HKLM\System\CurrentControlSet\Services\UsbStor\Start=4 doesn't work on external SSD?

  • Question

  • To block USB Storage I have set the reg-key HKLM\System\CurrentControlSet\Services\UsbStor\Start=4

    This works well on all USB Pen Drives, as it blocks access to them.

    However, recently I bought a Samsung T3 external SSD, and when I connect it to USB, I can see the SSD and read/write, i.e. access to it is not blocked.

    What is the matter, is that by design?

    Btw, I do save my File History to that SSDrive, that might be related, I don't know.

    Thursday, February 23, 2017 3:15 PM

Answers

  • Hi,

    We have two ways to block read/write access to USB in Windows 10:

    1# Using Group Policy

    If you want to block access to removable devices for ALL Windows accounts, navigate to this location instead:

    Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

    Double-click on the policy Removable Disks: Deny read access, and set it to Enabled.

    2# Using Registry

    In the Registry Editor, navigate to this key instead:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices

    In the left pane, right-click on RemovableStorageDevices, select New -> Key and type in {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.

    {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is the GUID of the generic USB storage device.

    In the right pane, right-click on an empty area and select New -> DWORD (32-bit) Value and type Deny_Read and press Enter, modify its value to 1.

    If you want to deny write access, create a new value Deny_Write and set its value to 1.

    http://www.top-password.com/blog/block-read-write-access-to-usb-or-cd-drive-in-windows-10-8-7/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards



    Friday, February 24, 2017 7:17 AM
    Moderator
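
The registry steps in the answer above, scripted in PowerShell as an added example (not part of the original answer). The function name Set-RemovableDiskPolicy is hypothetical; the key path, GUID and value names are the ones the answer gives, and the script assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: creates the policy key from the answer and sets Deny_Read / Deny_Write.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # GUID quoted in the answer

function Set-RemovableDiskPolicy {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [bool]$DenyRead  = $true,
        [bool]$DenyWrite = $true
    )
    $key = Join-Path $PolicyRoot $DiskClass

    # "New -> Key": create the GUID subkey (and its parent) if it is missing.
    if (-not (Test-Path -LiteralPath $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # "New -> DWORD (32-bit) Value": 1 denies access, 0 allows it.
    $values = [ordered]@{ Deny_Read = [int]$DenyRead; Deny_Write = [int]$DenyWrite }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($values[$name])")) {
            New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
                -Value $values[$name] -Force | Out-Null
        }
    }

    # Read the values back so the caller sees what is actually stored.
    Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue |
        Select-Object Deny_Read, Deny_Write
}

# Dry run: prints what would change without touching the registry.
Set-RemovableDiskPolicy -WhatIf
```

Drop `-WhatIf` to apply the values; `Set-RemovableDiskPolicy -DenyRead $false` leaves the disk readable but write-protected.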

All replies

  • Why don't you use the group policy?
    Computer Configuration\Administrative Templates\System\Removable Storage Access
    Deny All Access to Removable Devices or Media
    Thursday, February 23, 2017 8:16 PM
  • Hi,

    Many thanks for all answers!

    I don't use the policies because I don't know how to set these automatically. 
    My goal is to have my USB ports locked by default, unlock them by running an App that I am writing that unlocks the ports for say 30 seconds, during which one can insert a USB device, and have the ports relocked again after the 30 secs, and ideally such that the just inserted USB device is still accessible. 
    This is achieved by toggling the HKLM\System\CurrentControlSet\Services\UsbStor\Start=4 to 3 and back to 4, except with the problem mentioned above that an SSD and maybe many other types of devices can still read/write.

    Proposed solutions: 
    Setting the group policy leads to a reg-key, the setting of which I can automate:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All=1

    The other proposal, which sets HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read/Write=1, also works fine. Except both still allow access to storage of an iPad, although I find it strange, but I don't mind too much, since then I can still use my iPad as second/third screen using Duet.

    By setting these values Deny_XXX from 0 to 1, USB devices that were already inserted before the Deny_XXX's were set to 1 are disabled, and that's a bit unfortunate. It is a cool feature of setting HKLM\System\CurrentControlSet\Services\UsbStor\Start that setting it from 3 (enabled) to 4 (disabled) leaves already inserted USBs enabled, but disables later insertions.

    Friday, March 3, 2017 1:45 PM
  • Hi,

    Sorry to say, but this does not entirely work unless the Windows service "portable device enumerator" is running.
    If that service is disabled you can simply access all USB flash drives. - seen on Windows IoT Enterprise 2016.

    Best regards,
    Robin

    PS: It would be great if Microsoft confirms this as a bug and fixes it.

    Friday, March 22, 2019 10:26 AM
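
A read-only audit of the settings this thread discusses, as an added example that is not from any of the posters. The function names are hypothetical, and WPDBusEnum is assumed to be the service name behind the "portable device enumerator" mentioned in the last reply; the notes it prints only restate what the posts above report.

```powershell
# Added example: reports the state of each USB-storage control named in the thread.
$Policy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # GUID quoted in the answer
$WpdSvc    = 'WPDBusEnum'   # assumption: service name of "Portable Device Enumerator"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UsbStorageLockState {   # hypothetical helper name
    $svc   = Get-Service -Name $WpdSvc -ErrorAction SilentlyContinue
    $class = Join-Path $Policy $DiskClass
    $state = [ordered]@{
        UsbStorStart = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' 'Start'
        DenyAll      = Get-RegDword $Policy 'Deny_All'
        DenyRead     = Get-RegDword $class 'Deny_Read'
        DenyWrite    = Get-RegDword $class 'Deny_Write'
        WpdService   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    }

    # A Deny_* policy counts as active when Deny_All is 1 or both per-class values are 1.
    $policyOn = ($state.DenyAll -eq 1) -or
                ($state.DenyRead -eq 1 -and $state.DenyWrite -eq 1)

    $notes = @()
    if ($state.UsbStorStart -eq 4 -and -not $policyOn) {
        $notes += 'UsbStor Start=4 only: the question reports an external SSD staying accessible.'
    }
    if ($policyOn -and $state.WpdService -ne 'Running') {
        $notes += "Deny_* set but $WpdSvc is not running: a reply reports flash drives staying accessible."
    }
    if (-not $policyOn -and $state.UsbStorStart -ne 4) {
        $notes += 'None of the controls from this thread is active.'
    }
    $state.Notes = $notes -join ' '
    [pscustomobject]$state
}

Get-UsbStorageLockState | Format-List
```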