
block/unblock usb devices except whitelist

Super User Asked by ajcg on December 24, 2020

If I want to block/unblock USB devices, I run in cmd:

:block
reg add "HKLM\SYSTEM\CurrentControlSet\services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
:unblock
reg add "HKLM\SYSTEM\CurrentControlSet\services\USBSTOR" /v Start /t REG_DWORD /d 3 /f

What I want is:

  1. Generate a whitelist of connected USB devices (any USB device, including keyboard, USB storage, mouse, etc.). (Solved with wmic path Win32_USBControllerDevice get * > usb.txt)

  2. Lock/unlock all USB devices, except the whitelist. In Linux this can be done with udev. I have no idea how it is done in Windows.

Note: Please, I prefer to use batch/wmic/regedit/cmd etc. instead of USBDeview or other GUI solutions. I'm also not interested in solutions based on PowerShell.

My research to solve the problem:
I found a collection of scripts based on Devcon. There is one called RenewUSB.bat. This script removes all USB devices and then rescans for new ones. It could eventually serve as a starting point for what I want.

To download devcon, see this Microsoft Old link. To obtain a list of drivers for all USB devices, use the commands:

%windir%\system32\devcon.exe DriverFiles =USB > usb.txt
%windir%\system32\devcon.exe find USB* > usb.txt
%windir%\system32\devcon.exe find *VID* > usb.txt

PS: Most USB devices have the identifiers "VID" and "USB". Example:

USB\VID_1C4F&PID_0002&MI_01\6&1578F7C2&0&0001 : Input device USB
HID\VID_1C4F&PID_0002&MI_00\7&2B89365C&0&0000 : Keyboard device HID

To block/unblock (specific device of usb.txt):

USB\VID_13FE&PID_1D00\5B7912980144     : USB storage device
%windir%\system32\devcon.exe disable *VID_13FE*
%windir%\system32\devcon.exe enable *VID_13FE*

To block/unblock all USB devices:

%windir%\system32\devcon.exe disable *VID* *USB*
%windir%\system32\devcon.exe enable *VID* *USB*

Sometimes devcon does not disable all USB devices, only a few. Example:

USB\VID_1C4F&PID_0002&MI_01\6&1578F7C2&0&0001 : Disabled
HID\VID_1C4F&PID_0002&MI_00\7&2B89365C&0&0000 : Disable failed

In this case there is no solution, other than replacing the command "disable" with "remove".

%windir%\system32\devcon.exe remove *VID* *USB*

But devcon is not a permanent solution for locking and unlocking devices (unlike reg add, which is). The test is that we can lock a USB device and then run the batch script renewusb_2k.bat, and we will see that the script reinstalls the USB drivers again and the locked USB device becomes accessible again. So devcon is not the solution to my request.

Thanks in advance

Update:

There are already solutions that do this. You can vote to close this question.

One Answer

See the following TechNet articles on how to restrict and allow devices via Group Policy. Specifically the "Prevent installation of devices not described by other policy settings" policy and the "Allow installation of devices that match any of these device IDs" policy. You'll need to generate a list of all devices, not just USB devices, because I am unsure if the policy only prevents new installs or will also prevent existing installed devices from having their drivers loaded. Even if it was just new installs, consider that installing new drivers would count as new hardware being installed.

https://technet.microsoft.com/en-us/library/2007.06.grouppolicy.aspx

https://technet.microsoft.com/en-us/library/cc772161(v=ws.10).aspx

If you insist on using the command line, you can create Group Policy objects with PowerShell:

https://technet.microsoft.com/en-us/library/ee461027.aspx

And to get a list of all devices presently installed on your system using PowerShell, see this answer:

Powershell Script to Export all Devices in Device Manager as tree or list?

AFAIK you cannot do so using the legacy Microsoft command prompt/batch files. You should switch over to PowerShell anyway, as MS has disabled the legacy command prompt by default in the latest Windows 10 Insider build and will likely make this change for all users in the next major update.

Answered by Muh Fugen on December 24, 2020
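Added here as a worked example of the allowlist-then-lock scheme the question asks for, implemented through the two Group Policy settings the answer names. It is not code from the question, the answer or Microsoft; the registry value names it writes are assumed to be the backing values of those policies (from the device-installation policy definitions, not stated on the page).

```powershell
# Added example, not code from the question or the answer: it applies the two
# Group Policy settings the answer names by writing the registry values those
# policies are assumed to be backed by (value names taken from the
# DeviceInstallation policy definitions, not from the page):
#   Restrictions\DenyUnspecified = 1    -> "Prevent installation of devices not
#                                          described by other policy settings"
#   Restrictions\AllowDeviceIDs\1,2,... -> "Allow installation of devices that
#                                          match any of these device IDs"
# Run in an elevated PowerShell. Use -Enforce:$false to lift the lockdown.
function Set-DeviceAllowlistPolicy {
    param([bool]$Enforce = $true, [string]$ExportPath = 'allowlist.txt')

    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $allowKey     = Join-Path $restrictions 'AllowDeviceIDs'

    # 1. Build the allowlist from every device present right now (all device
    #    classes, not only USB, as the answer advises), keyed on hardware IDs.
    $allowed = Get-CimInstance Win32_PnPEntity |
        Where-Object { $_.Present -and $_.HardwareID } |
        ForEach-Object { $_.HardwareID } |
        Sort-Object -Unique
    $allowed | Set-Content -Path $ExportPath   # keep a copy for review and rollback

    # 2. Replace the AllowDeviceIDs list: one REG_SZ per ID, named 1, 2, 3, ...
    New-Item -Path $allowKey -Force | Out-Null
    (Get-Item $allowKey).Property | ForEach-Object {
        Remove-ItemProperty -Path $allowKey -Name $_
    }
    $n = 0
    foreach ($id in $allowed) {
        $n++
        New-ItemProperty -Path $allowKey -Name $n -Value $id -PropertyType String -Force | Out-Null
    }
    New-ItemProperty -Path $restrictions -Name 'AllowDeviceIDs' -Value 1 -PropertyType DWord -Force | Out-Null

    # 3. Deny everything the allowlist does not describe (or lift that denial).
    $deny = if ($Enforce) { 1 } else { 0 }
    New-ItemProperty -Path $restrictions -Name 'DenyUnspecified' -Value $deny -PropertyType DWord -Force | Out-Null

    Write-Output ("{0} hardware IDs allowlisted; DenyUnspecified={1}" -f $allowed.Count, $deny)
}

Set-DeviceAllowlistPolicy
```

The list matches on hardware ID (vendor and product), so any other unit with the same VID/PID as an allowed device is still admitted; and because the answer is unsure whether already-installed but unlisted devices keep loading, review the exported allowlist file before enforcing.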
