Restrict device installation using Registry Editor against BadUSB

2

2

In order to take some measures against the BadUSB exploit, I want to restrict USB device installations on Windows 8, as suggested here.

However, gpedit.msc, which opens the Local Group Policy Editor, is not available in Windows 8. The price of the Pro upgrade (450₺) is not close to being reasonable in my opinion, and I wonder if I can change the following settings using Registry Editor.

  1. Prevent installation of devices using drivers that match these device setup classes:

    • 4d36e96b-E325-11CE-BFC1-08402BE10318 – this one controls the automatic installation of USB keyboards.
    • 4D36E972-E325-11CE-BFC1-08012BE10318 – this one corresponds to the NIC (network interface controller)
    • e0cbf06c-cd8b-4647-bb8a-263b45f0f974 – this one is for Bluetooth.
  2. Allow administrators to override Device Installation Restrictions policies

I could not find these settings here.

If this is not possible via Registry Editor, can you suggest an alternative solution? ("Not using USB ports at all" is not an option.)

Teo

Posted 2015-09-03T13:59:23.633

Reputation: 705

1

If users are local machine user administrators, then any solution outside of a group policy on a domain, can be overridden by them. Even then the entire point of BadUSB, is that the device reports to the OS what it is, so even the solution you describe is not effective against protecting against it. The best way is to only allow specific USB devices registered by an Administrator, with everyone else, not being an Administrator. This solution can only be done through a group policy though. – Ramhound – 2015-09-03T14:04:53.450

There will only be 1 admin user and 1 standard user. Both will be controlled by me. – Teo – 2015-09-03T14:08:48.377

Still does not change the fact, if you only allow USB keyboards, a BadUSB flash device which reported to be a keyboard, would still infect your system. – Ramhound – 2015-09-03T14:12:40.083

I plan to only allow USB storage devices. I want to disable keyboard and mouse installations. I suppose this will prevent BadUSB. – Teo – 2015-09-03T14:18:31.267

1

I've found an alternative solution, a free program to prevent keyboard installation. It is called "G DATA USB Keyboard Guard". Thanks to this program, the user is asked to grant access when a new keyboard device is found. I haven't tried it. To download: https://www.gdata.de/de-usb-keyboard-guard#c105387

– Teo – 2015-09-03T15:12:43.043
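
The two policies listed in the question are stored as values under the `DeviceInstall\Restrictions` policy key, so they can be written without gpedit.msc. The PowerShell below is an added example, not part of the original question or answers; it assumes an elevated session and that this Windows edition honours the policy values, which the page does not confirm. It resolves the class GUIDs from the machine's own class list by name instead of typing them by hand.

```powershell
# Added example: run from an elevated PowerShell session.
# Registry location of the Device Installation Restrictions policies.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$classRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

# Setup classes to block, by class name (the three classes named in the question).
$blockNames = 'Keyboard', 'Net', 'Bluetooth'

# Resolve each class name to its GUID from this machine's own class list,
# so a mistyped GUID cannot silently produce a rule that matches nothing.
$guids = foreach ($key in Get-ChildItem -Path $classRoot) {
    $class = (Get-ItemProperty -Path $key.PSPath -Name Class -ErrorAction SilentlyContinue).Class
    if ($blockNames -contains $class) { $key.PSChildName }   # key name is "{guid}"
}
if (@($guids).Count -ne $blockNames.Count) {
    throw "Resolved $(@($guids).Count) of $($blockNames.Count) classes; nothing written."
}

# Policy 1: "Prevent installation of devices using drivers that match
# these device setup classes". -Force also resets any earlier list.
New-Item -Path "$restrictions\DenyDeviceClasses" -Force | Out-Null
Set-ItemProperty -Path $restrictions -Name DenyDeviceClasses -Value 1 -Type DWord
# 0 = do not apply to devices that are already installed, so the keyboard
# currently in use keeps working.
Set-ItemProperty -Path $restrictions -Name DenyDeviceClassesRetroactive -Value 0 -Type DWord
$i = 1
foreach ($g in $guids) {
    # The list is stored as string values named 1, 2, 3, ...
    Set-ItemProperty -Path "$restrictions\DenyDeviceClasses" -Name "$i" -Value $g -Type String
    $i++
}

# Policy 2: "Allow administrators to override Device Installation
# Restrictions policies".
Set-ItemProperty -Path $restrictions -Name AllowAdminInstall -Value 1 -Type DWord

# Read the result back for review.
Get-ItemProperty -Path $restrictions, "$restrictions\DenyDeviceClasses"
```
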

Answers

2

Local Group Policy Editor is not available in Windows 8

I used the following procedure to successfully install gpedit.msc on Windows 7 64 bit Home Premium.

It apparently works on Windows 8 and Windows 8.1 as well.

UPDATE: According to some readers, this tool also works fine in Windows 8 and Windows 8.1.

Today we are going to share a simple installer which installs the required system files in Windows so that you can enjoy Group Policy Editor in all Windows 7 editions.

  1. First download the setup file using following link:

    Download Group Policy Editor Installer

    You'll find the download link in right-side section of the above mentioned page.

  2. After downloading the ZIP file, extract it using WinRAR or 7-Zip.

  3. Run the extracted setup.exe file.

    It will install the files and you'll be able to access gpedit.msc command via RUN or Start Menu search box.

Note:

  • For Windows 7 64-bit (x64) users! You'll also need to go to "SysWOW64" folder present in "C:\Windows" folder and copy "GroupPolicy", "GroupPolicyUsers" folders and gpedit.msc file from there and paste them in "C:\Windows\System32" folder.

If you are getting "MMC could not create the snap-in" error message while running gpedit.msc, check out following steps to fix the problem. Basically it happens when your username in Windows contains more than one word.

  1. Run the installer and leave it at the last step (do not click on the "Finish" button).

  2. Now go to C:\Windows\Temp\gpedit\ folder.

  3. If you are running 32-bit (x86) edition of Windows 7, right-click on x86.bat file and choose "Open With -> Notepad" option. If you are running 64-bit (x64) edition of Windows 7, right-click on x64.bat file and choose "Open With -> Notepad" option.

  4. You'll find a total of 6 lines containing the following string in the file:

    %username%:f

  5. Edit those lines and replace %username%:f with "%username%":f

For example:

Original: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f`

New: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r "%username%":f`

  6. Save and run the file (right-click -> Run as Administrator).

  7. That's it. You'll have working gpedit.msc.

Source How to Enable "Group Policy Editor" (gpedit.msc) in Windows 7 Home Premium, Home Basic and Starter Editions?


Could you please provide the content of x64.bat file?

```bat
@echo off
echo x64
takeown /f %WinDir%\SysWOW64\gpedit.dll
icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fde.dll
icacls %WinDir%\SysWOW64\fde.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\gptext.dll
icacls %WinDir%\SysWOW64\gptext.dll /grant:r %username%:f
echo.
echo.

takeown /f %WinDir%\SysWOW64\appmgr.dll
icacls %WinDir%\SysWOW64\appmgr.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fdeploy.dll
icacls %WinDir%\SysWOW64\fdeploy.dll /grant:r %username%:f

IF NOT EXIST %WinDir%\SysWOW64\GPBAK\NUL MKDIR %WinDir%\SysWOW64\GPBAK
takeown /f %WinDir%\SysWOW64\GPBAK\*
icacls %WinDir%\SysWOW64\GPBAK\* /grant:r %username%:f

IF EXIST %WinDir%\SysWOW64\gpedit.dll copy %WinDir%\SysWOW64\gpedit.dll %WinDir%\SysWOW64\GPBAK\gpedit.dll
IF EXIST %WinDir%\SysWOW64\fde.dll copy %WinDir%\SysWOW64\fde.dll %WinDir%\SysWOW64\GPBAK\fde.dll
IF EXIST %WinDir%\SysWOW64\gptext.dll copy %WinDir%\SysWOW64\gptext.dll %WinDir%\SysWOW64\GPBAK\gptext.dll
IF EXIST %WinDir%\SysWOW64\appmgr.dll copy %WinDir%\SysWOW64\appmgr.dll %WinDir%\SysWOW64\GPBAK\appmgr.dll
IF EXIST %WinDir%\SysWOW64\fdeploy.dll copy %WinDir%\SysWOW64\fdeploy.dll %WinDir%\SysWOW64\GPBAK\fdeploy.dll
IF EXIST %WinDir%\SysWOW64\gpedit.msc copy %WinDir%\SysWOW64\gpedit.msc %WinDir%\SysWOW64\GPBAK\gpedit.msc

copy gpedit.dll %WinDir%\SysWOW64\gpedit.dll
copy fde.dll %WinDir%\SysWOW64\fde.dll
copy gptext.dll %WinDir%\SysWOW64\gptext.dll
copy appmgr.dll %WinDir%\SysWOW64\appmgr.dll
copy fdeploy.dll %WinDir%\SysWOW64\fdeploy.dll
copy gpedit.msc %WinDir%\SysWOW64\gpedit.msc

IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy
IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\adm\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy\adm

copy system.adm %WinDir%\SysWOW64\GroupPolicy\Adm\system.adm
copy inetres.adm %WinDir%\SysWOW64\GroupPolicy\Adm\inetres.adm
copy conf.adm %WinDir%\SysWOW64\GroupPolicy\Adm\conf.adm
copy wmplayer.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wmplayer.adm
copy wuau.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wuau.adm

regsvr32 /s %WinDir%\SysWOW64\gpedit.dll
regsvr32 /s %WinDir%\SysWOW64\fde.dll
regsvr32 /s %WinDir%\SysWOW64\gptext.dll
regsvr32 /s %WinDir%\SysWOW64\appmgr.dll
regsvr32 /s %WinDir%\SysWOW64\fdeploy.dll
```

DavidPostill

Posted 2015-09-03T13:59:23.633

Reputation: 118 938

I am curious about what this program is actually doing, what does it change on the system. I have a Win 10 Pro copy on another computer. I tried but simple copy & paste gpedit.msc and gpedit.dll files to SysWOW64 and System32 folders did not work, I get MMC error. Could you please provide the content of x64.bat file? – Teo – 2015-09-03T14:40:55.547

@dx486 Sure. Fortunately I haven't done a clean up recently ;) See updated answer. – DavidPostill – 2015-09-03T14:44:43.980

@dx486 It needs more DLLs than just gpedit.dll. Contents added to answer. – DavidPostill – 2015-09-03T14:45:40.230

Thank you for your answer and for additional info about batch file contents. I will firstly try to solve this by copying all files and running this batch file. I will let you know the result. – Teo – 2015-09-03T14:49:40.903

@dx486 Good luck! ;) Let us know how you get on. – DavidPostill – 2015-09-03T14:50:51.457