Disabling Autorun and USB functionality completely

This discussion has a more recent version.
Jali Posts: 1,769 F-Secure Employee

When faced with large Downadup potential, it may be useful to disable autorun or USB sticks completely. This article refers extensively to two Microsoft articles which explain how to do this.

Note: This article assumes that you are comfortable with editing the registry and understand how to set access control lists and/or group policies.

To disable the Autorun functionality, refer to this Microsoft article. It is also desirable to disable Autorun on network drives by removing create rights from the root of such a drive.

To disable the USB functionality, depending on whether the USB storage has already been initialized or not (i.e. the first USB stick inserted will cause installation), do one of the following:

  • If USB storage has not yet been initialised, deny access for specific users or groups to
    • %systemroot%\inf\usbstor.pnf
    • %systemroot%\inf\usbstor.inf
  • If USB storage has already been initialised
    1. In HKLM\System\CurrentControlSet\Services\UsbStor, set Start to
    2. Restart.

For more detailed information, refer to the following Microsoft article.