. However, the computer I need to disable removable devices is not allowing me to disable USB Hub. I created a new post since it is not related to the GPO or registry changes I already implemented.

New Post: Cannot disable USB Hub in Device Manager
 

My Computer

System One

  • OS
    Windows
Back
Top Bottom