Blog: USB

I have encountered issues on PCs that can't access CDs or flash drives that previously had removable media access restricted by either group policy or Symantec Endpoint device control. After the control restrictions were removed, trying to read from the CD or flash drive gave an "Access Denied" error.

The only way I've been able to resolve this issue is by going to the Device Manager, uninstalling the CD-ROM drive/flash drive, and then scanning for hardware changes to add it back.

My assumption is that some registry settings aren't being changed correctly when policies are removed, so re-adding the device recreates the registry settings for the hardware.


 

I was at a customer location and needed to reflash a thin client that had become unusable. After obtaining the imaging utilities needed to write a bootable flash image to a removable USB, I only had one type of USB thumbdrive available, an 8 GB SanDisk Cruzer.
 
Once everything was ready to start creating the bootable image to the USB thumbdrive, the dropdown to select a target device was empty.  
 
Upon further research into the issue, I came across multiple articles about the SanDisk Cruzers showing up as a "fixed disk" instead of "removable USB device". This appears to be hard-coded into the device from a bit that is set, and there's really not a way to flip the bit to specify that it is a removable USB device (which is what the imaging utility wanted).
 
I went to the nearest big-box store, ignored 90% of their selection which were SanDisk Cruzers, and purchased the cheapest, most generic USB thumbdrive they had.  It worked with the imaging utility without a single problem and was detected as a removable USB device.
 

 

I received several new Cisco 2960x switches to configure, and one of them would not boot up, stating that the image failed digital signature verification. These switches have USB interfaces on the front that can be used for file transfer; however, more modern USB flashdrives would not work for me. I had a few older USB flashdrives that worked, so hold on to your flashdrives!

From a working switch, copy the boot image to the USB flashdrive.  
"copy flash:/c2960..../c2960...bin usbflash1:" (or usbflash0: depending on which port it was connected to).

I booted up the switch that wouldn't verify and tried to copy the image onto the switch from usbflash1:  but it told me the copy command was unknown.  Luckily, you can boot off the USB flashdrive image.

I typed "boot usbflash1:/c2960....bin" and it booted the switch where I was able to copy the working image to flash: "copy usbflash1:/c2960....bin flash:/c2960..../c2960....bin"

After overwriting the corrupt image, I rebooted the switch and it passed the verification on the image.


 

I had two customers that needed to exempt a couple of systems from a group policy that disables USB/CD-ROM access, but I ran into the same issue both times when trying to do so.

I added the user to the appropriate group to block the GPO, but when I logged into the user’s PC, the drives still said access denied. I figured the group policy had not applied, so I forced it to apply and then I had the user both log off and back on and also restart with no success on the policy applying.

I did some digging and discovered that there is a bug in Windows that affects the Portable Device Enumerator Service. I tried several things with that service (restarting, looking at other dependent services, etc.) but nothing worked. Microsoft had a Hotfix available, so I tried that and still got nothing. Finally, after some additional research, I ran across a KB article that recommended going into Disk Management, uninstalling the driver for the CD-ROM and then rescanning the disks to let it re-install. As soon as I did that, everything started working properly.

Here is the KB article with the Hotfix, in case it happens to work for someone else down the road: https://support.microsoft.com/en-us/help/2738898/users-cannot-access-removable-devices-after-you-enable-and-then-disabl


 

 

There are three primary connectors for USB3, shown below:

Standard-A

Standard-B

Micro-B

 

Most everyone knows a USB3 Standard-A cable will work in a USB3 port because they are the same size. But many people may not realize this is also true for the other connectors.

Because the extra pins for USB3 are in a separate part of the connector, you can use a Standard-B USB2 cable in a Standard-B USB3 port, and likewise for the Micro-B cable and port. You won’t get USB3 speeds, but this might be helpful if all you have on hand is a USB2 cable.


 

Chip maker FTDI released an update that went out with recent Windows Updates. This FTDI chip is used in many USB devices. The chip is a USB to UART converter. There are many clones in the market and this update changed the manufacturer ID on these clones to zero, making them unusable on any machine ever again. FTDI has since backed down and has released an update that no longer does this, but the damage may already have been done. So if you had a USB device mysteriously stop working after installing Windows Updates, this may have been the cause. FTDI has a configuration tool that might be used to set the ID back, if you know what it was to start with.

 

 

I had two 8 GB USB flash drives that suddenly started showing up as only one GB (983 MB). A little research showed that through creating various live CD images for antivirus, freeNAS, Ubuntu, part image, etc., the drives had been partitioned and Windows was only recognizing the first partition. Windows disk manager won't change the partitions on the flash drive, either.

A solution is to use command-line diskpart.

Diskpart

- LIST DISK

- SELECT DISK X (Make sure you get the right disk!)

- DETAIL DISK

- CLEAN

- CREATE PARTITION PRIMARY

- EXIT

Then format the drive.


 

An information security audit customer was using Group Policy to disable USB mass storage devices by setting the appropriate registry key from a value of 3 to 4.  They verified the registry values were what they expected and moved on to other things.

After I arrived onsite and spot-checked the USB restrictions on some of these workstations, none of them prevented the use of my flash drive. They scratched their heads and checked the registry key, and it had been changed back to a 3. If they forced a GPO update, the key was changed back to a 4 and USB mass storage devices were restricted from then on.

What was happening was these systems had never had a USB mass storage device attached.  The first time one is connected, the system performs the initial installation steps, one of which sets this key to a 3 even if it was set to a 4.  After reapplying the GPO, the restriction finally took effect for good.
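
A check for the condition described above, as an added PowerShell example that is not part of the original post. It assumes the registry value in question is the `Start` value of the `USBSTOR` service and treats subkeys under `Enum\USBSTOR` as the sign that a mass storage device has been installed before; `Get-UsbStorAudit` is a hypothetical name.

```powershell
# Added example (not from the original post).
# Assumption: the restriction is the USBSTOR service Start value (3 = enabled, 4 = disabled).
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Assumption: this key gains a subkey for each USB mass storage device installed on the machine.
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorAudit {
    # Read the current Start value; stays $null if the key or value is absent.
    $start = $null
    if (Test-Path -Path $svcKey) {
        $props = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
        if ($props) { $start = $props.Start }
    }

    # Has any USB mass storage device ever gone through first-time installation?
    $everInstalled = $false
    if (Test-Path -Path $enumKey) {
        $children = @(Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue)
        $everInstalled = $children.Count -gt 0
    }

    # Classify the machine. The "pending" case is the one the post describes:
    # Start is 4 today, but the first device install can set it back to 3.
    if ($null -eq $start) {
        $finding = 'Start value not found'
    } elseif ($start -eq 4 -and $everInstalled) {
        $finding = 'Restricted'
    } elseif ($start -eq 4) {
        $finding = 'Restricted for now; no device installed yet, re-check after first plug-in and GPO refresh'
    } elseif ($start -eq 3) {
        $finding = 'NOT restricted'
    } else {
        $finding = "Unexpected Start value: $start"
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Start         = $start
        EverInstalled = $everInstalled
        Finding       = $finding
    }
}

Get-UsbStorAudit | Format-List
```

Run it from an elevated prompt on a sample of workstations both before and after a test device has been attached, so the audit covers the enforced state and not only the configured one.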


 

I was utilizing a new USB headphone/microphone set instead of my normal devices which plug into the jacks on the side of the computer.  Everything worked great when the computer detected the new USB audio device and installed the driver.  Unfortunately, when I was done with the USB device and attempted to connect the old set of headphones, the computer would not detect them.

Upon further investigation, the computer told me there was no audio jack installed on the computer at all!  Evidently the USB device driver had disabled the audio jack completely to where it could not even be detected.  To regain sound, I had to uninstall the USB audio device driver.  This allowed me to access my audio jack settings again.

Beware of what certain device drivers can do!


 

Just as IT departments are finally locking down the use of removable media, a new threat may make existing technical controls irrelevant. The "Teensy" is a USB microcontroller that plugs into a PC in the same manner as a USB thumbdrive. But the technical controls that are able to neutralize the use of thumbdrives and other USB storage have no effect on the Teensy. That is because the Teensy emulates a human interface device, such as a keyboard. Since USB keyboards are restricted by very few, if any, companies, the Teensy is able to connect undetected. The tiny microcontroller can be programmed with virtually any code, including code useful in an exploit.

Teensy devices are available online for relatively low cost: under $10 US. It looks like IT administrators have another thing to keep them awake at night.