如何阻止 USB 阻止笔式驱动器和外部硬盘驱动器

Question

I want to make a program to block USB so that no one can access USB port to transfer media.

I don't want to block USB port from BIOS because I use USB Key-board and Mouse.

Note: I want to give Administrator Privilege to all the systems but want to block just USB. In my office people need admin privilege to access other registries and windows services because those are programmers. Few Antivirus like Norton have options of blocking USB whether system is running in Admin or User mode. In this every system Client Antivirus runs and Server Antivirus runs in Server. We do settings in Server and in all clients USB gets blocked. Now please dont say that have Norton Antivirus:) I want to know that there must be any way like these Fundu programers did in Norton Antivirus.

Now what I did to achieve this so far.

I created two windows service. One service is continuously changing USBSTOR's Start value to 4 by using timer, to make USB disable always. Also first service is checking continuously whether Second service is running or not. If not then they are sending notification mail to me that some one has tried to stop the service.

Second service is checking continuously whether First service is running or not. If not then they are sending notification mail to me.

I made this so that People should not be able to stop service to unblock USB.

Now the problem is that people can disable my service and the service will not work. At this stage the STATUS of Service is Running but actually its Disabled. So I can only check the STATE (Disabled/Enabled/Automatic) from the Registry Key (Start) of my Service which will be at the location

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/MyServiceName

If Start's value is 2(Automatic), 3(Manual), 4(Disabled) we can check via our service every 2 seconds (for example) whether Start value got changed to 4, if yes then We can reset it to 2.

But here problem is that from service I am able to access USBSTOR's values but not any Service's Registies (Because of security issue)

I used this code to access USBSTOR registry with having write permission

Microsoft.Win32.RegistryKey key;
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user, RegistryRights.WriteKey, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
key = Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\USBSTOR", true);
key.SetAccessControl(rs);
key.SetValue("Start", "4",RegistryValueKind.DWord);

This code is working fine. (I kept this code in timer function to make Start value = 4 every time, to block USB every time if any third party tool is trying to enable USB by registry fix)

But the problem is that I want to get notification when ever some one is disabling Service. I can not access

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/MyServiceName

registry through due to security created by Windows.

But via Windows Application we can access

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/MyServiceName

registry. So I created an application which will run every time windows get started and will check that some one has disabled my service which blocks USB.

But here also problem is that user can go to

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

and delete my key to prevent my application to Run.

Now my actual question after a long story is that

1. How to block USB so that any one cant access it [Can we block it by blocking it on hardware level or by making some changes in its Driver. If yes then How?]

2. Can we make a windows service which cant be Disabled [If Yes then How?. We can make it CanPauseAndContinue = False, CanShutDown = False, CanStop = False. But is there any way to avoid Disable it?]

3. Can we prevent Access to Registries (Specific Keys) [ Antivirus software can do this, then how they do this? Does anyone have any idea or knowledge to such an extent? I want if some one is trying to edit USBSTOR value then it must say that Access is denied]

Please Every Geeks, Programmers, Hackers are invited to answer this question. By answering this various newbie also get an idea to make security softwares. Please try to give solution to my problem.

Thanks in Advance.

• Rahul

Answer 1

You could detect and remove any USB drivers for mass storage devices. If a driver gets reinstalled you could delete it automatically or even watch for new hardware inserted. If it is USB based disable it via API calls.

Answer 2

You might just overwrite USBSTOR.SYS with garbage, or delete it entirely (make sure to also nuke SFP's copy).