Registry Hack to Disable Writing to USB Drives
A common security concern at organizations is allowing users to plug in a usb flash drive, because they could so easily copy corporate data.
Since Windows XP SP2, you can disable writing to USB devices altogether using a simple registry hack. Here it is:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
You can also just download one of the following registry tweaks to enable or disable writing to USB drives.
Once you use the registry hack, you will have to reboot for the changes to take effect. One should also note that if you are using this trick, you should make sure that the users are not administrators on the computer, because they could easily change this setting back.
This works on Windows Vista as well. Here's the window you'll get when you try and write to a USB drive:
Nice Tip!
Great looking web site, I'll be back soon!
Jamie
How do you prevent employees from copying corporate data to a remote website where they can download it at their leisure?
@C.X.
Typically in an environment that is locked down, you'd have logging on the firewall of all traffic, and probably the majority of outgoing ports would be blocked.
Firewall is the only way to prevent something like that.
This is a great tip, but would this also prevent access to other usb devices like mice, keyboards and cameras?
but what can i do, if the registry is write protected for me? I searched the web from east to west and from south to north ;o)
but i can't find a tip how to change the registry without rights.
You have to be an administrator on the machine in order to make registry changes.
Elevation of privileges would be the only way for a (limited) user to make changes to the registry. Without using an exploit / malware, you're pretty well done. Won't post one here as my SysAdmin hat is on, but I'm sure if you were willing to lose your job, you could try it anyway…
i can't find StoragDevicePolicies in the registry. How can I change the value?
Im the same as Loi, i dont have this item (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies) when i traverse regedit, therefore im not sure adding it in will make any difference… would i not expect to be seeing this item already?
Hi Guys,
We want to disable write option in CDROM Drive. Which mean the users can copy data from CD to Harddsik and and prevent copy data from harddisk to CD. how to do this in GPO. (win2003 Server)
Thanks,
To prevent users from copying data to another site, use a filtering proxy (like Dans Guardian), in concert with the firewall to keep unneeded ports closed (IPCOP is a good one).
This solution has been working great for me for years.
You can also prevent USB writing with GPO as noted here: http://www.petri.co.il/disable.....th_gpo.htm
Preventing CDROM write access can be done a couple ways, as noted here: http://groups.google.com/group.....e?lnk=raot
And without privilege elevation, there is no way for a non administrative user to write to the registry. There are several methods to gain this ability from a standard user account, however I would strongly suggest that you not attempt it, as if you don't already know how to do it, and your IT department is anything like mine, they WILL know, and you very likely WILL be fired. Even if you manage to get away with it initially, they WILL find out eventually.
how would you do the same thing in a windows 2000 enviroment.
i cant find the 'StorageDevicePolicies' ???????//
what should i do????????
the registry disabling of the usb is the best thing that ever happened to me. i have a communial laptop and telling one not to pop in their flash is telling them to actually do so, i have a project to work on and they will see it but never copy the damn thing. thanks so much i will always be around.
Wakas.
would this hack disable usb for all users even for the administrator?
is there a hack to disable usb read-write for normal users only? i mean a hack that would require administrative rights to enable usb read-write?
thanks in advance
@DAVE: Of Course, we will all lose our jobs, if we try to write the registry without an admin account. Maybe we will be arrested, too. And then the lethal injection will come and we all have to die ;o)
OK it's great tip. But I am a traveling from system to system only for using my Pen Drive data. It is not possible to change every system registry. Is there any software, which act as "Write Protect Notch" in floppy drive.
hi guyz.
thought bout this already?
with the many people having usb sticks for carrying all their data, i think its important for us to try protecting that data. this is how we do it. we creat a small program that locks the registry and hence the modification of the flash content when i insert the flash and will run in that mode so that i can invoke it while still running to enable writing of specified files then close again. its better than an anti virus coz then the viruses will remain in the host computer wishing they could do something. get your mind working we need to render this viruses jobless. or what is your thought is my approach good enough to handle what i imagine? if not feel free to give me a way to go bout it. Geeks for life
A pointless exercise. An organization can lock down a system as much as they want, but as soon as they provide a cell phone that can use a memory card (i.e. Blackberry), or provide's an employee with a laptop, you can just wave as your data walks out your door. As the adage goes, "if you make 'XYZ' illigal, only criminals will do 'XYZ'."
jus out of curiosity i wus lke to know if a cell phone that can use a memory card like nokia n72 will do the same???
can someone tell me how to get my system sound and all sound back on my computer after installing MagicJack a usb device??