
I'm working on an application that needs to temporarily put a machine into a restricted, kiosk-like state. One of the things I need to block is access to attached USB drives. Is there any way to do this, via C#, other than messing with Windows group policy? (That approach is covered by my other SO question on this topic)

I realize there might be security implications of this, and I might need admin rights to the box, and that's OK. At this point I just need pointed in the right direction to continue my research.

Update:

I'm targeting Windows XP for this. Vista support would be nice, but not required. Ideally I would only block USB drives plugged in after my app starts up, but it's acceptable to block ALL USB drive access.

This application will be run on machines I do not control. Basically my app gets installed, creating a restricted sandbox. The user then logs into my app, performs some timed actions, and then logs out. My app is then removed, restoring the PC to its prior state. I'm looking for a code-based solution that enables me to make the fewest number of assumptions about the pre-existing environment, up to and including the assumption that I can access the BIOS.

Seth Petry-Johnson
  • It might be out of the box, but one of the simplest ways is to disable the USB ports in the BIOS, no? – Clement Herreman Feb 15 '10 at 15:15
  • Are you wanting to restrict all access on the machine, or just access by your application? – Paul Turner Feb 15 '10 at 15:16
  • Is there a possibility that the user removes/inserts USB drives during this *temporarily* restricted mode, or are the USB drives fixed? Which operating system are you using? – Isaac Feb 15 '10 at 15:24
  • @Clement: I updated the question to indicate that I don't have control over the machines my app is installed on, so I can't assume that I have access to the BIOS. My app is used in public computing environments that likely have their own access controls over things like the BIOS. Thanks though! – Seth Petry-Johnson Feb 15 '10 at 15:40
  • @Programming Hero: all access on the machine. My "app" is just a series of setup and teardown procedures that turn the machine into a restricted kiosk. The user does not directly interface with any of the code I'm writing. – Seth Petry-Johnson Feb 15 '10 at 15:42
  • @Isaac: Thanks for the comment, I updated my question to include that information. – Seth Petry-Johnson Feb 15 '10 at 15:42
  • Can you physically lock the USB slots? I know it's not a software solution but that would make it more kiosk-like. – Jared Updike Feb 15 '10 at 15:45
  • @Jared: +1 for thinking outside the box, but the issue here is that I don't have control of the PCs that my app runs on, so I have no way of knowing how many USB ports they have or where those ports are located. Plus, I don't want the user to be able to unplug an existing USB device to gain access to their thumb drive. – Seth Petry-Johnson Feb 15 '10 at 16:06

1 Answer

You can do this by modifying the registry.

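using Microsoft.Win32;

// Open the USB mass-storage driver's service key writable (the second
// argument is required for SetValue to succeed; needs admin rights).
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
         "SYSTEM\\CurrentControlSet\\Services\\UsbStor", true))
{
    key.SetValue("Start", 4, RegistryValueKind.DWord);  //disables usb drives
    key.SetValue("Start", 3, RegistryValueKind.DWord);  //enables usb again
}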

http://support.microsoft.com/kb/823732

Any devices already connected will remain there, but no new USB drives plugged in will be automatically mounted.

sclarson
  • According to this article (http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks) this only works if a USB storage driver is already installed. If a drive is NOT already installed then the Plug-N-Play infrastructure will install it on first use, and that install will reset this registry key to "3" [allowed]. Have you encountered this issue? Do you have any ideas on how to address it, other than restricting access to USBSTOR.INF per the linked article? – Seth Petry-Johnson Feb 22 '10 at 14:46
  • I'd probably eat the one time hit that it works during your app unless it is absolutely critical. You're ok with something already plugged in working so I'd accept that case as the exception. Either that or distribute your app on USB sticks and kill the exception case. – sclarson Feb 24 '10 at 04:57
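
An added example, not part of the original answer or its comments: one way to wrap the answer's registry change so the machine's prior `Start` value is put back on teardown, and so a reset to 3 of the kind described in the comment above can be detected and re-applied. The names `UsbStorBlock` and `Reassert` are hypothetical; the code assumes it runs with administrative rights and that the `UsbStor` service key already exists.

```csharp
using System;
using Microsoft.Win32;

// Hypothetical helper: blocks USB mass storage while the object is alive
// and restores whatever Start value the machine had before.
public sealed class UsbStorBlock : IDisposable
{
    private const string KeyPath = @"SYSTEM\CurrentControlSet\Services\UsbStor";
    private const int Disabled = 4;          // value the answer uses to disable
    private readonly object previousStart;   // null if no Start value existed

    public UsbStorBlock()
    {
        using (RegistryKey key = OpenWritable())
        {
            previousStart = key.GetValue("Start");   // remember prior state
            key.SetValue("Start", Disabled, RegistryValueKind.DWord);
        }
    }

    // Call periodically (for example from a timer). Returns true if Start
    // had drifted away from 4 and was written back.
    public bool Reassert()
    {
        using (RegistryKey key = OpenWritable())
        {
            object current = key.GetValue("Start");
            if (current is int && (int)current == Disabled) return false;
            key.SetValue("Start", Disabled, RegistryValueKind.DWord);
            return true;
        }
    }

    public void Dispose()
    {
        using (RegistryKey key = OpenWritable())
        {
            if (previousStart is int)
                key.SetValue("Start", (int)previousStart, RegistryValueKind.DWord);
            else
                key.DeleteValue("Start", false);   // there was no value before
        }
    }

    private static RegistryKey OpenWritable()
    {
        RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, true);
        if (key == null)
            throw new InvalidOperationException("UsbStor service key not found");
        return key;
    }
}
```

The prior value is held only in memory, so a crash between construction and `Dispose` leaves `Start` at 4; a setup/teardown tool that must survive restarts would need to persist it somewhere of its own.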