0

I need some help putting together the pieces to do this:

  1. Run a script or program that disables USB storage devices.
  2. Log any blocked device mounting to the system event log.
  3. Run a second script or program (or cancel the running program from step 1) and re-enable USB storage devices.

(My app is run on PCs in public labs to create a restricted access "sandbox" in which a user takes a test. I need to block USB storage devices to prevent cheating)

My constraints:

  1. My solution will be executed against public computers that I do not have control over. Anything that requires a reboot, modifying the BIOS, or physically altering the computer won't work.
  2. I can assume that the solution will be executed as an admin, but bonus points if it works for a non-admin.
  3. Only worried about Windows XP right now. Bonus points for Vista or Win7 compatibility.

Partial solutions:

  1. Block automatic mounting of devices via KB 823732. Quick and easy, but:

    • I don't get notified when a device is blocked. (I want to know if someone even tries to cheat, even if they are blocked)
    • According to this article, if the USB Storage driver is not already installed then the Plug-N-Play system will install it on first use, overwriting the registry key and enabling access

  2. Disable USB storage via Group Policy (KB 555324).

    • Can I script the application of these policies to the local computer at runtime, without a reboot?
    • How easily can I revert the policy to its prior state when I'm done?
    • Will blocked devices show up in the security log?

  3. Modify ACLs for USBSTOR.SYS, as shown in this SF question]4.

    • If I deny rights to the file for the current class of user, will my revert script be able to grant the rights back?
    • If I deny rights to the file, how do I make sure that any device mount attempts are recorded in the security log?

I'm open to solutions in .NET or using batch file or powershell scripts.

(Note: this is related to my similar, bountied Stack Overflow question. If you care about SO rep, feel free to answer there as well)

Community
  • 1
Seth Petry-Johnson
  • 143
  • 1
  • 7

1 Answers1

1

to implement group policy you do not need to reboot. Running gpupdate /force (twice) at the client is enough (use psexec for that, for instance).

If you want to revert the policy, just unlink it from the ou and re-run gpupdate /force on the client (again with psexec).

If the computers are not in AD and you cannot implement group policies, you still can get the same results with register imports. Take a look at the adm template you would use in AD and import the register changes with reg.exe and psexec. Another option would be using wpkg (http://wpkg.org) where you have a xml definition of actions for installing/deinstalling stuff. It works great and costs nothing.

natxo asenjo
  • 5,641
  • 2
  • 25
  • 27
  • Thanks for the replies. After some research I discovered that the .adm templates I was trying to set via GP end up modifying the same registry keys as referenced in KB 823732. Since I'm doing this on a per-PC basis (e.g. I don't have an AD controller controlling the show) I think the easiest solution for me is to just manage the UsbStor reg key via a script of some sort. Thanks! – Seth Petry-Johnson Feb 22 '10 at 18:07
  • Marking this as the correct answer because (1) its the only answer, and (2) it answered at least _part_ of my question. – Seth Petry-Johnson Feb 22 '10 at 18:08