2

I am working with POS systems where we do not want employees to plug in USB drives, keyboards, mice, or ANYTHING into the ports.

I have looked for many solutions to permanently disable the power to / operation of USB ports. Cannot find anything too effective.

I've noticed there are usually multiple "USB Root Hubs" / "Generic USB Hub" / "Intel Host Controllers" depending on each individual PC. Working in Win 7, but doubt that it matters.

Is there a way to effectively totally remove USB usability, including keyboard & mouse?

Preferably a VBScript, PowerShell script, or batch command, since it will be pushed across hundreds of PCs?

Edit: Uninstalling does exactly what I need. How would I create a PowerShell script to uninstall these drivers?

Currently starting with:

```powershell
$hubs = Get-WmiObject Win32_USBHub
```

which returns:

```
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\ROOT_HUB30\7&AF4FDB&3&0"
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\VID_2109&PID_0210\8&256E5DBF&0&3"
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\ROOT_HUB30\4&1097135A&4&0"
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\VID_0D62&PID_910E\5&1F94A3C&1&1"
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\VID_1532&PID_0233\5&1F94A3C&1&8"
\LAPTOP-CFDT09FN\root\cimv2:Win32_USBHub.DeviceID="USB\VID_2109&PID_2210\5&1F94A3C&1&11"
PS C:\Users\Will.Davis>
```

Will
  • "Is there a way to effectively totally remove USB usability, including keyboard & mouse?" - You can configure the appropriate group policy so only USB devices you define can be used. However, this would not prevent a USB Killer; only blocking the port itself would prevent that. How you allow specific USB devices through a group policy is a well-documented topic; not knowing where you are stuck in that process makes it difficult to help you implement that solution. – Ramhound Oct 31 '19 at 20:00
  • Right, I should have mentioned that these PCs do not have a group policy enabled on them. Not entirely sure why. I'm a JavaScript developer not a sys-admin so the whole process has been half-drenched confusion - I am a script guy to them which has turned out to be almost everything they need..... Don't think they're concerned about "Killers". My options seem to be 1. use a .vbs key macro script to uninstall drivers (multiple configurations sadly) 2. download devcon on the machines and write a Powerscript function. – Will Oct 31 '19 at 20:05
  • You can use a group policy even on a local machine not connected to a domain controller. The only question would be if the edition of Windows you are using would honor the policy. At the end of the day the policy just creates a registry key anyways. – Ramhound Oct 31 '19 at 20:13

3 Answers

1

Disabling all "USB Root Hubs" should disable all USB ports. This will remove most of the other USB items from below "Universal Serial Bus controllers"; there may be one or more remaining USB options that will also need to be disabled.

devcon is a useful utility for manipulating devices.

This can also be done using the following .reg script:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000
```

You might also be interested in the PowerShell script at usbManager.ps1.

harrymc
  • Thank you for the reply. Problem is this only removes the ability to use USB storage devices, and does not affect the functionality of things like keyboards... I will edit my answer to see if you have any further thoughts. Thanks – Will Oct 31 '19 at 18:34
  • As far as I know, both should block USB ports, not only storage. There are other hacks for storage only. – harrymc Oct 31 '19 at 18:48
  • I'm looking into devcon more and more. That registry script... do I need to restart my PC to see changes? I need to essentially perform the right click uninstall action across the ports. Devcon seems to be the only way..... or is it? – Will Oct 31 '19 at 19:28
  • I was able to get the .INF file names with ```Get-CimInstance win32_PnPSignedDriver | Where-Object {$_.DeviceClass -eq "USB"} | Select-Object -ExpandProperty InfName``` which returned ```usbhub3.inf usbhub3.inf usbxhci.inf usbhub3.inf usb.inf usb.inf usbhub3.inf usbxhci.inf``` None of these begin with "oem" meaning I can't use ```pnputil.exe``` to delete them.. Is there a way around it? – Will Oct 31 '19 at 19:36
1

Get a hot glue gun, and put hot glue in the USB sockets.

K7AAY
  • 1
    Good luck ever getting that out if you ever need to. – Moab Oct 31 '19 at 18:59
  • 1
    Short of opening the case, this is probably the only way to protect against USB Killers. – Dawn Benton Oct 31 '19 at 19:38
  • Hmm... don't think that would fly, sadly. Seems like it's either write vbs keymacros for 3 different systems to uninstall or download devcon and do it the right way. – Will Oct 31 '19 at 19:45
0

I can confirm that if you have PowerShell 5.1 (which does not come natively in Win7, you would have to update), this command will disable all USB ports:

```powershell
Get-PnpDevice -Class USB | Disable-PnpDevice
```

In my case it threw a lot of errors but worked. But only after I restarted the machine.

I forgot that I tested this 3 days ago for your question. This night Windows Update restarted my computer, and when I came to work in the morning I couldn't use my USB mouse and keyboard anymore.

```powershell
Get-PnpDevice -Class USB | Enable-PnpDevice
```

This will restore your USB devices to normal again.

SimonS
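
An unattended variant of the one-liner above, as an added example that is not part of any answer on this page: it suppresses the per-device confirmation prompt, records one outcome per device instead of a stream of console errors, and reports the `USBSTOR` `Start` value from the .reg file in the first answer. It assumes an elevated session and that the PnpDevice module (`Get-PnpDevice`) is present; the function names and the CSV path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; assumes the PnpDevice module (Get-PnpDevice) is available.
# Disable-UsbClassDevice and Get-UsbLockdownReport are hypothetical names.

function Disable-UsbClassDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($dev in Get-PnpDevice -Class USB -PresentOnly) {
        $outcome = 'Skipped (WhatIf)'
        if ($PSCmdlet.ShouldProcess($dev.InstanceId, 'Disable-PnpDevice')) {
            try {
                # -Confirm:$false: no per-device prompt during unattended runs
                Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
                $outcome = 'DisableRequested'
            } catch {
                # Record the failure per device instead of flooding the console
                $outcome = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            Outcome      = $outcome
        }
    }
}

function Get-UsbLockdownReport {
    # Start = 4 is the value the .reg file in the first answer writes
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    $devices = @(Get-PnpDevice -Class USB -PresentOnly)
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        UsbStorStart    = $svc.Start
        UsbClassDevices = $devices.Count
        StillWorking    = @($devices | Where-Object { $_.Status -eq 'OK' }).Count
    }
}

Disable-UsbClassDevice -WhatIf | Format-Table -AutoSize   # dry run only
Get-UsbLockdownReport
# Unattended run with a per-machine log (path is a placeholder):
# Disable-UsbClassDevice | Export-Csv -Path C:\Temp\usb-disable.csv -NoTypeInformation
```

Run `Get-UsbLockdownReport` again after the next reboot, since the answer above reports that the change only took effect after a restart. Keep a remote management path to each machine before the real run, because the locally attached USB keyboard and mouse stop working too.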