Possible vulnerability with USB key's ability to auto-install

Hi all,

If I buy a new usb key or a usb plug-and-play device, Windows automatically begins to install whatever program or drivers necessary to recognize the device. I never get any warning to approve that a device is trying to install or make system changes. What’s worse is that even if I lock the computer and put in a brand new usb-key, Windows still will install that device in the background. If someone were able to get access to the machine while I’m at work and plug-in a usb key programmed to compromise my system, I really can’t see a way to stop it.

I have augmented the Windows System Applications predefined policy and the services.exe policy to ASK for Device Driver Installations. I suppose one could force Windows Systems Apps and services.exe to ask for approval to run any executable, but this could wreak havoc. How can I disable USB auto-installations (I’m not talking about auto-start, I mean the auto-install plug and play) without me being there to monitor and approve. I’ve heard disabling the plug-and-play services would work, but it is not a good idea.

I run Defense+ in Paranoid Mode, not trusting digitally signed vendors, and monitor all settings checked.


To me that sounded like something for Windows rather than CIS. First hit in Google: How To Disable Automatic Driver Installation In Windows 7 / Vista .

Thanks! I saw this on Google, but I was hoping there was a work-around. This is probably the best solution. Thanks again!