• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Ideas on how to prevent users from being able to install hardware


Bow Down to the King
Political User
Good day folks. As most of us know Windows does not make it easy to prevent users from installing PnP hardware. Since you can just plug a device in and it will automatically install. There are a few solutions out there, however, none of them seem to be bullet proof.

I have attempted to reset the permissions (ACLS) for the driver.cab (C:\WINNT\Driver Cache\i386\driver.cab) to deny all for SYSTEM, Users (group), and Power Users (group).

I have also attempted to delete the driver.cab file and the sp4.cab file.

Lastly, I attempted to modify the registry key that points to the driver cache.

However, some devices are still able to install themselves because it appears the drivers are kept right on the device itself.

I really don't want to purchase a license to DeviceLock or similar software applications. So my question: Does anyone have any ideas on how to prevent PnP software (such as Thumb Drives, USB Keys, memory card readers, cameras, PDAs, etc. etc. etc.) from being installed automatically and forcing administrator credentials?

Microsoft Support Document: http://support.microsoft.com/?kbid=241367
Other Documents: http://www.windowsdevcenter.com/pub...rverhacks_install.html?page=last&x-maxdepth=0



Under Computer Configuation-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.


Bow Down to the King
Political User
Reg said:

Under Computer Configuation-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.

Okay, this may sound rude. But... Windows Installer has NOTHING to do with hardware (PnP) installation. If you read either one of those documents I provided you would see it's not so simple and that there is no such policy in the Group Policy that allows an administrator to prohibit such installations. WI is for software based installs only; not hardware.

Nice try.


Secret Goat Fetish
Political User
despite the massive security threats of plugging in an unknown usb device even a guest user can use a 32mb flash drive :eek: , prehaps disabling pnp altogether?

start >> run >> services.msc

go down to plug and play service and have a play with it?

either turn it off, or restict access to it?


Bow Down to the King
Political User
Already tried that. Other services are dependent upon it. By disabling the service you generate other problems. Not worth the hassle.

bush dogg

OSNN Senior Addict
Political User
If it's front usb ports have you thought of opening the case and unhooking them?

Might check in the bios also, I've had people tell me there is an option in there.
(I looked before posting on both my systems,I don't have that option in
either system but worth a look)

Are there other usb devices in use?

Something else to look at "device manager/usb controllers/right click each usb root hub select properties/general tab at the bottom it will say device usage "use this device enable" you could set one to disable see if that helps.
(I have not tried this with the root hub but may work)


Here's an option for you:

Disable access to the USB based upon groups. For example, it is possible to disable access for USB Mass Storage devices to only administrators by changing the permissions on:


To deny non-administrators access. This works assuming that the device has not already been installed. If it has been installed, you can perform some registry edits to unstall it. I have done this with storage only, but I don't see why you can do this to the Port, Printer, Video, and Storage drivers.

A Microsoft article exists on this and can be found at http://support.microsoft.com/?kbid=823732


Bow Down to the King
Political User
bush dogg: That's not an option for many reasons. The big one is that I would be doing that all day long for a month straight (a lot of workstations).

Lee, NR said it right.

Reg, you *might* be onto some thing. Although, the article provided is based on Windows XP so it might not work for Windows 2000. It's worth a shot though. Thank you.


Gojyone kawaiiiiiiii!
Here you go:


[font=Arial, Helvetica, sans-serif]FEATURES[/font]
In-depth feature listing of Winguard Pro 2004:

  • Built-in programs: There are over 25 or the most common programs built-in for locking on the free version. Whilst premium users get over 50 built-in programs.​
  • Lock your own programs (Premium only): You can also add any of your own programs for locking. Though many are built-in.​
  • Fully configurable: The software comes with it's own Configuration tool, which is very user friendly, and if you get stuck there is a Help menu to hand.​
  • Password timer: You can set in seconds how long you want to give users to enter the password to access any locked programs. This can help deter hackers.​
  • Screen blank: You can have the screen blank in emergencies, this prevents any use of the computer, and blacks out the screen only leaving a password box to access the entire system.​
  • Hide access to the configuration tool: You can stop users from accessing the configuration tool by setting your own password on it. You can also stop them trying to guess the password by disabling the icon on the system tray.​
  • Extra Locking: Did will tell you about Extra Locking? This lets you lock even more features down on your PC. Such as the Desktop, My Computer, Internet Access, Internet Downloading, Software Installations and much more.​
  • Stop people installing software (Premium only): This is a must have for those of you who are sick of users installing software on your computers without your consent. With this feature just a simple click is all that's needed and the software will disable Setup programs, Installers, Self Extracting Exe's, Zip files, the lot.​
  • Help prevent viruses: Using the above feature to stop software installs, this will help prevent such viruses that may be contained in program the user is trying to install.​
  • Lock Files & Folders too: Keep users out of files or entire folders using the optional addon.​
  • Online help: Get help fast using the online help feature.​
  • It's easy to use: It will not bite! It is very easy to use, and looks nice too.​
  • 24 hour technical support: You can also email us for help, and our friendly staff will get back to you promptly.​
  • It's free: WinGuard Pro 2004 is as it states FREE! There is no time limits, or restrictions in the free version what so ever.​
I don't know how well this would work for you but whenever I don't want my brother to use the internet on my comp I just take out the phone line and tape the jack shut.


Bow Down to the King
Political User
Reg, no go. It only works for XP, not 2000.

Jef, shush.

Ferral Imp, I don't know think that would work very well. Nice try.


I'm sorry Hal...
Political User
I know it is possible, cause on the network (running w2k) where i work they have disabled usb hardware instaltion for some users.
Don't know how, though :) just thought it might give you some hope :)


Bow Down to the King
Political User
Khayman said:
I know it is possible, cause on the network (running w2k) where i work they have disabled usb hardware instaltion for some users.
Don't know how, though :) just thought it might give you some hope :)
They are probably running a program such as DeviceLock with runs on client side as a Windows service. I've given up hope.

Time to start testing the company's applications against XP.
If the usb ports are on the front of the computers couldn't you attach a door over them then use a small lock of some sort to secure it closed? (kinda like when some ppl lock their fridge by attaching a lock hasp on it then using a padlock to secure it.)


Bow Down to the King
Political User
I'll hire you. Come and see if you think that's possible. I'll also need a solution for the ports on the back.

My opinion: LOL. Sorry. Thanks.

Members online

No members online now.

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
What a long strange trip it's been. =)

Forum statistics

Latest member