[Snow float driver Manager (USB disabled, USB locked)] Principle Analysis

Source: Internet
Author: User
Tags: driver manager
My colleagues tried this free software to test it on USB storage devices and downloaded version 1.0. After the test, I was told something strange: a USB flash drive must have been used once before the software can disable it, and new USB flash drives can be used as usual. So I compared it with Microsoft's official method of disabling USB storage devices (http://support.microsoft.com/kb/823732/zh-cn#top) and did a simple teardown of the software. The conclusions are as follows.
This program is written in Easy Language. All files with the .fnr and .fne suffixes are Easy Language runtime library files (the eAPI.fne, ecequal.fne and spec.fne files are not needed for now). The pxqdqgl.exe process is hidden after the program runs; this is achieved by calling the HideProcess interface of IO.dll. When the program runs for the first time, the cysys.ocx and ie32.inf files are created in the system32 directory. The ie32.inf file is actually used to store the software's password in encrypted form. If the file is deleted while the program is running, it can be restored only after the system is restarted; the ie32.inf file is deleted automatically when the program is uninstalled.
The program controls the disabling of USB storage devices on a single machine. Monitoring it with FileMon and RegMon shows that its basic principle is to modify registry values; for details, see the method for disabling USB storage devices in KB823732. While running, the program performs the following operations:
1. Modify HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and add pxqdqgl.exe after userinit.exe (so that it runs at startup);
2. Modify HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start. If USB is disabled, set it to 4. If it is enabled, set it to 3;
The program repeats steps 1 and 2 continuously (about every half second), which makes control easy.
When the program is uninstalled, it first restores the registry values and then exits.
This method can only disable devices that have already been used (installed) on the computer; new (not yet installed) USB storage devices can be used at least once. This is the defect of the program. Having gone this far, why not bundle xcacls.exe and call it from the command line to set the permissions on the driver files, or simply rename the driver file and check every half second whether a file of the same name exists at that location... Too much. Stop.
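To check a machine for the two registry changes listed in steps 1 and 2, the following added example (not code from the analysed program or the original post) parses the text output of `reg query` for the Winlogon and USBSTOR keys. The sample output is constructed, and the expected Userinit path assumes Windows is installed in C:\Windows.

```python
import re

# Constructed `reg query` output (not captured from a real host). The extra
# Userinit entry and Start=4 mirror the two changes described in the analysis.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,pxqdqgl.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
    Start    REG_DWORD    0x4
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR"
# Assumption: Windows lives in C:\Windows, so this is the only expected entry.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
VALUE_LINE = re.compile(r"^ {4}(\S+) {4}(REG_\w+) {4}(.*)$")


def parse_reg_query(text):
    """Map (KEY, value-name), both case-folded, to the data `reg query` printed."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().upper()
        elif key and (m := VALUE_LINE.match(line)):
            name, reg_type, data = m.groups()
            # reg.exe prints DWORDs as hex, e.g. 0x4
            values[(key, name.lower())] = int(data, 16) if reg_type == "REG_DWORD" else data
    return values


def audit(text, expected_userinit=EXPECTED_USERINIT):
    """Report unexpected Userinit entries and the USBSTOR start type."""
    values = parse_reg_query(text)
    entries = [e.strip() for e in values.get((WINLOGON, "userinit"), "").split(",")]
    extra = [e for e in entries if e and e.lower() not in expected_userinit]
    start = values.get((USBSTOR, "start"))  # None if the value was not in the output
    return {
        "userinit_extra": extra,             # anything here runs at every logon
        "usbstor_start": start,
        "usb_storage_disabled": start == 4,  # 4 = disabled, 3 = enabled (per the page)
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because the program rewrites both values about every half second, a manual fix to either one will not stick while pxqdqgl.exe is running. A `usb_storage_disabled` result of true still does not cover devices that were never installed on the machine, as noted above.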
