Windows: disable USB storage devices


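Is there a way to programmatically disable USB storage devices while keeping the USB ports functional for other kinds of devices (such as keyboards and mice)?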

Taken from, untested:

Directions for Use:

1.)  Take the following blue text, copy it, and paste it into a text document.  Then, save it as USBSTOR.ADM.

    CLASS MACHINE
    CATEGORY "Custom Policies"
    KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
      POLICY "USB Mass Storage Installation"
       EXPLAIN "When this policy is enabled, USB mass storage device permissions can be changed by using the drop down box.\n\nSelecting 'Grant Permission' will allow USB mass storage devices to be installed.  Selecting 'Deny Permission' will prohibit the installation of USB mass storage devices.\n\nIF REMOVING THIS POLICY: Reset to original setting and let policy propagate before deleting policy."
         PART "Change Settings:" DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
            NAME "Deny Permission" VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
    END CATEGORY

2.)  Open a group policy management console (gpedit.msc), and right click on "administrative templates" under "Computer Configuration".  Select "Add/Remove Templates".

3.)  Browse to the text document you just saved and click OK.  You'll now see "Custom Policies" under "Administrative Templates".  Right click on it, select "View", then select "Filtering".  Uncheck the bottom box, labeled "Only show policy settings that can be fully managed".

4.)  Click ok.  Now you'll see the USB policy available for use under the custom policy heading.  From there, you can enable or disable it just like any other policy.
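
Or (to disable USB storage devices; tested on XP SP3):

    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

(To enable USB storage devices; tested on XP SP3:)

    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 3 /f


  • First, restart your machine
  • Open the registry
  • HKEY_LOCAL_MACHINE
  • SYSTEM
  • CurrentControlSet
  • Services
  • USBSTOR
  • Set it to 4 to disable and to 3 to enable

  • The easiest way is to create a .reg file with the changed registry values and then run a DOS command such as:

    regedit.exe /s pathto.regfile

I haven't tested this, but it looks reasonable. A good point is that if a device has already been used at least once, it makes the required registry edits, which results in the usbstor device being created, and users also get access modifications to the usbstor items. Another thought: it looks like, to enable USB storage for the people who need access, you need to run the command net start usbstor to turn the service on and the command net stop usbstor to turn it off. One problem I found is that trying to restart it is a real pain because access is denied. So once you plan to enable it, you pretty much have to change ownership of the files. However, these changes do not seem to be immediate. Issuing gpupdate does not seem to help; is a reboot required?


We can use the following batch files to disable and enable USB storage.

Disable_usb_storage.bat
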
    @echo off
    
    :: Disable USBstor driver
    reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f
    
    :: USB Read Only Mode
    reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f
    
    :: USB Disable startup
    
    reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Boot /t REG_DWORD /d 0 /f
    
    rem reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v System /t REG_DWORD /d 1 /f
    
    reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v "Auto Load" /t REG_DWORD /d 0 /f
    
    :: Disable read permissions on USBstor driver
    
    :: Remove Access for Users from  files
    
    cacls %SystemRoot%\inf\usbstor.inf /E /R users
    cacls %SystemRoot%\inf\usbstor.PNF /E /R users
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R users
    cacls %SystemRoot%\inf\usbstor.inf /E /D users
    cacls %SystemRoot%\inf\usbstor.PNF /E /D users
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D users
    
    :: Remove Access for System
    cacls %SystemRoot%\inf\usbstor.inf /E /R system
    cacls %SystemRoot%\inf\usbstor.PNF /E /R system
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R system
    cacls %SystemRoot%\inf\usbstor.inf /E /D system
    cacls %SystemRoot%\inf\usbstor.PNF /E /D system
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D system
    
    :: Remove Access for Power Users
    cacls %SystemRoot%\inf\usbstor.inf /E /R "Power Users"
    cacls %SystemRoot%\inf\usbstor.PNF /E /R "Power Users"
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R "Power Users"
    cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users"
    cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users"
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D "Power Users"
    
    :: Remove Access for Administrators
    cacls %SystemRoot%\inf\usbstor.inf /E /R Administrators
    cacls %SystemRoot%\inf\usbstor.PNF /E /R Administrators
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Administrators
    cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators
    cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Administrators
    
    :: Remove Access for EveryOne
    cacls %SystemRoot%\inf\usbstor.inf /E /R Everyone
    cacls %SystemRoot%\inf\usbstor.PNF /E /R Everyone
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /R Everyone
    cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone
    cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone
    
    
    REM ::USB_REG_PERMISSION_changes

    :: If the "enable" parameter is given, skip the registry permission change
    IF [%1]==[enable] GOTO Exit
    :: Create a temporary regini script that changes the permissions on the USBSTOR key
    > "%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [0 0 0 0]
    regini "%Temp%.\u1.ini"
    DEL "%Temp%.\u1.ini"

    :Exit

    :: Leave state

Enable_usb_storage.bat
    
    
    @echo off
    
    :: Enable USBstor driver from registry 
    reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f
    
    :: Enable USBstor READ / Write mode
    reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 0 /f
    
    
    REM :: Restore permissions on the actual USBSTOR files
    
    
    :: Provide Access for Users from  files
    cacls %SystemRoot%\inf\usbstor.inf /E /G users:F
    cacls %SystemRoot%\inf\usbstor.PNF /E /G users:F
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G users:F
    rem cacls %SystemRoot%\inf\usbstor.inf /E /D users
    rem cacls %SystemRoot%\inf\usbstor.PNF /E /D users
    
    :: Provide Access for System
    cacls %SystemRoot%\inf\usbstor.inf /E /G system:F
    cacls %SystemRoot%\inf\usbstor.PNF /E /G system:F
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G system:F
    rem cacls %SystemRoot%\inf\usbstor.inf /E /D system
    rem cacls %SystemRoot%\inf\usbstor.PNF /E /D system
    
    :: Provide Access for Power Users
    cacls %SystemRoot%\inf\usbstor.inf /E /G "Power Users":F
    cacls %SystemRoot%\inf\usbstor.PNF /E /G "Power Users":F
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G "Power Users":F
    rem cacls %SystemRoot%\inf\usbstor.inf /E /D "Power Users"
    rem cacls %SystemRoot%\inf\usbstor.PNF /E /D "Power Users"
    
    :: Provide Access for Administrators
    cacls %SystemRoot%\inf\usbstor.inf /E /G Administrators:F
    cacls %SystemRoot%\inf\usbstor.PNF /E /G Administrators:F
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G Administrators:F
    rem cacls %SystemRoot%\inf\usbstor.inf /E /D Administrators
    rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Administrators
    
    
    
    :: Provide Access for EveryOne
    cacls %SystemRoot%\inf\usbstor.inf /E /G Everyone:F
    cacls %SystemRoot%\inf\usbstor.PNF /E /G Everyone:F
    cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /G Everyone:F
    rem cacls %SystemRoot%\inf\usbstor.inf /E /D Everyone
    rem cacls %SystemRoot%\inf\usbstor.PNF /E /D Everyone
    rem cacls %SystemRoot%\system32\drivers\USBSTOR.SYS /E /D Everyone
    
    
    
    REM ::USB_REG_PERMISSION_changes

    :: If the "enable" parameter is given, skip the registry permission change
    IF [%1]==[enable] GOTO Exit
    :: Create a temporary regini script that restores the permissions on the USBSTOR key
    > "%Temp%.\u1.ini" ECHO HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR [1 5 8 11 17]
    regini "%Temp%.\u1.ini"
    DEL "%Temp%.\u1.ini"
    
    :Exit
    
    
    :: Leave state
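
The USBSTOR Start switch (3 = enabled, 4 = disabled) and the WriteProtect value used in the answers above, with a read-back check and a test for whether the driver is still loaded. This is an added example, not code from any of the answers; it assumes an elevated PowerShell 3.0 or later session, and the function names are hypothetical. Only the USB mass-storage driver is touched, so keyboards and mice are unaffected.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStorageState {
    # Start: 3 = load on demand (enabled), 4 = disabled, as in the answers above.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    # WriteProtect is optional; the key may not exist, in which case $wp is $null.
    $wp = (Get-ItemProperty -Path $PolicyKey -Name WriteProtect `
           -ErrorAction SilentlyContinue).WriteProtect
    # Changing Start does not stop a driver that is already running.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"
    [pscustomobject]@{
        StartValue    = $start
        Disabled      = ($start -eq 4)
        WriteProtect  = ($wp -eq 1)
        DriverRunning = ($driver.State -eq 'Running')
    }
}

function Set-UsbStorageEnabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 3 } else { 4 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Read the value back instead of trusting the write: a restrictive ACL on
    # the key or a policy refresh can leave a different value in place.
    $state = Get-UsbStorageState
    if ($state.StartValue -ne $value) {
        throw "USBSTOR Start is $($state.StartValue), expected $value"
    }
    if (-not $Enabled -and $state.DriverRunning) {
        Write-Warning ('USBSTOR is still running; devices already attached ' +
                       'keep working until they are removed or the machine restarts.')
    }
    $state
}

# Read-only report of the current state.
Get-UsbStorageState | Format-List

# To change the setting:
#   Set-UsbStorageEnabled -Enabled $false   # block USB mass storage
#   Set-UsbStorageEnabled -Enabled $true    # allow it again
```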