[gptalk] Re: USB storage block problem.

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 19 Apr 2007 12:55:01 +0530

So I should run from Computer Configuration, instead of user configuration?

On 4/19/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

 I suspect the problem is that you are trying to modify an HKLM reg key in
the user's security context and they don't have permissions to do that. That
is why a startup script was suggested—because that runs in the LocalSystem
security context.


*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Ananth Rajagopal
*Sent:* Wednesday, April 18, 2007 8:28 PM
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] Re: USB storage block problem.


yesterday I tried out the script and it was working fine, we deployed it
by evening and today morning, we got an error message in all the systems,
the error message is attached.

I had applied the script in User Configuration, as most of the users do
not shut down their systems, we wanted the script to be applied while users
logon, instead of when at system start.

Kindly advice.

best regards

 On 4/18/07, *Linux'o Mania* <linuxomania@xxxxxxxxxxx > wrote:


First you put this vbscript in *Computer Configuration > Windows Settings
> Scripts > Startup* section.

Now when you restart the computers, it will do the following....

   - Will set the USBSTOR key's startup value to 4 (original is 3).
   This will not let the USB Mass Storage devices start.
   - Will deny anyone's access from usb.inf, usb.pnf files. This will
   deny any newer devices from getting detected....

 Please test & share results...



*Ananth Rajagopal <ananth.rg@xxxxxxxxx> *wrote:

What happens with our old script is that, when users plug in a new usb
device the device gets accepted! I'll test the script you have send and will
let you know as soon as possible, how it fares.

thanks for the help!

On 4/18/07, *Ananth Rajagopal* < ananth.rg@xxxxxxxxx> wrote:

Can you explain a bit more detailed, we already have a bat file running as
logon script, where do I putt his script, run from the bat file or
separately at Computer Startup event? if so can u guide me step by step.

thanks for the reply!

On 4/18/07, *Linux'o Mania* < linuxomania@xxxxxxxxxxx> wrote:

Use this script in GPO's Computer Startup event....


Dim WshShell,Retvalue
Set WshShell = CreateObject("Wscript.Shell")

Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.inf /D everyone /T /Y",0,False)

Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
Set WshShell = Nothing


*Ananth Rajagopal < ananth.rg@xxxxxxxxx>* wrote:

Hi all,

We have this script running in our Windows 2003 domain.

@echo off


regedit /s "\\Tai3dserver\SYSVOL\tai3d .com\scripts\disable.reg"

"\ \Tai3dserver\SYSVOL\tai3d.com\scripts \subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system

the subinacl.exe deployment was advised by Mr. Ray Lewis, basically what
the script does is, it modifies a registry value such that usb removable
storage devices are not read by the system, but new usb storage devices are
getting accessed, how do i block the modification of this registry value?
Kindly suggest methods, I'm a novice in this...

best regards


Yahoo! Mail is the world's favourite email. Don't settle for less, sign up
for your free account 


Yahoo! Mail is the world's favourite email. Don't settle for less, sign up
for your free account 

Other related posts: