How to Disable All External Mass Storage Devices on a Windows 7 Computer?

Vivek Nayyar March 4, 2011 3

There are cases when you don’t want any one to insert any external media in you system. Whether it is a USB flash drive or a CD/DVD ROM, every external storage device makes your machine vulnerable to risks. Also, many companies keep external storage device detection disabled in their office PCs for security purposes. In other words, disabling external storage detection on shared computers is strongly recommended by security professionals.

Process to disable all external storage media devices in Windows 7 computer is as below:

  1. Click on “Start” button.
  2. At the bottom of the menu in the search box type “gpedit.msc” (without quotes).
  3. In the “Local Computer Policy” snap-in under “Computer Configuration” expand “Administrative Templates” tree.
  4. Expand “System” sub-tree.
  5. Select “Removable Storage Access” from “System” sub-tree.
  6. In the right pane double click on “All Removable Storage classes: Deny all access”.
  7. In the “All Removable Storage classes: Deny all access” window select “Enabled” radio button to enable restriction.
  8. All Removable Storage Classes Deny all Access

  9. Click on “Ok” button to accept and confirm your selection.
  10. Close “Local Computer Policy” snap-in.
  11. Click on “Start” button and go to “All Programs”.
  12. From the list select “Accessories”.
  13. Right-click on “Command Prompt” and select “Run as Administrator”.
  14. In the “User Account Control” dialog box click “Ok” button to allow Windows to use your administrative credentials to run the program.
  15. In the “Administrator: Command Prompt” window type “gpupdate /force” (without quotes) and press enter key.
  16. Check your latest configuration by inserting a USB flash drive in a USB port. When you will try to acess the device you will be displayed with message box telling that your access is denied.

3 Comments »

  1. venda March 19, 2011 at 1:03 am - Reply

    What to do on Win 7 home premium? (No gpedit.msc there)

  2. Vivek Nayyar March 19, 2011 at 8:54 am - Reply

    You can try this:

    Click Start Menu > go to run command and type “regedit” without quotes. Registry Editor will open.
    1) Expand the HKEY_LOCAL_MACHINE folder then SYSTEM >CURRENT CONTROLL SET > SERVICES >USBstor, located at the left pane.
    2) Find “Start” in the right pane with the blue icon.
    3) Double click “Start”. A box titled “Edit DWORD value” will open.
    4) Write down “4″ in the “Value Data”

    Let me know if it helps.

  3. Dave July 17, 2011 at 4:48 am - Reply

    @Vivek Nayyar

    uh yeah, that solution totally doesn’t work. That will still allow the user to install and use the device the 1st time they plug it in then disable it for future attempts. The correct way is to go into the C:\Windows\INF folder and rename or delete the usbstor.inf and usbstor.pnf files. Doing that combined with your registry edit will prevent mass storage devices from working on that machine going forward.

Leave A Response »