Modify registry without HID

0

I am working on a program that will not allow plugging in new USB HIDs but will allow devices like cameras, memory sticks etc. I have accomplished what I need with simple registry entries. Everything was working fine until the system got locked down because, for any reason, HIDs connected to the system were uninstalled.

In this scenario I have working Windows system but it is not possible to connect any HID to it. There are no other ports than USB. I cannot even use system recovery because it is available only by:

  • restarting system with SHIFT held down (no keyboard)
  • failing to start windows 3 times in a row (system boots up fine)
  • using control panel (cannot get there without HID, I guess)

So what are my options to get back from this scenario to working system without having to reinstall Windows? Maybe there is something that I can do before the scenario happens to be prepared for this case?

Also (as stated in the question title) it would solve my case if I could modify registry.

I will not be an administrator of the device so I prefer easier and simplier solutions. However it may be possible to me to connect to the device via the internet. Something like a TeamViewer would work for me but I do not wish to pay for the license.

Filip Hazubski

Posted 2016-06-07T13:51:41.367

Reputation: 117

can you boot from a USB stick? – Harvey – 2016-06-07T14:27:40.877

@Harvey It is okay with me but the simplier and easier to understand by the "average user" the better. – Filip Hazubski – 2016-06-07T14:32:08.610

I'm not sure I understand what you mean by that. So you need a solution to provide to a third-party in the event of a system failure? or are you trying to repair your system currently? If its for a client, you could pre-prepare a bootable USB stick for the client which will they could just boot into if they have any trouble – Harvey – 2016-06-07T14:34:44.327

@Harvey I edited my question. Hardware with the blocked USB will be used by a client and I need a solution in case something goes wrong. USB stick with previously prepared software is a good idea but is not perfect - requires time to create the program and money for the sticks. Maybe create something like a recovery partition? – Filip Hazubski – 2016-06-07T14:41:12.337

Okay, how about creating a PowerShell script to enable USB for a certain time-period every day, Sure its not a perfect solution, but defiantly quick and cheap. For example, a client will have an hour window say at 8pm to plug in a HID and fix? – Harvey – 2016-06-07T14:48:50.843

Also, going down the remote access route, You can use good ol' Microsoft RDP if the device will have a static IP address and you are able to forward port 3389 to the device. Or, create a python client/server script which you could remotely disable the USB blocking – Harvey – 2016-06-07T14:51:38.047

@Harvey Time-based script is worth considering. Good idea! Static IP is fragile but some simple client server script would do. However in this case I need to learn how to make it :) Feel free to post those suggestions as an answer. They are all worth cosidering. – Filip Hazubski – 2016-06-07T14:56:45.873

Answers

2

As discussed in the comments here are some suggestions to combat your problem:

  1. Use of a Bootable USB stick. You could use a Bootable USB with pre-prepared software in order to enter a "panic" mode which would Allow the use of USB Devices, or auto-matically re-configure the machine
  2. A time-sensitive PowerShell Script which will allow a time that USB devices are no longer blocked. Using Windows Task Scheduler you could have a script that could run @ 8pm to enable USB Devices and disable them again @ 9pm. This would give the client access to the machine 1 hour a day to fix or re-configure.
  3. Remote Access. You could use Windows Remote Desktop Connection to hook into the machine and reconfigure the device (We do it with the Intel Compute Sticks!). However this would require that you forwarded port 3389 from the router to the device AND you have a static IP (or Dynamic DNS) set up for that router. Failing this method, you could create a client/server script in Python which would give you some controls remotely without having to worry about port forwarding. There's a great tutorial for how this may work over @ thenewboston - Python Reverse Shell. The concept is to make the client machine contact the server over a TCP connection, server accepts the connection and then you can forward your system commands through to the client..

Harvey

Posted 2016-06-07T13:51:41.367

Reputation: 795

1

I have come up with yet another idea which I decided to implement.

Because I only block HID devices there is no problem with plugging in memory stick. I have created a background process that checks installed drives and looks if there is a specific file in it. If the content of the file is correct the background process modifies the registry and unlocks the OS.

Filip Hazubski

Posted 2016-06-07T13:51:41.367

Reputation: 117

I like this approach +1 – Harvey – 2016-06-14T08:40:28.737

Asked: 2016-06-07T13:51:41.367

Viewed: 64 times

Active: 2016-06-14T06:59:35.400