• home
  •  > 
  • News
  •  > 
  • Disabling USB through the registry. How to properly enable usb ports in BIOS

Disabling USB through the registry. How to properly enable usb ports in BIOS

In fact, there are quite a few ways. Each of them has its own advantages, and some are not at all interchangeable.

Who needs it?

First of all, administrators. And also if the computer is used by several users.

Why is this necessary?

For security, for privacy, for limiting the capabilities of other users.

My material, as usual, is divided into two parts: system tools and third-party programs (plus small inclusions of my personal opinion).

How to prohibit the use of flash drives?

Directly in Windows OS, this task can be performed using the Group Policy Editor (GPO) and the registry. In addition, you can disable the ports themselves in the BIOS. All this has the added benefit of external software, which I’ll talk about at the end.

Ineffective ways to ban flash drives

In order not to dwell on this later, I will immediately point out several methods that are clearly ineffective, although there is plenty of information about them on the Internet.

  • Physically disabling ports. This, of course, is cool, but there are other ports and adapters for them. Besides, for some reason everyone forgets about the mouse, keyboard, speakers, etc.
  • Removing USB drivers has no effect. The system itself will offer to install them, either from the network or from the drive itself.
  • Banning flash drives in the Group Policy Editor (simply ban each new device by ID). It is better to ban everything and allow the necessary ones, as I will show exactly how below.

I’ll probably start with the Group Policy Editor, since I think this method is the most convenient and effective among the other system ones.

Banning flash drives in the Group Policy Editor

We need to go to GPO. Open the command line (type “cmd” in the search, right-click, run as administrator).

At the command line, type gpedit.msc and press Enter.

The GPO window will open. Now let's move on to the section where we configure the policies we need - “Access to removable storage devices”. Click on it and existing policies will appear on the right.

In this case, we are interested in policies regarding removable media. However, here you can configure work with disks (CD, DVD, floppy), tape drives and other devices.

Also, it is very convenient to be able to choose what exactly needs to be prohibited. For example, in order to save information, you can prohibit recording.

To do this, right-click on the corresponding policy and select “Edit”.

Now select the Enable command and click Apply.

When trying to copy any file to a removable drive, the user will not be able to do so (unless he is a member of the Administrators group). He will see this message.

The same principle applies to other functions (reading, launching).

There is also a policy that disables all classes of devices. That's what it's called.

Access only certain devices

The method above is the simplest. However, if you have only a few media that are used in working with your PC, then you can create a white list.

To do this you need:

  • know the device GUID
  • apply two policies in GPO

Finding the GUID of the USB drive

First, install the device in the USB port, then using the command shown below, go to the “Device Manager” (or, as usual, through the “Control Panel”).

Find your device in the “Portable Devices” section and open its properties.

Go to the "Properties" tab, select the class "GUID" property from the list and copy its value.

We configure the necessary policies. Now let's move on to GPOs. Open the same directory as above – “System”. But now go to “Device Installation – Device Installation Restrictions”.

In the list of policies, we need two highlighted ones. You just turn on the second one.

In the first, you also set the GUID values ​​of devices that are allowed.

Copy the GUID value here (to make the cursor appear, click in the field 2 times).

Now only these devices will be able to start. If you insert other devices, they simply will not be visible.

NOTE. In addition to a policy with a global identifier (GUID), you can also use a policy with a regular ID. However, for some reason it did not work for me (I assume it was due to the OS version). It works exactly on Windows 7 – I used it myself a few years ago.

Banning flash drives in the Windows Registry

Prohibiting the use of flash drives can also be done using the Windows Registry. I would like to immediately note that this method only works when the USB driver is installed. If you do everything described below when it is not yet installed, then when you connect any drive, you will be prompted to install this driver. And the value changed previously will change back to the standard settings.

This method works on all Windows operating systems. However, it is most relevant for Windows XP, since there is no Group Policy Editor there. Therefore, the example will be shown in the environment of this system. So let's continue.

First, open the registry. At the command prompt, type "regedit" and press Enter.

Now go to this registry branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

As you can see, there are several options there. One of them is “Start”. It determines how the USB drive is accessible (for any operations, for reading, writing, etc.). Currently set to 3. If you change it to 4, the drives will become completely unavailable. This is what we need.

Click 2 times and change the value to 4.

Now when connected, the device simply will not appear.

HEALTHY! On admin forums, many write that the method does not work. However, this is not true. It’s just that they often try to use it in domain groups of computers in an organization. And there, as you can guess, the OS on all PCs is not updated: on some XP, on others seven, and on some even 2000. So, these systems simply do not yet have some protocols and tools, as a result, the value on the admin computer, and after it and on all the others, it is reset to the standard.

How to disable USB ports in BIOS

Another way to prevent the use of flash drives is to disable USB ports in the BIOS. It's not difficult to do this. However, from my point of view, it is not effective enough. Although, if you consider that most users have no idea not only that ports can be disabled there, but also how to access them, then maybe this is a convenient and fast way.

First, you need to figure out why you might need to disconnect USB ports on your computer. Everything is quite simple here. With the advent of miniature data storage devices operating via USB, a need arose to prevent data leakage from computers. Using a regular flash drive or portable hard drive, you can easily steal any information. To prevent such incidents, it is necessary to completely disable USB ports. Of course, everyone may have their own reasons for disabling ports, but this is not so important. Below are several ways to disable USB ports on your computer.

Disable USB ports in BIOS settings

In fact, everything is quite simple: go to the BIOS settings and disable all ports, or those that are necessary. The caveat is that at the moment there are several versions of BIOS, and disabling ports in each is sometimes different.

