Block USB mass storage on Windows - USB sticks, external HDD/SSD, and MTP/PTP smartphones - while keeping mouse, keyboard, audio, webcams, printers and other USB peripherals fully working.
A lightweight endpoint-hardening / data-exfiltration control: no agent, no driver to install. It toggles the Windows USB storage class drivers via the registry.
Warning
Use only on machines you own or administer. -Block/-Unblock require local administrator rights. Test before deploying at scale.
It sets the Start value of three storage-class drivers:
| Driver | Covers |
|---|---|
USBSTOR |
USB sticks, standard external HDD/SSD |
UASPStor |
high-performance USB 3.x drives (USB Attached SCSI) |
WpdBusEnum |
Windows Portable Devices (phones in MTP/PTP mode) |
- Block →
Start = 4(DISABLED): new storage devices are rejected. Drives already mounted stay available until disconnected. - Unblock →
Start = 3(DEMAND): storage works normally again.
Everything else on the USB bus (input devices, audio, cameras, dongles) keeps working - those use different drivers.
Double-click USBBlocker.bat. It self-elevates (UAC) and shows a menu:
[1] Show current status
[2] BLOCK USB storage
[3] UNBLOCK USB storage
[4] Open log
[0] Exit
Run from an elevated PowerShell:
.\USBBlocker.ps1 -Status # show current driver state (no admin needed)
.\USBBlocker.ps1 -Block # disable USB storage
.\USBBlocker.ps1 -Unblock # re-enable USB storage- Actions are written to
usbblocker.lognext to the script. - Changes take effect for newly connected devices; already-mounted drives remain until unplugged.
- For fleet-wide enforcement prefer Group Policy / Intune - this tool is for quick per-machine control and labs.