Submit a ticketCall us

WebinarUpcoming Webinar: How Help Desk and Remote Support Pays for Itself

Learn how help desk software can simplify ticketing management, allow you to track hardware and software assets, and accelerate the speed of IT support and service delivery. Gain insights on how remote support tools allow your IT team to maximize their efficiency and ticket resolution by expediting desktop troubleshooting, ultimately helping keep end-users happy and productive.

Register here.

Home > Success Center > Log & Event Manager (LEM) > Prevent a user from stopping the USB Defender service

Prevent a user from stopping the USB Defender service

Table of contents

Updated February 14, 2017


Users in your environment have administrator access and are able to disable their SolarWinds Log and Event Manager USB Defender service so they can attach their USB devices.


It is possible for you to remove certain permissions from the service to prevent them from adjusting it, that falls far into Windows territory, so we'll be covering alternative responses you can configure on your LEM.


  • All LEM versions
  • USB Defender installed on Windows hosts
  • Users of those hosts have access to stop services


Using ServiceStop events, we can easily clone a rule template to monitor for USB Defender stoppage and perform actions such as automatically restart the service or send an email alert to you.

  1. Go to Build > Rules and search for USB.
  2. Locate the USB-Defender Service Stopped template in the bottom section, click the gear icon, and clone it.
  3. Choose a user to receive the email alert in the Users dropdown.
  4. If you want to automatically restart the service, drag the Start Windows Service action from the Actions section on the left to below the Send Email Message action on the right.
  5. Populate the Agent and Service Name boxes in that section for this to function.
    1. Expand the Events section in the top left corner and locate the ServiceStop event.
    2. Drag the InsertionIP field from the Fields section on the left to the Agent box on the right.
    3. Drag the ServiceName field from the Fields section on the left to the Service Name box on the right.
    4. Save and then Activate the rule.






Last modified