If I want to block/unblock USB devices, I run in cmd:

reg add "HKLM\SYSTEM\CurrentControlSet\services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\USBSTOR" /v Start /t REG_DWORD /d 3 /f

What I want is:

  1. Generate a whitelist of connected USB devices (any USB device, including keyboard, USB storage, mouse, etc.). (Solved with wmic path Win32_USBControllerDevice get * > usb.txt)

  2. Lock/unlock all USB devices except those on the whitelist. In Linux this can be done with udev. I have no idea how it is done in Windows.

Note: Please, I prefer to use batch/wmic/regedit/cmd etc. instead of USBDeview or other GUI solutions. I'm also not interested in solutions based on PowerShell.

My research to solve the problem: I found a collection of scripts based on Devcon. There is one called RenewUSB.bat. This script removes all USB devices and then rescans for new ones. It could eventually serve as a starting point for what I want.

Download devcon from this old Microsoft link. To obtain a list of drivers for all USB devices, use the commands:

%windir%\system32\devcon.exe DriverFiles =USB > usb.txt
%windir%\system32\devcon.exe find USB\* > usb.txt
%windir%\system32\devcon.exe find *VID* > usb.txt

PS: Most USB devices have the identifiers "VID" and "USB". Example:

USB\VID_1C4F&PID_0002&MI_01\6&1578F7C2&0&0001 : Input device USB
HID\VID_1C4F&PID_0002&MI_00\7&2B89365C&0&0000 : Keyboard device HID

To block/unblock a specific device from usb.txt:

USB\VID_13FE&PID_1D00\5B7912980144     : USB storage device
%windir%\system32\devcon.exe disable *VID_13FE*
%windir%\system32\devcon.exe enable *VID_13FE*

To block/unblock all USB devices:

%windir%\system32\devcon.exe disable *VID* *USB*
%windir%\system32\devcon.exe enable *VID* *USB*

Sometimes devcon does not disable all USB devices, only a few. Example:

USB\VID_1C4F&PID_0002&MI_01\6&1578F7C2&0&0001 : Disabled
HID\VID_1C4F&PID_0002&MI_00\7&2B89365C&0&0000 : Disable failed

In this case there is no solution other than replacing the command "disable" with "remove".

%windir%\system32\devcon.exe remove *VID* *USB*

But devcon is not a permanent solution for locking and unlocking devices (unlike reg add, which is). The test is that we can lock a USB device and then run the script renewusb_2k.bat, and we will see that the script reinstalls the USB drivers again and the locked USB device becomes accessible again. So devcon is not the solution to my request.

Thanks in advance



  • This can be done with a group policy. Before I submit an answer, which will take me over an hour to write, what does your research indicate?
    – Ramhound
    Commented Dec 1, 2016 at 23:59
  • As I said in the question, I know how to do it in Linux (bash), but I do not know how to do it in Windows (batch). That is why I am asking.
    – acgbox
    Commented Dec 2, 2016 at 0:02
  • m.windowsecurity.com/articles-tutorials/… Just use the enable GP instead of deny, and then block all USB storage devices; allow will become an exception to the deny policy.
    – Ramhound
    Commented Dec 2, 2016 at 0:02
  • I am asking for you to show us your research.
    – Ramhound
    Commented Dec 2, 2016 at 0:03
  • I'm voting to close this question as off-topic because there are already solutions that do this.
    – acgbox
    Commented Jul 18, 2019 at 12:39

1 Answer


See the following TechNet articles on how to restrict and allow devices via Group Policy, specifically the "Prevent installation of devices not described by other policy settings" policy and the "Allow installation of devices that match any of these device IDs" policy. You'll need to generate a list of all devices, not just USB devices, because I am unsure whether the policy only prevents new installs or also prevents already-installed devices from having their drivers loaded. Even if it were just new installs, consider that installing new drivers would count as new hardware being installed.



If you insist on using the command line, you can create Group Policy objects with PowerShell:


And to get a list of all devices presently installed on your system using PowerShell, see this answer:

Powershell Script to Export all Devices in Device Manager as tree or list?

AFAIK you cannot do so using the legacy Microsoft command prompt/batch files. You should switch over to PowerShell anyway, as MS has disabled the legacy command prompt by default in the latest Windows 10 Insider build and will likely make this change for all users in the next major update.

  • Cmd has not been removed from Windows 10, only its access, which can be restored again. And if it were completely eliminated, that's no problem: you can put the executable in the path again.
    – acgbox
    Commented Dec 2, 2016 at 14:57
  • "MS has disabled the legacy command prompt" - No it hasn't. They spent hundreds of programming hours adding features to the command prompt in Windows 10; they are not going to disable it.
    – Ramhound
    Commented Dec 2, 2016 at 19:20
  • You can clearly see in the screenshot bdc posted it was disabled.
    – Muh Fugen
    Commented Dec 3, 2016 at 17:35
  • @MuhFugen No, the option translates to "Replace Command Prompt with Windows PowerShell in the menu when I right-click the start button or press Windows logo key + X". Commented Nov 13, 2017 at 2:55
  • It seems none of you read the complete sentence, as in "... legacy command prompt by default in the latest Windows 10 insider build ... AND"
    – arana
    Commented Oct 4, 2023 at 21:47
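The two policies the answer names are backed by registry values, so the whitelist-then-deny procedure the question asks for can be scripted with the same reg add the asker already uses. The batch script below is an added example, not code from the question or the answer; it assumes the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions with the values AllowDeviceIDs and DenyUnspecified, and the whitelist.txt file name is the script's own choice.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example (not from the question or the answer). Writes the registry
rem values behind the "Allow installation of devices that match any of these
rem device IDs" and "Prevent installation of devices not described by other
rem policy settings" policies; the key path below is assumed to be theirs.
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
set "WHITELIST=%~dp0whitelist.txt"

if /i "%~1"=="whitelist" goto :whitelist
if /i "%~1"=="apply"     goto :apply
if /i "%~1"=="clear"     goto :clear
echo usage: %~nx0 whitelist ^| apply ^| clear
exit /b 1

:whitelist
rem Every present device (not only USB, as the answer advises), reduced to
rem ENUMERATOR\DEVICEID (the instance ID without its last segment), which is
rem the form the allow policy matches. Constructed example of one line:
rem   USB\VID_13FE&PID_1D00\5B7912980144  ->  USB\VID_13FE&PID_1D00
type nul > "%WHITELIST%"
for /f "skip=1 delims=" %%I in ('wmic path Win32_PnPEntity get PNPDeviceID') do (
    for /f "tokens=1,2 delims=\" %%A in ("%%I") do if not "%%B"=="" (
        set "HWID=%%A\%%B"
        rem redirect first: an ID ending in a digit would otherwise be read as a handle
        findstr /l /x /c:"!HWID!" "%WHITELIST%" >nul || >>"%WHITELIST%" echo !HWID!
    )
)
echo Whitelist written to "%WHITELIST%"
exit /b 0

:apply
if not exist "%WHITELIST%" (echo Run "%~nx0 whitelist" first & exit /b 1)
rem start from an empty allow list so stale entries do not survive
reg delete "%POL%\AllowDeviceIDs" /f >nul 2>&1
set /a N=0
for /f "usebackq delims=" %%H in ("%WHITELIST%") do (
    set /a N+=1
    reg add "%POL%\AllowDeviceIDs" /v !N! /t REG_SZ /d "%%H" /f >nul
)
rem deny installation of anything the allow list does not describe
reg add "%POL%" /v DenyUnspecified /t REG_DWORD /d 1 /f >nul
echo Allowed !N! device IDs; installation of any other device is denied
exit /b 0

:clear
reg delete "%POL%" /f
exit /b 0
```

Run it from an elevated prompt, since it writes under HKLM. On a domain-joined machine a GPO that manages the same policy overwrites these local values on the next policy refresh, so there the setting belongs in that GPO instead.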