BIOS Award. Go to the BIOS settings and select the item Integrated Peripherals. Let's go to this menu. Next, we simply find the points: USB EHCI Controller, USB Keyboard Support, USB Mouse Support and Legacy USB storage detect and disable them by selecting the option Disabled. Then we simply save the settings and restart the computer;

Phoenix Award And AMI BIOS. Go to settings and select the item Advanced (sometimes some versions may have a Peripherals item) or Advanced BIOS Features. Next we go to the menu USB Configuration. Next, turn off all USB items, save the settings and restart the computer;

UEFI. More modern panel. Go to the menu Peripherals or Advanced. Selecting items Legacy USB Support And USB 3.0 Support and turn them off. Next, save the settings and restart the PC.

Note! In some versions, the menu items may have slightly different names, but that's okay, just go through all the menus and find the USB settings.

Disable USB using the registry

This is a more suitable way. In the registry, you can disable the access of USB ports to specific devices, but not the ports themselves. At a time when almost everything is connected via USB, including a mouse and keyboard, this method will be preferable. You can simply disable port access specifically to flash drives, but the computer mouse will still work fine.

Open the registry editor: keyboard shortcut Win+R, enter the command regedit and click OK. Next, move on to the next section:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Find an item Start. Open it and enter the value 4 . Save the settings and restart your computer. This section blocks access of external drives to the port.

Note! If USB controller drivers are not installed on the computer, then the value Start will automatically change to the value 3 as soon as the device is connected to the port.

Disable USB via Device Manager

Open device Manager: right click on My computer, open Properties, Further device Manager. Open the menu USB controllers. Right-click and select the item from the context menu Disable.

Important! The option of removing drivers for USB controllers will not work, since the first time you connect the device to the port, Windows will begin installing the drivers.

Disable USB using Windows files


Denying access using the Local Group Policy Editor


You can also ban reading and writing.

Additionally

It is also worth mentioning that there are two more ways to restrict access to ports: limit access using third-party programs and physically disabling the ports.

There is plenty of third-party software on the Internet, and each one is configured differently, so there is no point in describing this method in the article. All you need is to find the desired program and instructions for it.

As for physically disabling ports, this method will only work with ports on the front panel of the system unit. Open the system unit and carefully disconnect the wires going to the ports.

Bottom line

Whatever the reason for the need to disable USB ports, now you know how to do it.

In fact, this function has been available since Windows 7 and, by and large, the procedure has not changed since then. Let's look at it using the current version of Windows 10 as an example. As a rule, by default, the function of temporarily disabling the USB port is activated at least for the energy saving mode. Actually, in order to save battery, the system pauses the operation of USB ports during idle moments, so the corresponding settings can be found in the “Power Options” section of the system Control Panel.

We have already discussed how to open the Control Panel in Windows 10 Creators Update. The most convenient way is to use the search bar on the taskbar, where you just need to type “Control Panel”, in which go to the “Power Options” section (if the category display mode is turned on, then first You must click on “Hardware and Sound”). In the window that opens, go to the settings of the desired power supply scheme.

On the next screen, you need to click on “Change advanced power settings.”

A new window will open with a complete list of additional parameters, in which you need to find the item USB Options > Temporarily Disable USB Port Option and set the value "Forbidden", then click OK to save the changes. The function is turned back on in the same way.

It is worth noting that the above example is not a panacea for all possible problems associated with the operation of USB devices; the reasons can be very different, but nevertheless it can help in situations where the problem is related to the operation of this function.

In some situations it may be necessary disable portsusb, which involves two questions: “how to do this?” and “why is this necessary?” Let's try to figure out the second question first, and then consider in detail the procedure for disabling USB ports.

Why disable USB ports?

If your computer is not accessible to other people, then you most likely will not be interested in how to disable USB ports. Otherwise, the value of this type of information will be undoubted, since it is related to security.

Any external device connected to a particular USB port may contain malicious code that can create conditions for leaking confidential information. Therefore, when using one PC by several people, including family members who, unknowingly, can use a “left” flash drive and introduce “malware”, you should take care to temporarily disable the USB ports.

How to disable USB ports on a computer?

There are several ways to achieve the goal. We will not consider them all, but will focus on one, which involves the use of editing the registry. In particular, you will need to find the required object within the registry and change only one parameter. For this:

  1. Open the registry, which can be achieved by opening the Run window (Win + R), then entering the regedit command in the search bar and clicking on the OK button.
  2. Find the USBSTOR folder in the following path:
  • HKEY_LOCAL_MACHINE;
  • SYSTEM;
  • CurrentControlSet;
  • services.
  1. Clicking on the USBSTOR folder will cause parameters to appear, among which you should be interested in only one of them – Start.
  2. Right-click on the line with the Start parameter and go to the “Edit...” section of the menu that opens.
  3. A window will become available in which you need to change the value “3” to the value “4” and then click on the OK button.
  4. At this point the task can be considered completed.


The actions described above will lead to the fact that the USB ports will be disabled, that is, the system will be able to see the connected drives, but the execution of any programs recorded on them will become impossible. To return the system to its original state, it is enough to set the Start parameter to the value “3”.

How to disable a specific USB port?

To disable a specific USB port, you can access the “Device Manager” options:

  • use a keyboard shortcut such as Win + Pause to open the “System” section;
  • in this section on the left there is a link “Device Manager”.

In the selected section, find “USB Controllers”, then the required port and open its properties: right-click, which involves calling up a menu where the bottom line is “Properties”. To disable the selected USB port, open the “Driver” tab and use the “Disable” button.